[SOLVED] Openhab communication with Wemos D1 mini securing

i am wondering how I can secure a communication between Openhab and a Wemos D1?
My plan is to drive garage door with one of these small helpers but I do not want to give someone posibility to ‘read’ commands and stealing cars while we are away.

Is there way to force SSL?


Have a look at tasmota
It can be uploaded on the Wemos D1
There is an TLS option

1 Like

If someone is willing (or stupid enough to get into legal troubles) to steal your car from your driveway, he won’t even bother hacking your WLAN and then sniffing on your MQTT comms to send a command to the D1 :slight_smile: A simple screwdriver most likely can do the job of opening the garage gate easier :stuck_out_tongue:

The D1 will talk to the MQTT Broker. I don’t know if you can use SSL in that comm (I think yes).
openHAB will also talk to the same MQTT Broker. The binding supports SSL (I think… I haven’t tried it)

My neighboars would be looking strange if someone is using a screw driver or similar but if some one comes like he should and opening door like we do … no body would be thinking about suspicious things …

But thanks for your hints.

Start by securing your WLAN with a strong SSID password
All the traffic inside is encrypted
I don’t bother encrypting my sonoffs and wemos mqtt over wifi. It already secure in my wlan.
But I would not put my garage door on wifi. Access and critical sensors are hardwired. No interference, no hacking…

It does but it is a major pain if you are not using a trusted cert. You have to add the CA to Java’s trust store which is a pain. I find it easier, since I run mosquitto on the same machine as OH, to set a firewall to only allow connections to port 1883 on localhost and require external connections to use 8883 with a client cert and TLS encryption.

It is possible to use SSL/TLS with a Wemos D1 based on a few seconds of google searching. However, it doesn’t buy you much by itself.

Let’s say I’m Mr. Hacker Theif and somehow I figured out you have a way to open your garage door via wifi.

First I have to crack your Wifi encryption. While not impossible, this is rather difficult right now with WPA2-PSK assuming you have patched your wifi devices in the past couple of months (there was a vulnerability discovered not too long ago). So what does it take to do that?

I can force a handshake and capture those packets. Those packets have the password in encrypted form in them. I can then go home and run a brute force attack on that captured password. Assuming you have a good SSID password this can take a very long time. If you use single dictionary words this can take seconds.

OK, I now have your password. Next, I need to actually get on your network. Now you have second line of defense because you can use MAC filtering to only allow those devices that you preapprove join your network. This isn’t a very strong defense because it is easy enough to spoof one’s MAC address, so let’s say I join the network and can now start sniffing and connecting to things.

So, now I’m on your network I start scanning around and I see a device named “Garage” or something that makes it look interesting. But I also see a machine named “openHABian”. I see that the traffic to “Garage” is encrypted but I can connect to port 8080 on the openHABian machine, which I know is home automation software because of a quick google search, and I get this nice control panel and now I can open your garage.

My point is you can’t look at security in little pieces. You must look at it holistically. In this case, if I can bring up your openHAB without authentication then all the encryption in the world will not protect your garage door opener.

Also, if I were a hacker sophisticated enough to pull this off, I’m probably going to implant a backdoor on your network and start sniffing for usernames, passwords, and other information I can use to perform identity theft. The effort is much lower, the rewards are higher, and the risks are much lower.

So, definitely work on protecting your wifi. But if you are worried about what someone can do once they get inside your network, then you need to look at it holistically. You need to secure EVERYTHING. Securing piece parts is not going to do much for you.

See above. Hardwired does not guarantee security.

1 Like

It does on the WiFi side of things. It you have your firewall properly setup as @rlkoshak mentioned above you are safe as can be. Never 100% but close

My point is that your overall security is only as secure as the weakest part of your network. If you can access the devices through openHAB and you can access openHAB wirelessly without encryption and authentication then your wired devices are only as secure as openHAB. So from a security perspective (I’m not addressing other reasons to use wired like reliability), only using wired devices doesn’t buy you anything in terms of security. openHAB itself is the weak link.

So there is no reason to limit yourself to only wired devices (I’m only talking from a security perspective) unless OH itself can only be accessed via wires. There is no reason to encrypt the communcation between the MQTT broker and the devices unless the MQTT broker only allows encrypted communication (or is secured in other ways). There is no reason to encrypt the communication between the devices and the MQTT broker if your communication between OH and your client is encrypted on the local network.

So if you are OK with accessing OH without authentication and encryption on your local network (which is reasonable if you are using a strong password and WPA2-PSK and you are firewalled from the internet) then it is not worth the effort to secure the communication of the devices and the MQTT broker and/or OH.

1 Like

Regarding the Wfif Vs Wired. I meant that Wifi can be jammed. Any self-respecting burglar will carry an RF jammer to disable wireless sensor and/or wifi camera and the like
It’s not the hacking that’s the issue in that case, it’s the reliability.