HomeGenie Forum
General Category => General Discussion => Topic started by: NicoVermeir on July 15, 2015, 02:26:17 PM
-
I've read from some users that they use HomeGenie over the internet.
Just a quick heads-up to them (and especially those that use door locks with HomeGenie):
the username / password security that HomeGenie uses isn't very safe; personally I'd just use it on an internal network.
What I did to check this: I opened up Fiddler (an HTTP request inspector, free tool) and logged into HomeGenie. When I inspect one of the requests with Fiddler I notice an encoded authorization string (see screenshot).
The string:
Authorization: Basic YWRtaW46dGVzdHRlc3Q=
Now, take the encoded part, YWRtaW46dGVzdHRlc3Q=
and paste it into https://www.bing.com/search?q=base64+decoder&FORM=EDGENN
and click decode.
You'll see my username and password right there.
What I did to get this is not rocket science. It's pretty easy to get to, especially when you've exposed your HG installation over the internet.
I'm not a security expert, so I don't know how to improve this right now, I just wanted to give a heads-up.
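
Added example (not part of the original post, and not HomeGenie code): a small Python audit that decodes `Authorization: Basic` headers from captured requests and flags the ones sent without TLS, which is the exposure described above. The request list and the host name `hg.example.test` are constructed placeholders; only the header value comes from the post.

```python
import base64

# Constructed sample of captured requests: (URL scheme, host, Authorization header).
# The Basic value is the one quoted in the post; the host is a placeholder.
CAPTURED = [
    ("http", "hg.example.test", "Basic YWRtaW46dGVzdHRlc3Q="),
    ("https", "hg.example.test", "Basic YWRtaW46dGVzdHRlc3Q="),
    ("http", "hg.example.test", "Bearer abc.def.ghi"),
    ("http", "hg.example.test", "Basic !!!not-base64!!!"),
]

def parse_basic(header):
    """Return (username, password) from a Basic header, or None if not Basic or malformed."""
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        # Base64 is an encoding, not encryption: no key is needed to reverse it.
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def audit(requests):
    """List every request carrying Basic credentials and whether it went over plain HTTP."""
    findings = []
    for scheme, host, header in requests:
        creds = parse_basic(header)
        if creds is None:
            continue
        user, password = creds
        findings.append({
            "host": host,
            "user": user,
            "password_len": len(password),  # report the length only, never the secret
            "exposed": scheme != "https",    # readable by anyone on the network path
        })
    return findings

if __name__ == "__main__":
    for finding in audit(CAPTURED):
        print(finding)
```

Over HTTPS the same header is still only Base64, but it travels inside the encrypted channel, which is why the replies below recommend a VPN or SSL in front of the server.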
-
If your router supports VPN protocols, use that. You can connect to your private network with your phone or your laptop from the internet.
-
Thanks for the heads up! I am one of the people accessing remotely. I've used VPNs for work which require tokens, need to do some research on how to do this for home and mobile.
-
This is one of the primary reasons I don't have any intention to install automated door locks. After review, they appear to be secure with their wireless protocol, but how you use them can completely remove the security they provide.
To some degree, having your other systems (thermostat, sprinklers, stereo, etc) could expose you to some level of annoyance should someone want to prank you as well. At least that's not a safety issue though.
-
HomeGenie does not provide any security at all. It is meant to be run inside an already safe and protected private network.
Cheers,
g.
-
Missed that! Glad I don't have or plan to have any door opening/unlock capability for similar reasoning to bkenobi.
-
HomeGenie does not provide any security at all. It is meant to be run inside an already safe and protected private network.
Cheers,
g.
That's what I figured :)
Anyway, you could always set up a second installation of HG that gets all sensor values via interconnection and open that one up over the internet. That way you get a read-only version and can remotely monitor your sensors.
-
I think the best safe way is OpenVPN. Many routers support that. And you do not need a token!
For example:
Mikrotik router config with cert generation (I use this):
https://rbgeek.wordpress.com/2014/09/10/openvpn-server-setup-on-mikrotik-routeros/
Asus router OpenVPN support (I used this):
http://www.asus.com/support/FAQ/1008713
DDWRT configuration: (many routers can be installed.)
http://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/
You only need OpenVPN client software on the desktop PC or mobile phone side.
Desktop: https://openvpn.net/index.php/download/community-downloads.html
Android: https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=hu
iPhone: https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8
-
Just bought a router 1 month ago and it doesn't have VPN :-( Looks like I can set up an incoming VPN connection on my Win7 PC though(?)
-
What is your router type?
-
Netgear R6250 AC1600 - actually just using this as wireless access point / switch currently. My ISP AT&T UVerse gateway/modem (model 3800HGV-B) is the router.
-
But, in answer to your question:
You can set up an OpenVPN server on your Windows 7 PC.
https://www.lisenet.com/2014/openvpn-server-and-client-setup-on-windows/
-
I think your router supports OpenVPN if you upgrade the router firmware.
http://drivers.softpedia.com/blog/NETGEAR-R6250-Router-Can-Be-Upgraded-To-Firmware-1-0-3-6-Try-It-Now-473601.shtml
-
KaZe - thank you for all the info! I just checked the R6250 manual and it doesn't reference OpenVPN but I'll see which firmware I have tonight (I thought I updated it in June while setting it up). BTW, I modified my comment above while you were typing ??? with info about uverse:
Netgear R6250 AC1600 - actually just using this as wireless access point / switch currently. My ISP AT&T UVerse gateway/modem (model 3800HGV-B) is the router.
I can switch over to using the R6250 as router (I would assume?), I was just following some directions I found online and this kept all my network devices at known fixed IP addresses.
-
If you want to keep the ISP AT&T UVerse gateway/modem, you need to forward ports from the master router (model 3800HGV-B) to your secondary router (Netgear R6250).
Ports: TCP 443, TCP 943, UDP 1194
But if you do not necessarily need the ISP AT&T UVerse gateway/modem, then I suggest that you use only the Netgear R6250.
It is much easier and more manageable.
Comment:
Many routers in Access Point mode turn off certain functionalities, e.g. OpenVPN, DHCP, guest network, DLNA ...
-
For those interested in securing HG over the internet or when using the Android app, check out this thread: http://www.homegenie.it/forum/index.php?topic=1001
I've submitted code to the developer to incorporate SSL into the Android app, fixed some bugs, and have supplied an nginx config file to put the server behind SSL.
Thanks.