    Vulnerability in the Insteon Hub

    One of the reasons why I purchased my Insteon products is so I can control things while I'm away. After checking into how the Insteon hub works, I'm a bit afraid to open up a port forward on my Sophos UTM9 firewall to control my hub from the internet. There is no SSL and Cisco has released a security bypass vulnerability for the hub.

    Does anyone know when this problem will be resolved? Here is the alert on Cisco's site: http://tools.cisco.com/security/cent...?alertId=33393

    Please follow up when there is a new release that addresses SSL and this vulnerability.

    thanks,

    EddieRock

    #2
    DANG, this is dangerous. I could swear this was happening to me one night.

    I was just sitting there, and one of my switches was going on and off repeatedly, for quite a while, at various times.

    I wondered if maybe someone could get in without security!

    I agree, better security IS NEEDED!



      #3
      This is why I have not forwarded the port. I figured my wifi reaches far enough outside that I can use my home's wifi to turn on my lights in the car.


        #4
        I've turned port forwarding off because there is no security at the hub when accessed via the web interface.
        http://192.168.1.xx:xxxxx/network.htm will get you right in with no authentication challenge. (replace the x's with your IP and port, this page is how I set the time on my hub).
        Thought, ok, but I'm on the local network. Maybe it's smart enough to know I'm not a hacker.

        Then tried it from the outside. Was able to access just fine with no login required.

        Initially, I changed the port. It's likely that there are scanners looking for the default port.
        Then I decided to just disable it until it's more secure.

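An added example, not part of post #4 and not Insteon code: a self-check an owner can run against their own hub's address to see whether a request without credentials gets a login challenge, and whether that challenge would travel over plain HTTP. The function name and verdict strings are made up for this example; the URL argument is whatever address and port your own hub uses.

```python
import http.client
import sys
from urllib.parse import urlsplit


def check_auth_challenge(url, timeout=5.0):
    """Send one GET without credentials and classify the server's answer."""
    parts = urlsplit(url)
    cleartext = parts.scheme == "http"
    conn_cls = http.client.HTTPConnection if cleartext else http.client.HTTPSConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    result = {"url": url, "cleartext": cleartext, "status": None, "challenge": ""}
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()  # http.client never follows redirects
        resp.read()
        result["status"] = resp.status
        result["challenge"] = resp.getheader("WWW-Authenticate", "")
    except (OSError, http.client.HTTPException):
        # Refused, timed out, malformed reply, or a failed TLS handshake.
        result["verdict"] = "unreachable"
        return result
    finally:
        conn.close()

    status = result["status"]
    scheme = result["challenge"].split(" ", 1)[0].lower()
    if status == 401 and scheme:
        # Basic auth only base64-encodes the password, so on plain HTTP
        # anyone on the path can read it.
        basic_in_clear = cleartext and scheme == "basic"
        result["verdict"] = "auth-cleartext" if basic_in_clear else "auth-required"
    elif 200 <= status < 300:
        result["verdict"] = "open-no-auth"  # page served with no challenge
    elif 300 <= status < 400:
        result["verdict"] = "redirect"  # check the redirect target by hand
    else:
        result["verdict"] = "other"
    return result


if __name__ == "__main__":
    # Pass your own hub's URLs, e.g. the network.htm page from the post above.
    for target in sys.argv[1:]:
        print(check_auth_challenge(target))
```

Run it once from inside the LAN and once from outside; anything other than "auth-required" on the outside address is a reason to keep the port forward off.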


          #5
          The "network.htm" tag does not work from here at all. If I include the port number, then a login is requested, with or without the tag.
          Message from Forum Admin: stusviews passed away in April 2018. Stu was a huge fan of Insteon and a huge presence on both the Smarthome and Insteon forums, helping thousands of us along the way (he had nearly 20,000 posts to his name). We thank him for his contributions, dedication, and passion for making the Smart Home a reality. He will truly be missed.
          Saving energy is not always free. Be a world saver.


            #6
            Do we know if this was ever fixed and we can communicate to the hub securely via SSL? I would like documented proof that this vulnerability is resolved before I expose my home automation to the internet and connect from the android app.

            thanks,

            EddieRock


              #7
              I'm surprised Insteon has yet to respond to Cisco or do anything about this considering it's been reported over a year ago. Makes me worried about the security of HA devices. Imagine how many people probably don't even know about this.


                #8
                Can Insteon comment on this thread? I know moderators watch these posts. I'd like to know if there is an SSL option between the Hub and the App so all usernames and passwords are passed securely. It would be best to use an SSL certificate that uses 2048-bit encryption and TLS 1.2 so it can't be hacked. I don't think a third party authority would be required. Just a certificate generated by the hub and the client requiring SSL/TLS should simply fix my main security concerns.


                  #9
                  The vulnerability that Cisco found was published March, 2014. It's possible that they did not have the latest (at that time) device. The solution was published August, 2013.

                  https://www.trustwave.com/Resources/...-023/?fid=3869


                    #10
                    This only applies to the Hubv1 from 2012. Insteon already issued out a recall for those Hubs. The Hubv2 uses SSL encryption when sending commands back and forth.


                      #11
                      I think Insteon should address this issue directly to their customers and answer the vulnerability issues one by one and indicate if they are fixed and that SSL/TLS is enabled. I don't think this has been communicated to anyone. Does the lack of communication mean that it wasn't addressed?

                      Insteon, please comment on this! Please don't just post a link to a third party site that talks about vulnerabilities about your old discontinued products.

                      EddieRock
