Does Homey have a security problem? (+ a potential solution)

I recently discovered a very useful app - Elgato StreamDeck Integration App for Homey | Homey - which allows you to control all devices in your Homey account with a StreamDeck device, as well as see readings from a device (such as CO2 measurements etc). And while this can be very handy, it also raises some serious questions as to what data and devices an app can provide access to.

I’m fully confident The StreamDeck integration developer has the best of intentions - but imagine if a rogue developer (or a rogue app update by someone than the developer) used the same technique to stealthily access devices on the user’s account. He or she could effectively take control of all devices in the user’s home.

My friend who discovered this has raised this very issue to Homey support, but they unfortunately don’t seem to be too concerned with this. They say that the StreamDeck app needs that sort of access for it to work, which makes sense from a practical perspective - but from a security perspective, it offers absolutely no protection for its users.
Support also mentioned that they can’t vet 3rd party apps (while others in this forum have mentioned that they do limited vetting) - which makes me think they need to revisit how apps interact with Homey in the first place.

I’m no security expert, but it sounds like Homey needs to implement some sort of security/permissions layer to protect its users from potential rogue apps. Some thoughts on what this could include:

  1. Control what apps can and cannot access: Only allow apps to have limited access to user data and other devices. Allow the user to grant and remove access - based on, for example, what sort of device types an app can interact with, whether it wants online or offline access etc.

  2. Introduce restricted device types: Maybe special security measures should be implemented for privacy-sensitive devices (such as cameras or audio-recording devices), or devices that may be “dangerous” if turned on/off, such as household appliances

  3. Inform the user: a) Always inform the Homey user about what sort of access a given app requests. If it requests unusual access, clearly inform the user so he/she can make an informed decision on whether to permit it. b) If the app requests online access, show where the user data is being sent. c) Create a list of all installed apps and what sort of permissions they have (like on Android devices).

Also, in terms of API Keys: How’s the user protected from a rogue developer intercepting an API key, so he/she can control the users devices using said key? If there’s no protection here, this would also be worth resolving somehow.

I hugely appreciate the work done by 3rd party community developers - but it sounds like users are being left at sea with little to no security when it comes to 3rd party apps (and no ability to judge what an app gets access to, and whether it’s making legitimate access requests or not). A security/permissions layer between Homey and apps could empower the users to bring back some of that security.

Thoughts?

  • Asbjoern

It already has that permission layer you are talking about, that a developer needs to specify before they can “control your full Homey”.
When you install the app you’ll also get a warning that that app can control your entire Homey.

Here’s a monitor

You ask to implement this:

The developer of that App needs the App to have full control/

you choose to install and have the choice,
image

Trust that developer or skip and have less functional apps.

Guess this already is:

If you add more warnings, lists of permissions, etc… 95 out of 100 users still click Install NOW I WANT THAT APP…

The developer adds the API Keys he has for an App to the App in the Athom Store. You authorize your Homey based on your credentials and a rolling key / token between your Homey and your cloud service.

Afaik rough developers stealing your token only kan use it for short time to access the cloud service you authorized. if they do that often it probably would not get unnoticed by the Cloud service. (and by you)

I you are a security specialist and really see something that is a Gap in Homey please contact Athom: Report a security vulnerability | Homey

1 Like