Homey Community Forum

More Secure Recovery Mode

#1

Hi,

Today I tried to reset a Homey Hub that was connected to another user account, boy was this easy. Too easy, I thought.
I simply held the Homey upside down, and let the recovery mode start. I thought I would enable the Heimdale Surveillance Mode first to see if this would stop the Homey from entering Recovery mode, it didn't. I reset the Homey completely, erased all user data and added the Homey to a new user account.

Conclusion:
Great if you need to reset your Homey for any reason and start again.
Also great if you are a burglar and break into my home and see a Homey Hub (which everyone has placed in a central location as it is designed to be seen not hidden and just to make sure you can find it, it glows and speaks to you) you simply need to turn the Homey upside down and let it proceed to recovery mode.

Idea for a Solution:
How about a simple option of not allowing it to boot into recovery mode if the Surveillance Mode is set to Arm, and not allowing the device to be re-registered to another account unless you know the previous account details. And if you don't, then you need to contact Homey Support.

#2

I guess you have to see it as: If someone has access to your system, he owns your system…

That is for computers, and anything like that… including Alarm systems

Therefore a decent Alarm is installed in a locked closet, all cables should be safe (Like the links of the Alarm to the outer world), there should be multiple security zones and even when power fails it operates on an internal Backup battery.
If someone is entering the outer zone it should give an alarm within seconds if it is not disarmed.
If something enters the inner zone (the closet) it should activate all alarms immediately and hand over the Alarm to an external system.

I think any burglar looking for my pearls will just unplug it if he already knows what it is, or smash it on the ground or shoot at anything that starts talking to him…

Unless you hide Homey in a locked and secured (contact sensor) closet, powered by a direct soldered powerbank…

So I guess it is in no way a solution to your scenario.
It is not possible in the current firmware for an App to do something like that.

Only it could prevent theft, reset and selling of a Homey …
If that happens, call Athom and ask to block it (so it is useless) or to report the Location (Geo-IP/ Geo SSID) and email address to the authorities when it re-registers…

So it resetting when I lost my info only cost me and/or Athom time and money if Your lock down is implemented. I guess Athom is not going to spend a second on thinking of implementing that…

#3

Don’t forget the wifi/wireless only thing, just walking by with a jammer (those are damn cheap for all protocols) is enough to disrupt homey, even before he’s within 10 meters of your house.

#4

Good point Dijker, they could just smash or unplug it. But that was one example, I just thought the whole process was very insecure. As anyone could turn the Homey upside down to instigate the recovery mode. Even by accident.
Caseda, not sure what your point is in reference to the recovery mode, but as an alarm system I realise it is not foolproof, to be honest no system is. Even a hardwired system mainly uses magnetic contact sensors, that’s an easy bypass. Interrupt the internet service and power supply, and you can have minutes to get into a house before it switches to 4G backup. Or simply use a phishing scam to gain access to their network if it's a poorly secured router. Plus dozens of other options. My point was someone could break-in and reset your Homey without you ever being the wiser.

#5

I know this bridge, made by Philips Hue (very big brand), it even only has 1 button press with a pen away to fully factory reset.

This and many other controllers have it this way, Athom implemented it this way to not have a button.

That the burglar or anyone else also needs his smartphone (or another device with wifi).
Then go to the wifi connection of the homey.
Set up a wifi point that homey can connect to (unless it is your house mate, neighbor or close friend that knows your wifi password by heart, they will not have a wifi point to connect to already).
Let homey connect to it.
And only then being able to press the button to fully reset homey.
(yes you need to connect homey to a wifi access point first before you can reset)

That is a lot of steps to just factory reset homey “by accident”, or with the intent to mess up homey quickly.

If you stop, and ptp, let it timeout (yes eventually it will just go back to normal working), or whatever anywhere in between one of these steps, it will keep all its data.

#6

And since all the answers came from people in Europe, here is one from your home land Australia.
Some years back I had a Bosch alarm installed in my house. The installer put the main box into the most inaccessible place, inside a very tight wardrobe right on the highest corner. He swore like a miner all the time because the place was so tight that he could barely manoeuvre a screwdriver. When I asked him why he did not install it somewhere easy like in the garage on the wall he replied, “clear you don’t want any burglar to run into your house and reach the main panel before the alarm even goes off.”
The panel’s door also has a switch and if someone tries to open it the alarm goes off instantly.

So what @Dijker said, use your Homey for alarm then do what professional alarm installers do: hide the thing as good as you can.

#7

I don't think a home automation system will reach the level of a professional alarm.
Homey is great to add extra safety (make the house look alive, warn you). But if you are in need of an alarm, buy a professional one:
With a secure box and tampering alarm positioned in a safe place
With multiple communication channels, wifi & gsm
With signal jamming detection and a warning when it is detected
With a battery backup, and a warning when the power is off
When thieves know there is an alarm they will probably search for a power box/ light in your garden (most of us have) Push in a plug with all 3 pins connected (earth, connected to power) and the house will be out of power (earth leak safety switch).
Homey is dead, open sesame…

#8

Wow, thanks for all your replies. The alarm was just an example, but I’m curious now, does no one use the Homey as an alarm system then within their home?
@Caseda the Philips Hue bridge is not designed to be seen and on display so you can see the LED ring or get voice feedback or even use the Homey's inbuilt voice control or the inbuilt NFC reader, so you can hide the Hue bridge anywhere or lock it in a cabinet somewhere, so it can be secured better. Sure you could do this for a Homey, but it defeats half of its inbuilt features. PS, I tried turning the Homey right way up after the recovery mode finished and it didn’t go back to last settings, had to unplug it and reboot it again. And it did, nice to know, thanks for the heads up.
I agree there is no substitute for a professional alarm system, never, but I am sure there are many out there using the Homey as an alarm system, just like users of a Nest secure or ring alarm kit.
Anyway, I just thought it a good idea to make it a little more secure or foolproof, but it seems it is not wanted. This is why this forum is so great, everyone is so active, they tell you right away if an idea is bad or unwarranted. Cheers guys for your thoughts, no need to issue a feature request.
