Is there any way to prevent exposing all of my devices within the Hubitat app?

Platform version 2.3.7.144 with a C7.

When I log into the Hubitat app on my phone, regardless of whether I'm on LAN or WAN, I can control all of my devices. This seems like a massive security concern, considering 2FA is not available.

Is there a way to prevent this from occurring in the meantime until we receive 2FA? I tried adding a device to a miscellaneous room (I saw this "work around" on another thread) but now I just have a new, misc room with one device in it but I can still see everything else.

Edit: To be clear, I'm logged into the hubitat app on an android phone, and every device and room shows up under the "Lights/Switches" section. So far I've de-registered my hub from my "my.hubitat.com" account but I am still able to control and see ALL of my devices when I am on cell service. I then reset my password, but didn't log out on my hubitat app. I was again still able to see and control all of my devices, even after my password was changed. I was still on wifi at this point though so MAYBE it was just local control? Still it did not force the account to logout and re-login. I've manually logged out and back in with my new password now.

Create a dashboard that only has the set of devices you want to expose, share a link to that dashboard (WAN and LAN). There is no need to share app credentials (or even to use the app).

2 Likes

It's not the dashboard that's the issue. The lights/switches section of the app shows all of your rooms and devices. It's an issue because having all of your hubitat devices protected solely by your hubitat.com username and password without 2FA is pretty concerning. Unless I'm missing something here and there's a way to prevent all of my rooms and devices showing up under "lights/switches"?

Did you miss this part of what @672southmain wrote?

1 Like

You are missing something here.

Again, create a dashboard with only those devices you wish to expose. None of the others will be accessible. Don’t use the app.

1 Like

You not using the app won't stop someone else from doing it, though, and it sounds like that is really the question/issue. The only thing at the moment to me seems just not to register for a cloud account (or at least not register this hub), then it's not possible in the first place. (You can still use Hubitat Dashboard without this, and you can find other solutions for push notifications, presence, or whatever else you might want the mobile app for.)

5 Likes

Well, they can’t use the app if they don’t have credentials, which wouldn’t have to be given out to dashboard users.

1 Like

Yes you got it, and why this is a security concern IMO with the lack of 2FA lol. Anyway that might do it. I'll have to figure out how to unregister my hubitat from the cloud account then. I really don't need anything cloud based, and if so I'll just VPN in.

This is one of the main reasons I liked the hubitat, being that everything is local and secure, but having this much exposure is concerning.

Data breaches happen every day. I have people trying to log in to all of my accounts constantly, and some get in, but 2FA saves your ■■■. I've been SIM hacked, everything. Having random passwords stored in something like Bitwarden is also very helpful, but again, not everyone is automatically following this strict of a password procedure. Many people will have shared passwords between their different accounts, however, so their hubitat username and password combination is the same as another account that was stolen in a breach, for example.

This happens ALL the time...

1 Like

Ok, then it’s as Robert (@bertabcd1234) indicated. Your needs may dictate that there be no cloud exposure, and you will have to use VPN to remotely access your hub.

However, if you are as careful as you seem, then you don’t re-use passwords, and you have extremely long, complex, and unguessable passwords. I’m truly surprised, if you follow those safe practices, that anyone is ever able to guess your password for Hubitat.

2 Likes

Not to minimize the importance of security, but I'm not totally getting the level of concern, as I perceive someone would need to connect to your network first and, if by wifi, they'd need to hack the password, then load the app on their cellphone and sign into the hub, which you can't do without logging into the hub, requiring a password. Even if they did, going from a zigbee device into your LAN is no easy task, if it can even be done.
I'm thinking anyone with this skill level is likely hunting larger targets, unless Kevin Mitnick is your neighbor. :grin:

3 Likes

So how do I remove cloud access to only the Hubitat servers? From what I'm finding, when you say "remove cloud access" you mean isolate the hubitat from the internet. If I do that then none of my cloud connected services like Google Home will work.

I'm beginning to think there isn't a solution here...

Several possibilities. You could block the Hubitat server ingress at your firewall, or you could, as @bertabcd1234 suggested, unregister your hub, which leaves no path for the app into your hub from the Hubitat cloud server.

2 Likes

Will that stop platform updates and/or cloud backups?

I believe so. But local backups will still work. And, because the hub updates are pull rather than push, they might work.

I was under the impression the cloud backups were the only ones that included the radios, or at least the zigbee one.

Yep, your impression is correct. Such are the sacrifices for security. It’s always a trade off.

1 Like

Any chance we can just get a real fix for this? Maybe the ability to not push all or certain devices to the cloud?

This isn't a solution, I too would prefer to see 2FA, but do you not need to have devices in a room for them to appear?

No, they show up even if they aren't assigned, every single device. I've deregistered my hub from the cloud at this point, however, which is disappointing.