Living the dream
Home automation is a hot topic but along with the ability to control multiple devices on a pre-programmed schedule or from the other side of the world comes that nagging feeling: is it secure?
This is a complicated question to ask and answer. What do you mean by secure?
For me, in home automation I look at three basic questions:
- Will my request work?
- Will my request expose anything I don’t want to?
- Will my request damage anything I care about?
Answering these questions helps us assess the risk. Or that’s how the professionals in this area sell it.
Part of my home network is exposed to the internet, using a BT Infinity network and router. As such, I use port forwarding to open a few holes in my firewall so that traffic can reach some servers. This is very basic perimeter security.
To make my web pages work, the firewall forwards traffic to my web server, and the 5 applications I use to present my work to the internet all flow through that single, TLS 1.2 encrypted port.
Why? Well, TLS, or Transport Layer Security, gives me a means to protect me and my users when they need to log in to one of my apps, by encrypting the passwords and other data flowing between their apps and browsers and my server.
My web server also contains a proxy so that certain addresses can be directed to the right kind of web server. My pump tools are a great example of that: https://samjwatkins.com/pumps maps to a completely different server with a very different set of capabilities to the one serving the web page you are reading. As an end user, you don’t care, and I protect you and the server by hiding that detail. It also allows me to offer the pump tools without any kind of login, and I don’t store any data at all, which makes me GDPR compliant from day 1.
All very nice. But what about the home automation?
I control my heating and my lighting through two different suppliers: Heatmiser makes my heating and TP-Link my lighting (and smart sockets).
Both provide a means to control remotely, i.e. if I am not connected to my home network, I can still find out if I left my bedroom light on for example, and remedy the situation if I did.
Or if I am coming home early, I can ask the central heating to come on a little earlier than planned because it’s turned really cold outside.
I got the Heatmiser thermostats back in 2011, when the second two areas of security weren’t really at the forefront of this technology. As such, if I want to encrypt the data between the user and the device (to protect the password for example), I have to use a proxy on my web server.
Which I can do, but it’s all a bit fiddly.
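To make the proxy idea concrete, here is a sketch of what that single TLS port could look like. This is an added example, not the configuration actually running on this site: it assumes nginx as the web server, and the hostname, certificate paths, backend addresses and the /heating/ path are constructed placeholders.

```nginx
# Added example. Assumes nginx; every name, path and address below is a
# constructed placeholder (192.0.2.0/24 is a documentation-only range).
server {
    listen 443 ssl;                      # the one port forwarded by the router
    server_name home.example;

    ssl_certificate     /etc/ssl/home.example/fullchain.pem;
    ssl_certificate_key /etc/ssl/home.example/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3; # refuse anything older than TLS 1.2

    # The main site is served directly by this web server.
    location / {
        root /var/www/site;
    }

    # /pumps/ is handed to a completely different backend server.
    # The trailing slash on proxy_pass strips the /pumps/ prefix, so the
    # backend never needs to know which path it is published under.
    location /pumps/ {
        proxy_pass http://192.0.2.10:8080/;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
    }

    # A legacy thermostat that only speaks plain HTTP. The browser talks
    # TLS to the proxy, so the thermostat password is encrypted on the
    # internet leg; only the hop from proxy to device is unencrypted, and
    # that hop stays inside the house.
    location /heating/ {
        proxy_pass http://192.0.2.20/;
        proxy_set_header Host $host;
        proxy_read_timeout 10s;          # small embedded devices can hang
    }
}
```

The device still does its own password check; the proxy only adds encryption in front of it, so the last hop is only as private as the internal network it crosses.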
The other things that start to break down are the web apps. They rely on my home router being able to do port forwarding. Which is great to a point, but the increased security on today’s browsers means that’s not trivial to test.
Then there’s things like the WPA2 passwords: my devices do not allow you to get these unless you directly connect your laptop to them via a USB cable. Then the network password is available to all!
To give us peace of mind, we’ve put the Heatmiser thermostats and the TP-Link smart lights on a separate “guest network”. Still protected by a password but traffic on this network cannot talk to the rest of the house. Magic.
Anything on the home networks can talk to the devices, but anything that obtains the guest network password can talk only to the devices, and then only with their passwords.
Perfect.
Posted: January 15th, 2019 under 42.