You are part way there then. Remove the Ethernet acccess and set up an isolated guest network which most consumer routers these days can do as a built in feature.
He could retain his limited access well after he leaves and remote control devices among other things, if they have done what I am thinking of. Probably planted a back door access before telling you they had access.
I don't have an issue granting remote access to the Plaza hub. I'm leaving now for a vacation South, so I'm not available to unplug the ethernet cables. Given that fact, if you go in and set things right, would he be able to undo things via the Ethernet cable. So my question is, should your intervention occur after he has checked out and the Ethernet cables have been disconnected or can it be done now? Also, I don't think he maliciously installed the things you have enumerated although a forensic search would prove that, rather I think the hub security blocks certain actions but not all, given that it's all on the same network.
Concerning security of the hub. It would seem to a non technical DIY person that if Hubitat is focused on selling to a typical customer like me, the hubs once updated on initial installation should force the user to set up security first. It reminds me of the nanny cam scandal where users installed these devices and Russians created web sites where the public could look into people's homes.
I don't believe that all the blame us mine. As good stewards of your product, you should be imposing security to your users and informing customers of the importance of locking the hubs up. A quick scan of the your tutorials and information does not indicate this and it is unfair to assume that all non technical DIY people would have the reflex to implement security.
Just for the record, I do not work for Hubitat in case there was any misconceptions.
Not sure if you meant to reply to my PM but its in public now...
Via the ethernet, or even the Wifi (assuming guests have access to the main Wifi), someone could access the diagnostic tool of the hub and factory reset it among other things. They would not have any device access or control from that though. This does require a password, which is the MAC of the hub, which can be obtained by physical access or by scanning the network unfortunately. Removing the ethernet AND adding an isolated guest Wifi together would keep people from accessing your devices via the LAN. If people are left with access to the main LAN via Wifi it is not much different than the ethernet access. The ethernet ports are just more complicated to secure vs making a guest Wifi is usually pretty easy.
He had to have saved some sort of back door access when he was in there, or else setting the password would have totally locked him out. Could be a dashboard you already had created, or just by installing MakerAPI app with the right settings.
I don't disagree with this, would not be a bad idea to at least ask the user if they want to secure the admin interface with a password. Rather than leaving people to find the settings on their own, if they even think about it.
Doesn't matter. Hope is not a strategy. You need to change your mindset about this else you will always expose yourself to security issues. This isn't specific to Hubitat. The only other choice is to give up on this sort of tech deployment. Sorry.
Fully agree. The only reason I can imagine this wasn't done is that it might generate support volume for lost passwords - although I think there is a recovery flow via the hubitat web site if your hub is duly registered (hopefully one day that will be protected by 2FA as well...).
Good luck.
I am guessing you are referring to stories about people who installed web-connected cameras in their homes, and then recycled the passwords they use for other websites (which were somehow compromised), which effectively made it possible for literally anyone on the internet to login to the camera.
Your situation is totally different. You invite strangers to connect to your WiFi and give them the WiFi password.
Even better; they get ethernet access - because they’re in the financial industry, and those folks, like @hydro311, can’t get anything done without a hardwired connection!
This is the problem with you people!! If I buy a car I expect someone to tell me I could crash it and die! I shouldn't have to figure something like that on my own... sheesh! 
The proper way to have set up your unit in a commercial environment (or even in a personal one that you didn't want people to have access to) is not by adding a password to the hub.... but to install a guest segmented vlan that was isolated from the primary lan. This would have given your guest internet access with no risk of them getting to the normal network. I mean, that's like allowing someone at one of my clients to jack in without a cert on their pc (or a whitelisted mac addr) and allowing them access to the same network the servers are on... Yeah, that ain't gonna happen. Most routers these days for consumer use have a guest network option which isolates things from the primary network. THIS is what you should be doing. No need to worry about a password on Hubitat.
Cant hurt though, I would recommend that everyone have Hub login security on, there is no reason to have it disabled IMO.
Perhaps.... but in general my point was to have it isolated.... At that point it generally doesn't matter. (not that with the right tools you can't bypass it or get into hubitat but overall it's less likely to be an issue)
The hub's security is as good as your local network's security. Think of the Hubitat hub as a smart door lock that has a physical key and codes. If you decide to give someone the physical key and a code, then change the code hoping to prevent them from entering, well, they will still be able to do so because they have the physical key. I don't know any lock manufacturers that warn you to not give someone the physical key and expect them not to use it.
IMO, the hub password is pretty much worthless if the LAN is insecure. Any potential hacker can simply reset the hub via the Diagnostic Tool and proceed to do whatever damage they intend to.
This.
And to reiterate; @ngbergeron's setup in a short-term rental is a commercial application. It is 100% up to them to setup a secure local network in their commercial environment. And even then, I want to point out that the hub (as sold) isn't meant to be used in such an environment without a commercial license.
As an Airbnb owner you should know that defeating bad/nosy/destructive guests is at/near the top of a list of your tasks to make it a profitable investment. You have a complex use case. It's on you to know the system limitations and the limitations of your own knowledge. A good network design is important for successful home automation. If you look at a dealer installed home automation system like Control4 dealers charge for the network design service and some won't even use customer supplied network equipment.
This community can and has helped people with their setups like yours. As already said, most of that help is from non-employees, especially help with network design.
Good point on the Diag Tool if someone has malicious intent. The hub login is more to keep out friendly casual snoopers more than anything. It would keep someone from accessing lock codes and controlling devices though. If they were to factory reset the hub all that would be lost, hub would be useless as it sits but at least nothing is compromised.
Leads me to question the security on the Diag tool itself, it is quite vulnerable when you think about it. If you have the IP of the hub and are on the LAN, not very hard to find the MAC even without physical access. Makes me consider firewalling that one port on my own LAN.
Good idea!
The analogy fails here, and I reject it. Unlike the keyhole in the lock or its keypad, Hub Security is not visible to the casual user - you could make it so. The diagnostic tool workaround is not exactly visible either, and it is not a way to enter (unless safe mode bypasses hub security? never tried it), it's a way to destroy the house and build a new one (which will leave, uh, traces of your break-in).
Fully agree, but that distinction is irrelevant to the securing-the-hub discussion, which applies in home settings. Yes you can isolate the hub and harden various aspects of your LAN, but that requires a lot of work. My kids share the wifi password with random friends all the time, despite constant reminders....
True, but sad.
I'll give it a thought. There's a token protected endpoint to restrict Diagnostics tool and hub UI to specific IP/IPs, meant for the commercial customers. Not sure it's a right solution for the home customer, though, some sort of password for Diagnostics tool (with hub's MAC as the default) seems like a better choice. But that's just me.
We're open to suggestions here, let us know.
What @gopher.ny wrote is why as a commercial customer, you need to have a commercial license. Were you to have negotiated/purchased one, as indicated in the TOS, your Hubitat would have been FAR MORE secure from prying eyes.
Not really. As I stated above, most consumer routers (which most airbnb people use) have a guest option. All you have to do is turn it on, name it and give it a key. Not rocket science.
Its a tricky situation, you want to always have access to the Diag Tool if you get into a bad spot. I would almost prefer to have a simple numerical PIN on TOP of the MAC password myself. Or if there was an option to mirror the regular login security password that could maybe work too. Would just hate for an unsuspecting user to set a DIFFERENT password on there, forget about, then be totally SOL when they get the blue light corrupted database.
Maybe the network reset could reset the diag tool password or something? Just trying to think of ways to prevent a total lock out.
Download the Hubitat app
