Local hub access via https and blocking of http access

I'm new here, and I apologize if I'm bringing up a topic that has been debated too much. I was just surprised to see a significant number downplay this request and talk about you having bigger problems if someone is already on your network.

I think we're underestimating how many networks are compromised to a small degree. And how impactful it is to have an insecure code executor GUI introduced into the mix.

Thanks for hearing me out. :slight_smile:

1 Like

Nothing is safe so long as it's connected to the world.... I don't know why people like you want to spread hype like this. It has been a well-known issue since the birth of the internet and wide public use for decades, and there are always people, like you, wanting to scare people.

Wow... "The safest machine in the world is disconnected and buried 6 feet under, so let's just move along and not utilize the protections available to us because it's just overkill!" argument... been ransomwared much... Security is and should be important and not overlooked because it scares people.

I have been accused of fear mongering here before, because I wanted HTTPS.

At one point in time I saw a user get a lot of flak for wanting a password on the device.

Now both of these options are available today.

Yeah, I also work in cyber security; I just think these hypotheticals aren't super likely to occur unless you're someone very highly targeted. Most of the threat actors that will be going after home users aren't going to spend the time doing recon on your home network. I'm not sure Hubitat is well known enough for someone to even know what it is without a ton of research. Do we really think a criminal actor is going to spend time writing Groovy code when much more common platforms are available and likely insecure?

By all means though, push for SSL, I'm just not personally moved by most of the arguments saying it's critical.

It’s already here... [Wiki] Hidden Features

1 Like

@evilborg I don't want to scare people. This isn't fake news or hype. We have well-researched, plentiful data into how bad actors think and act.

Security comes in layers. And to say "if it's on the internet, why even bother" is black-or-white thinking that as a community we should not subscribe to. Hubitat currently has a well-exposed attack vector where, as a bad actor, all I need is very limited access to port 80 on a network, and Hubitat gives me the rest. It's a known weak device that auto-identifies itself.

And yes, this is how these things actually happen. Bad actors don't manually go around checking each network and researching it to take it over. They run a bot that looks for a known vector, such as a weak unpatched IoT device. Then their bot looks for something similar to a Hubitat, and then it phones home that they're 100% in... please provide the next command.

@Hasty1 thanks for the info. I appreciate it!

Yep, I'm aware the not-fully-tested beta feature is there, so I guess the discussion is kind of pointless... I guess I was just pushing for the sake of having another conversation that I'm sure most are sick of having already.

1 Like
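A defender's check for the state this thread is asking for (cleartext admin UI on port 80 blocked or redirected, TLS answering on 443), added here as an example; it is not Hubitat's code. The port numbers, the hostname you pass in, and the `hub.local` redirect target used by the constructed stand-in server are assumptions.

```python
import hashlib
import http.client
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_http(host, port=80, timeout=3.0):
    """Classify the hub's cleartext port as 'closed', 'redirect' or 'cleartext'."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location") or ""
        conn.close()
    except (OSError, http.client.HTTPException):  # refused, filtered, timed out, not HTTP
        return "closed"  # no cleartext UI answers: the state the thread asks for
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return "redirect"  # cleartext only bounces the browser to TLS
    return "cleartext"  # admin UI reachable without TLS

def tls_fingerprint(host, port=443, timeout=3.0):
    """SHA-256 of the cert served on the HTTPS port, or None if nothing speaks TLS.
    A hub usually presents a self-signed cert, so this fingerprint is what you pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # self-signed: we record the fingerprint instead
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
    except OSError:  # ssl.SSLError is an OSError subclass
        return None

def assess(host):  # True when no cleartext admin UI answers and TLS is present
    return probe_http(host) != "cleartext" and tls_fingerprint(host) is not None

def start_demo_server(redirect):
    """Constructed stand-in for a hub on 127.0.0.1 (ephemeral port): serves the
    UI in cleartext, or only redirects to https://. Returns the bound port."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(301 if redirect else 200)
            if redirect:
                self.send_header("Location", "https://hub.local/")
            self.end_headers()
        log_message = lambda self, *args: None  # keep the demo quiet
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]
```

Run `assess("your-hub-address")` against your own hub; anything other than `True` means the admin UI is still reachable in cleartext or HTTPS is not enabled.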

But how are bots scanning to find your Hubitat that is not internet exposed? No one should be exposing their Hubitat directly to the internet, at least in my opinion.

I think @ben12 is referring to other IoT devices on the same network as the HE being the initial point of intrusion. Perhaps something like an IP camera.

3 Likes

^^^^ THIS! It only takes one weak device to then begin looking for other devices on the network. One computer or cellphone with a bad app to break the perimeter. And while Hubitat might not have the presence to attract a threat today, they might tomorrow (we are all seeing Hubitat get bigger and sell more units). A device that doesn't have a password by default, that has a powerful built-in script execution system, is a bot writer's dream.

This exactly :slight_smile:. Hubitat won't ever be your first way into a network. But Hubitat is a hacker's-dream second attack vector in the common scenario where a bad actor gets limited port 80 network access (which isn't all that useful by itself unless you have something like Hubitat sitting around ready to take orders and execute scripts via port 80).

About 5 minutes ago, I just created a mental list of IoT devices that I have, and there are way more devices than I had previously realized.

4 Sonos speakers
5 Alexa Echos
1 AppleTV
2 RokuTVs
1 Nintendo Wii
1 Ooma phone system
1 SmartDry
2 Anova cookers
1 SleepIQ bed
1 LiFX bulb
1 Sense energy monitor
1 Efergy energy monitor
1 Wyzecam

And this is without counting my 2 HEs, Lutron bridge, and Odroid running NR that sit in their own VLAN.

So there's plenty of things to attack ..... I need to apologize to you (@Hasty1) for previously being privately dismissive of similar concerns when you've raised them.

1 Like

If I can raise awareness and change one person's mind, it's all worth it!

I have been accused of spreading FUD and fearmongering here because of a belief that the Hubitat could be a real potential target for bad times.

2 Likes

I guess I can't help myself but to play the security devil's advocate...

I'm still not confident in saying that traffic sniffing is a super common tactic for the type of threat actors that go after home networks. IoT and appsec is not my area of focus; do these limited IoT devices, with what I hope are slimmed-down OSes, even possess the ability to network sniff? Do these embedded versions of Linux contain all the necessary libraries and other components?

I totally get the risks of lateral movement, that’s the world I’m in everyday (although in the corporate space), but I’m still not totally sure that the type of attackers we’re talking about are doing extensive lateral movement or even recon inside home networks. If there is threat intel out there that says the opposite, would definitely be an interesting read.

In the end it’s all about risk and likelihood of attack, I’m just not picturing attackers figuring out how to write groovy code to take advantage when there are much easier targets out there.

In the end I do agree that security is important, it’s not FUD, I just can’t help myself but to debate it.

And you shouldn't be - there is no hard data on this.

Could it be happening? Sure. Is it happening today en masse? Maybe, but probably not. Is there data to prove it one way or the other - NO.

Better security is great, as is advocating for it. Being cautious is great, and prudent. Statements that insinuate that everything is already a compromised dumpster fire so hunker down are speculation and irresponsible without data to back it up, though. And it is exactly why many cyber experts (and their companies) aren't taken seriously by C-suite executives. Too much FUD, too little data.

And like seemingly everyone else on here, I also have a cyber background. In fact I'm a Director in a Fortune 50 company and am responsible for it. Whoopie. That means little in the end, as we are mostly talking about "feelings" and not "data" anyway.

3 Likes

Agreed. However, there is precedent for IoT devices (IP cameras specifically) being compromised and repurposed for use in a DoS botnet.

(e.g. How 1.5 Million Connected Cameras Were Hijacked to Make an Unprecedented Botnet)

Again, I think the primary (sole?) intrusion points vis-a-vis home security remain doors and windows.

1 Like

I believe that’s one reason why this is a topic that tends to get heated most times it’s revived.

Everyone's perception of risks like this is different in the home environment that Hubitat is meant to inhabit.

And since Hubitat can’t implement all feature requests at all times, opinions are bound to differ on what should come first.

2 Likes

It's important to have this conversation and to understand the issues and risks. Hubitat is relatively well positioned (I have run a pen test or two on mine), and a little good proactive care at home like network segregation and a little monitoring is all you need to be assured for a regular home network, plus being careful about what external (cloud) systems you leverage.... That said, most users have no idea what a firewall is, let alone network segmentation. I believe there is a responsibility to maintain a strong and appropriate security position, and yeah, there is always port 80, but again that can be very tightly controlled by the skilled and not so much by the general punter...

2 Likes

It is amusing; the conversation gets heated when we discuss security... many see it as a negative when in reality, if done right, it actually makes things way more straightforward... I am using several local systems that integrate cloud-based security into the local systems, and their management enjoys the flexibility of the cloud approach while gaining the benefit of local and independent deployment, and they are really very straightforward to interact with (a little more straightforward than Hubitat, believe it or not)....