Security concerns

Hi,

I just purchased my Homey, but I’m considering sending it back due to the lack of security focus.

You basically connect all your home devices to one system and then expose that for remote access. It seems like you don’t have 2FA and the only reading about security is that you mostly use https (which is hygiene and not really a feature): https://support.athom.com/hc/en-us/articles/360015685913-Is-Homey-secure-

I love the product and I really hope to get some input from you how I can get my setup to a more secure state. Currently I’m hesitant to add more apps and I’m baffled about those who add locks, alarm systems etc.

Could you please:

  1. Update on the progress of implementing 2FA (maybe use Google?)
  2. Elaborate on how you work with improving the security and what is on the roadmap
  3. Give me some tips on how I can improve the security of my Homey setup (e.g. set up a VPN tunnel)

Thanks

4 Likes

Hi mmell,

first of all: Welcome to this forum! Good to see you found your way here.

Second: based on your topic, I would like to clarify that this is not a forum hosted, maintained and moderated by athom itself. It is in fact, a forum made by the community, for the community. Basically everyone, with the expection of Bram, is a Homey user, not a Homey staff member.

I am not a developer or similar, so I can’t comment on https and similar questions, but I would like to point out that:

I hope this answers some of your concerns. Because I am not a Athom staff member, I cannot answer your first 2 questions. Perhaps someone with more technical knowhow can help you with the 3th question

1 Like

Thanks for the quick response. How do I get in touch with Homey directly?

2FA was oficially requested in April 2017. So I guess it will come :soon: (pun intended)

I suggest sending them an email:
support@athom.com

1 Like

These folks seems more privacy focused: https://www.animushome.com/en/

Anyone that tried it out?

1 Like

Nice Posting hirachy here…

register, complain about security, post “better” Product…

Sorry, but the Product you linked does the same as the Homey does. He communicates with the devices you add. Some of then also require control via a cloud based solution. Whenever that is not required they (seem, i haven’t tested it) use local control. That is exactly how athom and Homey does it.

For Security i would suggest, you go and remove all your SmartHome stuff again, as all of them which are using an app also punshed holes into your firewall, as all of them will contact the servers of thei manufacturers to link you with your app to your product.

Just checked their website. I guess it depends on your on preferences. The number of devices supported is somewhat limited. I’m missing my 2 TV’s, Chromecast, Xiaomi, some Zigbee devices, a whole lot of KlikAanKlikUit devices. Also, things like spotify, ifttt and such are not supported. I personally love Homey because it doesn’t only support devices, but also connects to other online services. I don’t know what it can do, but you’re free to check it.

I must agree with @carp3-noctem that every smart home product has security limitations, but I don’t feel Homey’s security is bad. You’ve failed to respond to my earlier post. Does that not answer your concerns? Also, I miss that part on the website you mentioned where the high security priority is mentioned and the methods they use (which should be superiour to Homey, given your post).

Sorry if I stepped on some toes here. Not my intention. I just googled around and stumbled upon that product and noted that they flag that no cloud access is needed. I have no affiliations with them.

@ carp3-noctem so do I understand you correctly that the only security measure to improve home automation security is to not have it at all? VPN etc won’t help?

@ Neuron44 thanks for the e-mail link, I dropped them a line and we’ll see what they say.

@all do you see security as a concern and are thinking about ways to mitigate? Seems like this is a non-issue for most people? :man_shrugging:t3:

@romell no, i don’t say that needs to be this way. But it it the best way to have security.

As you may see, all different apps are normaly used to connect to a device that is behind your firewall, so the device has a connection to a server (where a user doesn’t know what data will be send / used and how it is encrypted or not)

So at least for the security thinks (e.g. the mentioned doorlocks) i would (and have) avoided the use of a cloud based soltion (exept the nello device is use for main house entry). For the rest i use Homey with it’s features and can’t complain about an issue.

How would a VPN help, if devices that are connected to their manufacturer servers are sending out data and also let you into your own home.

For me, it makes more sense to just have one open hole (homey) instead of 10. Also the approach athom makes with homey is the same as the linked company:
Providing a translation device that make your tech stuff available via their user endpoint. So Homey itself is also available local and via their app as well from away.

I hope i not have offended you with my post, but sometimes you have a lot of such posts and after that the people never come back and like to discuss (that is what this place is for, right?)

I wouldnt be worried about people ‘hacking’ your home from security holes created in your firewall by third party apps. Not when you can just flood spectrum with a cheap device which will stop all devices communicating as they walk to the door.

Your focusing on the wrong attack vector, but regardless of that if security is really a concern, you prob should not have a smart house.

And invest in window bars, statistically speaking the no chance of someone using an exploit in a Home Automation controller (which is not identifiable from outside the home) to get access to your house … vs the number of bricks thrown through windows each hour.

I’m sorry I know this isn’t answering your question, but I don’t see any major differences between Homey and animus.

For me, it makes more sense to just have one open hole (homey) instead of 10. Also the approach athom makes with homey is the same as the linked company:

But Homey’s controls are cloud-to-cloud, no? So you still need those 10 holes in order for it to work?

So to sum up.

What I can do as a user

  • Be mindful of what devices I connect to Homey (e.g. stay away from things sensitive for others to get access to, e.g. alarms, cameras, etc)

What Homey can do

  • Improve privacy control (e.g. settings of what gets logged and what does not get logged)
  • Explore a local-only mode that isn’t dependent on the cloud
  • Secure the user accounts by offering 2FA

It seems like the most apparent attack vector is the user account, so I would say there is a case there for Homey to just add 2FA.

Am I missing something?

As far as I know, homey will still work when you deny it access to the web. It’ll be somewhat limited of course since you won’t be able to contact it from outside your LAN and apps won’t be able to retrieve information from the internet, but it’ll still work. You should be able to control it through a VPN though.

Anyway, whilst I do not see things as B/W as you seem to do, I did take care my security systems are not connected to homey. The alarm system, camera’s and even the central heating system do not share the same network with anything else in my home. If somebody succeeds in hacking the homey, it will be an inconvenience, but that’s it. To me, that’s just common sense.

1 Like

Precisely the type of input I’m looking for. Thank you. So basically you are mitigating by separating services on different networks. Are you using the same or separate routers?

I don’t think it is common sense. Many people just connect basically anything and then trust the provider to solve the rest.

And some make vpn work and disconnects everything from hackers and leave the bedroom window open with a ladder lying in the garden.

The secure part uses its own router. I know it’s not 100% secure, but than again, what is? If people want to break in, they’ll probably resort to the good old brick through the window method.

1 Like

Thanks for the info. It’s an interesting idea to make a split like that.

Regarding the recurring comments about physical security…

Yes I know that people can break into my home. But that is not an argument for not caring about the security around what I expose digitally. You can care about both (also there are a few more attackers in the digital world, incl automated attacks).

With that being said, there have been some valuable input here with regards to discussing VPN, splitting networks, thinking twice about which apps you connect, etc. So happy to hear more on this more productive part of the thread!

Isn’t this where the Norton Core, Bitdefender Box2 or CUJO AI smart firewall come in? If you are that focussed on Homey’s Security?

2 Likes