more G-Labs products

Author Topic: Homegenie security  (Read 3530 times)

July 15, 2015, 02:26:17 PM
Read 3530 times

NicoVermeir

  • ****
  • Information
  • Sr. Member
  • Posts: 122
    • My blog
I've read from some users that they use HomeGenie over the internet.
Just a quick heads-up to them (and especially those that use door locks with HomeGenie):

the username / password security that HomeGenie uses isn't very safe, personally I'd just use it on internal network.

what I did to check this: I opened up Fiddler (an http request inspector, free tool) and logged into HomeGenie. When I inspect one of the requests with Fiddler I notice an encoded authorization string (see screenshot).

The string:
Authorization: Basic YWRtaW46dGVzdHRlc3Q=

Now, take the encoded part, YWRtaW46dGVzdHRlc3Q=
and past it into https://www.bing.com/search?q=base64+decoder&FORM=EDGENN
and click decode

you'll see my username and password right there.
What I did to get this is not rocket science. It's pretty easy to get to, especially when you've exposed your HG installation over the internet.

I'm not a security expert, so I don't know how to improve this right now, I just wanted to give an heads-up.

July 15, 2015, 02:57:23 PM
Reply #1

KaZe

  • ****
  • Information
  • Sr. Member
  • Posts: 219
If your router support VPN protocols, use that. You can connect to your private network with your phone, or your laptop from internet.

July 15, 2015, 05:05:00 PM
Reply #2

kevin1

  • *****
  • Information
  • Hero Member
  • Posts: 330
Thanks for the heads up!  I am one of the people accessing remotely.  I've used VPNs for work which require tokens, need to do some research on how to do this for home and mobile.

July 15, 2015, 05:31:58 PM
Reply #3

bkenobi

  • *****
  • Information
  • Global Moderator
  • Posts: 1525
This is one of the primary reasons I don't have any intention to install automated door locks.  After review, they appear to be secure with their wireless protocol, but how you use them can completely remove the security they provide.

To some degree, having your other systems (thermostat, sprinklers, stereo, etc) could expose you to some level of annoyance should someone want to prank you as well.  At least that's not a safety issue though.

July 15, 2015, 07:14:55 PM
Reply #4

Gene

  • *****
  • Information
  • Administrator
  • Posts: 1472
  • Tangible is the future!
    • Yet Another Programmer
HomeGenie does not provide any security at all. It is meant to be run inside an already safe and protected private network.

Cheers,
g.

July 15, 2015, 08:20:13 PM
Reply #5

kevin1

  • *****
  • Information
  • Hero Member
  • Posts: 330
Missed that!  Glad I don't have or plan to have any door opening/unlock capability for similar reasoning to bkenobi.

July 16, 2015, 09:04:27 AM
Reply #6

NicoVermeir

  • ****
  • Information
  • Sr. Member
  • Posts: 122
    • My blog
HomeGenie does not provide any security at all. It is meant to be run inside an already safe and protected private network.

Cheers,
g.
that's what I figured :)

anyway, you could always setup a second installation of HG that gets all sensor values via interconnection and open that one up over the internet. that way you get a read only version and can remotely monitor your sensors

July 16, 2015, 11:20:05 AM
Reply #7

KaZe

  • ****
  • Information
  • Sr. Member
  • Posts: 219
I thinks the best safe way, the OpenVPN. Many router support that. And you do not need token!
for example:

Mikrotik router config with cert generate: (I use this)
https://rbgeek.wordpress.com/2014/09/10/openvpn-server-setup-on-mikrotik-routeros/

Asus router OpenVPN support (I used this):
http://www.asus.com/support/FAQ/1008713

DDWRT configuration: (many routers can be installed.)
http://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/

You only need OpenVPN client software on the dektop pc or mobilphone side.
Desktop: https://openvpn.net/index.php/download/community-downloads.html
Android: https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=hu
iPhone: https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8



July 16, 2015, 02:03:16 PM
Reply #8

kevin1

  • *****
  • Information
  • Hero Member
  • Posts: 330
Just bought a router 1 month ago and it doesn't have VPN :-(  Looks like I can set up an incoming VPN connection on my Win7 PC though(?)

July 16, 2015, 02:21:08 PM
Reply #9

KaZe

  • ****
  • Information
  • Sr. Member
  • Posts: 219
What is your router type?

July 16, 2015, 02:26:01 PM
Reply #10

kevin1

  • *****
  • Information
  • Hero Member
  • Posts: 330
Netgear R6250 AC1600 - actually just using this as wireless access point / switch currently.  My ISP AT&T UVerse gateway/modem (model 3800HGV-B) is the router.
« Last Edit: July 16, 2015, 02:33:14 PM by kevin1 »

July 16, 2015, 02:26:55 PM
Reply #11

KaZe

  • ****
  • Information
  • Sr. Member
  • Posts: 219
But, in answer to your question:

You can set openVPN server on your windows 7 pc.

https://www.lisenet.com/2014/openvpn-server-and-client-setup-on-windows/

July 16, 2015, 02:32:49 PM
Reply #12

KaZe

  • ****
  • Information
  • Sr. Member
  • Posts: 219

July 16, 2015, 02:38:22 PM
Reply #13

kevin1

  • *****
  • Information
  • Hero Member
  • Posts: 330
KaZe - thank you for all the info!  I just checked the R6250 manual and it doesn't reference OpenVPN but I'll see which firmware I have tonight (I thought I updated it in June while setting it up).  BTW, I modified my comment above while you were typing  ??? with info about uverse:

Quote
Netgear R6250 AC1600 - actually just using this as wireless access point / switch currently.  My ISP AT&T UVerse gateway/modem (model 3800HGV-B) is the router.

I can switch over to using the R6250 as router (I would assume?), I was just following some directions I found online and this kept all my network devices at known fixed IP addresses.

July 16, 2015, 02:48:15 PM
Reply #14

KaZe

  • ****
  • Information
  • Sr. Member
  • Posts: 219
If you want to keep the ISP AT&T UVerse gateway/modem, you need to forward ports from the master router (model 3800HGV-B) to your secondery router (Netgear R6250 )

Ports: TCP 443, TCP 943, UDP 1194

But if you do not necessarily need the SP AT&T UVerse gateway/modem, then I suggest that you use only the Netgear R6250.
It is much easier and more manageable.

Comment:
many router in Access Point mode turns off certain functionalities. Eg. OpenVPN, DHCP, guest network, dlna ...
« Last Edit: July 16, 2015, 02:51:29 PM by KaZe »