Elk health, UPB/SA health, State of DIY HA - rambling questions

[BobS0327]

So can it be hacked? Sure.

 
I just acquired a new alarm/home automation system and have chosen Alarm.com as my cloud based monitoring company.  Alarm.com uses a dual communicator path to communicate to/from the alarm system.  Primary path is internet access.  Secondary path is cellular 4G LTE.  So, if one path fails the other kicks in.  Alarm.com uses 128 bit AES encryption to encrypt all communication to/from the alarm system.  This includes the alarm info such as security and fire info but also all the home automation info.
 
I checked the AES Wiki https://en.wikipedia.org/wiki/Advanced_Encryption_Standard  and the 128 AES bit encryption has not yet been broken.
 
IMHO, other cloud based monitoring systems would use similar methods.

 

[neillt]

I think the concern over cloud based security is that a significant amount of the core functionality is being performed off-prem.
 
You have an Omni, Elk, DSC, or whatever else old panel, everything is being processed right in that can.  Many of these cheap DIY security systems simply phone home with all the data of your home's status to be analyzed in a data center somewhere.  So there is no guarantee they would even work if there is no connectivity.
 
In addition, almost every cloud based security system is doing data mining about activity patterns, usage levels, where homeowners go when the system is armed, etc.

 

[ano]

For a botnet.
 
Armed with an enormous network of pwned devices, you sell your services to anyone needing, for example, to perform a DDOS attack. Imagine harnessing the power of all Amazon Echos or all SmartThings SmartHubs. Like hacking residential routers, it's a huge juicy target.

So you think Samsung or Amazon is going to allow this when they have a team of experts monitoring their networks and they can upload a software at any time? But those PCs in your house, with a million times the processing power, which are monitored by you, have no risk?  I'll put my money on Samsung and Amazon.

 

[neillt]

It's already happened with crappy Chinese CCTV cameras...
 
https://www.csoonline.com/article/3258748/security/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html

 

[Linwood]

So you think Samsung or Amazon is going to allow this when they have a team of experts monitoring their networks and they can upload a software at any time? But those PCs in your house, with a million times the processing power, which are monitored by you, have no risk?  I'll put my money on Samsung and Amazon.

 
Setting aside how many large companies are hacked, there is a more fundamental difference.  Most of these cloud-connected devices have, by their nature, a way for outside entities (e.g. your cell phone) to reach into your home network.  By default, a home PC has no such provision.  By default, the home PC can only reach from inside to outside only, others cannot reach it from the outside, even to ping.  To be compromised needs activity that exposes it to malicious outside influences, such as opening a malicious web site, or file. Left just sitting alone, running, no one can reach it, absent a compromise of your home router or some other device on your network.
 
But by their nature, there is some mechanism to reach all these cloud devices, since it is necessary at a moment's notice to be able to see the inside of your refrigerator.  Those paths are attack vectors to reach inside your network, and having been compromised represent now a malicious entity inside your house, not outside. Do those paths require they compromise the vendor?   Or just that they compromise the protocols involved? 
 
What is without a doubt is that repeatedly IOT vendors are found to be giving short shrift to security, and almost universally to providing necessary security updates once exploits are found (one could blame the home owner but seriously, do they expect the home owner to check the firmware on their fridge or doorbell on a regular basis?).

 

[ano]

Setting aside how many large companies are hacked, there is a more fundamental difference.  Most of these cloud-connected devices have, by their nature, a way for outside entities (e.g. your cell phone) to reach into your home network.  By default, a home PC has no such provision.

I believe you are mistaken on how it works, at least SmartThings.  The SmartThing app. on a  phone NEVER connects to my SmartThings hub in my house. I completely disconnected the hub from my network, and the app. had no problem accessing everything in my account. It also had the last state of every device in my house. Obviously its connecting to the cloud, and the hub connects to the cloud as well, but the app. DOES NOT connect to the hub. My guess is app to cloud and cloud to hub transmissions are very encrypted. 
 
And are you saying your home PC is not connected to the Internet? 

I think its a bit unrealistic to assume that a hub and a phone app. both communicating to a known location over an encrypted connection is going to be hacked, but you on a PC communicating with 1000's of web sites, that is secure.

 

[123]

So you think Samsung or Amazon is going to allow this when they have a team of experts monitoring their networks and they can upload a software at any time? But those PCs in your house, with a million times the processing power, which are monitored by you, have no risk?  I'll put my money on Samsung and Amazon.

 
I said no such thing nor did I even suggest it.
 
IOT devices present an enormous opportunity for exploitation. Like the average home router, it's a device a consumer installs and never touches again. They have far more visibility and interaction with the daily operation of their phone, tablet, or PC than in their router or IOT device. That's precisely why they're ideal candidates for incorporation into a discreet network (or simply to gain a foothold within a private network). 
 
Security flaws are not limited to second and third tier players. https://arstechnica.com/information-technology/2018/11/a-100000-router-botnet-is-feeding-on-a-5-year-old-upnp-bug-in-broadcom-chips/
 
You've mentioned encryption several times and how "unrealistic" it would be to assume it could be hacked. Are you familiar with man-in-the-middle attacks? They've been done with stolen certificates so encryption isn't the panacea you may think. Besides that, an IOT device's attack surface isn't limited to its primary communications channel. 

 

[Linwood]

I believe you are mistaken on how it works, at least SmartThings.  The SmartThing app. on a  phone NEVER connects to my SmartThings hub in my house. I completely disconnected the hub from my network, and the app. had no problem accessing everything in my account. It also had the last state of every device in my house. Obviously its connecting to the cloud, and the hub connects to the cloud as well, but the app. DOES NOT connect to the hub. My guess is app to cloud and cloud to hub transmissions are very encrypted. 
 
And are you saying your home PC is not connected to the Internet? 

I think its a bit unrealistic to assume that a hub and a phone app. both communicating to a known location over an encrypted connection is going to be hacked, but you on a PC communicating with 1000's of web sites, that is secure.

 
Not having one I do not know how it works precisely, but most such devices establish a persistent (or regular) connection to some remote service (in the cloud, though of course this is just a computer somewhere).  Other devices that need to connect to it (e.g. your phone) then use that service as a relay point.
 
That relay process can be intercepted in many ways, from DNS hijacks to man-in-the-middle attacks between the home device and cloud, or cloud and mobile device.  Certificate hijacks are also coming in vogue, as more and more registrars get into the game, and play fast and loose with the rules.  IOT devices are particularly vulnerable to those as they may lack robust validation, CA revocation processes, etc.  Mobile device use in open wifi environments are a good example where such MITM attacks are easier, but DNS hijacks are becoming more frequent.
 
None of these require that the cloud server itself be hacked, through that is yet another path.
 
At issue here for home networks is who initiates a connection.  Take my home computer.  If I connect out to cocoontech.com, a connection is permitted through my firewall and cocoontech can send any data back on that connection it would like, but ONLY if I initiate it.  If I do not initiate it, it can reach my firewall, but not my computer inside the firewall with a Cocoontech initiated connection.
 
SOME HA devices require port forwarding, upnp or other techniques that DO allow an externally initiated connection to reach inside.  To me those are the most dangerous.  The mobile apps for Elk M1G for example (at least the ones not from Elk) require that.  There is no inside-out connection established, they require a static NAT connection from outside-in to reach the Elk (more precisely PAT but NAT is better known).  I am then trusting that app, and the Elk, to not abuse that connection.  But they are by no means the only danger.
 
I have no such provision for my PC or any other device inside except the Elk and my router.  So in a very real sense, my PC is not "connected" to the internet, not in a two way connected sense.  It's crouched down low, head down, behind my firewall.
 
An issue with much of the low end HA gear is that the technical details of what it does and how it work are not published.  Very knowledgeable end users are basically told "trust us", there is no provision for one to understand and do a reasoned risk analysis on the technology.   But probably the biggest risk is age -- IOT devices are simply not updated regularly, and if you look at the last couple of years, with major, widely used vulnerabilities being disclosed in low level security protocols, you start to see the problems IOT vendors have.  They have to be simple plug-and-play, cheap devices, but if they are not regularly updated with patches, they are vulnerabilities.  So they either need to put a LOT Of effort into such updates, or stay cheap and ignore them, and figure a $100 device is forgotten in a few years, and besides you can't sue China.  Guess which most are choosing.

 

[Dean Roddey]

The huge difference is that hacking my PC will typically be difficult if I'm remotely careful, and the payoff is very small for that effort. Hacking a large company is very, very difficult, but the payoff might be enormous. And 'payoff' can mean anything from money, to nationalistic psychos doing it just because they want to, to just proving you are the greatest hacker in the world (and once you do that you can sell that information to someone who has other ideas of payoff.)

The former requires me to be lazy and I won't ever be specifically attacked, it'll just depend on chance. The latter will be a very targeted attack.

And, in some cases, it's also a means to get to other things. There's huge, and unjustified and sometimes not even intended, 'web of trust', so that if you get inside a large company, other people will be far less suspicious of something coming from there. If you can set up a legit e-mail within that organization, that's a powerful tool. If you send out things to click on that are clearly from that organization, that's much easier to get people to click on.
 
It makes a huge difference.

If something is quite easy to hack in an automated way, and there are a lot of them, like web cameras and such, then that is also a very juicy target for reasons mentioned above.

 

[pete_c]

Is Elk Products healthy?  Are they continuing to be DIY friendly? 
 
I have no idea relating to Elk future.  Thinking that they will continue to be DIY friendly.
 
If a year or three from now I need more Elk parts, am I likely to find them?  
 
Yes.
 
Am I likely to need to find a friendly dealer/installer to get parts, or use services?  (Unlikely here at least last time I tried).
 
No.  No.
 
UBP.....Starting to think I am better off changing if I wanted to double that, rather than adding on?
 
I have older and new UPB switches and over purchased what I need today.  I do not see myself changing my wall switches anytime in the future.
 
Just wondering if someone has good pointers to current "state of DIY Home Automation" from people that know?   As opposed to inarticulate and uninformed fanboy postings, which I can find far too many of.
 
The DIY world of open source automation has grown these days with the introduction of the $35 RPi.  It is a bit more work than the off the shelf products.  Most yut today prefer the easy button automation.
 
And last more concrete question: Where would a happy Automated Outlet customer (US) buy from now for someone trustworthy and with decent pricing, as a DIY'er?
 
Purchased my first OmniPro 2 panel from Worthington (ASI).  They are in business today and doing fine.

Here on Cocoontech for years now the primary choice for the DIYer relating to a combination security and automation panel has been the Elk and Omni Pro panels. That will not be changing anytime soon.

 

[pete_c]

For the DIY person there are no combination panels today still that match what the Elk and Omni Pro panels can do relating to both security and automation.
 
Relating to use of X10, UPB, ZWave and or Zigbee you can do all or just one of these protocals to control your lighting if you want to automate with your Elk panel.
 
It is not cheap today still to purchase and install any sort of automated switches. 
 
It is starting to get cheap and I am starting to see $15 WiFi in wall switches which are little computers these days.
 
Relating to WAF wife still does ask me why a $50-$100 automated switch is better than a $5 non automated switch. 
 
It is a hobby here such that WAF is there but plays little in what I do with this home.
 
That said if you are interested in cheap security you can purchase what is available under $100 and get decent security from it.  You will need to become familiar with programming the security panel et al.
 
And yes the future is cloud based security and automation but that doesn't mean that you will not have options.

It is your money to spend on what you want to do today or tomorrow. Think I have mentioned that before.

Personally I tinker and look forward to what I see coming and pick and choose what I want to do whenever I want to do it.

 

[BobS0327]

Just wanted to address the need of getting a professional involved in a DIY install.
 
The HAI panel that I had for almost 20 years is a dual function panel. One function is providing security/fire protection and the other function is to provide home automation services. I DIY installed my first HAI panel in 1999. I am not a security/fire protection professional. So, in order for me to a 10% discount on my home insurance, I had to hire a HAI 5 star dealer/installer to inspect, approve and issue an “alarm certificate” to satisfy the requirements of my insurance company.
 
My HAI OP2 was “fried” by an electrical strike in February 2016. The damage was covered under my homeowner's insurance policy BUT the insurance company would not allow me, the homeowner to do the repair work and submit a bill for said repairs. I was required to contract with a security professional to do the repair work. I would then submit the professional's bill to the insurance company for reimbursement. It took me about three months to find a security professional to replace the OP2 board. Most of the professionals wanted to replace my OP2 with their own security systems but I was determined to keep my OP2. Finally, I was able to locate a professional who had some knowledge/experience with the HAI panel and was willing just to replace the board.
 
I just recently DIY installed a Qolsys panel to replace my OP2 panel. I again verified with my insurer as to what was required to get my premium discount. They still required an “alarm certificate”. So, I contracted with the local Qolsys authorized dealer/installer to inspect and issue a certificate to satisfy the requirements of the insurance company.
 
There are local and national codes that have to be adhered to when installing a security/fire alarm system. Thus, the need for an inspection by a professional.
 
Point is, no matter what system you choose, if it's providing fire/security protection be sure it's inspected by a professional. The safety and well being of you and your family is well worth it.
 
On the flip side, the insurance companies, inspectors etc. are not concerned with the home automation function. They absolutely do not care whether or not your automated blinds work.
 

 

[pete_c]

Understood.
 
Here in IL the monitoring company sent me a certificate for the Home Insurance company (~ 40 years State Farm). 
 
I have run in to issues doing a new commercial build where the local town inspectors gave me grief relating to low voltage wiring / alarm panel stuff.  They had no clue what they were looking at and waited for some extra enticing funding which I refused to give them.
 
A few years ago upgraded my water meter and the local town said I had to pay for the upgrade.  They should have done or paid for the upgrade.  That said all of the quotes were between $500 and $1000.  I did it my self with no issues upon inspection.
 
I ignored it and had a face to face chat with the mayor of the town and then all was well.
 
In a new home build in FL the alarm cabling was done by a local security company and then I installed the Omni Pro 2 panel and got a cert from the monitoring company.