Improve Luxtronik heatpump cybersecurity

I have a Luxtronik controller for an AIT heat pump with firmware V1.81, and I browsed for an update and noticed there is 1.86. Is it even beneficial or safe to upgrade? Is there a risk of bricking? I know Lw121a is the model of the unit.

I browsed the web for upgrading, and one thing I found out is bad: Luxtronik is not secured with a password. The guy on the blog post wrote about logging in as root with no password. Then he was able to modify the web site to inject the old Java UI to give more control over the machine.

The issue is that almost everything can be changed on that Linux regarding running commands, but a password can't be set; the passwd command fails with a read-only passwd file. The filesystem is read-only, but the home folder is read-write, and I am not comfortable messing with the system more than necessary to prevent unauthorized access.

It all seems wrong that I can reboot, make files and delete files but can't easily block root access. How can it be so messed up?

I can block the telnet port on the network, but I need a smart switch for that.
In theory the home network is a security layer, but even a rubbish light bulb can have a password.

I mainly write here as I have been an openHAB and Linux user for a few years and I feel more comfortable asking here, as I know there are quite some Luxtronik users here.
I am not a Linux guru; that's why all the forums I read about shadow and passwd on read-only filesystems didn't make me more comfortable, as I can't easily back up or make a clone of the Luxtronik. Or can I?

Any experience with that?
Advice appreciated.

Thanks
Matej

I can only reply in generalities since I do not know this device nor technology.

For upgrading, it’s always a risk. So only attempt it when there is something you need or really want in the upgraded version. You’ll have to look at the change log for that. If there are just bug fixes for things you don’t use anyway, I wouldn’t mess with it.

I suspect it’d be possible to mount the filesystem that /etc is on as rw. But beware because there may be processes, scripts, cron jobs and the like that rely on the root user not having a password so you might break it if you did give root a password.

If all that is read/writable is the home folders, there probably isn’t too much damage that the root user can do anyway thanks to the read only file system.

If you care about the security at all, this should be a priority anyway. Even really cheap WiFi gateways have some firewall capabilities.

I think you are coming at this from the wrong direction. What are the threats you are worried about? What would those threats need to do to compromise your machine? How likely are these threats to even bother? What’s the impact if they do compromise the machine?

If you apply numbers to these you get the risk equation.

Risk = Impact * Likelihood

You only need to worry about the high risks. And yes, your home network security is a good mitigation for many, many risks. In short, if the only way to get to your Luxtronik is if the attacker is on your LAN, are they really going to care about the Luxtronik, or will they care more about your cameras they can use to spy on you, or your computers they can use to sniff passwords to bank websites or install crypto miners? If they are already on your LAN, perhaps you have bigger problems than the security of your Luxtronik. But only you can answer that.

Security is a holistic activity. Sure, your light bulbs may have a password, but that doesn’t mean it’s more secure. Passwords are super easy to implement and often they provide only limited security depending on how they’re implemented (lots of those bulbs will have a back door in the firmware, or undocumented users with default passwords like 12345 and the like).


Thanks @rlkoshak, I really like your approach; it is really meaningful and pleasant to read all your writings.

I try to make my devices more secure; with the Raspberries and computers I am comfortable to mess with, as there is no harm if I break them while configuring, since I can make a system backup.

I may still want to find out how to back up the Luxtronik system.
As the heat pump really needs to work, I'd better not mess with it, as you pointed out, because of services depending on root access.

You may be right that I need to focus more on securing the network.

I do have intrusion prevention active on my router, but probably only the smart switch will help secure it even better, so that I can block even the local access to that telnet port.

I have a UniFi USG and I was looking for some Flex Mini managed switches, as they are the only affordable UniFi option; hopefully I will be able to configure them properly.

I guess I need one at the router to branch out the network for office, smart and security devices, and one in the basement to manage the cameras and heat pump as you mentioned (I only have 1 cable to the basement).

As I am still learning about network security and setting up local firewalls, I was thinking that locking down the heat pump is the easy way, but it probably is not.

Thanks for clarifying my ideas, so I don't poke at the Luxtronik too much; it was too tempting.

Is the UniFi Flex Mini a good way towards hardening a network, to also prevent me from messing with that telnet :smile:?

I may again chime in if I get into trouble with configuring the firewalls on these switches.

Greetings
Matej

I cannot imagine a router that has Bro, Snort, or whatever you are using for intrusion detection but does not have a firewall. That’s all you need: the ability to set some rules saying “only this IP address can communicate with this other IP address on this specific port.” That’s super basic stuff even cheap routers support.

You only need to put this rule on your main router I think, though it probably depends on the full network topology. It’d be unusual but not unheard of to have a bunch of subnets in a home LAN.

Yes, it is unusual to have subnets, but as I see it, the firewall only traps traffic that flows over the router or a managed switch, and the latter I don't yet have.

The topology is the reason, as I have some unmanaged switches that make up the local network and the firewall can't affect them.

I have a main 8-port switch that links to the main techie rooms where there are 5-port switches.

Netting about 20 wired devices.

The router is a UniFi USG; it seems a good internet firewall but not much more. It is not as amazing as it sounds regarding local device awareness and control; it relies on managed switches for more control, I guess, as I need to nmap the full network over the 2 local router ports so they show up in the dashboard, otherwise only internet-active devices show up.

Apparently, the UniFi Gateway is running Suricata, as you were curious.
I managed to block the telnet access to the heat pump by blocking port 23 in the local network firewall rules, to also block local telnet access.
The heat pump is now on the separate LAN2 port on the router until I get a managed switch. On LAN2 I only allow the necessary ports for access to openHAB and the time server.

I can say that the UniFi firewall is easier to set up and to learn firewall config with, yet more functional than the EdgeRouter I had before, where there were so many options to set it wrong and either nothing worked or all traffic went through.

Thanks for encouraging me to set up a more advanced firewall and not poke into the heat pump's Linux, where I could have risked breaking it.
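A way to verify the segmentation described in the last post, added here as an example (it is not code from the thread, from Ubiquiti or from the Luxtronik project): run from a host on the LAN, it confirms that telnet to the heat pump is no longer reachable while the port openHAB needs still is. The heat pump address, the 8889 binding port and the policy table are constructed assumptions for the example.

```python
"""Check a LAN firewall policy for the heat pump from a host on the network.

Constructed example: the heat pump sits at 192.168.2.10 on the LAN2 segment,
openHAB is assumed to talk to it on TCP 8889, and telnet (TCP 23) must be
blocked. NTP is UDP and is not probed by this TCP-only check.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Rule:
    host: str
    port: int
    expect_open: bool   # True: must be reachable, False: must be blocked
    note: str


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect succeeds; refused and filtered both count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_policy(rules: List[Rule],
                 probe: Callable[[str, int], bool] = tcp_probe
                 ) -> List[Tuple[Rule, bool, bool]]:
    """Return (rule, observed_open, ok) per rule; ok means observed == expected."""
    results = []
    for rule in rules:
        observed = probe(rule.host, rule.port)
        results.append((rule, observed, observed == rule.expect_open))
    return results


def violations(results: List[Tuple[Rule, bool, bool]]) -> List[Rule]:
    """Rules whose observed state contradicts the policy (e.g. telnet still open)."""
    return [rule for rule, _, ok in results if not ok]


HEATPUMP = "192.168.2.10"   # constructed address
POLICY = [
    Rule(HEATPUMP, 23, False, "telnet must be blocked from the LAN"),
    Rule(HEATPUMP, 8889, True, "openHAB Luxtronik port (assumed)"),
    Rule(HEATPUMP, 80, False, "web UI not needed from this segment (assumed)"),
]

if __name__ == "__main__":
    for rule, observed, ok in check_policy(POLICY):
        state = "open" if observed else "closed"
        print(f"{'OK ' if ok else 'BAD'} {rule.host}:{rule.port} {state} ({rule.note})")
```

Run it once from the openHAB host and once from an ordinary LAN client: only the former should see 8889 open, and neither should see 23 open.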
