Openhab App exposes direct Access to items for any user. Security risk?

Hello community,

I was wondering about something. In the Openhab app there is an admin area that hides such things as direct access to rules, items, things, etc. This is great for security reasons so that not any user can make changes to the system.

However, this can be bypassed by triggering items through Tasker or by adding an item shortcut to the desktop. The App freely lets any user choose from the full range of internal items. Even those that the developer might have hidden from the end user. Thereby rules or security procedures can be bypassed.

Is this intended and is there any way to expose only certain items for direct access in the App?

Anyone else ever wondered about this? Of course I love the flexibility of Tasker integrations but I don’t want others to be able to mess with the system.

Thanks!

OH security is all-or-nothing right now.

However, if you have concerns about non-users being able to access Items you can turn that off requiring an authentication code or login to access any Item. But if one can access any Item, one can access all Items.

All-or-nothing.

The description under the visibility fields makes it clear that visibility is not a security feature.

So this behavior should not be a surprise.

Yes and no. Yes this is intended and no there is no way to expose only certain Items.

Pages and pages of discussions and arguments and more have occurred on the topic. Please note that any sort of authentication at all is new in OH 3. It’s a huge amount of work to go to the next stage of implementing ACLs and more than two user roles and implementing fine grained access control.

First, the Android app only allows access to other apps running on the same phone. So rule 1 should be "don’t install untrustworthy apps on your phone."

Second, you can turn off Tasker integration. With that turned off no apps on your phone can get to Items through the Android app beyond the app itself.

Beyond that, your keeping physical security of your phone should be sufficient (have a password for login, don’t let it remain unlocked for long, etc).

Third, if you are concerned about other people on your LAN installing the app:

  1. Disable guest mode in openHAB settings so users must be logged in to openHAB to access anything
  2. Don’t give those people login credentials.

You can further limit access to certain IP addresses when using a firewall.

Fourth, if you can’t trust them with your OH, why do you trust them on your LAN in the first place? If they are not on your LAN, they’d have to get to OH through myopenhab.org (which requires credentials) and, if guest mode is turned off they also need credentials to log into OH itself. That’s two separate sets of credentials (no, this doesn’t count as two factor).

Thanks for your explanations! Helps a lot!

For the record, this is just Main UI rendered in a webview. It’s not specific to the Android app.

Rich covered it well, but just for the heck of it I’m trying to think of scenarios in which this would become an issue. Really, it comes down to:

  1. Someone you trust has access to your openHAB system on their phone.
  2. Something changes and you no longer trust that person.

If this is the case, then you’ll likely have to do more than just preventing them from accessing openHAB items through Tasker. You need to change your WiFi and myopenHAB passwords so that they can’t access your network at all.

There could be a feature to expose only some items to Tasker, but that would have to be implemented on the server side and would affect all users. You can’t build it into the app alone, because then it would be controlled by the person using the phone.

The thought is not so much about a security threat. Just think about a scenario where children install the app on their phone and try to manipulate the system just playing around. My thought was more about users who don’t know what they are doing than about criminal intruders.

In my case I experienced a very strange behavior of one of my rules. Took forever to understand that someone on the LAN had played around in Tasker making error-producing status updates without even realizing it. No bad intentions involved.

I actually did consider a scenario like this, but rationalized that it can be handled similarly to other things that kids need to be taught how to use, like vehicles and kitchen appliances. So as you note, I didn’t consider it to be a “security risk”, per your original post. :wink: