upstatemike (Author), Posted November 8, 2021

1 hour ago, silverton38 said:
> I also do ELK and DSC security setups but the pricing is much more complex for those installations.

Curious how you select between Elk and DSC for a given situation?

upstatemike (Author), Posted November 8, 2021

2 hours ago, silverton38 said:
> Lutron has no plans to discontinue the Telnet service.

Then what is the value of LEAP if it is not meant to replace the current stuff?

silverton38, Posted November 9, 2021

55 minutes ago, upstatemike said:
> Curious how you select between Elk and DSC for a given situation?

Mainly the cost; I generally give both options and let them choose. Both have good Internet interfaces.

silverton38, Posted November 9, 2021

56 minutes ago, upstatemike said:
> Then what is the value of LEAP if it is not meant to replace the current stuff?

There are already too many integrations with Telnet so they will not get rid of it on Caseta or RA2 select. They may not add it to RA3 but I believe that is unlikely.

upstatemike (Author), Posted November 9, 2021

2 hours ago, silverton38 said:
> Mainly the cost; I generally give both options and let them choose. Both have good Internet interfaces.

So how much cheaper is DSC and why would a customer choose to go more expensive?

simplextech, Posted November 9, 2021

6 hours ago, silverton38 said:
> Lutron has no plans to discontinue the Telnet service.

Telnet was removed from QSX and so far the answer from the regional rep is that Ra 3 "Uses LEAP".

MrBill, Posted November 9, 2021

Telnet is outdated and insecure. Everything including credentials is sent in plain text. Lutron probably can't disable or remove it from older products because they would break too many existing integrations, but including it in anything released in 2021 would be insanity. Not worried about someone hacking your lighting? Sure, no one wants to turn your light on/off... but there are many hackers worldwide that would take advantage of the device and make it a node in a botnet.

silverton38, Posted November 9, 2021

19 hours ago, upstatemike said:
> So how much cheaper is DSC and why would a customer choose to go more expensive?

Much cheaper. I would say about 1/3 of the cost for equipment but almost the same for installation.

silverton38, Posted November 9, 2021

6 hours ago, MrBill said:
> Telnet is outdated and insecure. Everything including credentials is sent in plain text. Lutron probably can't disable or remove it from older products because they would break too many existing integrations, but including it in anything released in 2021 would be insanity. Not worried about someone hacking your lighting? Sure, no one wants to turn your light on/off... but there are many hackers worldwide that would take advantage of the device and make it a node in a botnet.

Keep in mind this is the local home network. If you have physical access to the home then you can just walk over to the light switch and that is easier than hacking a telnet stream.

silverton38, Posted November 9, 2021

The telnet is just device access; there is no security or account access via telnet.

lilyoyo1, Posted November 10, 2021

3 hours ago, silverton38 said:
> Keep in mind this is the local home network. If you have physical access to the home then you can just walk over to the light switch and that is easier than hacking a telnet stream.

Telnet is inherently insecure. In today's world, as big as Lutron is, they must use secure communications regardless of how individuals may feel about it.

silverton38, Posted November 10, 2021

18 minutes ago, lilyoyo1 said:
> Telnet is inherently insecure. In today's world, as big as Lutron is, they must use secure communications regardless of how individuals may feel about it.

That is what is used today in the Hub Pro or the RA2 select hub. Lutron is a massive company so regardless of what we think they set the standard.

lilyoyo1, Posted November 10, 2021

2 minutes ago, silverton38 said:
> That is what is used today in the Hub Pro or the RA2 select hub. Lutron is a massive company so regardless of what we think they set the standard.

What's been used in the past doesn't mean it shouldn't change for the future. As stated earlier, doing so in older systems would cause many more problems than it solves.

MrBill, Posted November 10, 2021

17 hours ago, silverton38 said:
> Keep in mind this is the local home network. If you have physical access to the home then you can just walk over to the light switch and that is easier than hacking a telnet stream.

Let me repeat:

23 hours ago, MrBill said:
> Telnet is outdated and insecure. Everything including credentials is sent in plain text. Lutron probably can't disable or remove it from older products because they would break too many existing integrations, but including it in anything released in 2021 would be insanity. Not worried about someone hacking your lighting? Sure, no one wants to turn your light on/off... but there are many hackers worldwide that would take advantage of the device and make it a node in a botnet.

You're assuming that a device on a local network doesn't need to be secure... bad assumption. If it has memory and a processor it's subject to hacks... and it can still do its primary job while being something else for someone somewhere else. And if not that device, perhaps one of the devices that devices with stored credentials on that device.

Edited November 10, 2021 by MrBill

silverton38, Posted November 10, 2021

7 hours ago, MrBill said:
> Let me repeat: You're assuming that a device on a local network doesn't need to be secure... bad assumption. If it has memory and a processor it's subject to hacks... and it can still do its primary job while being something else for someone somewhere else. And if not that device, perhaps one of the devices that devices with stored credentials on that device.

Lutron is huge and I am sure they know what they are doing. Telnet only gives you the ability to turn on, off or dim. That can be done manually just as easy so there is no extra security risk that I can see. There is no known security issue with Lutron Telnet that I am aware of.

Edited November 10, 2021 by silverton38

silverton38, Posted November 10, 2021

19 hours ago, lilyoyo1 said:
> What's been used in the past doesn't mean it shouldn't change for the future. As stated earlier, doing so in older systems would cause many more problems than it solves.

I would agree but they are unlikely to remove the feature because people specifically paid for this feature in the HUB PRO and RA2 Select.

Edited November 10, 2021 by silverton38

lilyoyo1, Posted November 10, 2021

52 minutes ago, silverton38 said:
> I would agree but they are unlikely to remove the feature because people specifically paid for this feature in the HUB PRO and RA2 Select.

Who said anything about them removing it? Everything that was written was about them no longer using telnet for Ra3. No one said anything about them removing anything from anything else.

simplextech, Posted November 10, 2021

59 minutes ago, silverton38 said:
> Lutron is huge and I am sure they know what they are doing. Telnet only gives you the ability to turn on, off or dim. That can be done manually just as easy so there is no extra security risk that I can see. There is no known security issue with Lutron Telnet that I am aware of.

The risk comes from the thousands of installs that were running the default integration username/password. This was corrected a little while ago in a firmware/designer update which forced the changing of the default credentials. Primary risk comes from network access in general. If you have solid perimeter network security and controls, i.e. good SSID security and passwords, then it's less of a problem unless you have an accessible switch with enabled ports.

Anyways, also realize the Lutron system is not "just lights". You can control a whole host of other things from garage doors, entry doors, fireplaces, spas, etc. Anything with relay control can be done via Lutron integration. Granted this is all from Ra 2 and HomeWorks and is not available in RA2 Select or Caseta.

silverton38, Posted November 11, 2021

3 hours ago, simplextech said:
> The risk comes from the thousands of installs that were running the default integration username/password. This was corrected a little while ago in a firmware/designer update which forced the changing of the default credentials. Primary risk comes from network access in general. If you have solid perimeter network security and controls, i.e. good SSID security and passwords, then it's less of a problem unless you have an accessible switch with enabled ports. Anyways, also realize the Lutron system is not "just lights". You can control a whole host of other things from garage doors, entry doors, fireplaces, spas, etc. Anything with relay control can be done via Lutron integration. Granted this is all from Ra 2 and HomeWorks and is not available in RA2 Select or Caseta.

We will just have to rely on the large corporation keeping up its security. I have faith in Lutron and have many installations without the slightest issue.

lilyoyo1, Posted November 11, 2021

3 minutes ago, silverton38 said:
> We will just have to rely on the large corporation keeping up its security. I have faith in Lutron and have many installations without the slightest issue.

Just because you haven't had an issue doesn't mean others haven't. Even so, even if nothing has ever happened, they have to plan ahead to lessen the chance something could happen. Unlike you with singular installs, 1 story getting out on Lutron can cost them millions if not more.

silverton38, Posted November 11, 2021

32 minutes ago, lilyoyo1 said:
> Just because you haven't had an issue doesn't mean others haven't. Even so, even if nothing has ever happened, they have to plan ahead to lessen the chance something could happen. Unlike you with singular installs, 1 story getting out on Lutron can cost them millions if not more.

I am not aware of anyone having a security issue with Lutron HUB PRO or RA2. Telnet is an option and if you are concerned then do not turn it on.

lilyoyo1, Posted November 11, 2021

8 hours ago, silverton38 said:
> I am not aware of anyone having a security issue with Lutron HUB PRO or RA2. Telnet is an option and if you are concerned then do not turn it on.

See previous post. Regardless of whatever it is you're fighting for, this is moot. Lutron has made the decision to use LEAP and not telnet in Ra3.

DAlter01, Posted November 11, 2021

9 hours ago, silverton38 said:
> I am not aware of anyone having a security issue with Lutron HUB PRO or RA2. Telnet is an option and if you are concerned then do not turn it on.

Even though readers of this forum may not know of an instance of a Lutron system being hacked through Telnet it certainly has occurred and Lutron would know about it. If in the remote chance there hasn't been a known hack from the outside, rest assured the software designers at Lutron have preached continuously to upper management about the significant risks they are taking by having a system that can be hacked by a 5th grader. Lutron would be foolish to not evolve their system away from an antiquated protocol that was developed over 40 years ago and has been hacked when used in other applications. Failure to recognize known risks and take industry standard practices to minimize security risks is not a strategy a successful company like Lutron would follow. Successful companies evolve to address known issues, this is an example of that. Companies that do not evolve their product line to known risks expose their company and their customers to liability and often times fail because of that stagnant strategy. Further, having a system that can be easily hacked will keep their system from being selected by those customers who are security conscious or have uses where security is essential, which means lost sales. Lastly, the company likely intended to adopt a security protocol that extends to more than Ra3 and is supported by the next evolution of equipment that currently exists or will exist in the future to allow interoperability between a broader range of equipment and functions than just Ra3.

In other words, it's likely they have a "strategy" of how to grow their business in a world that requires more security and having equipment that can work securely with different lines/types of equipment is a forward thinking strategy that can ultimately allow more growth than we envision if we are thinking only of home lighting automation. Lutron likely has a much bigger vision.

Edited November 11, 2021 by DAlter01

MrBill, Posted November 11, 2021

2 hours ago, DAlter01 said:
> antiquated protocol that was developed over 40 years ago and has been hacked when used in other applications.

You made me go look it up... lol. Telnet is actually 52 years old... introduced in 1969!

Someone with their head inserted deeply within will never be able to see light tho, so we might as well quit repeating ourselves.

silverton38, Posted November 11, 2021

3 hours ago, DAlter01 said:
> Even though readers of this forum may not know of an instance of a Lutron system being hacked through Telnet it certainly has occurred and Lutron would know about it. If in the remote chance there hasn't been a known hack from the outside, rest assured the software designers at Lutron have preached continuously to upper management about the significant risks they are taking by having a system that can be hacked by a 5th grader. Lutron would be foolish to not evolve their system away from an antiquated protocol that was developed over 40 years ago and has been hacked when used in other applications. Failure to recognize known risks and take industry standard practices to minimize security risks is not a strategy a successful company like Lutron would follow. Successful companies evolve to address known issues, this is an example of that. Companies that do not evolve their product line to known risks expose their company and their customers to liability and often times fail because of that stagnant strategy. Further, having a system that can be easily hacked will keep their system from being selected by those customers who are security conscious or have uses where security is essential, which means lost sales. Lastly, the company likely intended to adopt a security protocol that extends to more than Ra3 and is supported by the next evolution of equipment that currently exists or will exist in the future to allow interoperability between a broader range of equipment and functions than just Ra3. In other words, it's likely they have a "strategy" of how to grow their business in a world that requires more security and having equipment that can work securely with different lines/types of equipment is a forward thinking strategy that can ultimately allow more growth than we envision if we are thinking only of home lighting automation. Lutron likely has a much bigger vision.

At this time there is no known instance of hacking Lutron through its telnet interface but if you understand how they implement telnet you would see how hard it is to hack. Telnet runs as a separate process and only allows access to the switches themselves. So basically they give access telnet for anything that you can manually turn on and off or dim in the home. Their telnet implementation does not allow you to have account access or even install a new switch. It is completely open but only for what a physical person can do in the home. I have faith that Lutron knows what it is doing and will continue to use them. Maybe they will continue the feature in RA3 or maybe not but I will work with them as long as they allow third party access that works for me.

Edited November 11, 2021 by silverton38