Jump to content

Insteon Hub Security issue


LFMc

Recommended Posts

Posted

Is anyone familar with this reported issue on the hub?  Any workarounds?  Is Smarthome addressing this issue? I know some are running Insteon hubs in parallel to the ISY, so I thought this might be relevant.  Is this even something to be concerned about? 

 

Quote from article: "Rapid7 discovered two unpatched issues related to authentication and radio transmission security of the Insteon Hub. Firstly the account login and passwords for both Insteon services and the Hub hardware are stored unencrypted. In addition the radio transmissions between the hub and connected devices are unencrypted. This means malicious actors can easily capture the radio signals at any time to manipulate any device being managed via the Insteon Hub."

 

https://www.theregister.co.uk/2017/09/25/home_hub_insecurity/

 

 

Posted

Is anyone familar with this reported issue on the hub?  Any workarounds?  Is Smarthome addressing this issue? I know some are running Insteon hubs in parallel to the ISY, so I thought this might be relevant.  Is this even something to be concerned about? 

 

Quote from article: "Rapid7 discovered two unpatched issues related to authentication and radio transmission security of the Insteon Hub. Firstly the account login and passwords for both Insteon services and the Hub hardware are stored unencrypted. In addition the radio transmissions between the hub and connected devices are unencrypted. This means malicious actors can easily capture the radio signals at any time to manipulate any device being managed via the Insteon Hub."

 

https://www.theregister.co.uk/2017/09/25/home_hub_insecurity/

 

Great article and its interesting how quickly Wink offered a patch to the Android platform. I can't honestly say this will be the case for the Insteon Hub as way back in the day the Hub v1 had similar issues. The Smartlabs company never resolved that issues for existing users and simply released a Hub v2. Then, later released what many know as the Hub which is technically called the Hub II.

 

If this article pushes the new owner of Smartlabs to finally push for encryption in all aspects. good! 

Posted

I saw that in a link on Insteon.com forums. A few days ago.

Since it is put out as a User To User Forum. There are no posts to it from anyone yet.

I suspect Smartlabs may read it but will not comment on it.

Posted

I saw that in a link on Insteon.com forums. A few days ago.

Since it is put out as a User To User Forum. There are no posts to it from anyone yet.

I suspect Smartlabs may read it but will not comment on it.

 

One would hope they do more than just read the forum thread. But, if history is any indicator a break fix won't be forth coming very quickly ~ if at all. You all know what they say about *Hope*. 

 

Hope don't float . . .

 

Posted

Interesting...

 

In addition the radio transmissions between the hub and connected devices are unencrypted. This means malicious actors can easily capture the radio signals at any time to manipulate any device being managed via the Insteon Hub
This is a feature of Insteon, not a flaw. It’s why you shouldn’t use Insteon to control a garage door.
Posted

Is anyone familar with this reported issue on the hub?  Any workarounds?  Is Smarthome addressing this issue? I know some are running Insteon hubs in parallel to the ISY, so I thought this might be relevant.  Is this even something to be concerned about? 

 

Quote from article: "Rapid7 discovered two unpatched issues related to authentication and radio transmission security of the Insteon Hub. Firstly the account login and passwords for both Insteon services and the Hub hardware are stored unencrypted. In addition the radio transmissions between the hub and connected devices are unencrypted. This means malicious actors can easily capture the radio signals at any time to manipulate any device being managed via the Insteon Hub."

 

https://www.theregister.co.uk/2017/09/25/home_hub_insecurity/

We have been hearing this for years and yet nobody has been able to make it happen despite some pretty smart ones trying.

 

The protocol was found to not follow the white papers SH published.

 

I think it all comes back to the perceived end gain is not worth the effort for criminals. My "Protected by Insteon" stickers are doing the job as well as any of the other security brands ever did. :)

Posted

I think it all comes back to the perceived end gain is not worth the effort for criminals. My "Protected by Insteon" stickers are doing the job as well as any of the other security brands ever did. :)

 

I prefer the security sign "Protected by the Smith & Wesson Protocol" myself.  :-P

Posted

I prefer the security sign "Protected by the Smith & Wesson Protocol" myself. :-P

A number of years ago a large group of us banded together in hopes of cross knowledge sharing.

 

In almost every area from agriculture, medical, plumbing, electrical, engineering, framing, networking, fire fighting, deep well drilling, security, industrial applications, solar PV / off grid, force protection, winter survival, hand to hand combat, communications, and many other soft skills.

 

Since many of us enjoy shooting and plinking.

 

As an inside joke, Team 86 put this out at a few locations in the field and at home.

 

6588181f4787eb991a35fbe7972a56de.jpg

 

 

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing

    • No registered users viewing this page.
  • Who's Online (See full list)

  • Forum Statistics

    • Total Topics
      37.2k
    • Total Posts
      372.5k
×
×
  • Create New...