Jump to content

Insteon Hub Security issue

LFMc

By LFMc
in Insteon

Recommended Posts

LFMc Advanced

LFMc

Posted
Posted

Is anyone familar with this reported issue on the hub?  Any workarounds?  Is Smarthome addressing this issue? I know some are running Insteon hubs in parallel to the ISY, so I thought this might be relevant.  Is this even something to be concerned about? 

 

Quote from article: "Rapid7 discovered two unpatched issues related to authentication and radio transmission security of the Insteon Hub. Firstly the account login and passwords for both Insteon services and the Hub hardware are stored unencrypted. In addition the radio transmissions between the hub and connected devices are unencrypted. This means malicious actors can easily capture the radio signals at any time to manipulate any device being managed via the Insteon Hub."

 

https://www.theregister.co.uk/2017/09/25/home_hub_insecurity/

 

 

Link to comment
Share on other sites
Teken Advanced

Teken

Posted
Posted

Is anyone familar with this reported issue on the hub?  Any workarounds?  Is Smarthome addressing this issue? I know some are running Insteon hubs in parallel to the ISY, so I thought this might be relevant.  Is this even something to be concerned about? 

 

Quote from article: "Rapid7 discovered two unpatched issues related to authentication and radio transmission security of the Insteon Hub. Firstly the account login and passwords for both Insteon services and the Hub hardware are stored unencrypted. In addition the radio transmissions between the hub and connected devices are unencrypted. This means malicious actors can easily capture the radio signals at any time to manipulate any device being managed via the Insteon Hub."

 

https://www.theregister.co.uk/2017/09/25/home_hub_insecurity/

 

Great article and its interesting how quickly Wink offered a patch to the Android platform. I can't honestly say this will be the case for the Insteon Hub as way back in the day the Hub v1 had similar issues. The Smartlabs company never resolved that issues for existing users and simply released a Hub v2. Then, later released what many know as the Hub which is technically called the Hub II.

 

If this article pushes the new owner of Smartlabs to finally push for encryption in all aspects. good! 

Link to comment
Share on other sites
Teken Advanced

Teken

Posted
Posted

I saw that in a link on Insteon.com forums. A few days ago.

Since it is put out as a User To User Forum. There are no posts to it from anyone yet.

I suspect Smartlabs may read it but will not comment on it.

 

One would hope they do more than just read the forum thread. But, if history is any indicator a break fix won't be forth coming very quickly ~ if at all. You all know what they say about *Hope*. 

 

Hope don't float . . .

 

Link to comment
Share on other sites
MWareman Advanced

MWareman

Posted
Posted

Interesting...

 

In addition the radio transmissions between the hub and connected devices are unencrypted. This means malicious actors can easily capture the radio signals at any time to manipulate any device being managed via the Insteon Hub
This is a feature of Insteon, not a flaw. It’s why you shouldn’t use Insteon to control a garage door.
Link to comment
Share on other sites
larryllix Advanced

larryllix

Posted
Posted

Is anyone familar with this reported issue on the hub?  Any workarounds?  Is Smarthome addressing this issue? I know some are running Insteon hubs in parallel to the ISY, so I thought this might be relevant.  Is this even something to be concerned about? 

 

Quote from article: "Rapid7 discovered two unpatched issues related to authentication and radio transmission security of the Insteon Hub. Firstly the account login and passwords for both Insteon services and the Hub hardware are stored unencrypted. In addition the radio transmissions between the hub and connected devices are unencrypted. This means malicious actors can easily capture the radio signals at any time to manipulate any device being managed via the Insteon Hub."

 

https://www.theregister.co.uk/2017/09/25/home_hub_insecurity/

We have been hearing this for years and yet nobody has been able to make it happen despite some pretty smart ones trying.

 

The protocol was found to not follow the white papers SH published.

 

I think it all comes back to the perceived end gain is not worth the effort for criminals. My "Protected by Insteon" stickers are doing the job as well as any of the other security brands ever did. :)

Link to comment
Share on other sites
LFMc Advanced

LFMc

Posted
  • Author
Posted

I think it all comes back to the perceived end gain is not worth the effort for criminals. My "Protected by Insteon" stickers are doing the job as well as any of the other security brands ever did. :)

 

I prefer the security sign "Protected by the Smith & Wesson Protocol" myself.  :-P

Link to comment
Share on other sites
Teken Advanced

Teken

Posted
Posted

I prefer the security sign "Protected by the Smith & Wesson Protocol" myself. :-P

A number of years ago a large group of us banded together in hopes of cross knowledge sharing.

 

In almost every area from agriculture, medical, plumbing, electrical, engineering, framing, networking, fire fighting, deep well drilling, security, industrial applications, solar PV / off grid, force protection, winter survival, hand to hand combat, communications, and many other soft skills.

 

Since many of us enjoy shooting and plinking.

 

As an inside joke, Team 86 put this out at a few locations in the field and at home.

 

6588181f4787eb991a35fbe7972a56de.jpg

 

 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...