Hi,
So I recently installed the Hubitat app on my Android device, and to my surprise, it had access to my local devices (on the dashboard).
I also learned that you can purchase a "remote admin".
I don't want any of these. I want my Hubitat to be local. When you integrate your Hubitat with Google Home, you can select which devices can be managed by Google Home (e.g. not include certain devices). I would like to do the same for "hubitat cloud / hubitat portal". Basically, I want to prevent Local Hubitat from exposing any devices (and configuration) to any 3rd party (and I consider Hubitat cloud a third party), or at the very least, control which devices are exposed to the cloud.
Is that possible? I can't seem to find the option.
I'm going to reply to myself. It's been a while since I set it up, but it seems that Hubitat Dashboards app can be disabled. Whether that disables entirely the remote admin option, I don't know. Looking further into settings of Hubitat Dashboards.
Turn off the cloud option for each dashboard and they won't be available when the upper right icon in the app is a cloud but will be when it is a house (local). Don't add things to Google or Alexa and they won't be available. Remote admin makes everything available since the admin has access to everything.
Thanks Terk! Looking now at dashboard settings, I already found a way to disable creation of new dashboard.
But here is the hypothetical:
Say I go to "subscriptions" and purchase "remote admin subscription". Would I have to confirm this subscription on my local Hubitat, or would it suddenly give me access to my local hubitat from the internet? (if the latter, that meant that hubitat cloud had full access to my local device all the time).
Sorry, I haven't tried the remote admin service yet since I use a VPN to access my hubs. However I would imagine if you have the local hub login security set that you would at least have to get through that credential as well?
I have my own VPN too, and that's why I don't want hubitat's network to expose my device in any way (or have access to it).
Maybe I'll try the trial of remote admin just to see if I'll get access. I imagine, as you say, that I'll still need local credentials, but that doesn't make me happy - it basically would mean that Hubitat's network exposes a device from my local network to theirs and the internet. If that's the case, I would probably decide to move my Hubitat to a different VLAN, but also I would have to seriously reconsider having my door lock paired with Hubitat.
Maybe I'll simply ban outgoing internet connections from my Hubitat to the internet (though I need to keep a whitelist for Google Home somehow).
I wonder if Google Home integration goes directly from my local Hubitat device to Google, or whether it's proxied through Hubitat's infra.
The Hubitat mobile app is optional and wouldn’t do much for you if your goal is to completely avoid the cloud anyway. So uninstall it from your phone, and that problem is solved.
As @Terk explained, it’s certainly possible to use dashboards without going through the Hubitat cloud.
And some integrations like Alexa are 100% cloud-dependent, but Alexa doesn’t work without an internet connection anyway. I’m not actually sure about Google Home as I don’t use it; I’d be surprised if the integration w/ Hubitat is local though. But again, also optional.
If you want to disable the hub’s ability to communicate entirely with the internet, including Hubitat’s own cloud servers, AFAIK you’ll need to create some firewall rules in your router or whatever device you’re using as a LAN firewall.
If you use presence sensors on your phone for anything, blocking the hub from the internet will break those, as well as TTS, which needs the internet to create the TTS announcement the first time at least, and any push notifications will not be available as well.
This whole line of thought is a bit off to me. There are certain functions that will need internet access though. With that said everything can also run locally on the device that isn't cloud dependent.
If you want it to run without internet access, put it behind a firewall and block the hub's internet access. Once that is done, review your firewall denies and determine if you want them to be opened or not.
There is nothing saying you can't put the hub online, set up all your rules and such to get it working the way you want, then simply pull the ethernet. It should work fine as long as your devices are all Z-Wave/Zigbee and the rules are configured as desired.
Basically, what I expected was a way to restrict the devices/type of access provided by connection to the Hubitat cloud.
I don't mind the connection itself, but I do mind exposing my door lock and the "reverse connection" (proxy) for remote admin.
Such a reverse connection poses, IMO, a larger security threat / bigger attack surface, and I simply would want to turn it off. (The fact that you can enable it remotely simply by paying $3 means that it's always active on the Hubitat client side).
E.g. when you connect hubitat to google cloud you get to choose which devices are exported and visible at google, and google is (hopefully) not allowed to connect back to my Hubitat's admin interface (even if password protected).
I would expect the same level of control when connecting to Hubitat cloud. That's all.
I hope it makes sense. I appreciate all of your comments.
Unless you subscribe to remote access, there is no remote access connection.
Only devices that you select will be exposed to the dashboard or any other cloud integrations.
So your lock data (or any other device data for that matter) isn't sent to any of our servers or anyone else's unless you authorized it in the first place.
Great! Mike, are you saying that after I subscribe to remote access, I need to confirm that on my local Hubitat device? (right now it seems like I can subscribe from the app, not necessarily being in my local network, and I was assuming that subscribing will give me remote access immediately).
Ok, so the remote admin subscription function is for people that don't want to set up a VPN but want to be able to admin remotely. It is unnecessary for the control or programming of Hubitat locally. You do not need to purchase it. Cloud access by default is available for your dashboard(s) but you can choose to restrict those as well. Devices connected to hubitat are not exposed to the outside world. As to your question above, your hubitat when registered does call home for dashboard purposes. That is how the admin function is available via registration.
They don't need to "connect back"; you're allowing them access to "certain devices".
And with Google linking this information to your email account, phone number, and all other devices associated with Google, they will now have the metadata to know exactly which room you are in for how long, when and what time you wake up daily, leave and return, your daily routines with your smart home devices, logged conversations when around Google devices and much more all linked together.
From an outsider's perspective "security" is the farthest from your concerns.
All remote access does is allow you to connect to and manage your hub via the web UI, just as you would when on your home network.
If you aren't using the remote access connection then nothing device data wise is being sent to the cloud. If you are using the connection then the data being sent to the cloud only consists of what you are actually seeing in your web browser.