Wanted to share my thoughts on Hubitat security after using Hubitat for a few weeks.
At the end of the HSM tutorial video, Hubitat’s Joe proclaims that we can “bask in the glory of your securely protected home”.
Well… not quite yet, Joe… (or whatever the name is..)
First, let’s get professional monitoring out of the way here - I will limit this conversation to self-monitoring only. I will just say that self-monitoring is quite sufficient for many households in my opinion, and you could avoid false alarms and dispatch the police yourself with even better results, but I don’t want to have that debate here - big separate discussion.
Then, there is the obvious lack of battery and cellular backup. This is not unique to Hubitat, same problem with SmartThings and some others. However, based on my experience, even when those features are provided out of the box, they are often kind of finicky and limited. I would say that it’s a better long-term approach to set up your own UPS and cellular router regardless of which hub you have. If you are doing it for the first time, it will be a hurdle to figure out (router w/SIM support, data SIM card, etc.), but in the end it’s solvable in a straightforward way if you are a Hubitat kind of user with a DIY attitude. I also don’t want to go into detail on this here – big topic, separate thread.
I’m going to focus on the cloud component here, and how it matters for self-monitoring. Hubitat’s concept of fully local processing is very wise. They recognize that cloud processing is not necessary for home automation (in fact, detrimental), and not even necessary for most security monitoring tasks. Hubitat gives you reliable local processing, AND avoids maintaining complex cloud infrastructure, a win-win on both sides. But, if reliable self-monitoring is the priority, there are exceptions that do require the cloud, and Hubitat’s position of not saving any data in the cloud results in a few shortcomings, specifically in situations where a home intruder disconnects or smashes the hub. Here are two big ones:
- Notifications have to have guaranteed delivery via the cloud. If your phone is offline during a home intrusion (e.g. on an airplane), and the intruder gets to the hub, the cloud notification service has to ensure that your phone eventually gets all notifications that the hub dispatched before it gets busted…better late than never.
- Sensor event history has to be available off-site. If you get an alarm notification, but the hub is offline by the time you see it, you cannot get to the sensor history (Hubitat dashboard is down when hub is down), so you will not be able to review motion sensor events to determine if this was a false alarm or the real thing. False alarm assessment is critical for self-monitoring, and the event history, especially the motion sensor history, is the key (unless you have a separate cloud camera system to supplement Hubitat, but here I’m talking about Hubitat alone).
You could argue that SMS notifications are reliable because many carriers retry delivery for some time before giving up, but it’s carrier specific. Alternatively, you could set up a Google Voice number which persists SMS in the cloud. The bigger problem is the 10 SMS/day limit with Hubitat, because notifications are also your solution to saving the sensor history. The workaround with Hubitat is to set up notifications on each security sensor event while you’re in the Away mode. Hubitat makes that really easy – just 2 custom alert rules in HSM, one for all contact and shock sensors, and the other for all motion sensors. But 10 SMS/day is not enough for this.
This is where Pushover comes to Hubitat’s rescue. Pushover is a cloud notification platform, and as such, your notifications are saved in the cloud until they are delivered to your device, and subsequently stored in the app. This way your sensor events are always delivered to you regardless of what happens to the hub afterwards. Between Hubitat and Pushover notification configurations (priorities, group delivery etc), there is lots of flexibility to set up Pushover as your notifier and event history collector. As a matter of fact, even when Hubitat releases a mobile app, I still plan to retain Pushover for all my notifications.
There might be other situations where cloud is required…I can’t think of any right now, and so far I’ve got all the essential self-monitoring functionality I need. The way I see it, for self-monitoring Hubitat+Pushover is a fully functional DIY security platform. Pushover is Hubitat’s missing cloud component that fills the gap.
People say Hubitat is home automation, not security. It’s true that Hubitat security is not provided as turn-key (e.g. like in IRIS or Ring), but it’s all there out of the box (apart from a separate hurdle with cellular and a battery backup), and you don’t have to be a hardcore techie to set it up – if you have a DIY inclination and are willing to walk through a number of screens as a one-time exercise, it’s quite straightforward and does not take a lot of time - assuming you know exactly what to do. That last part is where Hubitat should do a better job in their documentation – they should put up a better self-monitoring setup tutorial with all core security components tied together: HSM, keypads, and Pushover. Right now, the biggest time waste with Hubitat security is spending some hours browsing through their forums and docs to tie it all together, and it does not have to be that way. Once I knew what I had to do, it literally took me less than an hour to set up all my security parts and forget about it.
Anyway - I welcome your comments on the cloud aspects and security essential features.
…and with that, you can now bask in the glory of my guidance, while Joe will be inducting me into the Hubitat Hall of Fame for pointing him the way out from Hubitat insecurity confusion to the secure light of clarity…or whatever..