So I just got the newsletter announcing the port forwarding support that was added. This has me worried, especially for those who aren’t very technically savvy. I’m definitely not opening up any ports like this, but I would like to hear from the Athom team about their security considerations regarding doing this.
What web server are you using as the reverse proxy on the Homey? How often do you do security reviews or penetration tests of the software stack on the Homey? How often do you push security updates? Why have you chosen not to inform people about the inherent security risks when forwarding ports?
Risks are much greater when opening ports like this, are much greater than the indirect access where the Homey only communicates with Athom’s cloud services. As soon as you do this, you give anyone access to nginx or whatever web server is there, and any possible security holes therein. So this would lead to a new attack surface within your network. If someone manages to perform remote code execution attacks on the Homey, that could potentially be very bad for anything else running on your network.
Those issues also exist without the use port forwarding (and are by the way very legitimate questions). Was also not really to answer the questions. But for others reading this post.
So they can make their own decision if they want to use portforwarding or not.
For me: I choose to live in a house and not in a bunker and so I accept some securtity-issues by choosing for a house.
But less so because with port forwarding the security moves from a (hopefully) well-maintained cloud service to Homey itself, which isn’t maintained at all other than getting firmware updates. Homey also doesn’t have any logfiles that the user can inspect to see if perhaps there are attempts to penetrate it.
I don’t see how this bears any relevance. Enabling port forwarding on Homey doesn’t significantly improve anything (the connection won’t be significantly faster and it still depends on Athom’s cloud servers anyway so it will not fix connection issues when Athom’s servers are down) but it does have security ramifications.
It’s more like living in a house where the front door is always open versus a house where the front door is closed. It might be a minor inconvenience to have to open the lock each time you enter the house, but that doesn’t weigh up against the improved security that a closed door provides.
The question is: how well maintained is the cloud and what measuers are taken to be safe for the homey-cloud. But same for the Homey in your house. Communication from the cloud is no guarantee a hacker cannot use your homey to enter your network.
With house/bunker I mean to say if I live in a place with now windows and one door security is indeed better. So choices have consequences and yes, I made it a bit bigger than your example with the front door.
I have more trust in the people maintaining Homey’s cloud servers than I do Random Homey User maintaining their home network.
This port forwarding feature, while mostly useless, might be something that experienced users want to use, but it’s presented with no information at all on possible security implications, and I’m fairly sure that no reasonable security reviews have been made by Athom against the HTTP stack running on Homey.
Also, if that HTTP stack proves vulnerable in any way, mitigating the issue will require a firmware update, and until that update has been installed Athom cannot do anything to remotely mitigate the issue for any user that has turned on this port forwarding feature.
Well, no one is forced to use port forwarding - so be a bit more relaxed.
For those using port forwarding a log should be provided plus information about what has been implemented to mitigate the change of a security breach like blocking of ip addresses for a while after a few unsuccessful login attempts.
By the way won‘t using a VPN be a bit more secure?
You’re right, it’s optional, but I can already predict that a lot of people will enable this option because of the way Athom presents it (“…it’s faster and more reliable”).
The reason I am happy with this addition is that it means that homey can function for the remote connection without cloud, which is a good thing…
Personally I will not be using the direct connection option and should the cloud become unavailable (homey bankrupcy for example) I would still use my own vpn instead of this… No port forwards, no upnp….
For those not tech savy the cloud is a better option, for those tech savy there are better ootions…
HTTPS is not good enough. Discovery of viable attacks in the attack surface of the Homey is made less convenient when you have to go through the cloud service.
You have to find vulnerabilities in the cloud service, that will allow you to send malignant payloads to the Homey. Possibly the vulnerability is a session hi-jacking vulnerability, but there are many possible options here. Of course, if vulnerabilities are found in the Athom cloud servers, that almost guarantees remote code execution is possible, as you can send scripts to your Homey from Athom’s cloud.
With an open port, you will have to find a vulnerability in the HTTP server or the services the HTTP server passes the requests to. The HTTP server is likely Nginx configured as a reverse proxy, but there are other options. The service receiving the request, will be responsible for checking the authorization token, and handling the request.
When the port is open, the firewall is almost completely useless, although they may have something like fail2ban configured.
There are people running port scans against private IPs all the time. When open ports are found, automated tools can be used to scan for known vulnerabilities. There might not be a huge amount of vulnerabilities in the Homey, but if one is found, it’s pretty much all you need.
I would not, but I would have liked for Athom to comment and/or inform people of:
The security risks involved in opening ports, and what pieces of software are involved, so you can make an informed decision about taking said risk.
How do they work on security reviews of this part of the software stack to reduce the risk of users who choose to open up network access to their Homey.
If they are following CVEs and releasing security patches quickly in response to upstream fixes, it might not be very serious.
They could also give some advice on network setup, like using a separate network for your IOT devices, so they cannot access your computers and phones.
As RobertKlep and Sardtok pointed out, port forwarding introduces an increased security risk. It’s difficult to quantify the exact increase because other factors are involved (as mentioned by Sardtok).
Should You Use It?
From a user’s perspective, the key question is “Why should I use port forwarding?” Traditionally, security might be a reason, but in this case, it actually decreases.
Speed and Reliability
The Athom blog post claims that port forwarding offers “faster and more reliable” access when you’re away from home because it bypasses their cloud services. However, you might need to ask yourself:
Do I experience significant slowness with the current setup?
Would I even notice a speed improvement?
It’s likely that (most) users won’t see a major difference in speed. Reliability might only be a benefit if Athom’s cloud services are experiencing problems. As in ‘normal’ circumstances as a user you will not experience a better reliability.
Limited Advantage for Users
RobertKlep also raises a valid point: Athom’s statement about “bypassing cloud services entirely” might not be entirely accurate. There’s a chance some communication still relies on their servers.
So, Why Use It?
Currently, the benefits of port forwarding for Homey users seem very limited and more theoretical. It might actually be more advantageous for Athom by reducing traffic on their cloud infrastructure.
This topic still is not clear to me, and reading the blogpost doesn’t answer my main question… According to the illustration used in the blogpost, there is NO need for Athoms cloud anymore.
