Hub Security Risks ⚠️

Yes, in that case, there’s no hacking involved really.

That’s why it’s so important to use strong passwords and never reuse them for different devices/services. For example, people who go on their local news channel to report that their Nest camera was “hacked” were probably reusing a password that was compromised in an unrelated breach of an online service they also use.

4 Likes

I guess the thought here is if someone is determined enough they will find a way to get into your system anyway. In my case they certainly wouldn't get much...

You have to consider the "attack surface" that you make available.

If you forward ports which expose devices on your internal network to the open internet, you make it possible for someone who basically has no idea what they are doing to scan for ports that are listening and then probe for any devices with known vulnerabilities. And the more devices you expose this way, the more likely that at least some of them are vulnerable and can be compromised, which opens the door to unrelated devices also being affected, as @aaiyar alluded to.

By comparison, if you have a high quality router for which software and security is professionally and actively maintained and you keep it and all of your devices up to date, it takes a much more sophisticated and targeted attack to compromise your systems.

3 Likes

Passwords are great if good practices are used when making them, but they are just one small level of security. Any password that is used on a system that doesn't auto-lock you out or do some level of brute-force prevention is just waiting to be hacked.

The problem is that passwords are just one small measure against hacking. You have to keep in mind that all of this is software built on other software, right? So who is to say that the HTTP server being used to provide the front end doesn't have some unknown vulnerability? If a device isn't by its nature hardened, then it is likely unsafe to put on the internet. Someone above used an IP-based camera as an example. That, for example, may use a password, but if that is all you are depending on, then you are also depending on the manufacturer of that camera to have properly set up and hardened their web interface to ensure that there are no ways to access its content without that password. A few years back it was found that a lot of those cameras weren't hardened for that kind of connectivity, and people's homes were wide open for external folks to access.

You also have to consider that a password without some kind of Secure Sockets Layer with appropriate encryption is pretty much useless if you are ever out and use it. Think about the airport or Starbucks sniffer we hear about occasionally.

3 Likes
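The two posts above make the point that a password alone is not a control unless the login also locks out or throttles repeated guesses. The following is an added example, not code from the thread or from Hubitat, of a login throttle with an exponential-back-off lockout. The hashing parameters, limits, account name and attempt sequence are all constructed for illustration.

```python
# Added example (not from the thread or from any vendor): account lockout with
# exponential back-off in front of a password check. Everything here (limits,
# PBKDF2 rounds, the "admin" account, the guess sequence) is constructed.
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5            # consecutive failures tolerated before a lockout
BASE_LOCKOUT_SECONDS = 60   # first lockout; doubles with every further lockout
MAX_LOCKOUT_SECONDS = 3600  # cap so the back-off never grows without bound
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen credential table cannot be cracked quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AccountState:
    failures: int = 0        # consecutive failures since the last success or lockout
    lockouts: int = 0        # lockouts so far; drives the exponential back-off
    locked_until: float = 0.0


class LoginThrottle:
    def __init__(self, credentials: dict[str, tuple[bytes, bytes]]):
        # credentials: username -> (salt, PBKDF2 hash of the password)
        self._creds = credentials
        self._state: dict[str, AccountState] = {}

    def _password_ok(self, user: str, password: str) -> bool:
        if user not in self._creds:
            # Hash anyway so unknown users take as long as known ones (no user enumeration by timing).
            hash_password(password, b"\x00" * 16)
            return False
        salt, expected = self._creds[user]
        return hmac.compare_digest(hash_password(password, salt), expected)

    def attempt(self, user: str, password: str, now: float) -> tuple[str, float]:
        """Return (outcome, detail): ('ok', 0), ('fail', guesses left) or
        ('locked', seconds remaining). 'now' is passed in so runs are deterministic."""
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            # While locked the password is not even evaluated, so a guesser
            # learns nothing about correctness until the lockout expires.
            return ("locked", st.locked_until - now)
        if self._password_ok(user, password):
            st.failures = 0
            return ("ok", 0.0)
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            lock = float(min(BASE_LOCKOUT_SECONDS * 2 ** st.lockouts, MAX_LOCKOUT_SECONDS))
            st.lockouts += 1
            st.failures = 0
            st.locked_until = now + lock
            return ("locked", lock)
        return ("fail", float(MAX_FAILURES - st.failures))


def demo_sequence() -> list[tuple[str, float]]:
    """Constructed sequence: five wrong guesses one second apart, the correct
    password during the lockout (still refused), then success after it expires."""
    salt = os.urandom(16)
    throttle = LoginThrottle({"admin": (salt, hash_password("correct horse", salt))})
    results = [throttle.attempt("admin", f"guess{i}", now=float(i)) for i in range(5)]
    results.append(throttle.attempt("admin", "correct horse", now=30.0))
    results.append(throttle.attempt("admin", "correct horse", now=70.0))
    return results


if __name__ == "__main__":
    for outcome in demo_sequence():
        print(outcome)
```

The state is keyed by account here; a real login front end would also key on the source address, so that one guesser cannot lock a legitimate user out indefinitely, and would log every lockout so the attempts show up in whatever is watching the router or hub logs.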

And that’s why I use a Synology RT2600ac router with active threat prevention turned on and countries like Iran, China and Russia etc. permanently blocked in my firewall settings.

The threat prevention module is amazing, it inspects incoming Internet traffic to detect and drop malicious packets. As a result, these sort of attacks rarely get past my router.

1 Like

Inspecting traffic is good. Country blocking is almost (but not quite) useless, as any APT or even casual hacker will VPN or relay into the country they are attacking first.

Close to 100% of the blocked connection attempts I get are from the US (I'm in the US).

Doesn't mean you shouldn't do it, though. Rarely ever hurts.

4 Likes

True. It is quite interesting to see where the intrusion attempts come from, this is my last 30 days.

1 Like
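The two posts above look at where blocked connection attempts come from. The following is an added example, not code from the thread or from any router vendor, that summarises a firewall drop log by country, by source, and by the number of distinct ports each source hit. The log lines follow the netfilter/iptables LOG format but are constructed; the prefix-to-country table is a stand-in for a real GeoIP database, and the addresses are RFC 5737 documentation ranges.

```python
# Added example (not from the thread): summarise firewall drop logs by source
# country and flag sources that probe many ports. Log lines, the WAN address
# and the country table are all constructed for illustration.
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed log in iptables LOG style; the last line is unrelated noise.
CONSTRUCTED_LOG = """\
Mar 10 02:14:33 router kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=100.64.1.20 PROTO=TCP DPT=80
Mar 10 02:14:35 router kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=100.64.1.20 PROTO=TCP DPT=8080
Mar 10 02:14:36 router kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=100.64.1.20 PROTO=TCP DPT=22
Mar 10 02:14:37 router kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=100.64.1.20 PROTO=TCP DPT=443
Mar 10 02:14:38 router kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.7 DST=100.64.1.20 PROTO=TCP DPT=8443
Mar 10 02:15:01 router kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.99 DST=100.64.1.20 PROTO=TCP DPT=23
Mar 10 02:16:12 router kernel: [FW-DROP] IN=eth0 OUT= SRC=192.0.2.15 DST=100.64.1.20 PROTO=TCP DPT=23
Mar 10 02:17:40 router kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.200 DST=100.64.1.20 PROTO=UDP DPT=5060
Mar 10 02:18:05 router kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.42 DST=100.64.1.20 PROTO=TCP DPT=3389
Mar 10 02:18:05 router dhcpd: DHCPACK on 10.0.30.14 to aa:bb:cc:dd:ee:ff
"""

# Constructed prefix -> country table; a real deployment would query a GeoIP database.
CONSTRUCTED_GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
}

DROP_RE = re.compile(
    r"\[FW-DROP\].*?SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dport>\d+)"
)
SCAN_PORT_THRESHOLD = 4  # distinct destination ports from one source before we call it a scan


def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, cc in CONSTRUCTED_GEO.items():
        if addr in net:
            return cc
    return "??"


def parse_drop(line: str):
    """Return {'src', 'proto', 'dport'} for a drop line, or None for anything else."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "proto": m["proto"], "dport": int(m["dport"])}


def summarize(log_text: str):
    """Counts per country and per source, plus sources that hit many distinct ports."""
    by_country, by_src = Counter(), Counter()
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_drop(line)
        if ev is None:
            continue
        by_src[ev["src"]] += 1
        by_country[country_of(ev["src"])] += 1
        ports_by_src[ev["src"]].add(ev["dport"])
    scanners = sorted(
        src for src, ports in ports_by_src.items() if len(ports) >= SCAN_PORT_THRESHOLD
    )
    return by_country, by_src, scanners


if __name__ == "__main__":
    by_country, by_src, scanners = summarize(CONSTRUCTED_LOG)
    print("by country:", dict(by_country))
    print("top sources:", by_src.most_common(3))
    print("port-scan candidates:", scanners)
```

In the constructed sample most drops come from the "home" country, which is the pattern the post above reports; the per-source port count is the more useful signal, since it identifies a scanner regardless of which country its relay sits in.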

Easy to prevent that. IMO, your computers should NEVER be on the same network as HE or any other IoT device.

Every router has a guest network. Use that for your IoT devices. If you flashed your router with DD-WRT or OpenWrt you can create as many SSIDs as you want, so you can have a guest network, an IoT network and one for your personal devices. Don't let any device on the IoT or guest network talk to any device on any other network.

While I'd trust HE to a point, they can't guarantee there isn't a bug that would allow network access. And I certainly would not trust my vacuum, refrigerator, cameras, doorbells, Echos or any other of the few dozen or so devices that use my wifi network.

1 Like

Someone clever enough to root an IoT device is potentially clever enough to bridge VLANs.

4 Likes

Yes, there's always the possibility of a hacked IoT device exploiting some weakness in your router. But that's two devices that have to be compromised, and compromising your router's VLAN and/or Wi-Fi code is probably quite a bit harder than hacking an IoT device, many of which do not go through rigorous security testing. I would trust my router's code a lot more than I'd trust the code running on my vacuum.

Anyhow, that's not what I was really concerned about. Most if not all of those devices phone home. Who knows what kind of control those connections enable. What if that vendor's systems were compromised?

What about a DNS hijack that caused a device to connect to some man-in-the-middle, or a completely malicious server?

There's just no reason, IMO, to allow these devices access to the same network you have your personal computers, NAS, and other sensitive devices on. Nothing is 100% secure but that doesn't mean it isn't worthwhile.

2 Likes

Anytime that you have open inbound ports on an internet-facing router it presents a significant risk. Strong passwords take only time to crack, and if that is your only defense to get into your network, it's like walking through a screen door. With that said, however, these days it's almost as important to control what goes out of your network, to keep the bad guys locked in if they get inside. Otherwise they can easily set up command and control inside the network and "phone home" through normal established outbound traffic firewall rules. Once they set up shop inside and have a clear shot out they can do literally anything: activate cameras, microphones, scrape data, use your network for hacking others, etc. Most of the time you will not even know that they are there. IoT devices that are IP based are especially low-hanging fruit as a springboard to inside hacking. I do not allow ANY IP-based IoT devices except hubs to help minimize that. That's what makes Z-Wave, Zigbee and Lutron ClearConnect so appealing. They are segmented and the hackers rarely use them for their work.

I have a Ubiquiti EdgeRouter and have my camera network on one physical network, IoT on another network, my computers, etc. on another network (I don't allow Windows on my networks at all) and also a separate guest network. No VLANs, I use physically separated networks. VLAN hopping is fairly easy. I have specific rules that allow traffic between the networks where specifically required and only for required ports and destinations. I have intrusion detection and prevention on each network. I use a VPN with strong encryption to get in from the outside to manage everything. I block all inbound GEOs except my area to prevent unwanted guests, although they are likely going to use a hacked US-based host. I still block a lot of overseas attempts.

With that being said, I am not saying it's 100% bulletproof because there is no such thing. But I try to be vigilant... So far I have had good luck.

The key to good cybersecurity is like physical security. Make yours more difficult to get into than the other guy's. If a burglar is driving through the neighborhood, the house with burglar bars looks less appealing than the one without.

Just my two cents.

1 Like
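Both the guest-network post earlier and the EdgeRouter post above describe the same design: separate LAN, IoT and guest segments, default deny between them, explicit allow rules only for the ports and destinations that are actually needed, and a tight outbound list for the IoT segment. The following is an added example, not code from the thread and not Ubiquiti, DD-WRT or OpenWrt configuration, that encodes such a policy as a small zone-based evaluator so it can be checked against sample flows before being translated into a real router's rule set. Zone ranges, the hub address and the rule list are constructed.

```python
# Added example (not from the thread, not any router's configuration syntax):
# a zone-based allow-list evaluator for new connections. Subnets, the hub
# address and the rules are constructed to mirror the segmentation described
# in the posts; reply traffic of accepted flows is assumed to be handled by
# connection tracking and is not modelled here.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ZONES = {
    "lan":   ipaddress.ip_network("10.0.10.0/24"),   # personal computers, NAS
    "iot":   ipaddress.ip_network("10.0.20.0/24"),   # hub, cameras, vacuum, ...
    "guest": ipaddress.ip_network("10.0.30.0/24"),
}
HUB = "10.0.20.5"   # constructed address of the home-automation hub in the IoT zone


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str | None = None               # None matches any protocol
    dports: frozenset[int] = frozenset()   # empty matches any destination port
    dst_host: str | None = None            # None matches any host in dst_zone


# Explicit allow list; anything not matched is dropped (default deny).
ALLOW: list[Rule] = [
    # Trusted PCs may open the hub's web UI; nothing else may reach it from other zones.
    Rule("lan", "iot", "tcp", frozenset({80}), dst_host=HUB),
    # IoT egress limited to HTTPS and NTP. No outbound DNS to the internet, so a
    # device with a hard-coded public resolver is forced onto the local one.
    Rule("iot", "wan", "tcp", frozenset({443})),
    Rule("iot", "wan", "udp", frozenset({123})),
    # Guests get web access only.
    Rule("guest", "wan", "tcp", frozenset({80, 443})),
    # Personal devices are unrestricted outbound.
    Rule("lan", "wan"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the local ranges is 'wan'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


def decide(src: str, dst: str, proto: str, dport: int) -> tuple[str, str]:
    """Verdict for a new connection: ('accept' | 'drop', reason)."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in ALLOW:
        if r.src_zone != sz or r.dst_zone != dz:
            continue
        if r.proto and r.proto != proto:
            continue
        if r.dports and dport not in r.dports:
            continue
        if r.dst_host and r.dst_host != dst:
            continue
        return ("accept", f"{sz}->{dz} matched {r}")
    return ("drop", f"{sz}->{dz} no matching allow rule (default deny)")


# Constructed sample flows a practitioner would want the policy to get right.
SAMPLE_FLOWS = [
    ("10.0.20.5",     "10.0.10.7",     "tcp", 445),   # hub -> NAS: lateral movement
    ("10.0.10.7",     "10.0.20.5",     "tcp", 80),    # PC -> hub web UI
    ("10.0.20.9",     "203.0.113.10",  "tcp", 443),   # camera -> vendor cloud
    ("10.0.20.9",     "203.0.113.10",  "tcp", 8443),  # camera -> odd outbound port
    ("10.0.20.9",     "203.0.113.10",  "udp", 53),    # camera -> public DNS
    ("10.0.30.4",     "10.0.20.5",     "tcp", 80),    # guest -> hub
    ("203.0.113.10",  "10.0.20.5",     "tcp", 80),    # internet -> hub (no port forward)
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = decide(*flow)
        print(f"{flow}: {verdict} ({reason})")
```

Once the allow list reads correctly against sample flows like these, each `Rule` maps onto one inter-zone firewall rule in the router of choice; the value of writing it down this way is that the default-deny direction (IoT to LAN, guest to anything internal, internet to the hub) is checked explicitly rather than assumed.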

A great and worthy discussion! We use all of these concepts (and more) in our enterprises. Unfortunately, I suspect much of this is conceptually beyond many HE owners. Not that they can’t learn them, just a question of willingness to spend the time to learn them.

To help our community most, we should help build a set of security best practices for home automation. Acknowledging there are several levels of skill, implementation complexity, and willingness to delve into security, we should construct the list in several tiers. Here is a suggested list:

Essentials

  • hub only implementation,
  • dashboard only remote

Moderate complexity

  • A lot of WiFi devices,
  • three or more hubs,
  • remote admin access to HE

High complexity

  • multiple hubs,
  • multiple support servers (NR, Homebridge, etc.)
  • remote access to multiple systems

4 Likes

Umm, sorry to sound, well, stupid, but how do I know if I have inadvertently set up port forwarding?

Check in the port forwarding section of your router's UI.

1 Like

You would have told your router to port forward 80 to your hub from the outside. If you didn't do that you're fine.

1 Like

Or 8080

2 Likes

There is a search engine that can help you track all your devices that are directly accessible from the Internet.

Check out Shodan.io for a comprehensive view of all exposed services that may help you stay more secure.

Hackers can hack the Hubitat and get into your LAN, and eventually breach computers. With a VPN, the open port and server are very hard to compromise to get into the LAN, and the VPN (at least OpenVPN) uses a large encryption key that no password can compare to. A VPN also requires encryption, which only the long key can open, for all traffic to and from the open port, while port forwarding has no such concept (anyone can randomly stumble over it). Finally, hackers can create bots that try to find thousands of these servers per day, as shown by the comments about people tracking where attempted attacks come from.

TL;DR: port forwarding is unencrypted and not hardened, while VPNs are hardened and only accept encrypted traffic from a certain key.

There are currently 288 known Hubitat devices still exposed to the internet. There are probably a lot more.

When I tested a couple of years ago, it wasn't possible to change settings or add rules through a NAT. You can only control devices that are already configured. Still not good. Probably a nuance with how the web interface is made and not intentional.

I just use PiVPN and WireGuard. I had my old Vera on a special security zone/separate subnet. But many of the apps on Hubitat expect that devices are on the same local subnet, which is kind of annoying. So I can't do that and still have everything work.

1 Like

Alfred E Newman: What Me Worry? :man_shrugging:

3 Likes