Warning: this topic discusses a deep technical network issue. It should not be an issue for most average Homey Pro users on default consumer Internet connections.
The pros and cons of DNS Rebinding protection
Athom uses a technique for secure communication on your Local Network (WiFi) that possibly conflicts with another security option available in newer consumer routers and access points.
I created this Topic to provide a central place to discuss the issue and possible solutions.
Please let me know if you want to Edit this Topic.
The issue with DNS Rebinding.
Technically, it could be possible for remote attackers to use several ways of DNS rebinding to access a device on your local network by sending local IP addresses on your DNS requests. As this could be unwanted, it is possible to protect yourself with several options:
Rebind Protection in WebBrowsers
Rebind Protection in DNS Resolvers / Routers.
…
Rebind protection in DNS resolvers / routers filters out (all or some of) the local IP addresses in responses to DNS requests to the internet. Several newer routers have that option and enable it by default. Sometimes the option is added to provider routers/modems in newer firmware and enabled.
The Issue with Homey using DNS Rebind protection
When you're at home, Homey first tries to use a local secure connection (HTTPS). Only when local TLS does not work, Homey uses a local insecure connection (HTTP).
Homey uses an SSL certificate (it needs to, for encryption), and for that certificate it needs to be accessed using an FQDN on that certificate. This is the DNS name that Homey uses with your local IP address: 1-2-3-4.homey.homeylocal.com, where the first numbers should reflect your Homey Pro's local IP address separated by dashes. It always resolves to that same IP address.
Usually if the connection in your Homey Mobile App doesn't work "Local (Secure)" it switches to "Local" and drops the extra encryption. This should be no issue as you should be on your own "protected" WiFi / LAN network at that moment.
Sometimes users in the community complain that Homey Pro isn't working stably / often disconnects / etc. In that case you could temporarily test whether disabling DNS Rebind protection in your router solves this issue.
In the case that solves it please report your issue / temporary workaround to Athom Support. (As disabling DNS Rebind protection is your own Risk and choice). Also please report here in this Topic your Network configuration (ISP, Router brand and Firmware version, setting you changed) it could help other community members.
I will create two Reserved Posts for updating with e.g. known issues or configurations and move a recent discussion below. PM me if I missed something, if you have additional information or want to add something to this post. If necessary we can make it a Wiki.
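Added example, not part of the original post and not Athom's code: a Python sketch of the test suggested above, checking whether your resolver still returns the Homey's private address for its homeylocal.com name. The name pattern is the one quoted in the post; the sample IP address, function names and verdict labels are assumptions.

```python
import ipaddress
import socket
import sys

SUFFIX = "homey.homeylocal.com"  # name pattern quoted in the post


def local_fqdn(ip):
    """Build the dashed name for a Homey's local IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    if not addr.is_private:
        raise ValueError(f"{ip} is not a private (LAN) address")
    return str(addr).replace(".", "-") + "." + SUFFIX


def system_resolver(name):
    """Ask the OS resolver (and so the router's DNS) for A records."""
    try:
        infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # NXDOMAIN, empty answer, or no DNS reachable
    return sorted({info[4][0] for info in infos})


def check_rebind_filtering(ip, resolve=system_resolver):
    """Return (name, answers, verdict) for the Homey at `ip`."""
    name = local_fqdn(ip)
    answers = resolve(name)
    if ip in answers:
        verdict = "ok"          # private address came through
    elif not answers or all(ipaddress.ip_address(a).is_unspecified for a in answers):
        verdict = "filtered"    # answer dropped or rewritten to 0.0.0.0
    else:
        verdict = "unexpected"  # some other address was returned
    return name, answers, verdict


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real lookup for the address given on the command line
        print(check_rebind_filtering(sys.argv[1]))
    else:  # offline demo with constructed resolver answers
        for fake in (["192.168.1.50"], [], ["0.0.0.0"]):
            print(check_rebind_filtering("192.168.1.50", lambda _n, f=fake: f))
```

A "filtered" verdict also appears when the machine has no working DNS at all, so confirm that an ordinary public name resolves before blaming rebind protection.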
Yes, this is better, than some competitors, does not havin' https at all. May-be the same reason, do not have browsers/developers complain. No certificate - no problem
Using HTTPS on a local network doesn't add a whole lot of security, certainly not so much that it warrants having to disable DNS rebinding attack protection to get it working. It also requires an always-on internet connection, because the hostname should be resolvable.
From my point of view it really depends. But for me personally seems, that unencrypted traffic in "public network" is little bit bigger sin than …
Yeah, sorry, but most of nowadays home-users WiFi networks are actually just waiting someone to join ;(
So, may-be then for Athom - give to Homey also certificate with alias from local DNS, not a "one for all" - "*.homey.homeylocal.com"
I don't see how that's possible, you can't get certificates for hostnames like homey.local.
Regarding bad WiFi networks: at least that requires a relatively close proximity to the network to be abused. And when it gets abused, it's not likely that the communication between Homey and your mobile phone is the likely target. Whereas DNS rebinding attacks can be done remotely and can be just as damaging as a WiFi hack.
Guess Athom follows you on that point and if I remember changed their point. Although not that clear for a normal user what to do but I guess Athom isn't the one responsible for education of users the differences on such a complex topic.
Note: Some routers block a feature called "DNS Rebinding". For a local secure connection to work, this feature must be disabled. We do not advise to do this, but it's something to consider.
So if I understand correctly everything should function the same with DNS rebinding protection enabled. With only difference for connections are local unencrypted.
Actually every Homey knows his hostname - at least i hope so. So, during "E.T. calls home", it's possible to ask also certificates. Yes, this is additional connection and also may lead to some delay during initial connect (and also, when someone changes the hostname). But in theory this must be working.
Yeah, of course… or nope, if The Bad is really interested… or just a DIY-ers with "Pringles cantenna". And even without such equipment. Have seen ~50 different WiFi networks on my phone in "normal situation" (just a dense living block, not some exhibition or something)
About targets… Actually, Homey smells like honey for attacker. For professional - it's the key for doorlock, disarm button for alarm system and also indicator about presence. For amateur it's very interesting to see: Sending packet and there the light switch on.
About communication between phone and Homey - start some sniffer, and look, how many "bonjours" and SSDP-s You can count from Homey during a minute. So, target is self-advertising. Only sniff some real connection (as this is WiFi, then it's public, no need to fool switches) and take the bearer.
On my local network, Homey's hostname is "Homey". That's not something you can get a certificate for. It's also not how the app connects with Homey (because it depends too much on your local setup to actually work). That's why the homeylocal.com workaround is used.
Agreed, Homey is a great target. And if people are stupid enough to use bad WiFi, they're also stupid enough to use Homey as an alarm system But if I were a professional, I would look into how each Homey receives the private keys for the *.homeylocal.com certificate from Athom's servers: endless MITM possibilities
AFAIK, there's no such thing as extending a certificate, you'll just get a new one. With a new private key.
A Homey can't request this by itself (because of validation), so it's something that Athom needs to do on their servers and then distribute the new certificate (including its private key) among all active Homey's.
Neither. It uses Let's Encrypt, so the certificates are accepted by pretty much all TLS implementations, but Let's Encrypt doesn't perform identity validation (only domain validation).
Yes I know, the "Certificate" itself is new but the Priv Key isn't necessary. With all other info the same I guess it is often called "Renew" a Certificate.
Can I use an existing private key or Certificate Signing Request (CSR)?
Yes, but not all clients support this feature. Certbot does.
But pretty sure Athom can let Homey Pro's replace Both the Certificate and the Private Key without Firmware changes. Guess Homey has a standard service that Request and installs it at a Homey Cloud server.
The only way I see how is by downloading both from Athom servers at a regular interval. Because it's a wildcard certificate, DNS validation is required so renewing the certificate is not something that a Homey can do by itself automatically. Also, I assume that every Homey uses the exact same certificate.