  • 0

When will the HC2 security be strengthened and vulnerabilities be solved?


Lambik

Question

When will the HC2 security be strengthened (https login, for example) and vulnerabilities (see image below) be solved?

 

Please login or register to see this attachment.


15 answers to this question

Recommended Posts

  • 1
  • Inquirer
  • @redsave, thank you for reporting.

     

    I asked this for a long time, and it's (again) a typical Fibaro response.

    Quote

    The customer decides / ensures the security of the home network – access to e.g. the router settings is also without https

     

    No modern network device lacks the possibility to log in by https. Most of them have it enabled by default. We are living in 2017, not the early 2000s....

     

    Nobody can ensure its network is 100 % secure, not even professional companies, so it's all about strengthening it as well as possible. Securing is all about lowering the weaknesses to the lowest possible level and constraining the consequences when breached.

     

    Because of the known security flaws of IoT devices, the possibility of a home network being hacked is often warned about. The HC2 is more likely to be a member of a network where IoT devices are included (like IP cameras, other IoT gateways, etc.). So you can say the safety risk is increased in these kinds of networks.

     

    Secondly, a lot of home users are not security specialists. A lot of IoT devices are accessible from the internet because of the lack of knowledge of how to safely implement these devices. Just check the shodan.io search for IoT devices to be convinced.

    For example:

    Please login or register to see this link.

    A lot of the search results have direct access to the HC2 webmin. These devices are accessed, by their users, by http over the internet and are vulnerable!

     

    Thirdly, a lot of devices are not maintained by their builders. So even if a home user is a specialist he has to spend a lot of time isolating the vulnerabilities. And at this point the Fibaro HC2 is one of them.

     

    Security should be maximized by default. And having a device which is built on an EOL embedded OS, which must be accessed by a non-secure protocol, and which has several Asterisk vulnerabilities is not a safe device. Period.

     

     

    On 7-11-2017 at 2:25 PM, barend121 said:

    Is this an OWASP framework or something else?

    Sorry for the late response @barend121... :oops:

     

    I'm not familiar with the OWASP framework, but on

    Please login or register to see this link.

    OpenVAS is not mentioned.

    • Thanks 1

    • 1
  • Inquirer
  • At this moment I don't use any Fibaro services, not even the remote access.

     

    I get access by using a private OpenVPN connection to my LAN, all communications to email/push/Telegram/IP-Cams/other IoT/etc is done by a RaspBerry Pi using Node-Red with https secured commands, user/password authorisation, etc from the HC2 (by using https API commands in HC2 Scenes). Other IoT Devices communicate with secure and proper authentication from/to a MQTT (Mosquitto) server. Works like a charm without the need to open ports to the Internet.

    (see my signature for examples/info regarding Node-Red)

     

    So I'm, kind of, prepared... I hope....;)

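The post above relies on Mosquitto accepting only authenticated, encrypted MQTT clients. The following is an added example (not Lambik's own configuration) that puts a weak, default-style listener beside a hardened one; the certificate, password and ACL file paths under /etc/mosquitto/ are assumptions.

```conf
# ---------------------------------------------------------------
# WEAK: plaintext MQTT on 1883, anonymous publish/subscribe allowed.
# Any host that can reach the broker can read or control every topic.
# (Shown for contrast only; do not keep this listener in the real file.)
# ---------------------------------------------------------------
listener 1883
allow_anonymous true

# ---------------------------------------------------------------
# HARDENED: TLS on 8883, per-client credentials, no anonymous access.
# ---------------------------------------------------------------
listener 8883
allow_anonymous false

# Username/password store, created with the mosquitto_passwd tool,
# e.g.  mosquitto_passwd -c /etc/mosquitto/passwd hc2   (path assumed)
password_file /etc/mosquitto/passwd

# Broker certificate and the CA that signs client certificates (paths assumed)
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key

# Mutual TLS: a client must also present a certificate signed by cafile
require_certificate true
tls_version tlsv1.2

# Topic-level authorisation so each device only sees its own topics
# (ACL file path assumed; format: "user hc2" / "topic readwrite hc2/#")
acl_file /etc/mosquitto/acl
```

With this in place a client that connects to 1883 or without credentials is refused, which is the behaviour the post describes for its IoT devices.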

    • 0
  • Inquirer
  • @1152 Sure!

     

    You can use the

    Please login or register to see this link.

    of the

    Please login or register to see this link.

    (Open Source vulnerability scanner and manager) and execute a target scan.

     

    FYI, when starting the VM for the first time, be patient. It downloads about one GiB of data: Network Vulnerability Tests (NVT) by rsync, Security Content Automation Protocol data (SCAP) and Computer Emergency Readiness Team data (CERT).

     

    EDIT: Live demo is available:

    Please login or register to see this link.

    Edited by Lambik
    • Like 1

    • 0

    Hi @Lambik,

     

    Thank you for your valuable input.

     

    I will pass that information to the person responsible.


    • 0
    Quote

    https login

     

     

    Quote

    17/6/2016

    At this moment we do not have plans to implement the https protocol for local access.
    The customer decides / ensures the security of the home network – access to e.g. the router settings is also without https.
    The introduction of https for local access could increase the response time of the controller (due to additional security).

    On our side, we strive to provide the highest level of security for remote access (including https).

    But I will pass your suggestion to the department responsible for development.
    Have a nice day!

    -- 
    Pozdrawiam, 
    Regards, 

    Rafał Ciesielski 
    Technical Support Engineer 

    Fibar Group S.A. 

     


    • 0

    @Lambik I totally agree with you. This is something so simple to implement yet so important that it's inconceivable they are not caring about it.

     


    • 0
  • Inquirer
  • Well, personally, I think it has something to do with infringement of the Open Source license of the embedded Debian OS.

     

    I noticed they will not use any Debian/Linux services but code their own. See how they handle NTP (network time), SMTP (custom mail settings) and other protocols that are already implemented in the embedded OS. Not to mention omitting updates of the EOL embedded Linux version.

     

    Just guesswork though....

    • Like 1

    • 0

    Well, we should pretend https.

    Say tomorrow Fibaro is going to do this:

    Please login or register to see this link.

     

    No remote access, what would you do? 

    We should be able to use the device standalone and in a secure way. 


    • 0

    Lambik, while I do agree with most of your writings here, I also think Fibaro is right: it's your own responsibility. I don't see how it could be different. Only you know the risk, only you know what needs to be protected and how much openness and integration is needed. Honestly, are the risks that big in smart home IoT? I think not. But you should evaluate every new device and integration from a security perspective, and take your precautions in the code/scenes. And you should monitor events, errors, patterns etc. - now that's in fact a feature I miss with HC2: access to a detailed system log, so that I can create alarms on certain patterns etc. That would really improve security, and I think it would be a better priority than hardening the box.


    • 0
  • Inquirer
  • @ivhansen Of course it is my responsibility, I don't argue that. But security is as weak as the weakest link. And the HC2 is vulnerable without encrypted LAN communications and with an outdated system OS.

     

    Maybe you should think about this: you are a customer, like me, with knowledge way less than the people who want to abuse it. What do experts say about security?

    1. Keep your systems updated
    2. Secure your connections

    That's the only thing I'm asking for. To keep my network, my devices and my home users as secure as possible.


    • 0
  • Inquirer
  •  

    Please login or register to see this link.

     

    Quote

    For all domotica users, be aware of the risks when connecting internet of things devices directly onto the internet. Next to the above exploit example, I discovered lots of internet of things devices connected onto the internet using Shodan. It is possible to connect to these devices to read and/or control them. If remote management of internet of things devices is required, it is wise to disclose them using a VPN server. Also I would like to recommend network segmentation whenever implementing domotica devices onto your local network: implement a DMZ (for internet-facing devices) and/or a domotica VLAN to separate the devices from the regular network.

     

    Sounds familiar? The actions mentioned are exactly how I have my setup right now.

     

    Connections to my IoT devices (and HC2) are made by a private VPN to a segmented VLAN, blocking all communication to the internet.

    Edited by Lambik

    • 0
  • Inquirer
  • Nothing changed since November last year:

    Please login or register to see this attachment.

    • Like 1
