I have a strict IoT security policy: IoT devices have NO access to the internet unless there is a full documentation of what, how, when etc. this access is used, and this is verified to stay within those bounds.
So now: How to set up a HomeyPro without having to trust the whole world wide web and beyond.
As an added bonus I have a phone that does NOT have access to Google, Apple etc. F-Droid as an app-store is no problem.
So I would like to have a workflow to configure the Homey Pro…
(Note there is no desire to use any of Amazon, Google etc. services for speech etc. I need a z-wave, zigbee and possibly COCO bridge to control those devices).
Access to the Home network from remote is no problem; I have a permanent mandatory wireguard VPN between my phone and my home so anything in my home network is reachable.
The home network has a separate IOT VLAN, wired & wireless, same for core, storage & multimedia network, separated wireless access for internal use and guest use, where guest has the same access as the Internet (none to all of the above except for a few web frontends)…
(the network is not a flat single broadcast domain network).
(Note I borrowed someone else’s phone to do an initial setup for testing and I am confused… Why does the Homey need a location during setup… GPS coordinates don’t really matter for network connections, GEOlocation is no requirement for the internet addresses etc.).
Having access to the same LAN should be sufficient to control the device. Obviously this homey needs a reset as there is an “unknown” entity (owner of the borrowed phone) controlling it.
Homey requires an internet connection to be able to log in to the app or web app.
Once you have completely configured Homey, you can disconnect from the Internet and Homey will continue to work.
As long as Homey is disconnected from the Internet, you will no longer have access to the configuration. You will also have to give up all functions that receive data via APIs.
I am not sure if Homey is the right system for you. With your specifications, a purely isolated solution like Home Assistant might be better suited.
But here, too, you have to do without updates and any data that comes from the network via APIs. That would be like removing the engine from a car.
Protect yourself with a good virus scanner and use PiHole, AdBlock or Eblocker. You then decide who has access to the internet and when, and above all what is sent or received.
I already found a huge issue with SSL as it seems to only support SSLv3, and not TLSv1.3. So there is no security in this device from that side.
Home Assistant is Apple … so no go there.
IoT suppliers need to get better aware of SECURITY. … so home centric devices should only work from home and only access the internet when instructed to do so. (OPT-IN for insecure services).
Not doing so means the central servers would need to be certified GDPR compliant. And as they control a lot of homes there is a responsibility wrt. ensure there is sufficient security.
Mentioning IoT and security in one sentence almost always is about issues, problems and failures.
It appears the Homey is no exception to that rule.
requiring to tell its geolocation (where timezone is sufficient).
requiring conversation with systems that have unknown security & privacy issues.
requiring access to google playstore (My phone runs without this, and no it’s not an apple either which is just another walled garden).
If I buy a device, I should also OWN the device and not have to run on a leash from some manufacturer.
Where I need to kindly request a manufacturer’s system to allow some stuff on my device.
I think this Homey Pro is an expensive mistake.
I’ll look into Home Assistant. I should have some spare RPi somewhere.
I previously read some articles about Homey Pro, and I think it was confirmed through their helpdesk, it would not require internet access, only to update the firmware of the device.
Apparently those statements were wrong, or for another previous incarnation of this device.
If your internet fails at home, a Homey Pro can in principle still be reached from your smartphone for 2 weeks.
The Athom cloud will not suddenly disappear, there is absolutely no reason to fear the continuity of Athom as a company or Athom Cloud as a functionality. If, due to some unforeseen circumstance, this environment still disappears, unfortunately I cannot anticipate the consequences because this is very situation dependent.
Oh, and location is used to provide for geofencing.
That is of course not possible with Timezone info only, dude.
And, you’re free to NOT use it, very simple, by disabling (or better, not allowing) location access to the app.
Athom is using oAuth for user authentication and Homey access.
So you need an internet connection (at your client, phone/PC) to Athom servers to authenticate via oAuth and login to Homey.
For login to Homey I’m not sure if Homey itself needs an internet connection. But I think for a reauth and the initial setup, this is needed.
If you don’t want to use internet based services, you are limited to local protocols like Zigbee, ZWave or some devices using local LAN access.
Most devices of big brands are using cloud access. So Homey needs an internet connection to connect to this cloud, and the devices themselves do, too.
HomeAssistant can be used with local users and without internet access. But if you want to make updates, add integrations… you even need internet. And many integrations are using cloud APIs, too. So there is no big difference to Homey.
With your restrictions, no plug&play solution will fit. You would need a standalone wired solution like KNX.
Not allowing Location to the app only makes it complain more about not having access to the location…
And pointing you to all settings that need to be changed, and wait for the change to continue. It even requires the location to be activated.
Hence a blocker.
I asked Homey Help desk in about January, they mentioned there was no problem…
Well there is. It requires internet access beyond initial setup. It will not communicate in a routed environment (according to that article).
So Indeed not for me…
Non-disappearing stuff happens all the time to disappear after all. (even within the Homey… voice recognition f.e.)
Nest, which once worked independently of Google, became assimilated to not work without Google, etc.
oAuth not needed, or I can provide one on my LAN if needed. (alternatives CAN exist), oAuth also means I need to trust the oAuth provider with the keys to my house & network.
I now have a NodeRed based solution running, problem is: I can handle this, my family cannot.
I can live with temp internet access for updates, although I prefer to be able to upload an image.
Zigbee: Doing just that using a zigbee->NodeRed bridge on RPi.
Zwave: I now have a use case for 2 Zwave devices. (maybe 3-5 extra for heating)
That most devices are doing stupid things doesn’t mean I have to follow that. (Mirai bot-network, does that ring a bell?).
So the Cloud is the excuse to enforce data collection (to said cloud), for …??? I see no need to analyze data, if needed I can do that.
My problem with cloud based solutions is: You pay for some device (“buy it”) but you cannot use it outside of the confines to the manufacturer. It is all running on other people’s hardware. Why then buy a device…
I can update, make integrations on a device that ITSELF has no access to the internet.
I have a Multi-LAN network at home (proxmox host, several VM’s) serious firewall.
One of the LANs can only reach the core network, or rather the core network can reach the IOT-LAN. There is a solar power unit in there, and some RPis and a few VMs.
And no, a wired solution is not feasible. Hiding all wires is far too much work/expensive.