Hub Security Risks ⚠️

It has recently been brought to our attention that some users are exposing their hubs online. We have notified these users to take action to secure their hubs as soon as possible.

As a reminder, port forwarding is not recommended as a way to enable remote administration of your Hubitat Elevation hubs. It can be difficult to secure and if it is not password protected, virtually anyone can control your hub and your home.

The easiest, secure method to access the admin interface of your hub remotely is to use our Remote Admin service.

For more details, or to learn how to subscribe to Remote Admin, visit the following page :

Remote Admin | Hubitat Elevation®

20 Likes

I've got mine!

Less expensive than one smart doodad and supports the platform.

:+1:

5 Likes

I’d like to add that if you’d rather not pay, and/or if you have other devices on your LAN that you’d like to access globally, piVPN or router built-in VPN along with NO-IP works well to create a VPN to access your Lan globally. It requires some technical skill to set up but the end result is connecting to your LAN from anywhere. My personal setup is a TP-Link router with No-IP and vpn built into the router itself. Make sure to use an adress pool starting in 192.168. which doesn’t interfere with current LAN. For example, my IP pool for vpn is 192.168.7.(1-255)

8 Likes

@bobbyD

I’m curious, how are you determining this?

Are you just looking for exposed port 80 or something else?

We don't use any invasive methods. Just simply using available search engines that index (or don't index) web pages. The tip we received recently, that triggered the audit, was a specific keyword that someone stumbled on Google search.

4 Likes

No worries, I’ve got a Synology router with excellent active threat prevention measures and I’ve geoblocked, at the router level, countries with highly active bad actors.

Users don't need to take special measures in order to safe guard their own networks. Regular routers are able to protect the LAN and all the clients within it. The problem is that some users, knowingly use port forwarding, without understanding the risks they take by doing so.

12 Likes

True that, I'm in IT so have a pretty good idea of what I'm doing ..... most of the time. :rofl:

5 Likes

if people really want to access their hub from anywhere, and have a computer they leave on, and option is like Google Remote or something like that. Just popping some ports. Sheesh.. and there is no secure cert on the hub anyways (though it will let you use SSL http)

4 Likes

That's what I do.

1 Like

We do that with TeamViewer.

1 Like

The problem with port forwarding is that though it is bad to forward directly to their hub, any port forwarded to a any device is just about as bad if that device hasn't been hardened as well. But ofcourse you can only address the issues that directly relate to the hub.

If someone has opened up the hub to the internet there is a decent chance they have other stuff opened up as well that will put their home network at risk as well. This really should be a wakeup call to review all opened ports as well to mitigate exposure.

Great service! Thanks for noticing and notifying owners.

3 Likes

If I may ask a question purely for my learning. I know just enough about the IT stuff to be dangerous.

I don't have open ports and don't plan on doing so. Some time back I did have an open port to a camera as that was the only way to access it remotely. When I did that I did a port forwarding with an external port of something like 24534 to internal port 80. Then the camera required a login.

So if something similiar was done for HE wouldn't that require quite a bit of hacking for someone to access it? That is they would need the IP address, remote port number, user name, password. Seems like quite a bit to hack to me. And it would appear it would be the same with a VPN. Need to know IP, user name and password.

Again, just for my edification. Learning what I can. Thanks.

1 Like

I’m also no expert here, but my understanding is that changing the open port to a random number could make it somewhat less likely for a bad guy to notice your firewall has an open port. Port scanners tend to look for commonly used ports. It’s an example of “security through obscurity,” but most security experts consider that to be of minimal added value.

1 Like

Setting a password for the hub's administrative interface further limits the risk, but doesn't eliminate it.

1 Like

I used to expose two ports on my network to the internet:

  1. OpenSSHd mapped to an obscure exposed port.
  2. WireGuard mapped to UDP 51820.

My system logs indicated hundreds of ssh login attempts on a daily basis, and a few attempts to exploit an old version of OpenSSH.

I don’t have a static external IP, and I had chosen something random like 37812. So, my guess is that port scanners do a much more thorough job these days.

1 Like

Wouldn't the same things apply to remote access? All a hacker has to do is figure out the username and password.

The big question is other than to annoy me why would anyone want to hack into my system...:slight_smile:

1 Like

As an example, if someone gains access to my Hubitat, and by unknown means roots it, then it could be a short hop, skip, and jump to my desktop iMac which has all of my financial information.

3 Likes

Download the Hubitat app