I’m using MOH for some time now, but as I learn through network security I have some questions, hope it’s information that is publicly available.
MyOpenHab sounds to me like a reverse proxy, is that so?
Since the authentication is based on user/pass, it might raise a security issue if that’s the case.
I’m trying to put together a list of cons/pros between the MOH approach and having CloudFlare to protect my deployment, with port forwarding on the router level.
It depends on how technical you want to get with your definition of “reverse proxy.” In general layman’s terms yes, myopenhab.org is a reverse proxy. But it only reverse proxies the openHAB web server. Period. You can’t get to any other network services on your network through myopenhab.org.
With OH 3, even then all that someone can access are your Items unless they authenticate with your OH instance as an admin user.
The way it works is your openHAB instance initiates the connection to myopenhab.org, encrypted using standard TLS. The UID you entered when registering for myopenhab.org is used to associate that connection with your login. The secret is used to authenticate your openHAB instance, kind of like the private key in a PKI.
- all communications are encrypted using standard end-to-end techniques
- there is authentication between your openHAB instance and the cloud server
- there is authentication between your browser and the cloud server
- the only thing that can be accessed through myopenhab.org is stuff that is served up by openHAB itself, nothing else from your LAN is available, and even then only if an attacker manages to crack your username and password
- without logging in to the OH instance, the only thing that can be accessed are Items
From an attack surface perspective, using myopenhab.org is going to be way safer than opening ports on your router for almost all users. Pretty much the only vulnerable point is that username and password.
Another safer approach includes setting up a VPN (I like Tailscale since it doesn’t require opening a port on your firewall and it’s dead simple to set up).
You could host your own instance of myopenhab.org on a VPS out on the cloud somewhere and set up additional forms of authentication (if that’s what you are worried about) but you will lose Alexa, Google Assistant, and push notifications I think. But if you do that you need to make sure that you monitor and mitigate attacks. No one, not even Cloudflare, is going to do that for you.
Opening your LAN up to the Internet would be the least safe approach and I strongly recommend against it, even with what protections CloudFlare may provide (which is mostly DDoS protection unless you’re going to pay for the pro or business level). When the service is attacked you don’t want that to be anywhere near your LAN. Therefore, even if the attack is successful, they can’t get to your network.
While searching for documentation on how myopenhab works under the hood security wise I could only find posts about “more documentation will be available soon” and this post here. Really appreciated this post!
Is there meanwhile an official documentation for it?
I mean saying that “only the REST API” of the local Openhab instance would be exposed on a potential security breach on myopenhab is not really making me relax :). Everything in my house could be controlled then. So are you saying if myopenhab is compromised, every established connection from local instances to myopenhab is then remote controllable by the attacker? So let’s turn off lights in all homes over the world to save the environment :)?
I’m totally aware that this is also possible with having exposed stuff to Alexa if AWS gets hacked, but somehow I have hopes that those million well paid engineers there reduce that risk a bit more compared to the couple (?) of engineers maintaining myopenhab :).
No offense and thanks to all the contributors making OH the best choice for controlling your SmartHome but they only have their free time working on such topics and not full time I would expect.
All the code and how it’s built stuff can be found at GitHub - openhab/openhab-cloud: Cloud companion for openHAB instances.
In a worst case scenario, possibly yes. But a lot would have to go right for an attacker and a lot would have to go wrong for the openHAB cloud server. The most likely form of a successful attack would be someone cracking a specific user’s password and then accessing that user’s openHAB instance.
But even so, the risk to you in using myopenhab.org is way less than the risk of you running your own private instance of the openHAB cloud server or, even worse, if you expose your LAN directly to the Internet through your firewall.
If using myopenhab.org raises concerns for you, don’t use it. It’s not required and you have to take deliberate actions to install and configure your system to use it. There are other ways to remotely access your openHAB like VPNs which you might consider safer. Or if you are really concerned, don’t allow remote access at all.
Also note that openHAB itself has a separate authentication and authorization. You can configure your instance to still require an additional username/password to access any part of your REST API (in MainUI under Settings → API Security). If you have the implicit user role turned off, even if your myopenhab.org account is compromised, or the entirety of the myopenhab.org server is compromised, for an attacker to do anything on your instance they’d need yet another username and password (definitely make them different from your myopenhab.org login) before they can do anything.
Everyone needs to make their own risk assessments and appetite for risk compared to convenience.
One final note worth mentioning is that the vast majority of what makes up the openHAB Cloud Server comes from major open source projects with hundreds of contributors used across multiple industries. I know for a fact that Amazon uses Redis, MongoDB, Nginx, and Node.js in many of their services too. No one builds these kinds of services from scratch. We are able to leverage the security and safety of tens of thousands of man hours that have gone into those products.
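A way to check the API Security setting mentioned above from a machine on the LAN, as an added example that is not part of the original posts or openHAB's own code: it sends requests with no credentials and reports which REST endpoints still answer. The endpoint paths, the default `http://localhost:8080` address, and the expectation that a refused request returns 401 or 403 are assumptions to adjust for your instance.

```python
import urllib.error
import urllib.request

# Assumed openHAB 3 REST paths; edit to match what your instance serves.
ENDPOINTS = ("/rest/items", "/rest/things", "/rest/rules")

# Ignore any configured HTTP proxy so the probe goes straight to the instance.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(base_url, path, timeout=5):
    """HTTP status of a GET sent with no credentials; None if unreachable."""
    url = base_url.rstrip("/") + path
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 401/403 are raised, not returned
        return err.code
    except OSError:  # URLError, refused connection, timeout
        return None


def classify(status):
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "auth-required"
    return "open" if 200 <= status < 300 else "other"


def audit(base_url, endpoints=ENDPOINTS):
    """Map each endpoint to its verdict for an anonymous client."""
    return {path: classify(probe(base_url, path)) for path in endpoints}


def anonymous_access_blocked(report):
    """True only if every reachable endpoint refused the anonymous request."""
    seen = [v for v in report.values() if v != "unreachable"]
    return bool(seen) and all(v == "auth-required" for v in seen)


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    report = audit(base)
    for path, verdict in report.items():
        print(f"{path:15} {verdict}")
    print("anonymous access blocked:", anonymous_access_blocked(report))
```

An `open` verdict on `/rest/items` means an anonymous client can still read Items, which is the exposure the thread describes when the implicit user role is left on.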
thank you for the very detailed and insightful answer, as always :)!
I will take a closer look at the docs at Github then.
Regarding the VPN that would be my favorite, but then Alexa integration would not work as far as I got it (?). Also when I add extra credentials for the REST API of my local install, I guess myopenhab would not be able to access it either, correct?
I fully agree that many companies are using battle proven open source projects to create their products, but it’s usually not about simply using them but using and combining them in the right way :). So just because a product is using well known open source projects does not automatically make it safe out of the box. But I agree that it’s better than implementing your own homebrewed solution. Especially when it comes to security related aspects which is usually hard to get right on your own.
As I’m also a professional (Java) developer for about 20 years now, I was just curious how this all works under the hood to get an impression how big the risk might be that someone could hijack my instance using myopenhab. Thanks again for the insights and for all your hard work and support you put into OpenHab!
Alexa requires some openHAB Cloud Server to integrate with. It doesn’t have to be myopenhab.org.
I believe that’s correct. At heart that’s my understanding.
AFAIK the openHAB Cloud Connector communicates over localhost/127.0.0.1 and therefore also works when your openHAB is behind a reverse proxy like NGINX (which I use to control the local access to my openHAB server). For an example of NGINX for basic auth, see Securing Communication and Access | openHAB.