Security and users/roles in openHAB

[Ben Jones]

I have a pretty comprehensive instance of openHAB running in my home. I can control my heating, lighting, irrigation and security system. This worries me a little, as if someone gained access to openHAB on my network they would have full control of pretty much everything in my home.

Now I have setup SECURITY=ON for openHAB itself, and create users for myself and my wife, with very strong passwords (a nightmare to type into HABDroid!). I have shut down access to my LAN from the outside using strict firewall rules. And I have setup strict authentication and ACLs for my MQTT broker, including TLS certificates etc.

So I feel I have done as much as I can to secure my network. 

However there are a couple of things I would like to do further, to really put my mind at ease. Firstly I think we need some sort of user/role based permissions system. I want to be able to setup a 'house sitter' sitemap for example, and create a 'housesitter' login which I hand out to those who stay while we are away. This would be a restricted view of the house and give them a simplified interface since they don't need to know how many kW of energy were consumed yesterday! 

Likewise it would be nice to provide a readonly sitemap which I could hand out to selected friends/family, so they can keep an eye on the house if we are away. I currently do that in fact, but there is nothing stopping them logging into the full sitemap and having complete control of the system. 

So having a simple permissions system which controls which sitemaps a user/role is permitted to view would solve these issues. I can't imagine this is that hard to implement but I haven't looked at the code, and I am guessing Kai/Thomas will be wanting to minimise the changes to core whilst the Eclipse Smart Home project gets underway.

The second idea is a little trickier. What I would like to do is add an extra level of security to certain widgets in a sitemap. The idea being that on the 'Disarm Alarm' button fore example I could add a pin number or password. When a user hits that button they are prompted to enter this pin before the action will be completed. The idea being that if my phone was stolen, someone couldn't disarm my security system without knowing that pin.

I realise this is a lot harder to implement since it requires updates to all the various UIs. But I thought I would note it down for reference.

Interested to hear others views on security and openHAB. I think it is a very real issue with smart homes and whilst we have some features already (user/passwords etc) I think we perhaps need to focus a little more energy in this area to make openHAB as robust and secure as possible.

Cheers,

Ben

[Karel Goderis]

Hi Ben

I support your questions as I will be in the same kind of situation soon. However, there might be some additional things you could do in the meantime, depending on what you have installed or not. For example, disable the alarm system by sending a PIN to a SMS number, that is routed to the Freeswitch binding, which in turn updates a String Item, which you can compare to

A (very) long time ago I suggested to add a new layer of Items to the OH system, being Places and Persons, so that the location based scenario's etc could be better elaborated. For example, you could then then have Rule that only allows to disarm the alarm system if a given Person is a given Place (e.g. geofence)

K

--
You received this message because you are subscribed to the Google Groups "openhab" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openhab+u...@googlegroups.com.
To post to this group, send email to ope...@googlegroups.com.
Visit this group at http://groups.google.com/group/openhab.
For more options, visit https://groups.google.com/d/optout.

[Kai Kreuzer]

Hi Ben,

Absolutely agree that this is a topic that need to be addressed!

I am guessing Kai/Thomas will be wanting to minimise the changes to core whilst the Eclipse Smart Home project gets underway.

Very true, I actually would like to address this in Eclipse SmartHome and there is already an issue for it, see https://bugs.eclipse.org/bugs/show_bug.cgi?id=423548.

Which means that you won’t see this feature in openHAB 1.x, but only in 2.x. Good news is that I hope to be able to have a very first 2.0 snapshot ready in a few weeks time (but obviously still without any additional security features).

The second idea is a little trickier. What I would like to do is add an extra level of security to certain widgets in a sitemap. The idea being that on the 'Disarm Alarm' button fore example I could add a pin number or password. When a user hits that button they are prompted to enter this pin before the action will be completed.

This could possibly be done through something like a „keypad“ widget - entering a pin should simply result in sending a command for a String item - the checking should be done in the runtime through a rule.

The idea being that if my phone was stolen, someone couldn't disarm my security system without knowing that pin.

Well, I hope you already use a PIN to secure your complete phone anyhow, don’t you?

Best regards,

Kai

[Kai Kreuzer]

Karel,

A (very) long time ago I suggested to add a new layer of Items to the OH system, being Places and Persons, so that the location based scenario's etc could be better elaborated. For example, you could then then have Rule that only allows to disarm the alarm system if a given Person is a given Place (e.g. geofence)

I am currently supervising a bachelor thesis of a student, who wants to add persons and locations to Eclipse SmartHome. The topic is pretty complex, but I also see the need for them, especially for use cases like geo-fancing etc.

Best regards,

Kai

[Ben Jones]

Thanks for the replies guys.

Yep - I do have a lock on my phone Kai! But I still think this 'keypad' widget would be a good addition, for both security and for stopping children for example, gaining access to certain functions. 

Karel - yep that is a reasonable idea for extra security around an alarm (i.e. presence detection), however there are times when I need to let someone into my home, so being able to fire up openHAB and disarm the alarm from where ever I am in the world is a very handy feature! But yes, it would be quite simple to build a rule around this idea with the current openHAB framework, since I have pretty accurate presence detection with OwnTracks.

I already have rules which automatically arm/disarm my alarm when my phone leaves/arrives home. This in itself is probably a little insecure, since if someone stole my phone and stood outside my house it would disarm everything! But it is very convenient, so there is always a compromise.

I actually had a play around on my dev environment yesterday and managed to get the WebServlet to use the list of 'roles' in users.cfg to validate against the requested sitemap.

E.g. I could specify;

ben=password,homesitemap,adminsitemap

guest=guestpassword,readonlysitemap

This allowed me to restrict which sitemaps a user could access. 

I may just do this locally until v2.0 is released since it gives me pretty much what I need. I still need to work out how to restrict access to the REST API in a similar manner however.

Really looking forward to v2.0 Kai!!

Cheers,

Ben

[Kai Kreuzer]

Really looking forward to v2.0 Kai!!

Me too :-D

[mada...@gmail.com]

Hi Ben,

I am trying to do something similar - i want to leave a few android remotes around the house to control lights/thermostats etc, but I don't want any security functions.

Did you get the sitemap roles to work? if so - is it something you could share?

Thank you

G

[Ben Jones]

I only got it working with the Webservlet. I couldn't figure out how to apply the same permissions to the REST API. This meant I couldn't restrict access when someone was using the iOS/Android apps - only if they accessed my system with a web browser.

I decided to leave it after spending a day fiddling around. I am sure Kai etc will come up with a much better implementation when they get to security/roles in openHAB v2.0.