Homey will, but you will have no means of controlling Homey because the mobile app and any web apps need to contact the Athom cloud to retrieve an access token before they are allowed access to your (local) Homey.
All in all there is no 2FA and there is no per-device authorization. So if you give your child access to lights, you must give them access to everything.
It doesn’t have to be Athom that gets hacked; any service with which the user is already registered using the same email could potentially open up Homey in case the password had been reused. Sure, sure, don’t reuse passwords, but if you invite your wife, kids, family members, anyone can have a password reused. Now that we are talking about it, the very existence of haveibeenpwned is just that.
I guess the message is that if you’d like to go as far as blocking internet for Homey, there are a lot of other things you should have considered/taken action on to have a secure home.
Let’s not forget a smart home could also add an extra layer of security to your house!
Like, I would never have had a security system in my house; however, I currently have window sensors on every window which will alert me via the Heimdall app when I’m away if they’re opened. Even better: my house members receive a push message if they are the last to leave the house and leave a window open!
I’ll also be notified when smoke is detected, via a push message which I would otherwise never have.
The same goes for this question as for most questions: use common sense when buying your products (i.e. no cheap Chinese products).
Does anyone know where the data gets stored? When looking at the link above from the Athom website it says:
“Homey keeps an eye on your home by logging your sensor data and the stuff you tell Homey to do. Both are only stored and accessible on your Homey. This means only you own your data, and no one can peek in.”
When I log in on my account on my wife’s phone (not on WiFi), I get all history etc. of when I was in my house on my own device. Judging from the above, Homey doesn’t store that info in the cloud. Does someone know how it works?
It’s stored on your Homey.
Ok, but since Homey does not need me to open up ports in my firewall, how is the info transmitted from the Homey to my wife’s device if it’s not stored in the cloud and she is not on the same WiFi? Are they using a websocket so commands can pass back and forth?
Athom provides an external address (https://TOKEN.connect.athom.com, if I remember correctly) that is used to access your Homey from outside the local network.
Homey sets up a tunnel to the Athom cloud to which your phone connects.
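The outbound-tunnel pattern described in the posts above (device dials out, phone talks to the cloud, the cloud forwards) as an added example in Python. This is not Athom's code and nothing here is taken from Homey's real protocol: the relay address, the one-JSON-object-per-line framing, the command names and the bearer-token check are all assumptions for the demo. What it shows is the property the thread keeps coming back to: the device never listens on any port, so every remote command reaches it only through the relay, and the relay's credential check is the only thing standing between a remote party and the device.

```python
"""Model of the outbound-tunnel pattern discussed in the thread (added example,
not Athom's code; framing, token handling and commands are assumptions)."""
import asyncio
import json
import secrets

HOST = "127.0.0.1"  # assumption: the relay runs locally for this demo


async def send(writer, obj):
    writer.write(json.dumps(obj).encode() + b"\n")
    await writer.drain()


async def recv(reader):
    line = await reader.readline()
    return json.loads(line) if line else None


class Relay:
    """Stands in for the cloud side: maps token -> the device's open tunnel."""

    def __init__(self):
        self.tunnels = {}  # token -> (reader, writer, lock)

    async def handle(self, reader, writer):
        hello = await recv(reader)
        if hello and hello.get("role") == "device":
            # Register the device's outbound connection and keep it open:
            # returning without closing the writer leaves the stream alive.
            self.tunnels[hello["token"]] = (reader, writer, asyncio.Lock())
            return
        try:
            tunnel = self.tunnels.get(hello.get("token")) if hello else None
            if tunnel is None:
                await send(writer, {"ok": False, "error": "unknown token"})
                return
            dev_reader, dev_writer, lock = tunnel
            async with lock:  # one client at a time on the device's tunnel
                await send(dev_writer, {"cmd": hello.get("cmd")})
                reply = await recv(dev_reader)
            await send(writer, reply or {"ok": False, "error": "device gone"})
        finally:
            writer.close()


async def device(port, token):
    """Stands in for Homey: one outbound connection, no listening socket."""
    state = {"light.kitchen": "off"}  # constructed local state
    reader, writer = await asyncio.open_connection(HOST, port)
    try:
        await send(writer, {"role": "device", "token": token})
        while (msg := await recv(reader)) is not None:
            cmd = msg.get("cmd", "")
            name = cmd[7:] if cmd.startswith("toggle ") else None
            if name in state:
                state[name] = "on" if state[name] == "off" else "off"
                await send(writer, {"ok": True, "state": dict(state)})
            else:
                await send(writer, {"ok": False, "error": "unknown command"})
    finally:
        writer.close()


async def client(port, token, cmd):
    """Stands in for the phone app: talks only to the relay, never to the device."""
    reader, writer = await asyncio.open_connection(HOST, port)
    try:
        await send(writer, {"role": "client", "token": token, "cmd": cmd})
        return await recv(reader)
    finally:
        writer.close()


async def _demo():
    relay = Relay()
    server = await asyncio.start_server(relay.handle, HOST, 0)
    port = server.sockets[0].getsockname()[1]
    token = secrets.token_urlsafe(16)  # assumption: an opaque bearer token
    dev_task = asyncio.create_task(device(port, token))
    for _ in range(200):  # wait for the device to dial in and register
        if token in relay.tunnels:
            break
        await asyncio.sleep(0.01)
    try:
        return {
            "with_token": await client(port, token, "toggle light.kitchen"),
            "wrong_token": await client(port, "not-the-token", "toggle light.kitchen"),
            "bad_cmd": await client(port, token, "rm -rf /"),
        }
    finally:
        dev_task.cancel()
        for _, w, _ in relay.tunnels.values():
            w.close()
        server.close()


def run_demo():
    """Run relay, device and clients on localhost; returns the three replies."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two things the demo makes concrete: with no inbound port on the device, a port scan of your WAN address finds nothing, but anyone who obtains a valid token (a reused password, a flaw in the relay's authentication) gets the same reach as you do, and the device itself still decides what a command may do, which is why "unknown command" comes back from the device rather than from the relay.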
With tunnel, you mean a VPN?
I would assume it is a websocket.
Assumptions, assumptions. Mail to firstname.lastname@example.org and ask the question.
I did a few days ago. Soon we will know!
It’s good to see that someone is critical and objective when it comes to security and secure devices in his/her own house. Too many people take it for granted in my opinion.
I did some investigation myself over the last few months. Homey’s setup is fairly secure. It basically sets up a websocket to listen to any cloud-calls (to make a very very short summary), so at least it doesn’t have open ports constantly.
Also: Homey works fine without internet access. Obviously cloud-dependent functions won’t work, but your zigbee/zwave/433 functions work fine.
On the other hand, Homey has a few questionable features, a few of which are that you can’t disable remote cloud access via settings and that it uses Google’s DNS servers (it doesn’t listen to your DHCP server) and does not use any form of confirmation that it actually gets a reply from Google’s DNS servers (so it is subject to DNS spoofing, with all potential issues that follow from that).
You also asked what you can do yourself to make your Homey more secure. There are of course a number of things you can do in your own setup. Each point has its ups and downs, requires know-how and the appropriate network equipment in your house. Also, each of the items I will mention isn’t Homey-specific, but applies generically to all IoT devices. Personally I use Unifi network equipment as it is, in my opinion, easily and deeply configurable, robust and affordable. (I’m not saying it is the holy grail, just giving my opinion based on experience.)
- Separate device types into separate VLANs
1.0 User devices, like PCs/tablets/phones (maybe even separate your PCs from your mobile devices?)
1.1 IoT devices that require internet access (they shouldn’t be able to connect to your network devices by themselves)
1.2 IoT devices that require internet access and access to your LAN (maybe even specific devices in your LAN)
1.3 IoT devices that require LAN access and no internet access
1.4 Chromecasts (because Google)
1.5 Homey (because it’s a hub that connects to a lot of things)
1.6 (etc., think of a group)
- Set up a DNS gateway that captures all DNS traffic and forwards it to an encrypted DNS service using DNSCrypt
By placing Homey in a dedicated VLAN, you at least ensure that Homey can’t set up connections to devices in your LAN that Homey doesn’t have anything to do with (let’s say your laptop/phone/tablet/ebook/etc.), so IF the device is compromised, then at least your entire LAN isn’t vulnerable in one go. Also, your network devices may have nothing to do with Homey; maybe you don’t use your PC to connect directly to Homey?
You could even set up outbound firewall rules that whitelist certain services/IP blocks that your Homey requires, so that your Homey won’t assist in a DDoS attack, but this would be quite cumbersome to set up and maintain.
The above of course doesn’t secure your Homey itself. 2FA alone isn’t the holy grail either, as that effectively only protects your account via regular access, not your device. If your device is compromised, then a person with malicious intent (always love that phrase) won’t need your account to access it. Also, if 2FA isn’t properly implemented, then that also doesn’t protect your account from being used via non-standard ways.
That said, 2FA would be a very welcome thing in case you accidentally drop your password somewhere.
Disclaimer to the above: I’m not saying all the above is ‘needed’ to be secure with Homey. It also doesn’t make Homey completely watertight, and I’m also not saying that Homey is insecure. Other security specialists and enthusiasts may have other opinions than I do. (If so, please let me know. I’m always open to other opinions and views when it comes to high-level security designs.)
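The VLAN scheme and forced-DNS setup from the post above, as an added example in Python (my own, not a Homey or Unifi artefact). `decide()` answers "may a new flow from zone A reach zone B on this port?", and `render_nft()` emits the same policy as an nftables ruleset you could adapt for a Linux router. Zone names, interface names, the proxy address, the Chromecast ports and the one LAN share that the `iot_lan` group may reach are assumptions for the demo; the point is the shape: default drop between VLANs, explicit allow entries per pair, and every port-53 query, including Homey's hard-coded Google resolver, redirected to the local DNSCrypt proxy.

```python
"""VLAN segmentation policy as a small model plus an nftables rendering
(added example; zone/interface names, proxy address and ports are assumed)."""

ZONES = {                    # zone -> router interface (assumed names)
    "users": "vlan10",       # 1.0 PCs / tablets / phones
    "iot_inet": "vlan20",    # 1.1 IoT that only needs the internet
    "iot_lan": "vlan21",     # 1.2 IoT that needs internet plus some LAN hosts
    "iot_local": "vlan22",   # 1.3 LAN-only devices, no internet
    "chromecast": "vlan30",  # 1.4
    "homey": "vlan40",       # 1.5
    "wan": "wan0",
}
DNS_PROXY = "192.168.1.1"    # assumed address of the DNSCrypt proxy on the router

ANY = "any"
# Allowed new flows: (src, dst) -> ANY or a set of (proto, port).
# Pairs absent here fall through to the default drop; return traffic is
# handled by conntrack, not by these entries.
ALLOW = {
    ("users", "wan"): ANY,
    ("users", "chromecast"): {("tcp", 8008), ("tcp", 8009)},  # assumed cast ports
    ("chromecast", "users"): {("udp", 5353)},                 # mDNS advertisement
    ("chromecast", "wan"): ANY,
    ("iot_inet", "wan"): ANY,
    ("iot_lan", "wan"): ANY,
    ("iot_lan", "users"): {("tcp", 445)},                     # assumed: one LAN share
    ("users", "iot_local"): ANY,
    ("users", "homey"): ANY,
    ("homey", "wan"): ANY,            # outbound tunnel to the Athom cloud
    ("homey", "iot_local"): ANY,      # the hub reaching its own devices
}


def decide(src, dst, proto, dport):
    """Return 'redirect', 'allow' or 'drop' for a NEW flow src -> dst."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError("unknown zone")
    if src == dst:
        return "allow"      # intra-VLAN traffic is switched, never routed
    if src != "wan" and proto in ("tcp", "udp") and dport == 53:
        return "redirect"   # any resolver a device picks ends up at the proxy
    allowed = ALLOW.get((src, dst))
    if allowed is ANY or (allowed and (proto, dport) in allowed):
        return "allow"
    return "drop"


def render_nft():
    """Render ALLOW and the DNS redirect as an nftables ruleset (text)."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for (src, dst), ports in ALLOW.items():
        match = f'iifname "{ZONES[src]}" oifname "{ZONES[dst]}"'
        if ports is ANY:
            lines.append(f"    {match} accept")
        else:
            for proto, port in sorted(ports):
                lines.append(f"    {match} {proto} dport {port} accept")
    lan = ", ".join(f'"{ifc}"' for zone, ifc in ZONES.items() if zone != "wan")
    lines += [
        "  }",
        "}",
        "table ip dns_redirect {",
        "  chain prerouting {",
        "    type nat hook prerouting priority -100;",
        f"    iifname {{ {lan} }} udp dport 53 dnat to {DNS_PROXY}",
        f"    iifname {{ {lan} }} tcp dport 53 dnat to {DNS_PROXY}",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for flow in [("homey", "users", "tcp", 22), ("homey", "wan", "tcp", 443),
                 ("iot_inet", "wan", "udp", 53), ("iot_inet", "chromecast", "tcp", 8009)]:
        print(flow, "->", decide(*flow))
    print(render_nft())
```

Two caveats a practitioner would add. The redirect only catches classic port-53 DNS; a device that speaks DNS-over-HTTPS on 443 or DNS-over-TLS on 853 bypasses it, so block or inspect those ports from the IoT zones if you want the proxy to be authoritative. And the `("homey", "wan"): ANY` entry is the generous version; tightening it to the address blocks the Athom cloud actually uses is the outbound whitelist the post mentions, with the maintenance burden it warns about.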
Great answer - big thanks!
So do I understand it correctly that all data (e.g. “I came home”, “My child just walked out of the door”, etc.) is stored on the device, not on any servers, and can only be accessed via the websocket? If that’s the case, I guess a “data leak” is improbable, since the attacker individually needs to find a way to connect to each Homey out there in order to fetch the data.
I assume another mitigation is to make sure I don’t have my address details, name, etc. in the app, should someone gain access to it. It’s not only about me losing my password; it could also be Homey having a bug in their auth system (which in this case is more likely).
Do you see that a VPN in my router would help in any way?
Is there any way to shut off remote controlling of the Homey? If it could be read-only remotely that would up the security even more.
In your network setup, do you have to switch networks all the time in order to use different functionalities (e.g. Chromecast)?
Again, big thanks for a great reply!
As far as we can tell (and given that Athom tells the truth (personally I don’t have any reason not to believe them)), all data is stored on the device and no data is stored on their servers that is accessible by anyone. If any data leak would happen, it would happen from your own device, which is ‘highly improbable’.
Depending on what your purpose is, you could choose not to have any personal information in your device. Your address information can, however, be retrieved via other ways. (Homey does ask for your location, which you can of course not provide.) But that is also unlikely unless you are specifically targeted. And if that happens, there are easier/more efficient ways for a hacker to target an individual.
I haven’t tried it, but I’m not sure a VPN will work. Homey isn’t reachable via the internet; it reaches out to the internet (websockets). So if you block internet access for Homey (outbound) and you connect your phone to your LAN via VPN, I’m not sure that Homey will work properly. The device does ‘assume’ a working internet connection, so it really depends how the app behaves (the app may think it is trying via the internet, whereas Homey doesn’t??). If it does work, then it provides the added value that the device is not controllable directly via the internet and you can still switch off your lights (silly example of course), but if you want to be completely sure, you should also do something in your own LAN to mitigate device hopping (so your smart fridge may be a gateway to your Homey).
No, that is currently not in place. Read-only would also be a security risk, as someone could see activity in your house remotely and know if someone is in the house (paranoia mode).
No, that would be unworkable (my wife wouldn’t accept that, and I wouldn’t want to work that way). In the case of the Chromecasts specifically: they (I have 2 in my house) have a dedicated VLAN. They can advertise themselves to my phone/tablet/PC VLANs (via mDNS, off the top of my head) and they can go to the internet for obvious reasons. They cannot ‘see’ the rest of my network by themselves. My phone/tablet/PC VLANs can connect to the Chromecasts on specific ports. (Other IoT VLANs which, for example, contain Dyson fans can’t connect/broadcast to the Chromecasts as I didn’t specifically allow that, and I don’t see any reason for that.)
All of my VLANs are forced through a DNSCrypt proxy for their DNS-requests (which in turn forwards it via the dnscrypt protocol to Cloudflare)
- I meant that Homey still would have access to the internet, but everything would be routed via a VPN. As far as I understand, though, the only upside there is that my ISP won’t see I’m using Homey. Do you know if it is wss or ws for the websockets?
Yes, that would be correct. It would provide little added value. Also, your ISP can’t see what you’re doing, as all communication is HTTPS. They can only see which IP address you are connecting to (and from that they can derive that you are using a Homey, if they would really want to know that).
Homey uses secure websockets. (all communication by Homey is ‘secure’, I’m not entirely sure if that also counts for all Apps you can install. I’m not sure if Athom enforces this for the apps that are in their ‘app store’)
I don’t think they can, since the external connection to Homey is run through AWS (I’m assuming that Athom uses AWS-provided loadbalancing, which makes the IP-addresses you connect to even more generic).
Yup. Good point. The only thing they could then see come by are the DNS requests towards Google (which are unencrypted). Then again, if you don’t trust your ISP enough for them to know if you have a Homey in your LAN, then I think you need another ISP or need to do something more rigorous on your internet connection.