Just a security reminder


(Anders Alfredsson) #1

Although OpenHAB is just breifly mentioned in this post, much of the discussion could be applied to this system as well. What do you all think is the most probable attack vectors into OpenHAB, and what are the best practices to close them? Discuss away!


Open MQTT Servers Raise Physical Threats in Smart Homes
(SiHui) #2

(Markus Storm) #3

Well this threatpost essentially isn’t news but rather an Avast marketing push. Anyway.

In a nutshell: apply basic, well known security principles to your network and servers.
Operate a firewall in front of your server(s), just open those ports you really need, enable encryption on these (HTTPS/SSL for Web UI, MQTT over TLS) and - most important - use authentication and proper authorization.
As openHAB2 does not provide this, you need to setup a reverse proxy such as NGINX in front of your server to handle that. NGINX is contained in openHABian, including a proper, safe setup.
mosquitto and all the clients to connect to it from the outside (such as OwnTracks) you need to setup to use personalized users and only allow for these.

Now of course you can improve on and elaborate on this in lengthy posts, but once you have properly put that basic stuff into operation, you’ll be reasonably safe. At least a lot safer than those 32k home owners :slight_smile:

PS: I hate those Avast popups, my host firewall now generating one every day. Really agressive sales pushes, generating a lot of FUD. But of course they’re still right in that being a security risk.


(Anders Alfredsson) #4

Of course this is nothing new, but it’s worth repeating from time to time.

I made a quick search for openhab on shodan (you can only see the first page without an account, and the first two with a free account) and found a number of unsecured mosquitto-servers and even unsecured samba-shares.


(Michael Sutter) #5

Thats exactly what @mstormi mentioned in his reply.

A smarthome is nothing else than IT equipment. That means a safe smarthome follow the same principals and guidlines than professional IT.

A firewall (physical prefered, host-based optional), no forwarded ports to your WAN IP, Proxies and authentication are the basics.

Seperating technical parts from user parts (vLAN’s) are the next, a little bit advanced step.

The most advanced part is using the “XMV” (gsunder MenschenVerstand = common sense). Not everything that is possible, is also needed and/or intelligent)