I was wondering if anyone knew a way to create a local-only dashboard. I saw the SmartTiles dashboard, but it’s not very secure, what will exposing the access_token in the URL and all that jazz. I know you can hack off the token to require a login, but it still feels a little bit iffy to me. I’m feeling like the answer is no, but I was hoping to find a way to create a visual dashboard like that, but one that could only be accessed from within the house. I have the phone app for the monitoring while I’m away.
Is there/will there be any potential for this? I was thinking maybe something like rasberry pi with a touchscreen, but would only work when locally connected to the hub.
Does anyone know of projects like this? Either existing or in the works? Otherwise, I might start pouring through the dev documentation to see if it’s possible to with rasberry pi or something similar.
Nothing is local (until hub 2.0) so no matter what you do, if you want to “see” any status of your home, or change it, you’ll need to use the exact same REST endpoint system used in Dashboard.
There is nothing insecure about it - you control the endpoint (in the Phone app, or via graph api) so if for some reason an endpoint “gets out” and bad people are randomly turning on/off stuff in your house, you can always just remove the smartapp.
I’d like a per-instance way to revoke endpoints myself, but I’ve not found it yet. Still, the big hammer works fine.
All of the information like statuses of your devices are stored in the cloud, so good luck trying to get those information through the hub. I’d imagine that you’ll need to build some smartapp to subscribe to all the devices you have out there and feed it to some local server you have through the hub. Sounds like a bad architecture to me, even iffier than exposing the access token.
If you get man in the middle attacks, the phone app isn’t safer than what SmartTiles has now anyway.
Agreed - that’s what I’m thinking too. I will probably have to see what additional options the Hub v2 offers to see if there’s a non-stupid way to accomplish this.
Yeah, what I’m going for might not ever be possible in the ST framework. Which is fine, I love everything else about the ST ecosystem, so it’s at most a minor annoyance.
In a perfect world, I would love to have a device (or smart app) that functions as a dashboard, but only when it’s actually in my house. Wait, I’ll all Scrum on it
As a User I want to view all my device statuses in a secure, easy to read dashboard so that so that I can see everything at a glace and take action as appropriate, and feel reasonably secure that my dashboard cannot be compromised.
But who knows, like I said, it might be a pipe dream.
1 Like
tgauchat
(ActionTiles.com co-founder Terry @ActionTiles; GitHub: @cosmicpuppy)
8
Yes.
The way I always describe it (though I’m not privy to any secret or in depth tech info…) is that Hub V2 could be described as a “local cache” of all the Device Handlers and SmartApps (except those with any cloud dependencies).
Phone App access still goes only through the Cloud for now.
All configuration changes are made to the cloud and then automatically pushed to your cache.
Events and states are cached locally, but… flushed to the Cloud.
If cache runs out of memory, there will be some sort of priority under-the-covers to pick what is cleared out.
If all you want to do is view, you can make smarttiles read only, there is a config setting just for that. So that even in the highly unlikely event someone else gets your URL they can’t control anything. Further more there is a setting to change your token in smarttiles, you can change it every week if you like.
If you are required to login, it makes the dashboard as secure as the SmartThings account itself. Do you feel that your SmartThings account is secure?
SmartTiles has the built in mechanism to reset access token without needing to uninstall the app.
It used to work like that, but at some point ST changed something that prevented tokens from being invalidated. I never got an explanation why that was changed and how to work around it.
It’s probably my own neurosis more than anything else. I literally just dropped ADT For SmartThings this week, so I’m still trying to reconcile the ADT level of things with my expectations of ST level of hwo things work.
My thoughts are not a criticism of your work in any way, shape or form. It’s all about me in this and wanting a bit of a security blanket is all
Your concerns are totally valid. There’s plenty of discussion elsewhere on security of SmartThings, two factor authentication, user level control, separating control from configuration, etc.
No blanket is bulletproof, but some are fussier than others.
That part is the pipe dream for anything that is cloud hosted, or in any way cloud backed.
You could have the illusion of security, but it’s just an illusion. No matter how you access the data/control in Smart Things, your access is only as secure as your user/password. I know there are folks out there (Steve Gibson comes to mind) that are totally freaked out by the security risks of IoT.
