"http://<hub_ip_address>/getstarted" allows anyone to become an admin and take over hub

EDIT: I changed the title of the post from "find.hubitat.com redirects to getstarted.hubitat.com and allows anyone to become and admin and take over the hub" to the current title for anyone that might be confused reading this later.

When I go to find.hubitat.com it redirects me to getstarted.hubitat.com. From there I click through to step 4 to find my hub. When I click on my hub it takes me to http://<ip_address_here>/getstarted. In the get started I am able to rename the hub and register the hub to a new email account. After walking through the steps. I went into my the hub settings > hub details, and I see that the hub has a new name and 2 email addresses as admin on it.

Once I have registered the second email as an admin I am now able to go into My Hubitat and remove the original admin and disable the "hub login security".

This seems like a big vulnerability where anyone can take over a hub.

I expect it's designed so you have to be on the same LAN but if someone had managed to hack into that or you had an annoying house guest then trouble could ensue

Hmm... that does seem an unusual feature to have enabled once a hub is already registered and hub login security is already enabled.

@bobbyD can maybe shed some light on that, and confirm if that is working as intended and why.

Oh yes I've just tried it myself and it does redirect to that page. Was it always doing this?

Thanks for the feedback. We are looking into it.

Quick update: there has been a change in the get started workflow as mentioned in the release notes for 2.3.1. To better align with this change for new users, the find.hubitat.com now redirects to getstarted.hubitat.com.

This change does not pose any security threats, as if the user is not on the local network, no hubs are discovered on step 4 of the "Getting Started" workflow, after selecting "Find Hubs".

For those who may have bookmarked find.hubitat.com as the easy way to discover hubs on the local network, please visit findmyhub.hubitat.com, instead.

Being able to register myself as a new admin is still a big vulnerability. Anyone that has access to the hub's IP address can easily take over a hub. Your update relies on current customers and future customers to have knowledge of this issue and have the ability to isolate the hub in its own network. A lot of us don't have the capability to create VLANs to put the hubitat on a different network.

Even if we created a VLAN for IoT devices, one of those devices could be a bad actor, either by getting hijacked or intentionally bad from the start, then take over the hubitat hub locking us out. The only true way to solve this issue currently is to have the hubitat be the only thing in its own network.

There is another way, that our developers are looking into it, and that is, to skip the get started if the hub is already registered. Thanks for bringing this up to our attention. You have a valid point.

I think it might have always been like this. My title is probably misleading, "find.hubitat.com" and "getstarted.hubitat.com" is not the real issue. "getstarted.hubitat.com" just helped me find the vulnerability.

The real issue is being able to "setup" the hub once its already been setup on this url: "http://<hub_ip_address>/getstarted".

Is there currently a way to skip the "getstarted" page if the hub has already been registered?

The hub knows if it has been registered, so I hope they just turn off the /getstarted page in this case to avoid this issue.

Of course, anyone on your local network can go to :8081 and reset your hub (since :8081 has effectively no security if you are on the same physical network). Then they'd be able to use /getstarted I suspect.

(basically: don't allow anyone you don't completely trust on your local network; e.g., use guest WiFi access)

Thanks for showing me the 8081 port for the hub. I was playing around and it looks like most of the buttons in there require the user to know the mac address. Is there a way to take over the device using 8081 page that I'm not seeing?

Do a soft reset, and then go to the get started page.

If you are on the same physical network as the hub, you easily find it's MAC address. Just use the "arp" command ("arp -a" on Windows, Linux, MacOS, etc) after you've connected to it.

so in most cases insecure lol

Considering most people are behind a nat, unless someone is directly connected to your LAN this is unlikely to happen.

Thats a good point. Thanks for showing me that command. The mac address seems like a security design flaw.

For the next iterations maybe there should be a pin that is on the bottom of the physical device instead of using the mac address.

Getting started logic has been tweaked in 2.3.1.132 release to prevent double registering the hub, among other things. During normal operation (unless the hub is soft reset), /getstarted will forward to the home page.

As @gopher.ny mentioned above, the get started is now skipped automatically once you reach step 4 (after updating to version 2.3.1.132).

If you are concerned about someone on your local network accessing your hub, you could always password protect the hub via local security.

The MAC address is a failsafe mechanism to get a user access to their hub if they lock themselves out by forgetting their password.

And having said that, let me reiterate that this hub is not indicated for use as a home security appliance.