This is the forum archive of Homey. For more information about Homey, visit the Official Homey website.
The Homey Community has been moved to https://community.athom.com.
This forum is now read-only for archive purposes.
Setup, wireless pairing security
xeor
Member
Just got my homey! (jai!)
But I have one big concern.. And that is regarding the initial setup and pairing the wlan.
The setup is for real reasons done over http, and that is fine. But the wlan password sent during the setup is not encrypted in any way when transmitting over the wireless "temp wlan". That is very bad!
I was doing the same check when doing the setup of a chromecast, and the chromecast does the correct thing and encrypts the password (even though the wlan is not encrypted).
The athom account creation is done securely, same with the connection of the app itself. But not the wlan setup..
Trying to work around this, I did set up a temp wlan on wpa 2 (devices get separate session keys, so I don't care if people get that wlan password). But after the initial setup, I figured out that the only way to change the wlan was to do the unencrypted-temp-wlan dance all over... At least I thought that I could change the wlan using the gui, over my temp wlan..
So now I have 400mb less on my 4g subscription, and still no way of doing the initial setup of my homey without broadcasting my wlan password... Might seem paranoid, but with 30 wlans in the wlan-list and a ton of people nearby, I just don't want to take the risk.
Comments
I just checked it and you are correct, the normal Setup for Homey provides no encryption of the WiFi Pre-Shared Key to connect Homey.
And correct there is no other way to change that WiFi network than to Reset Homey and start over again.
I guess the chance someone sniffs that network just at the moment you set up Homey is very small but it could be possible.
At the moment there is no other way to connect Homey to your network that I know of.
So the only workaround I can think of:
- Take Homey (on a Powerbank), your Mobile and Laptop for the Temporary network to a safe place in the middle of nowhere (or just before there so you still have 4G ;-) )
- Present your Home Network with the same Pre-Shared Key from your Mobile
- Join Homey to it.
When connected you can switch off the temporary network on your mobile and at Home Homey will connect to your Home network.
You could make a GitHub issue for it if you think Athom should be reminded to fix it. But I guess they have other priorities first.
I guess I need to build a tiny faraday cage then, to set up my homey...
(obviously kidding...), but almost not. I don't want my wifi password secured by "almost zero chance" of being sniffed..
This exact problem comes with many devices, and it is annoying.
Maybe a cage for the future is not such a bad idea after all...
I'll make an issue on github
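The check described in the opening post can be repeated on a capture of your own setup session by searching the captured bytes for readable forms of your own password. This is an added example, not part of the thread and not Athom's code; the request path, field names and password below are constructed, since the thread does not show the actual setup request.

```python
import base64
import json
from urllib.parse import quote, quote_plus


def secret_forms(secret: str) -> dict[bytes, str]:
    """Map each byte pattern the secret could appear as to a label."""
    raw = secret.encode("utf-8")
    candidates = [
        ("plaintext", raw),
        ("json-escaped", json.dumps(secret)[1:-1].encode()),
        ("form-encoded", quote_plus(secret).encode()),
        ("percent-encoded", quote(secret, safe="").encode()),
        ("hex", raw.hex().encode()),  # lowercase hex only
        # Covers the secret base64-encoded on its own, e.g. as one field value.
        ("base64", base64.b64encode(raw).rstrip(b"=")),
    ]
    forms: dict[bytes, str] = {}
    for label, pattern in candidates:
        forms.setdefault(pattern, label)  # identical patterns are reported once
    return forms


def find_leaks(capture: bytes, secret: str) -> list[tuple[str, int]]:
    """Return (encoding, byte offset) for every readable form found."""
    hits = []
    for pattern, label in secret_forms(secret).items():
        offset = capture.find(pattern)
        if offset != -1:
            hits.append((label, offset))
    return hits


# Constructed sample data; the path and field names are made up.
PSK = "corr ect&horse=9"
FORM_REQUEST = (
    b"POST /setup/wifi HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"ssid=HomeNet&psk=corr+ect%26horse%3D9"
)
OPAQUE_REQUEST = b"POST /setup/wifi HTTP/1.1\r\n\r\n" + bytes(range(200, 232))

if __name__ == "__main__":
    for name, data in (("form", FORM_REQUEST), ("opaque", OPAQUE_REQUEST)):
        print(name, find_leaks(data, PSK) or "no readable copy found")
```

An empty result only means none of these readable encodings is present in the capture; it does not by itself prove the value was encrypted.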