Security concerns: Openhab2, cloud connector and Alexa


I have been experimenting with Openhab2, Openhab cloud and Alexa voice commands.

I am a little confused if I need to ‘expose’ items in the Open cloud settings or not in order to get Alexa to discover devices. I have read that it is not necessary for Alexa but on the other hand it seems to help in getting it to work.

If I do not need to ‘expose’ selected items for Alexa to find them does that mean all my items are somehow in the cloud? This brings me to the main point of my post…how secure is Openhab cloud? Am I risking my security if I have electric door locks, alarm activation items etc.?

I don’t use Alexa so could be wrong. I believe you need to tag your Items. You do not need to expose them to the openHAB Cloud individually. You set up a trust relationship between and when you perform the OAuth approval which I believe gives Alexa full access to your full REST API. This means it has theoretical access to everything in your OH, but practically, it only knows how to deal with those Items that you have tagged in a certain way.

It is as secure as any third party cloud service. I’d say it is infinitely more secure than attempting to punch a hole through your firewall and exposing your OH to the internet through a reverse proxy if you don’t know what you are doing (i.e. are not a computer security specialist). Which is the main point. I have enough confidence in digitaldan and the other maintainers of the service that the security is about as good as what you would find with services like IFTTT and Alexa itself.

I think I am correct in saying that if you have Simple Mode on for item linking then the Alexa tags are added automatically. If Simple mode is off then you need to add them manually. Novices, like me, will be mostly unaware of the consequences of using simple mode for linking!

No that is not a safe assumption. You have to manually add tags I believe in either case.

I did a test before I made that post. With simple mode on I clicked add for an item in my inbox and then checked with REST API get /items. The lighting tag was already there as below:

I could be wrong. Though to me it seems presumptuous to assume that a Switch should automatically have the Lighting tag. I guess it does something automagically.

It caused me some confusion. Simple mode also creates Alexa unfriendly names so it seemed strange that the tag was already there but the name was unusable for Alexa. WIP?

Alexa is not the only integration that uses Tags. Google Assistant, Homekit, Hue Emulation, and others also use Tags.

I guessed that might be the explanation, thanks for confirming. Still, that leaves a security issue, although low risk. With Simple mode On, items are possibly unnecessarily and unknowingly automatically exposed in the cloud?

I mentioned my tests with Openhab to two independent sets of colleagues today, both with only a mild interest in Home Automation. Both immediately said they wouldn’t do it because they did not want their stuff in the cloud… It’s a concern and a fear to many, real risk or not. Many people don’t trust the cloud and avoid it if they can.

No, tags do not control what gets exposed to the cloud. For certain integrations, IFTTT in particular, you control what gets exposed through the Cloud Connector settings. For Alexa et al, the entire set of Items gets exposed through the REST API. But it is the Tags that tell Alexa et al how to use that Item.

If you want to use Alexa you are going to be using the cloud. If you want to use Google Assistant, you are going to be using the cloud. Period. End of discussion.

But there is nothing that requires openHAB to use the Cloud. You can avoid using technologies and APIs that only work with a cloud service and set up your own way to access your openHAB while away. There are lots of options including:

  • OpenVPN
  • ssh tunnels
  • Reverse proxy
  • Hosting your own instance of openHAB Cloud on AWS or the like

If you do that and avoid using services and technologies that require the cloud you are fine.

But if you want to use any of the digital assistants you are already using the cloud, so the objection is spurious at best.

Put another way, if one wants to use Alexa but is afraid to have your data in the cloud, the objection to use openHAB Cloud has no merit.

I was just concerned that more than necessary could end up in the cloud by accident. I think I now know enough to minimise what ends up there. I am just checking out Openhab2 and how to use it.

Thank you for the info 🙂 I wasn’t complaining, just checking if I understand correctly.

I think I have it right now… Items end up in Openhab cloud if I use that. If they are tagged then Amazon and others can use them. So, if security is a concern and I want to use things like Alexa then I should not have the riskier items in Openhab.
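
For anyone wanting to repeat the `/items` check described in the thread across a whole setup, here is an added example (not posted by anyone in the thread, and not openHAB project code). It reads the JSON returned by the REST API items listing and reports which Items carry tags and which look sensitive; the sample JSON is constructed, and the keyword list is an assumption to adjust for your own naming.

```python
import json

# Constructed sample, abridged to the fields used here (name, label, type, tags).
SAMPLE_ITEMS_JSON = """
[
  {"name": "zwave_device_node2_switch_binary", "label": "Switch",
   "type": "Switch", "tags": ["Lighting"]},
  {"name": "FrontDoor_Lock", "label": "Front door lock",
   "type": "Switch", "tags": ["Lighting"]},
  {"name": "Alarm_Arm", "label": "Alarm activation",
   "type": "Switch", "tags": []},
  {"name": "Hall_Temperature", "label": "Hall temperature",
   "type": "Number", "tags": []}
]
"""

# Assumption: words that mark an Item as one you would not want voice-controlled.
SENSITIVE_KEYWORDS = ("lock", "alarm", "garage")


def audit_items(items, keywords=SENSITIVE_KEYWORDS):
    """Sort Items into tagged, sensitive-and-tagged, and sensitive-but-untagged."""
    report = {"tagged": [], "sensitive_tagged": [], "sensitive_untagged": []}
    for item in items:
        name = item.get("name", "")
        # Match keywords against both the Item name and its label, case-insensitively.
        text = f"{name} {item.get('label') or ''}".lower()
        tags = item.get("tags") or []
        if tags:
            report["tagged"].append((name, sorted(tags)))
        if any(word in text for word in keywords):
            bucket = "sensitive_tagged" if tags else "sensitive_untagged"
            report[bucket].append(name)
    return report


def load_sample():
    """Parse the constructed sample; replace with your own saved /items output."""
    return json.loads(SAMPLE_ITEMS_JSON)


if __name__ == "__main__":
    result = audit_items(load_sample())
    for name, tags in result["tagged"]:
        print(f"tagged: {name} {tags}")
    for name in result["sensitive_tagged"]:
        print(f"REVIEW (sensitive and tagged): {name}")
    for name in result["sensitive_untagged"]:
        print(f"sensitive, untagged, still listed by the REST API: {name}")
```

The `sensitive_untagged` bucket is kept separate because, as explained above, an untagged Item is still part of the Item set reachable through the REST API.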