This is the forum archive of Homey. For more information about Homey, visit the Official Homey website.

The Homey Community has been moved to https://community.athom.com.

This forum is now read-only for archive purposes.

White-hat hackers in the community?

cbh Member
edited September 2017 in Questions & Help
Hi,
just a thought:
The Z-Wave protocol is by construction very resistant against hackers.
I guess Athom's protocols are as well, and that the different apps are too.

But:
You never know...

Apps are available in the app-store and at Github - but who looks into the security?
Are people looking at the code to identify possible threats and vulnerabilities?
Not that I'm worried - but lots of apps connect to the internet and the internet is a dangerous place...

So, what are your thoughts on the security aspects of Homey and apps?

Comments

  • All apps run in their own sandbox, so even if an app had bad intentions it won't come very far without the user giving the app more information (like the bearer token).

    But all apps in the store are checked by Athom for things like this.

    Apps installed via GitHub (or rather the CLI) are kinda the responsibility of the user installing them...
    It is called "side loading" for a reason.
  • Don't forget the new app permission that works just like a bearer token. But the user has to approve it on install.
    But other than that, indeed it runs in a sandbox.
  • Don't get me wrong - I'm not trying to raise suspicion, and I'm aware of the whole "Do you accept full responsibility etc." when using stuff.
    It's only a matter of having the proper amount of paranoid thinking at the right time. We all know how we accept bearing the responsibility for the future world when we install apps on our phones, use FB and Google etc., and thinking about privacy and security has to be part of using stuff that goes online in one way or another. And even when you accept something, you still don't know if malicious code is hidden somewhere.

    So the question is just as much a matter of raising awareness of it - and knowing that the code is checked by Athom and is open source makes me sleep well :-)
  • When there is talk about security, I consider the risk and impact for me personally and the motive for an attack or hack.

    In my opinion, Homey is designed pretty well and with security in mind. It is not directly exposed to the outside. Instead, Homey connects to other servers. This takes away the biggest risk. Also, as stated above, all apps run in a sandbox, which takes away even more risks.
    Conclusion: Risk is pretty low.

    Since there is no banking app yet and I'd not pay ransomware to get my flows back, the impact of a hack would be relatively small.
    A burglar could hack your Homey to see if you're at home or not, but generally, they just ring the doorbell or don't care. Having motion sensors and smart lighting might convince a burglar to take the neighbors instead.
    Conclusion: Impact is pretty low.

    Finally, one can consider the motive for an attack. Given a low risk and low impact, what motives would remain to hack a Homey? Perhaps a prank?
    Conclusion: Motive is hard to find.

    The security topic pops up once in a while here and I think Homey has its affairs in order. It might even be one of the more secure devices on my network.

    The chair to keyboard interface (aka human) remains the weakest link in the chain. If you are aware of what you're doing, and consider the risks you should be fine. A half-decent router with a firewall is highly recommended in any smart or not so smart home.
  • NeefRoel Member
    edited September 2017
    I've run some basic scans against Homey on my network and the last time I did it, Nessus didn't find any vulnerabilities.
    Can't say that about other devices on my network (like my provider's router, or my smart TV, or my Samsung Android phone).

    If Homey itself can be any indication of the security awareness of Athom, then I'd say the bases are covered.
    The weak spots then would be the additional plugins... If there were a flaw in one of them you might get into the sandbox, and if there were a flaw in the sandbox, then you might be able to escape that.

    Maybe something for a rainy sunday.... :)
  • Anyone ever looked at the communication it has to the Athom servers and tried an MITM attack?