Hubitat + Pushover: the security solution


#1

Wanted to share my thoughts on Hubitat security after using Hubitat for a few weeks.

At the end of the HSM tutorial video, Hubitat’s Joe proclaims that we can “bask in the glory of your securely protected home”.

Well… not quite yet, Joe… (or whatever the name is..) :wink:

First, let’s get professional monitoring out of the way here - I will limit this conversation to self-monitoring only. I will just say that self-monitoring is quite sufficient for many households in my opinion, and you could avoid false alarms and dispatch the police yourself with even better results, but I don’t want to have that debate here - big separate discussion.

Then, there is the obvious lack of battery and cellular backup. This is not unique to Hubitat, same problem with SmartThings and some others. However, based on my experience, even when those features are provided out of the box, they are often kind of finicky and limited. I would say that it’s a better long-term approach to set up your own UPS and cellular router regardless of which hub you have. If you are doing it for the first time, it will be a hurdle to figure out (router w/SIM support, data SIM card, etc), but in the end it’s solvable in a straightforward way if you are a Hubitat kind of user with a DIY attitude. I also don’t want to go into detail on this here – big topic, separate thread.

I’m going to focus on the cloud component here, and how it matters for self-monitoring. Hubitat’s concept of fully local processing is very wise. They recognize that cloud processing is not necessary for home automation (in fact, detrimental), and not even necessary for most of security monitoring tasks. Hubitat gives you reliable local processing, AND avoids maintaining complex cloud infrastructure, a win-win on both sides. But, if reliable self-monitoring is the priority, there are exceptions that do require the cloud, and Hubitat’s position of not saving any data in the cloud results in a few shortcomings, specifically in situations where a home intruder disconnects or smashes the hub. Here are two big ones:

  • Notifications have to have guaranteed delivery via the cloud. If your phone is offline during a home intrusion (e.g. on an airplane), and the intruder gets to the hub, the cloud notification service has to ensure that your phone eventually gets all notifications that the hub dispatched before it gets busted…better late than never.
  • Sensor event history has to be available off-site. If you get an alarm notification, but the hub is offline by the time you see it, you cannot get to the sensor history (Hubitat dashboard is down when hub is down), so you will not be able to review motion sensors events to determine if this was a false alarm or the real thing. False alarm assessment is critical for self-monitoring, and the event history, especially the motion sensors history, is the key (unless, you have a separate cloud camera system to supplement Hubitat, but here I’m talking about Hubitat alone)

You could argue that SMS notifications are reliable because many carriers retry delivery for some time before giving up, but it’s carrier specific. Alternatively, you could set up a Google Voice number which persists SMS in the cloud. The bigger problem is the 10 SMS/day limit with Hubitat. Because notifications are also your solution to saving the sensor history. The workaround with Hubitat is to set up notifications on each security sensor event while you’re in the Away mode. Hubitat makes that really easy – just 2 custom alert rules in HSM, one for all contact and shock sensors, and the other for all motion sensors. But 10 SMS/day is not enough for this.

This is where Pushover comes to Hubitat’s rescue. Pushover is a cloud notification platform, and as such, your notifications are saved in the cloud until they are delivered to your device, and subsequently stored in the app. This way your sensor events are always delivered to you regardless of what happens to the hub afterwards. Between Hubitat and Pushover notification configurations (priorities, group delivery etc), there is lots of flexibility to set up Pushover as your notifier and event history collector. As a matter of fact, even when Hubitat releases a mobile app, I still plan to retain Pushover for all my notifications.

There might be other situations where cloud is required…I can’t think of any right now, and so far I’ve got all the essential self-monitoring functionality I need. The way I see it, for self-monitoring Hubitat+Pushover is a fully functional DIY security platform. Pushover is Hubitat’s missing cloud component that fills the gap.

People say Hubitat is home automation, not security. It’s true that Hubitat security is not provided as turn-key (e.g. like in IRIS or Ring), but it’s all there out of the box (apart from a separate hurdle with cellular and a battery backup), and you don’t have to be a hardcore techie to set it up – if you have a DIY inclination and are willing to walk through a number of screens as a one-time exercise, it’s quite straightforward and does not take a lot of time - assuming you know exactly what to do. That last part is where Hubitat should do a better job in their documentation – they should put up a better self-monitoring setup tutorial with all core security components tied together: HSM, keypads, and Pushover. Right now, the biggest time waste with Hubitat security is spending some hours browsing through their forums and docs to tie it all together, and it does not have to be that way. Once I knew what I had to do, it literally took me less than an hour to set up all my security parts and forget about it.

Anyway - I welcome your comments on the cloud aspects and security essential features.

…and with that, you can now bask in the glory of my guidance, while Joe will be indicting me to the Hubitat Hall of Fame for pointing him the way out from Hubitat insecurity confusion to the secure light of clarity…or whatever..:rofl:


#2

I agree completely! In fact I got into home automation primarily to create a self monitored security solution since I was sick of paying for someone to "monitor" my alarm system. Hubitat combined with security cameras has been a great solution...plus with outdoor motion detection and notifications I can verify who is outside my house before they break in and trip an alarm, giving me even more advanced notice to alert the police. As you mentioned the only caveat is if I am somewhere with no service (i.e. airplane etc.) but I have it set up to notify a friend, neighbor or relative in those situations who can then check on my house.

Nice writeup for the new users.


#3

Another vote for self monitor security. Been running it since 2015. Having some knowledge about professional alarm services, nearly 90% of all alarm calls dispatched turn out to be false alarms. In some areas the police bill you after two false alarms. This goes for both business and residential. Listening to police radio traffic clearly lets you know that when they get dispatched for an alarm drop, they aren't breaking their neck to get there. And if it's a busy time alarm drops are lower priority. In the case of self monitoring, if you have personal confirmation your home is experiencing a break-in, calling the police (local dispatch, not 911) will save many minutes getting the call out on the radio. If the police believe there is an actual break-in in progress they WILL give it more attention.

Bypassing the professional monitors can save at least five minutes in time they waste trying to call the owner first before calling the police. However, self monitoring isn't for everyone. Many people won't invest the time to build out a system like that so they just pay through the nose for slow crappy service. It's the way of the world.


#4

Nice, good to know. You're confirming what I've suspected.

Let's move pro- vs. self- monitoring discussion to another thread. I want to focus on Hubitat features here, otherwise this thread will get out of hand quickly.

My point is, Hubitat+Pushover's got all you need for self-monitoring, although not all the features are evident upfront, and you need to spend some time setting it up.


#5

virtu, I could continue this discussion from a philosophical perspective since I'm an InfoSec guy for 20 years, but you've hit the main points on the head. Nice post.


#6

I totally agree. I just spent more hours than I wanted to just simply trying to figure out how to get my keypad to beep on a contact open event. It is buried under custom commands and motion. Who would have to look there? (thanks @ogiewon). I am still trying to figure out how to make the two button press for panic work.

A security tutorial is definitely needed or at least document how to effectively set up and use the supported keypads. What is in the docs is woefully lacking.

YF


#7

There’s a couple of tasks for you;

  1. searching for “two button press for panic work.” I’ve seen it mentioned before and recall that some pads do not support it ! Even if they look like they should.
  2. write up a security implementation. I’m pretty sure the HE guys won’t stick their necks out for that one. Not being a US company. Too many lawyers :blush:

#8

Yeah. Just finished the research on it. Apparently the dual police buttons on the Centralite version I have do nothing.

I hear you on the security implementation.

My gripe is the documentation on the keypads and Rule Manager. I should not have to beg for help on the forums and hope some kind user jumps in to help. If @ogiewon had not helped, I would still be grinding my teeth and pulling hair trying to get a farking beep out of my key pad.


#9

Thank you for your writing! As someone who is now considering buying one, may I know whether the official mobile app provides a push notification function, so that the user can be alerted via the app instead of SMS?

Thanks!


#10

You have the Hubitat native app called “Hubitat” in the respective app stores. This will give you presence and push notifications. It is a pretty new product by the team and one limitation at the moment is that you can’t see a list of previous notifications that were sent to you.
That is where the app “Pushover” comes in. It is a paid app but it is a nominal one time fee and not a monthly charge. Pushover has a Hubitat built-in integration and has been working great for a good number of users. The Pushover app will also keep a list of notifications sent to you.


#11

How do we set up push notifications to the Hubitat app?


#12

Once you install the app, a new device gets created (the name of the phone that you have the app installed on). You just include that device in whatever notifications you have set up.


#13

No need for a specialized router. Not a detailed explanation, but this works and you can probably get a cheaper data plan:

Flash custom firmware on your wireless router if that's what you use, because I can almost guarantee that the stock firmware won't do this. OpenWRT will do (I don't know much about DD-WRT's routing capabilities, all I know is that I hate it, but it probably works.) Get an Android phone (one that you can root, preferably, and NOT carrier branded) with USB-OTG support, a USB-OTG cable, and an Asix ax88179 based usb ethernet adapter. Disable basically every power saving feature of the phone (you really won't need it if you have a UPS.) Configure tethering to use regular ethernet (many third party apps do this, and newer AOSP versions have it built-in.) Set a static IP on a /30 subnet.

Configure a service on your router that always pings a server outside of your ISP's border routers, i.e. 1.1.1.1. If it goes down, configure it to redirect ONLY traffic from your hub (and anything else you need up 24/7, I advise against doing this for your entire network) to your second router (your Android phone.) If you use OpenWRT, this is easy:

https://openwrt.org/docs/guide-user/network/wan/multiwan/mwan3

And of course, configure a VLAN on the same /30 subnet as your phone, and point to your phone's IP as the failover next hop router.

Now the way you save money here is by going with a super cheap plan, say Project Fi, where if you use no data at all in a given month, then you're guaranteed to spend less than $20 a month (all the way down to $10 a month if you don't use anything.) Given this is just a regular phone, your carrier won't try to force you on another more expensive plan if they do an IMEI check, like they would with a regular portable hotspot, tablet, or 4G router.

Some carriers will detect that you're tethering and probably throttle you, and possibly even try to force you on another plan, (with T-Mobile in particular, this can be defeated by making your router pre-set your TTL value to 65 when exiting that interface) but there's a universal way of defeating that on any carrier:

That's also why you need a rooted phone. By the way, if you use a VPN on your daily driver phone, you'll also defeat your carrier's annoying throttling of services like YouTube, if they do that, without needing to pay extra for "HD streaming".

Remember that since we're (ideally) not using a whole lot of data, even the cheaper VPN providers will do, and since you're probably going to have most of your hub communication TLS anyways (if not, you really shouldn't have it doing anything over the internet at all) you don't really have to worry about how "secure" or "private" your VPN provider is (that is, unless you want to do some other things over this VPN provider as well.) Just go on the cheap so long as they can provide reliable uptime. Or better yet, spend pennies on an AWS host and run an OpenVPN server on it (I think it's free for the first 12 months even.)
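
The hub-only failover described in post #13, sketched as an mwan3 configuration. This is an added example, not part of the original post: the interface names `wan` and `lte`, the hub address 192.168.1.50 and the timing values are assumptions, and both interfaces need a default route with a distinct metric in /etc/config/network.

```conf
# /etc/config/mwan3 - added example; interface names and addresses are assumptions
# Primary uplink: probe 1.1.1.1 every 5 s, offline after 3 misses, back after 5 hits
config interface 'wan'
	option enabled '1'
	option family 'ipv4'
	list track_ip '1.1.1.1'
	option reliability '1'
	option interval '5'
	option down '3'
	option up '5'

# Tethered phone on the /30 link: probe rarely to keep metered data use low
config interface 'lte'
	option enabled '1'
	option family 'ipv4'
	list track_ip '1.1.1.1'
	option reliability '1'
	option interval '60'
	option down '3'
	option up '3'

config member 'wan_primary'
	option interface 'wan'
	option metric '1'

# Higher metric: used only when no metric-1 member is online
config member 'lte_backup'
	option interface 'lte'
	option metric '2'

config policy 'wan_then_lte'
	list use_member 'wan_primary'
	list use_member 'lte_backup'
	option last_resort 'unreachable'

config policy 'wan_only'
	list use_member 'wan_primary'
	option last_resort 'unreachable'

# Rules match top-down: only the hub (assumed 192.168.1.50) may fall back to LTE
config rule 'hub_failover'
	option src_ip '192.168.1.50'
	option family 'ipv4'
	option use_policy 'wan_then_lte'

config rule 'everything_else'
	option dest_ip '0.0.0.0/0'
	option family 'ipv4'
	option use_policy 'wan_only'
```

After restarting mwan3, `mwan3 status` shows which interfaces are currently tracked as online, which is the quickest way to confirm that unplugging the primary uplink moves only the hub's traffic.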