Security Considerations for OH setup


I am running OH2 for some time and gradually with the automation I added integration to home alarm system which made me a bit uneasy about the security of setup.

I understand that OH requires 755 rights for the configuration files, which makes them world readable. In the items and rules you may find passwords for the connecting to alarm and DSC pin codes. is this safe in general?

Any advise how hardened configuration should look like?



Actually, I do think that OH will run with the permissions set to 700, but that will make editing and maintaining the files a bit difficult.

If I assume that you are only concerned about your OH config files and you are not keeping copies of these files off of your local network, what would it take to access those files?

  1. An attacker must have physical access to your OH server.
  2. An attacker must have access to the file system where your OH config files reside

If 1 is the case then your alarm system has already proved ineffective so we can safely ignore that case.

What are the ways 2 can happen? The attacker must gain access to your network somehow, either through an implant (i.e. they managed to trick you into installing something) or they have hacked your network (e.g cracked your wifi).

OK, lets assume that the attacker has access to your network. Do you have to enter a password to access your OH server (e.g. ssh)? Do you have to enter a password to bring up the files over samba? If so, then the attacker will not only have to be on your network, they will either have to already know your password or have to hack into your OH server.

Assuming you have a reasonably configured server running OH this is not exactly an easy task. So the attacker will have to:

  1. Hack into your network
  2. Discover your OH server password or hack into your OH server
  3. Know what OH is in the first place and what to look for in your OH config files.

What is the likelihood of this happening? Unless you have a motivated enemy it’s probably pretty low. So, as long as you are being farily reasonable in protecting your LAN the risks are probably pretty low. But you can lower that risk by taking some or all of these additional steps:

  • separate your home automation network from your main network
  • set up firewall rules to limit what devices can communicate with what other devices on which ports
  • never directly expose anything running on your network to the Internet directly (i.e. setting up a port forward) unless you really know what you are doing
  • require passwords and or certificates to acess the OH server and any samba shares with your Oh configs