Hubitat on a VLAN: are Zigbee & Z-Wave devices protected?

I've tried and researched this but all links seemed to be over 1 year old and won't allow any questions.

I just added a tp link managed switch connected to my Firewalla Purple Se firewall. I also have a TP Link wifi 7 router ( Archer BE550) connected in access point mode.

I just created a VLAN and connected my C8 Pro to it with no issues. I'm an old timer, and like playing around but don't know a lot of the concepts. My question is: are all my Zigbee and Z-Wave devices that are attached to my C8 Pro, which is attached to a VLAN, protected from hacks?

I guess a better way of putting it: are all the Zigbee and Z-Wave devices that are joined to my Hubitat hub under the umbrella of protection of the VLAN that Hubitat is attached to?

Many thanks
Tony

Any Z-wave, Zigbee, Matter radio connection to the Hubitat hub can only reach the internet via the Hubitat IP connection. There is no other path. So they are protected by default.

No. I’m certainly no networking expert, but VLANs segment traffic on an IP network. Your hub has an Ethernet (and WiFi) card so that it can connect to an IP network, namely your local area network (LAN).

Zigbee and z-wave are different networking technologies and there is no way for a hacker that has accessed your LAN to interact with those devices.

Unless the hacker can control your Hubitat hub. But they would be doing that through its web interface, connected to your LAN. Not through some direct method of device hijacking using the zigbee or z-wave protocols.

So what you're KINDLY saying lol is I did the VLAN connection for nothing because Hubitat was protecting the devices anyway.
Thank you for your quick response!

2 Likes

Ok, I guess I was thinking how WiFi devices are hacked and not realizing Zigbee and Z-Wave devices are a whole new ball game.

So if I understand you correctly, the only way my Hubitat network could be hacked is if someone got control of my Hubitat hub and not from the outside? So Hubitat, being on a VLAN, provides no protection to hub access and is really a waste.

Many thanks for everyone's explanation.

1 Like

Moving IoT devices to a VLAN could provide more security, depends on how you set up the VLAN/firewall rules, etc., and what kinds of devices you have. If you just have the HE hub and Z-Wave and Zigbee devices then mostly not worth it, IMHO.

You may find the search results below useful/interesting in general:
https://www.google.com/search?q=should+I+put+my+IoT+devices+on+a+VLAN&rlz=1C1UEAD_enUS950US950&oq=should+I+put+my+IoT+devices+on+a+VLAN&gs_lcrp=EgZjaHJvbWUyBggAEEUYOdIBCTEwMTUxajBqN6gCALACAA&sourceid=chrome&ie=UTF-8

As usual, take the advice of the Internet somewhat w/a grain of salt. :wink:

No, I would not say this is an accurate description either.

If your Hubitat hub is on a VLAN, and you have firewall rules in place to restrict access to that VLAN, then you make it harder for an unauthorized user to access the hub’s web ui (or otherwise gain control of the hub through its IP network connection).

Once someone has accessed the hub’s UI, they can do whatever they want with your hub. So there is a measure of protection provided.

Where I believe your confusion lies is in assuming VLANs have anything to do with zigbee or z-wave. They do not.

1 Like
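To make the point above concrete, here is an added illustration (not from this thread, and not a Firewalla or TP-Link configuration) of what "firewall rules in place to restrict access to that VLAN" looks like as a Linux nftables forward policy. The interface names, subnets, hub address and the hub's web UI ports (80/443) are all assumed placeholders; substitute whatever your router's own rule editor uses.

```nft
# Added example, not from the thread or any vendor's documentation.
# Assumed layout (placeholders):
#   trusted LAN : 192.168.1.0/24  on interface vlan10
#   IoT VLAN    : 192.168.20.0/24 on interface vlan20, hub at 192.168.20.10
#   WAN         : eth0
table inet iot_segmentation {
    chain forward {
        # default: nothing crosses between VLANs unless explicitly allowed
        type filter hook forward priority 0; policy drop;

        # replies to connections a trusted host already opened may flow back
        ct state established,related accept

        # a trusted-LAN host may open the hub's web UI (ports assumed)
        iifname "vlan10" oifname "vlan20" ip daddr 192.168.20.10 tcp dport { 80, 443 } accept

        # the IoT VLAN may never initiate a connection into the trusted LAN,
        # so a compromised IoT device cannot reach PCs, NAS, etc.
        iifname "vlan20" oifname "vlan10" drop

        # the hub (and other IoT devices) may still reach the internet for updates
        iifname "vlan20" oifname "eth0" accept
    }
}
```

The security gain this buys is exactly the one described in the post: the hub's IP-facing management surface is reachable only from hosts you choose, and a device on the IoT VLAN that does get compromised cannot pivot into the trusted LAN. It says nothing about the Zigbee or Z-Wave radios, which never touch these interfaces.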

Ok, great explanation, and yes, I was confused about Z-Wave and Zigbee relating to VLANs, which you have cleared up.

So much appreciate this forum and everyone who goes the mile to take the time and help Hubitat users like myself.

3 Likes

I'm sure an enterprising young hacker with a Flipper Zero could find a way to exploit unsecured Z-Wave or Zigbee devices if they really wanted to....

Probably. Z-wave and zigbee are surely not 100% uncrackable wireless communication protocols in their own right.

But to try to clarify things for the OP, VLANs are for devices that connect to IP networks.

Zigbee and z-wave devices do not connect to IP networks (directly).

4 Likes

I'm sure. However, my Zigbee barely makes it to the other side of the house. Maybe an issue in an apartment building.
Limited range is a benefit here.

1 Like

I'll also chime in here. Both Z-Wave and Zigbee use AES-128 encryption. That said, a lot of us don't bother using encryption with Z-Wave as it can slow things down in certain circumstances (especially S0).

That said, I really wouldn't worry too much about your hub being hacked. While exposed to the internet it uses a reverse tunnel when going out for updates or using remote admin or remote dashboards. You can simply disconnect it from the internet and use VPN instead if you're that paranoid.

You are running a NAT-based router and that for the most part is fine (as long as you didn't do something dumb like port forwarding). Your best security is keeping up on firmware/OS updates for all your devices, especially your router. Keep your home network simple, don't go to sketchy web sites and pay attention to what you download. No one is out there actively targeting your system, but there are a lot of trojans out there (none known that apply directly to Hubitat). Use a good virus/malware scanner and you'll be fine. Don't let paranoia dictate how you set up your stuff. Use the KISS principle.

1 Like

Many thanks for your time in explaining this. I guess all the hype the media sends out concerning Chinese hacks, and router hacks, TP-Link in particular, has got me on edge. Your explanation of Z-Wave and Zigbee security was greatly appreciated.

This is truly a great forum with caring members.

2 Likes

Sensationalism has always sold well, whether it was newspapers, or these days, clicks on web pages.

Not to say there isn’t something behind many of these stories. But the details matter.

I’m also thankful for a community of fellow techy nerds like this one, most of whom are much better than me at this stuff. It can really help sort the wheat from the chaff.

1 Like

Yeah, I definitely think the TP-Link stuff is overblown. - In the sense of "these issues are intentional "open backdoors" for the CCCP". - I personally don't buy that. Never attribute to malice, what can be likely attributed to stupidity, or in this case: greed.

TP-Links have bugs and vulnerabilities - All routers (and actually all software) do. - It's just that TP-Link is exceptionally bad at patching/supporting older routers - They just don't care, and given they make money selling new routers, and not patching old firmware, that's not really all that surprising. And I'm sure the CCCP (and all intelligence agencies) exploit those vulnerabilities. For examples closer to home: https://www.securityweek.com/cisco-patches-cia-zero-day-affecting-hundreds-switches/ There is no real reason for the CCCP to mandate the company "planting" intentional issues; there are plenty of vulnerabilities and day-zeros already out there to risk the intelligence agencies getting caught "with their hand in the cookie jar" - (that said, it doesn't really seem to bother the US agencies: Photos of an NSA "upgrade" factory show Cisco router getting implant - Ars Technica)

So it's not likely the CCCP cares about your home router; it's more likely script kiddies are scanning the internet looking for known vulnerabilities on various routers - TP-Link included.

My sense is that the real news is that TP-Link is exceptionally bad at patching and supporting existing HW, given their business model. Personally, I think this is one of the few cases where regulation is required to assure at least a minimum support period (3 years?) for ALL internet-connecting devices, along with not using common default passwords, authentication...

There is some real basic security stuff that should (IMHO) be mandated on internet-connected devices. Just most people don't care, or aren't aware, so the business model rewards low prices and fast support of new features/standards. There is no $$ to be made in the consumer space for fixing security issues on 4-year-old routers.

Getting off my soapbox..

2 Likes
