
Can Insteon be secure and backwards compatible?


JimMc


Are you guys worried that someone is going to come up close enough to your house to pick the radio com between Insteon devices and start controlling your lights? I'm not so worried about that happening. Maybe that is why Insteon doesn't make door locks?

That's what security cameras are for! My favorite is the Dahua IPC-HDW5231R-Z; $170 shipped direct from China.

 

 

 

 


Link to comment

Are you guys worried that someone is going to come up close enough to your house to pick the radio com between Insteon devices and start controlling your lights?   I'm not so worried about that happening.  Maybe that is why Insteon doesn't make door locks?

Other than some uber-nerd playing pranks, that is not the issue. If we want/expect Insteon to be a "player" in HA going forward, it has to adopt some reasonable level of security. Otherwise it will be excluded by the much bigger companies that are bringing HA mainstream.

Link to comment

Other than some uber-nerd playing pranks, that is not the issue. If we want/expect Insteon to be a "player" in HA going forward, it has to adopt some reasonable level of security. Otherwise it will be excluded by the much bigger companies that are bringing HA mainstream.

Insteon protocol is not home automation.  It is home control.  Home automation is done by ISY and other similar devices.  ISY for one has excellent security.  

 

Again, I simply don't see where a home owner should be concerned about some jokester sneaking up to their house to turn lights on and off.  For example, when I was 12 I thought it was great fun to sneak up to someone's window and point the cable remote at their TV and change the channels on them, but I quickly tired of that trick, as I suspect an Insteon trickster would.

Link to comment

I'm in the mindset that needing encryption is overrated with Insteon's current lineup. If they ever wanted to pursue a wider use of their devices (such as for alarm systems) then yes it would make sense. The fact that consumers want to feel like their system is secure (even though there are many other ways to do something) means encryption is needed.

Link to comment

I'm in the mindset that needing encryption is overrated with Insteon's current lineup. If they ever wanted to pursue a wider use of their devices (such as for alarm systems) then yes it would make sense. The fact that consumers want to feel like their system is secure (even though there are many other ways to do something) means encryption is needed.

 

Speaking more in a broader sense, failure to adopt and implement some kind of security protocol leaves you at a disadvantage when compared to the other market leaders. Given the endless and rampant online threats on the Internet it simply doesn't bode well from a marketing, adoption, and long-term strategy.

 

In 2017 if a product doesn't integrate and use the most basic security features in today's world.

 

You Lose . . . 

Link to comment

Teken,

I agree in regards to marketing only. Unfortunately perception is reality. The avg consumer will look for secure devices yet have an open wireless network or use their phone number as the password.

Because devices are not connected directly to the internet, the likelihood of them individually being hacked is probably zero. The controller itself would be the weak link at that point so standard measures need to be done at a minimum. With that said, multinational corporations and governments get hacked on a regular basis. I highly doubt a 50 dollar router along with an 80 dollar controller will stop the most dedicated of hackers.

Link to comment

Teken,

I agree in regards to marketing only. Unfortunately perception is reality. The avg consumer will look for secure devices yet have an open wireless network or use their phone number as the password.

Because devices are not connected directly to the internet, the likelihood of them individually being hacked is probably zero. The controller itself would be the weak link at that point so standard measures need to be done at a minimum. With that said, multinational corporations and governments get hacked on a regular basis. I highly doubt a 50 dollar router along with an 80 dollar controller will stop the most dedicated of hackers.

True . . .

 

But, that doesn't negate the simple fact everyone should follow and implement best security practices. We all know locks are intended to keep honest people out. But, do people really believe leaving their homes unlocked is the best practice? My uncle who owned a farm way back in the day would always leave his keys in the tractor, car, whatever.

 

He would never lock the door to the car / home, ever . . .

 

His mindset was he was so remote that it made no sense and the likelihood of a break-in was near nil.

For more than 50 years he was right ~ Fast forward his farm land and area was subdivided and brought in who / what?

 

People . . .

 

No sooner did the first crop of homes get occupied what did he find out?

 

His tractor gone and miles down the road due to a few kids wanting a joy ride.

 

A year later he comes back from the store to find his root cellar and barn wide open and canned goods and vegetables everywhere.

 

My uncle no longer leaves the keys in the tractor, car, unlocked. He no longer leaves the barn, cellar, or home unlocked. Like my old uncle he too had to adapt and this is what Smartlabs / Insteon must do in 2017. Failure to do so will leave them in exactly the same spot they are in now ~ Alone.

Link to comment

One must note that lumped into the entire "security" discussion is the concept of ensuring that data is not tampered with in transit -- which is exactly what's happening, according to the prevailing theories, to cause the dreaded "ALL-ON" problem.  Data corruption is a security issue.

 

I'll also note that security relates to a lot more than door locks and garage doors with Insteon -- those with Insteon thermostats in the northern climates should be taking steps to protect their homes from freezing, and those with sump-pumps controlled by Insteon devices should ensure they have a battery-backup, etc.  And again, it's not just about someone being malicious; security means protection from accidental or any other unintended operation, regardless of the source.

 

And yes, the ISY clearly has the most exposed attack surface for any of us - that's the high-value target for any "criminal" or "mischief-maker".  But from accidental/unintentional issues, probably the most severe vulnerability is the PLM's "ALL-ON" issue - and UDI is certain that's got nothing to do with your ISY.

Link to comment

One must note that lumped into the entire "security" discussion is the concept of ensuring that data is not tampered with in transit -- which is exactly what's happening, according to the prevailing theories, to cause the dreaded "ALL-ON" problem.  Data corruption is a security issue.

 

I'll also note that security relates to a lot more than door locks and garage doors with Insteon -- those with Insteon thermostats in the northern climates should be taking steps to protect their homes from freezing, and those with sump-pumps controlled by Insteon devices should ensure they have a battery-backup, etc.  And again, it's not just about someone being malicious; security means protection from accidental or any other unintended operation, regardless of the source.

 

And yes, the ISY clearly has the most exposed attack surface for any of us - that's the high-value target for any "criminal" or "mischief-maker".  But from accidental/unintentional issues, probably the most severe vulnerability is the PLM's "ALL-ON" issue - and UDI is certain that's got nothing to do with your ISY.

 

Assuming for a moment there was no need for remote access then leaving the controller on a closed network would remove that threat vector. To be clear with respect to the ALL ON / ALL OFF debacle this only impacts Insteon networks using the ISY Series Controller.

 

There has never been a reported ALL ON / ALL OFF incident using any other home automation controller in the market place.

 

Ever . . . 

Link to comment

Once again however, each one of those devices would need something in front of it to connect to it remotely. Judging by the numerous posts on here about lack of range, I highly doubt someone could get close enough to a person's house to hack their Insteon thermostat directly.

Reminds me of a story where I was putting locks on someone's house. They were afraid of someone hacking their system and breaking in. W/O saying a word, I walked to their backyard, took a chair from their patio, opened their kitchen window, and climbed in. Could someone hack in and unlock his doors? Of course, but there are much easier methods to do so.

 

The all on stuff is all theory. It's only a security issue if you have your garage door on an IOLinc. Remove that and it becomes a nuisance bug. With that said, the cause has not been pinpointed. It's easy to blame either company but yet it happens under many different conditions. Blaming the PLM is misguided due to the fact that only the ISY experiences this issue. Not HomeSeer, Indigo, HouseLinc, CastleOS, etc. Even the hubs (based off the PLM) do not have that issue.

Even if you could hack the IOLinc to open a person's garage door, there are still easier and faster ways of opening it. The only true and safe way of doing so would be to be off-site at which point they would go through whatever controller a person was using.

The way Insteon works by default is like having locks on your door and locking them. Encryption would be like putting a heavy duty security door on your house.

If Insteon or Z-Wave were Wi-Fi-based devices I would feel different. To each their own however. I do recognize the prevailing thoughts of many people, so I do agree encryption is needed from a business standpoint. Just not a reality standpoint (for the individual devices).

Link to comment

Are you guys worried that someone is going to come up close enough to your house to pick the radio com between Insteon devices and start controlling your lights? I'm not so worried about that happening. Maybe that is why Insteon doesn't make door locks?

If nearby, and with an SDR, it's technically easy to sniff and determine the address of the PLM and then any arbitrary device, by sniffing and observing.

 

Find a house with the garage door kit and you'll be able to open the garage door at will.

 

Oh, and there are in fact Insteon interfaced door locks (MorningLinc).

Link to comment

Except for means of entry, there are only a couple of mindsets to be concerned about when it comes to security and Insteon; those who hack in regardless of age who do it because they can (i.e., just for the fun of it, like that joyride) and those whose primary motive is vengeance.

BTW, during my happy hippy days I didn't even know where my door key was. I'm not sure I even had one. This in the midst of a major city, never a problem. Possibly having a somewhat vicious dog helped B)

Link to comment

I am thinking I read in a SmartiePants blurb somewhere that Insteon RF is only good for about 15-20 feet module to module. I have a real hard time over 15 feet through my brick to an outside wall SwitchLinc with my mini-remotes.

 

It would be easier to yell through the window.

 

Alexa!

...Tell password O-I-C-U-8-1-2  Unlock front door!

 

....OK

Link to comment

I really can't determine the RF range because I have so many dual-band devices that I don't know if the communication is powerline or RF. But, I do know that 10 feared 7 because 7 8 9.

Link to comment

Z-Wave devices in my house always fail. There are always communication problems that I can't readily troubleshoot. I wish there was a wand Z-Wave receiver that I could use to assess signal strength. The solution is always to add some other repeater.

Link to comment

I have always said, NEVER use Insteon on anything "mission critical".  Not because of security, but rather it simply isn't reliable enough.  If a missed Insteon signal or false signal could harm you or your home, then don't use it!!!  I use it for convenience items only!!!!  It works ~99.something% of the time.  But I would never want my sump pump (I don't actually have one but if I did) to fail to start because of that 1/1000 or whatever missed Insteon event.

 

If you want to MONITOR your sump pump, great, but I would never let it CONTROL my sump pump.

 

I do not recommend it for the garage door at all, nor the sprinkler system, though SH does sell stuff advertised for those purposes, I wouldn't do it.  How would you like to come home and find that your sprinkler system failed to shut down the last zone and ran for a whole week?

 

I use Elk for all of that sort of stuff.  It is hard wired, never "misses" a command and, yeah, super secure.

 

For Insteon, the RF means that someone can physically get near my house, set up camp, wait for me to use my Insteon stuff, and sniff out my addresses and then turn my lights on/off.  But wow, that is just a lot of work for a little laugh.  Maybe add 20 cents to my electric bill (ISY would shut it all down at 3am even if they turned the whole house on and I was out of town).  But I also have security cams around my house and you really can't approach my house without being seen, so I'd find you. :x and get you!

 

Regarding thermostats.  I suggest having your ISY run a program at least once a day that puts your thermostats to the correct settings.  Even if someone "played" with it while you were away, it would self correct.  Furthermore, I would (and do) have ISY send out all kinds of notifications in the event of any funny stuff (like if the actual temp was out of range).

 

Regarding RF range, I can tell you that with wide open line of sight, Insteon thermostats/PLM will do wireless communication for at least 50 feet based on a PLM thermostat only install I did at my church.

Link to comment

I have always said, NEVER use Insteon on anything "mission critical".  Not because of security, but rather it simply isn't reliable enough.  If a missed Insteon signal or false signal could harm you or your home, then don't use it!!!  I use it for convenience items only!!!!  It works ~99.something% of the time.  But I would never want my sump pump (I don't actually have one but if I did) to fail to start because of that 1/1000 or whatever missed Insteon event.

 

If you want to MONITOR your sump pump, great, but I would never let it CONTROL my sump pump.

 

I do not recommend it for the garage door at all, nor the sprinkler system, though SH does sell stuff advertised for those purposes, I wouldn't do it.  How would you like to come home and find that your sprinkler system failed to shut down the last zone and ran for a whole week?

 

I use Elk for all of that sort of stuff.  It is hard wired, never "misses" a command and, yeah, super secure.

 

For Insteon, the RF means that someone can physically get near my house, set up camp, wait for me to use my Insteon stuff, and sniff out my addresses and then turn my lights on/off.  But wow, that is just a lot of work for a little laugh.  Maybe add 20 cents to my electric bill (ISY would shut it all down at 3am even if they turned the whole house on and I was out of town).  But I also have security cams around my house and you really can't approach my house without being seen, so I'd find you. :x and get you!

 

Regarding thermostats.  I suggest having your ISY run a program at least once a day that puts your thermostats to the correct settings.  Even if someone "played" with it while you were away, it would self correct.  Furthermore, I would (and do) have ISY send out all kinds of notifications in the event of any funny stuff (like if the actual temp was out of range).

 

Regarding RF range, I can tell you that with wide open line of sight, Insteon thermostats/PLM will do wireless communication for at least 50 feet based on a PLM thermostat only install I did at my church.

The thermostat idea isn't a bad idea. I mean we turn out every light at 3-4 AM on an all-else-fails last resort, so why not the thermostat too?

 

However...I wonder if having a false temperature setting is a real possibility and more dangerous of self inflicted pain, than resetting it every night? My newer stats have range limits for remote setting, so that helps give a sense of some security. ohhhh...  there's that data security argument again...:)

 

Now you've got under my skin with this one. :)

Link to comment

The thermostat idea isn't a bad idea. I mean we turn out every light at 3-4 AM on an all-else-fails last resort, so why not the thermostat too?

 

However...I wonder if having a false temperature setting is a real possibility and more dangerous of self inflicted pain, than resetting it every night? My newer stats have range limits for remote setting, so that helps give a sense of some security. ohhhh...  there's that data security argument again... :)

 

Now you've got under my skin with this one. :)

 

My only Insteon thermostat setup is at my church.  We have a total of 9 of them.  I have ISY set to do a final shut down (just like how you describe with lighting) and then it repeats every 3 hours through the night.  The idea here is that if the "final" shut down is at 9pm, but someone is still there and sets it back on, it will kick off again at MN, and then 3am again.  My "final" shutdown program sets the mode to auto, the heat, and the cool setpoint, so all of the parameters get set.  Basically, I'm dealing with a "security" issue where a "jokester" might change the settings, but the system is set to recover.  Of course here, it isn't really security since those "jokesters" aren't really jokesters but rather well intentioned parishioners with poor memories who forget to turn off the AC when they leave.

Link to comment

Archived

This topic is now archived and is closed to further replies.

