IoT and security: Shodan

woody4165
Posts: 476
Joined: Monday 14 March 2016 13:55
Target OS: Linux
Domoticz version: beta
Location: Rome, Italy

IoT and security: Shodan

Post by woody4165 »

Hi all

I just discovered this website regarding IoT and security (or lack of security).

I tried to do a search with the word domoticz.
Shodan and Domoticz

Is one of these IPs one of yours? :roll:
Cubietruck - Linux cubietruck 4.13.16 (Debian GNU/Linux 8 (jessie)) + Domoticz + RFLink, Xiaomi Gateway, Owl USB, Yeelight Color and B/W, ESP8266, Broadlink RM2, Netatmo Thermostat
toreandre
Posts: 91
Joined: Tuesday 19 January 2016 12:51

Re: IoT and security: Shodan

Post by toreandre »

Hahaha, I connected to one of the IP addresses to see if it checked out. Seems like one of the Swedes is at dance camp at the moment. MQTT topic with lat/long coordinates.

Made me take a look at my own setup.

EDIT: OMG, look at all these topics open to the public:

Topics:
owntracks
owntracks/marco/iPhone-6
owntracks/marco/Hyundai
marco/thuis
/home
/fhem/light/4/device1
/fhem/light/4/set
test
system/rfxcom
system/RFXcom
_owntracks/_map/owntracks/gw/jjolie
home/garden/fountain
fhem/light/4
fhem/light/4/set
fhem/light/4/4
fhem/light/4...
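The check toreandre describes above (connect to a broker and see what topics it hands out) is the one to run against your own broker first. What follows is an added example written for this thread, not code from Domoticz, Mosquitto, any MQTT library or the poster: it speaks just enough MQTT 3.1.1 over a plain socket to send an anonymous CONNECT, read the CONNACK return code and, if the broker lets it in, subscribe to `#` and collect whatever arrives (retained messages and live traffic). The client id `audit`, the default port and any host you pass in are assumptions; the packet bytes in the tests were constructed by hand from the spec.

```python
"""Minimal MQTT 3.1.1 probe: does a broker accept an anonymous CONNECT, and what
does it push to a '#' subscriber? Added example for this thread, not code from
Domoticz, Mosquitto or an MQTT library. Point it only at brokers you own."""
import socket
import struct

CONNACK_CODES = {0: "accepted: anonymous access is enabled", 1: "bad protocol version",
                 2: "identifier rejected", 3: "server unavailable",
                 4: "bad user name or password", 5: "not authorized"}

def encode_remaining_length(n):
    """MQTT variable-length integer: 7 bits per byte, high bit means more follows."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def decode_remaining_length(data, i=0):
    """Return (length, index just past the length field)."""
    value, multiplier = 0, 1
    while True:
        byte, i = data[i], i + 1
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        if not byte & 0x80:
            return value, i

def _utf8(s):
    """MQTT string: big-endian 16-bit length followed by UTF-8 bytes."""
    return struct.pack(">H", len(s.encode())) + s.encode()

def build_connect(client_id="audit", keepalive=60, username=None, password=None):
    """CONNECT with clean session; no username/password means an anonymous login."""
    flags, payload = 0x02, _utf8(client_id)
    for bit, cred in ((0x80, username), (0x40, password)):
        if cred is not None:
            flags |= bit
            payload += _utf8(cred)
    body = _utf8("MQTT") + bytes([4, flags]) + struct.pack(">H", keepalive) + payload
    return b"\x10" + encode_remaining_length(len(body)) + body

def parse_connack(pkt):
    """Return the CONNACK return code; 0 means the broker let us in."""
    if pkt[0] != 0x20:
        raise ValueError("expected CONNACK, got packet type 0x%02x" % pkt[0])
    _, i = decode_remaining_length(pkt, 1)
    return pkt[i + 1]            # the byte after the session-present flag

def build_subscribe(packet_id, topic_filter="#"):
    """SUBSCRIBE (QoS 0) to one filter; '#' asks for everything the ACL allows."""
    body = struct.pack(">H", packet_id) + _utf8(topic_filter) + b"\x00"
    return b"\x82" + encode_remaining_length(len(body)) + body

def parse_publish(pkt):
    """Return (topic, payload) from a PUBLISH; QoS 1/2 carry a packet id to skip."""
    if pkt[0] >> 4 != 3:
        raise ValueError("not a PUBLISH packet")
    qos = (pkt[0] >> 1) & 0x03
    length, i = decode_remaining_length(pkt, 1)
    end = i + length
    topic_len = struct.unpack(">H", pkt[i:i + 2])[0]
    topic = pkt[i + 2:i + 2 + topic_len].decode("utf-8", "replace")
    i += 2 + topic_len + (2 if qos else 0)
    return topic, pkt[i:end]

def _recv_packet(f):
    """Read one control packet from a socket file object; EOFError if it closed."""
    header, length_bytes = f.read(1), b""
    while not length_bytes or length_bytes[-1] & 0x80:
        byte = f.read(1)
        if not header or not byte:
            raise EOFError("broker closed the connection")
        length_bytes += byte
    length, _ = decode_remaining_length(length_bytes)
    return header + length_bytes + f.read(length)

def probe(host, port=1883, max_topics=20, timeout=5.0):
    """Anonymous CONNECT; if accepted, subscribe to '#' and collect topic names."""
    result = {"connack": None, "topics": {}}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        sock.sendall(build_connect())
        code = parse_connack(_recv_packet(f))
        result["connack"] = CONNACK_CODES.get(code, "unknown code %d" % code)
        if code != 0:
            return result
        sock.sendall(build_subscribe(1, "#"))
        while len(result["topics"]) < max_topics:
            try:
                pkt = _recv_packet(f)
            except (socket.timeout, EOFError):   # quiet or closed: nothing more
                break
            if pkt[0] >> 4 == 3:                 # PUBLISH; SUBACK and the rest are ignored
                topic, payload = parse_publish(pkt)
                result["topics"][topic] = payload[:60]
    return result
```

Usage is `probe("192.168.1.10")` with your own broker's address (an assumed example); a result whose `connack` starts with "accepted" means anyone who can reach port 1883 gets the same topic list toreandre saw, and `probe(host)["topics"]` is exactly what a stranger would see. A broker that has been given `allow_anonymous false` and a password file answers with return code 5 ("not authorized") instead; `build_connect(username=..., password=...)` lets you confirm that your own account still works afterwards.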
JustME125
Posts: 31
Joined: Monday 27 April 2015 16:19
Target OS: Raspberry Pi / ODroid
Domoticz version: 2.4547
Location: The Netherlands

Re: IoT and security: Shodan

Post by JustME125 »

I see a lot of MQTT listed... luckily I don't run MQTT 😅

Sent from my HTC One_M8 using Tapatalk
RidingTheFlow
Posts: 72
Joined: Friday 11 March 2016 18:23
Target OS: Raspberry Pi / ODroid
Location: Essex, UK

Re: IoT and security: Shodan

Post by RidingTheFlow »

It's quite amusing how many people totally ignore the security of their home automation systems until it bites them hard.
Prankers triggering wireless bells/alarms is one thing; hackers fast-cycling the boiler relay until it breaks down is an entirely different level.

Funny, when I often asked people "have you ever thought how dangerous it is to expose your domotic IoT network even to your PC (because PCs are very big potential security holes)?", I was often dismissed as being "overly paranoid". Talk about people exposing their IoT devices to the internet just because they wanted to easily flip a switch from their iPhone (which they hardly used anyway). Also not realising that the default Domoticz Pi SD card image came with Node-RED & MQTT servers in completely password-less mode, etc., etc....
toreandre
Posts: 91
Joined: Tuesday 19 January 2016 12:51

Re: IoT and security: Shodan

Post by toreandre »

RidingTheFlow wrote:It's quite amusing how many people totally ignore the security of their home automation systems until it bites them hard.
Prankers triggering wireless bells/alarms is one thing; hackers fast-cycling the boiler relay until it breaks down is an entirely different level.

Funny, when I often asked people "have you ever thought how dangerous it is to expose your domotic IoT network even to your PC (because PCs are very big potential security holes)?", I was often dismissed as being "overly paranoid". Talk about people exposing their IoT devices to the internet just because they wanted to easily flip a switch from their iPhone (which they hardly used anyway). Also not realising that the default Domoticz Pi SD card image came with Node-RED & MQTT servers in completely password-less mode, etc., etc....
Not just broken equipment; with the info on the IP I checked, someone could easily plan a break-in.
JustME125
Posts: 31
Joined: Monday 27 April 2015 16:19
Target OS: Raspberry Pi / ODroid
Domoticz version: 2.4547
Location: The Netherlands

Re: IoT and security: Shodan

Post by JustME125 »

Well, I do understand there is a risk involved in port forwarding to Domoticz but never really considered the consequences. I am one of those who often uses a phone, so I would like to have Domoticz connected to the outside world. Any thoughts on how to do it safely?

Sent from my HTC One_M8 using Tapatalk
deennoo
Posts: 784
Joined: Wednesday 10 December 2014 13:06
Target OS: Linux
Domoticz version: beta
Location: Bordeaux France

Re: IoT and security: Shodan

Post by deennoo »

Create your own VPN (OpenVPN)
Domoticz stable 3.5877 for real & Domoticz beta for test
Rfxtrxe / RFLink / Milight / Yeelight / Tasmota / MQTT / BLE / Zigate
http://domo-attitude.fr
JustME125
Posts: 31
Joined: Monday 27 April 2015 16:19
Target OS: Raspberry Pi / ODroid
Domoticz version: 2.4547
Location: The Netherlands

Re: IoT and security: Shodan

Post by JustME125 »

Thanks

Sent from my HTC One_M8 using Tapatalk
RidingTheFlow
Posts: 72
Joined: Friday 11 March 2016 18:23
Target OS: Raspberry Pi / ODroid
Location: Essex, UK

Re: IoT and security: Shodan

Post by RidingTheFlow »

deennoo wrote:Create your own VPN (OpenVPN)
... and also it's best to check that Domoticz is not visible on any other interfaces. General rule of thumb: the more interfaces it's visible on, the more attack vectors it gives. That's because Domoticz also exposes an HTTP JSON interface which allows you to do pretty much everything with it (and it's very easy to hack, at least by default, if you use unencrypted HTTP).

Also, generally I would always recommend giving good consideration to "do I really need to remotely flip switches via my phone?" Often (as is the case for me) the answer is "no", so I just use a "read-only user" for my outside access. Or at least have a read-only user which can be logged in 95% of the time and a write-access user which you only log in with in rare cases.

Note that you need to think of the above even if you don't expose your Domoticz to the internet. Even if Domoticz is only visible to your home network, people often think "my home network is WPA2, really safe, etc., etc.". But think about it: how many devices do you have on your home network? Smartphones, PCs, game consoles, etc. What if just one of them gets hacked? That would be enough for a hacker to play havoc with your home (or spy on your movements) if your Domoticz is unprotected against your internal network.
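Two of RidingTheFlow's points in this thread (the Pi image that shipped Node-RED and MQTT without passwords, and checking which interfaces Domoticz is visible on) both come down to looking at what is bound where. The following is an added example for this thread, not code from Domoticz, Mosquitto or Node-RED: it parses `ss -ltn` output (Linux) to flag the services discussed here when they are bound to all interfaces rather than loopback, and reads a mosquitto.conf for the settings that leave a broker open to anyone on the network. The port table, the sample socket listing and the two sample broker configs are constructed assumptions; on a real box you feed it the live `ss` output and your own /etc/mosquitto/mosquitto.conf.

```python
"""Find which home-automation services a host exposes, on which interfaces, and
whether its MQTT broker is open to anyone. Added example for this thread, not
code from Domoticz, Mosquitto or Node-RED. The parsers take text, so they run
offline on the constructed samples below; live, feed them `ss -ltn` output and
/etc/mosquitto/mosquitto.conf."""
import subprocess

# Assumption: services still sit on their default ports.
SERVICE_PORTS = {8080: "Domoticz (HTTP)", 443: "Domoticz (HTTPS)",
                 1883: "MQTT", 8883: "MQTT over TLS", 1880: "Node-RED"}
ANY_ADDR = {"0.0.0.0", "*", "::", "[::]"}

def scope_of(addr):
    """Who can reach a socket bound to this address."""
    if addr in ANY_ADDR:
        return "all interfaces"
    if addr.startswith("127.") or addr in ("::1", "[::1]"):
        return "loopback only"
    return "one address"

def parse_listeners(ss_text):
    """(address, port) for each LISTEN row of `ss -ltn` output."""
    rows = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "LISTEN":
            addr, _, port = parts[3].rpartition(":")
            rows.append((addr, int(port)))
    return rows

def exposed_services(ss_text):
    """Known services reachable from beyond loopback: (name, addr, port, scope)."""
    found = []
    for addr, port in parse_listeners(ss_text):
        if port in SERVICE_PORTS and scope_of(addr) != "loopback only":
            found.append((SERVICE_PORTS[port], addr, port, scope_of(addr)))
    return found

def audit_mosquitto_conf(conf_text):
    """Settings that let anyone on the network read and publish every topic."""
    settings = {}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            settings.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    findings = []
    anon = settings.get("allow_anonymous")
    if anon is None:
        findings.append("allow_anonymous not set: Mosquitto before 2.0 defaults to true")
    elif anon[0].strip().lower() == "true":
        findings.append("allow_anonymous true: no credentials needed")
    if "password_file" not in settings:
        findings.append("no password_file: there are no accounts to authenticate against")
    for value in settings.get("listener", []):
        if len(value.split()) == 1:
            findings.append("listener %s without a bind address: listens on all interfaces" % value.strip())
    return findings

def live_exposed_services():
    """Linux only: run `ss -ltn` on this host and audit the result."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return exposed_services(out)

# Constructed sample: a typical "works out of the box" Pi image.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:8080        0.0.0.0:*
LISTEN  0       128     127.0.0.1:1883      0.0.0.0:*
LISTEN  0       128     *:1880              *:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       128     192.168.1.10:8883   0.0.0.0:*
"""
# Constructed: the password-less default versus a hardened broker config.
WEAK_CONF = """\
listener 1883
allow_anonymous true
"""
HARDENED_CONF = """\
# only clients on this box (e.g. Domoticz) can reach the broker
listener 1883 127.0.0.1
allow_anonymous false
password_file /etc/mosquitto/passwd
"""
```

On the sample listing, `exposed_services(SAMPLE_SS)` reports Domoticz and Node-RED on all interfaces and the TLS MQTT listener on one LAN address, and stays silent about the loopback-only broker; `audit_mosquitto_conf(WEAK_CONF)` returns three findings while the hardened config returns none. Anything the live run reports as "all interfaces" is reachable from every device on the Wi-Fi, which is RidingTheFlow's point about the one compromised phone or console, and it is what a port forward or a misconfigured IPv6 prefix would hand to the internet.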
toreandre
Posts: 91
Joined: Tuesday 19 January 2016 12:51

Re: IoT and security: Shodan

Post by toreandre »

JustME125 wrote:Well, I do understand there is a risk involved in port forwarding to Domoticz but never really considered the consequences. I am one of those who often uses a phone, so I would like to have Domoticz connected to the outside world. Any thoughts on how to do it safely?

Sent from my HTC One_M8 using Tapatalk
Remember the other services too. In the list that was in the first post Domoticz may have been locked with a username and password, but not the MQTT server; I saw a few IPs with open IP cameras too.
I assume most people that expose their system to the internet do this for geofencing etc., and as someone above me suggested you should think about "do I really need to flip switches when I am at work?".

I get motion detection etc. when I am away from my house, but I use a virtual home/away switch in Domoticz and email alerts.