I have just been looking on the website https://www.shodan.io (The Website that scans the world of computers and finds unprotected devices) I did a search for Openhab,
Results can see 232 Openhab setups directly exposed too the Internet the first one in the list allowed me direct access too there habpannel and i expect many more allow the same
(I didn’t do anything other than load the start page I do not want too test any more as i’m assuming its illegal too access this even unprotected like it is and slightly unethical)
I would like too help warn the people involved
Directly exposing your setup like this is not safe you need too use a VPN or use the openhab cloud connector
Forwarding ports like this / exposing stuff directly without passwords anyone in the world can connect too your setup devices ect its extremely unsafe you are broadcasing extremely sensitive information too everywhere in the world
Can people with more power than me pin this post
Is there any way too directly inform these people using there ip addresses and accounts ect
If you search this forum on Shodan you’ll find a few more posts about it from the past…
How many of those say 401 Authorization Required? I know mine does.
Those ARE secured with credentials.And, yes, some of them turn up in a search for openhab.
YES you are right and it looks like people are still doing it
It’s in the docs.
Security Warning: It is vitally important that you MUST NOT directly expose your openHAB instance to the Internet (e.g. by opening a port in your firewall)!
It’s on the forum several places.
If a user isn’t going to read the docs on this I highly doubt they will read a pinned post in this forum. I’m sad that so many are on the Internet unprotected, but I’m encouraged that the number is so low given the thousands of OH users.
This warning belongs in the docs, and it’s already there. I don’t see how pinning this will make it any better. The people who do this are either reading the docs and ignoring the warning or they are not reading the docs at all. In either case a forum posting is going to have no impact on their decision.
I am a little surprised that shodan can identify password protected OH. Unless they are running OH 1, the only way to get authentication is through a reverse proxy in which case shodan should only see the proxy, not what is behind it.
I have found many things that shouldn’t be exposed to the internet just by using Google and known keywords from the services webpage.
Printers, IP cameras ect. One that surprised me was an exposed sonarr install. No passwords, could add to the TV shows or if somebody wanted to nasty could delete the contents (we were talking in the 5tb+).
The one thing I will say for openHAB is that it gives you warnings in the logs if it believes it’s exposed.
I use myopenhab or a VPN. Started setting up reverse proxy but I’m not 100% on it.