I'm very concerned about security. I read that smart devices, since they're not that expensive, could be hacked more easily, and I don't want someone from Russia to control my lights.
Therefore, I decided to create a separate VLAN (let's call it 2) for Matter devices on my network, accessible by a specific SSID.
In my router, VLAN 2 doesn't have access to the internet.
Since I still want to access my Hubitat from outside my home, the Hubitat is on the regular VLAN 1 (I trust Hubitat for security).
For the Hubitat to access the Matter devices, I authorize VLAN 1 to communicate with VLAN 2. The best thing would have been to let only the Hubitat IP access VLAN 2, but my router (MX68W) doesn't allow an IP directly, I'm not sure how to set up the Bonjour forwarding, and Group Policy doesn't seem to work with ChatGPT instructions.
That was the relatively part.
However, when I want to add a device, I need to use Google Home, and it has many steps:
Connect to VLAN 1 (Google Home needs internet)
Add Matter device
When the device is discovered and I see the message to check that I'm on the 2.4GHz network, I switch to the VLAN 2 SSID (if I understand correctly, at this step the communication is by Bluetooth).
Add the Matter device
The Matter device, once added, is shown as offline in Google Home because I have to go back to the VLAN 1 SSID
In Google Home, on the offline device, get the code to associate it with Hubitat
Associate in Hubitat
Delete the device in Google Home
Connect the device to Google Home by allowing it in Hubitat
Is it necessary? Is there something easier? Am I the only one doing this?
I have an HE C8 and plan on switching the MX68W to a UniFi Cloud Gateway Max.
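The inter-VLAN policy the post is after (only the Hubitat address allowed into the Matter VLAN, no internet from that VLAN, everything else dropped), modelled as a first-match rule set with a per-source count of denied flows, which is the view a router's block log gives. This is an added example, not code from the thread or from Meraki; the subnets, the Hubitat address and the sample flows are all assumed or constructed.

```python
import ipaddress
from collections import Counter

# Addressing is assumed (the post gives none): VLAN 1 = 192.168.1.0/24,
# VLAN 2 (Matter devices) = 192.168.2.0/24, Hubitat at 192.168.1.10.
# Anything outside 192.168.0.0/16 is treated as the internet (WAN side).
VLAN1 = ipaddress.ip_network("192.168.1.0/24")
VLAN2 = ipaddress.ip_network("192.168.2.0/24")
LAN = ipaddress.ip_network("192.168.0.0/16")
HUBITAT = ipaddress.ip_address("192.168.1.10")

# First-match inter-VLAN rules, evaluated top to bottom. A stateful firewall
# is assumed, so replies to allowed connections need no extra rule.
RULES = [
    ("hubitat-to-iot", lambda s: s == HUBITAT, lambda d: d in VLAN2, "allow"),
    ("lan-to-iot", lambda s: s in VLAN1, lambda d: d in VLAN2, "deny"),
    ("iot-egress", lambda s: s in VLAN2, lambda d: d not in LAN, "deny"),
    ("lan-egress", lambda s: s in VLAN1, lambda d: d not in LAN, "allow"),
]

def evaluate(src, dst):
    """Return (action, rule name) for a new flow from src to dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_match, dst_match, action in RULES:
        if src_match(s) and dst_match(d):
            return action, name
    return "deny", "default-deny"  # anything not listed is dropped

def denied_by_source(flows):
    """Count denied flows per source address (what a block log would show)."""
    counts = Counter(src for src, dst in flows if evaluate(src, dst)[0] == "deny")
    return dict(counts)

# Constructed sample flows (not from the thread).
SAMPLE_FLOWS = [
    ("192.168.1.10", "192.168.2.50"),  # Hubitat -> Matter bulb: allowed
    ("192.168.1.23", "192.168.2.50"),  # laptop on VLAN 1 -> bulb: denied
    ("192.168.2.50", "203.0.113.7"),   # bulb -> internet: denied, no egress
    ("192.168.2.50", "203.0.113.8"),   # second attempt, also denied
    ("192.168.2.50", "192.168.1.23"),  # bulb -> laptop: default deny
    ("192.168.1.23", "203.0.113.7"),   # laptop -> internet: allowed
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
    print("denied per source:", denied_by_source(SAMPLE_FLOWS))
```

A device on the Matter VLAN that keeps showing up in the denied count is the kind of signal worth a factory reset or a closer look.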
1st, it's very unlikely that someone is going to directly access your devices. What you need to be concerned about are accounts like Google and whatnot. Make sure you rotate passwords on a regular basis and that 2FA is set up on every account.
2nd, you can pair Matter devices directly to Hubitat without using Google first.
3rd, if you want to keep multiple VLANs, make sure that Hubitat can see them properly. Use the endpoint "Restricted non-local access to the hub". It allows non-local subnet whitelisting by using the /hub/allowSubnets endpoint, e.g. /hub/allowSubnets?123.123.123.0,124.124.124.0. Running the endpoint without parameters displays the currently whitelisted subnets.
I'm a network engineer and honestly at home I have a pretty flat network. I don't worry too much about hacking.
Maybe if your IoT network has Wi-Fi connected devices. The exploits we read about where hackers have watched cameras had to do with the device's cloud account being compromised, not the device being hacked from a car out on the road. Use password security as rlithgow1 suggests:
Unique, hard-to-guess passwords on each online account.
Turn on two-factor authentication. Having a one-time password sent to your phone is better than nothing. Using an OTP generation program such as Authenticator or KeePass is better. I prefer hardware keys (YubiKey) everywhere they are offered as an option. Sad that more places don't offer WebAuthn/FIDO2. When I was setting up user authentication, enabling hardware keys was a checkbox in the config pages.
I don't know if this would be considered "hacking" per se, but what about devices that have malicious code in them already? My toaster oven is connected to the internet. So is my pool robot, my dog's tracking collar, my Govee string lights, the mini-split in my garage, the alarm in my pool, my bed, etc. etc.
It's probably unlikely, but not outside the realm of possibility, that any one of the things connected to my network could have malicious code. Perhaps sitting dormant so they don't raise suspicion.
I just noticed earlier today that one of my Echo Dots keeps trying to make connections to India, Thailand, Indonesia, UAE, Malaysia, Peru, South Africa and Brazil. WTF? The logs only go back as far as Nov 30, so I don't know how long this has been going on. The attempts were all blocked by my router. I have Echo devices all over the house, and this is the only one with suspicious activity. I should probably do a factory reset on it or just hit it with a sledgehammer. I have a box full of spare Echos so it's no big deal.
Did someone hack this device, perhaps when my network wasn't as secure as (I hope) it is now? Did it always have code that tries to connect to something in those countries? Who knows.
I'm not paranoid and I don't stay up at night thinking about stuff like this, but there are lots of bad people out there.
Nothing would surprise me. It nearly climbed out of the pool a week or two ago. There was a review on Amazon where someone said it actually did and was roaming around their pool deck before they caught it and shut it off. It's all part of the conspiracy, but nobody believes me.