New to Forum - Worried about Remote Access security

I am starting to research introducing smart devices into my house. Some key devices will be door locks, garage door sensors, light dimmers, water leak detectors, and security.

There are a lot of good products and information on how to setup and use the devices with ST and other hubs, but I am very concerned when it comes to Remote Access. What is available to protect my house from being hacked, while also providing the benefits of the technology?

What prevents your front door from being kicked in? What prevents your cable modem from being hacked? What stops a rock from smashing through your window?

These are all risks in home ownership. Take the appropriate precautions, good passwords, change often, locks, bars on windows, etc.

The rest comes down to how you use tech. Security is an illusion, locks keep honest people out.

Monitoring and cameras are far better as both deterrents and document the potential for crime.

Can’t stop crazy, but usually crazy doesn’t use a spread spectrum jammer, they just kick the door down.

11 Likes

Like with any on-line service, your account can be hacked, particularly if your password is weak. And if someone gains access to your account, they can do whatever they want.

What @pstuart said.

Plus most burglars in residential neighborhoods get in through windows. The best deadbolt in the world does nothing if the door is next to an unbarred window. :wink:

Most US homes have hackable automatic garage door openers already, and nobody thinks twice about it unless they know they personally are likely to be the individual target of stalkers or home invaders.

That said…probably the biggest general concern is techno punks in upper middle class neighborhoods. Bored teens with enough time and money to buy sniffer equipment and drive around looking for targets of opportunity. You want your network to be secure enough that you don’t look like an easy mark to them. But that’s pretty easy.

edited to add

@geko’s point about online accounts is also important, since one crack might expose thousands of accounts. But what can they do with them?

If you’re worried about physical barrier breach, they have to be at your house. So again, are you likely to be an individual target?

If you’re worried about remote techno punk attacks, there’s not much they can really do. Turn the thermostat up or down, maybe. Turn the lights off. Annoying, but how dangerous depends on your individual situation.

I’m quadriparetic. I don’t put anything on remote access that might cause a fire, Ever. (Not because of fears of malicious attack, just system error.) But that’s me.

The one piece of general advice I would have is never put a gas fueled appliance on a network that isn’t monitored by humans 24/7. That’s the one that could kill you if something goes wrong.

FWIW.

Most important is your router. Change the wifi ssid name and password. Also change the web interface password or disable remote access to it.

2 Likes

I forgot to mention @tslagle13 has a FAQ on network security that might be of particular interest:

I can think of at least three types of attacks:

  1. Denial of service, essentially rendering your home automation system useless.
  2. Remote takeover of your home automation system with the goal to cause physical damage. For example, cranking up your heater on the hot summer day or closing the garage door while your car is exiting the garage.
  3. Takeover of your home automation system to gain physical access to your property.

Sure, but again, are you likely to be a specific individual target, or are you just concerned about random techno punks?

If they’re going to try for a physical barrier breach or they want to close your door on your car, they have to be physically at your house or at least directly viewing it.

That’s not random violence, that’s someone out to get you personally, in which case a rattlesnake in the mailbox is just as likely.

The denial of service is the same as a random power outage. How big an issue depends on your specific setup.

The thermostat is the one where I agree there’s a potential for real harm to random targets. That one does worry me.

1 Like

Thank you for all of the responses. Once they have access to your automation system, they also have access to the rest of your network as well. I currently have all remote access on my router disabled. The only way to access my internal network is from being connected from inside the firewall.

It is the Denial of Service, the disruption to the automation, and access to other critical data is what I am wanting to protect against.

I will read through the Network Security post to see if that satisfies my concerns.

Thanks for the comments and feedback

1 Like

Luv the term.“techno punks”, JD! :slight_smile:

1 Like

Used to be “young punks” but that doesn’t sound high tech enough.

1 Like

Only if your home automation is on the same network. If that’s a concern, that’s an easy fix if you’re willing to spend the money–just get the home automation system its own wifi network.

I would suggest, for strong passwords, to get something like LastPass. Here is an example of what one of my passwords looks like:

p9STtG9oWzrI4qbDyEt0&GTnL5OdQG1!S*4f0%91GNDMO7c3Vf2WHobwiLIigKnOl9%j0w^Sz%o62ui3mVnKnn56R$p6x$Nzsn%z

You could also do KeePass, which keeps all of your data local, if your worried about a hacker hacking a cloud service like LastPass. Although they had a security breach last week, if you have a strong master password, it’s very unlikely they will get your data.

The key is to make sure none of your passwords are the same. Hackers aren’t looking to break Gmail, or Amazon. They are looking to crack in to the Mom and Pop website that you bought an Air filter from in 1997, and that site hasn’t updated any of their security. If they get into that, they get your email address and password that you haven’t changed in the same amount of time.

And finally, if a site has security questions, like “What’s your mothers Maiden name” or what was your first car, make the answer something silly, like “5OdQG1!S*4f0%91GNDMO7c3Vf2W”

Passwords are 1 line of defense, and using a tool like LastPass does enable stronger passwords without the inconvenience of having to remember a new password for each site.

However, for remote access to my ST hub, if they can breach the security of the server and gain access to my home, what can / should be done to minimize inconvenience / damage? Things I am thinking about that were raised in other threads are Network Isolation of my home automation from personal computer data and disabling common ports / network functions such as ping.

Is it possible to setup the ST hub behind an OpenVPN connection, while still having the benefits of Remote Access?

Now that I know you password, I’m taking control of your thermostat! :stuck_out_tongue:

2 Likes

I thought the same, but they said “like this”

It helped get the point across.

Not really, no. In reality, the router is the weak link that gives the bad guys “access to the rest of your network” - most HA is outward facing, so gaining access to (for example) a REST endpoint on a smart app would (possibly) let a bad guy unlock your door (so they don’t need to break the window next to it) or turn your heat on/off, or play with your lights, but it’s not going to let them hack your PCs.

I think the reality of the security risks of HA or other network appliances is far far far lower than the reality of the security risks of the humans in the system.

1 Like

Perfect, turn it down a bit, Grandma is getting hot apparently :smile:

Here are some articles on IoT and how easily they were hacked. All in all the smartthings hub is pretty dumb and focusing on it as a potential attack vector i don’t see as being very fruitful. There are so many easier ways to be hacked, like running Windows, Flash, an old version of Java, downloading “Free Software”, or having UPNP turned on, on your router. As its been said in this tread many times before… Use a good password/passphrase. Uppercase, lowercase, symbols and numbers more than 8 charters long and easy to remember is a good place to start. EXP: I:)Sm4rtTh1ngs Easy to remember is very important cause i’ve found more secure passwords that i’d care to admit on sticky notes under keyboards.

https://www.yahoo.com/tech/report-hackers-can-eavesdrop-on-your-smart-home-115788791209.html

http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/

Just check with your insurance company… See if they will provide personal property insurance. If any harm is done because of a break-in, digital or physical, see if you are covered.

Is your house protected from fire, flood, etc? Probably not, but you probably have insurance to cover that.

I’m sure that cyber security insurance will be (if not already) an optional rider you can add to any homeowner policy.

(sarcasm on)
If you get hacked, just burn your house down :slight_smile: Problem solved.
(sarcasm off)

2 Likes

© 2019 SmartThings, Inc. All Rights Reserved. Terms of Use | Privacy Policy

SmartThings; SmartApps®; Physical Graph; Hello, Home; and Hello, Smart Home are all trademarks of the SmartThings, Inc.