Protecting a lock switch securely with MySensors and Domoticz



  • Hello fellow MySensors users!
    Writing this here too as it seems that Domoticz forum is not very active one and this somehow relates also to MySensors API.

    I'm currently building a fingerprint door lock. A bit more complicated project but rewarding anyway. 🙂
    There are outside interfacing unit connected to inside main logic module containing microcontroller and NRF24 transreceiver. NRF24 communicates with the lock module installed inside of the door which opens or closes the lock. I use MySensors with signing to have moderate protection in the transmission level. MySensors gateway is physically connected to Domoticz controller (Serial<->Raspberry). Reason to have MySensors here is that this could be leveraged further in the future and need some reliable enough wireless transmission protocol between the logic and lock units.

    Thing is that there is a small possibility that someone could hack through the Wifi in this neighbourhood. Turning on or off some lights haven't been anything to worry about so far but opening a closed door in an unmanned house would be. In Domoticz you could check the "protected" box in the switch settings but it can be turned off as easily without getting even password prompt when doing that. Moreover one could just go to the settings page and change the switch protection password, again without getting a prompt for old password or similar.

    So happen anyone here to have any ideas how to protect the switch within Domoticz securely? Now everything relies on well protected wifi and recent news of cracked wpa2 protocol isn't helping this. Also when having already dozens of wifi nodes in the house, changing the wifi password often is complicated.

    Currently I'm bouncing an idea connecting a ESP8266 to the inside main logic unit (Arduino Mega) and maybe just run there a simple protected lock control web page if remote opening is required... Moreover I have only one MySensor's controller in the house and all the sensors connected there will popup to Domoticz GUI. Any idea what sensor type I should use for communication between the main logic and lock unit without giving any possibility to affect it on Domoticz level (S.INFO maybe...)?


  • Contest Winner

    @sushukka if it is not an absolute requirement that you need to access your controller from wifi directly, perhaps you could filter it in your router so that MAC or IP only can be accessed by LAN. And then you could access it from wifi by VPN or ssh with port forwarding and use those authentication mechanisms for wifi users of the gateway.


  • Mod

    @sushukka how do you access the settings page without password? I get asked for password all the time I open the domoticz page



  • @anticimex Good idea. Sadly I have already plenty of ESP8266s scattered around the house and they access directly the Domoticz controller (as MySensors LAN (wifi) gateways). Also there are couple of mobile devices which should be able to access Domo. I could apply a MAC filter either on router or Domo Rasp3, but the list would be quite long and pain in the ass to maintain.

    @gohan You probably haven't defined the local allowed networks in the settings panel ie. there is no authentication if accessed from those networks. Blanking this out, would be a quite feasible idea indeed, but then I have to login everytime I want to check some temperature or similar from my mobile phone when at home. Maybe I just force the authentication if cannot find any better solution.

    However, now it's implemented like this:

    • Lock unit has normal V_STATUS child presented to gateway
    • Logic unit has similar V_STATUS child but only for internal bookkeeping
    • Logic unit has also V_TEXT child for Domoticz to show who has lastly unlocked the door. This information could be used for push notifications or similar later on. Both nodes doesn't absolute nothing if this text sensor is somehow changed in Domo.
    • Simple trick was to do double check when V_STATUS command arrives to the lock and logic nodes. Basically they keep lock status updated by sending the commands directly to each other (of course via MySensors gateway). It would be enough to have only logic node sending the commands to lock node, but lock node has also button which could be used for locking/unlocking the door and therefore logic unit need to be informed also. So basically the nodes will check the message.sender if V_STATUS update arrives. If it's from each other, we accept it and if not, we revert the status back what it was and don't do anything else.
    • I haven't implemented the signing yet, but when done, I think this should be quite safe.
    • For remote access, I'm still planning to extend logic unit with ESP8266 which could then be isolated to different network or protected with networking tools.


  • You can try to use some sort of pin code. The easiest, but not the prettiest, way that comes to mind is to use dummy selector switch with buttons from 1 to 10 to emulate pin code panel. Then you write the script that remembers pressed buttons on that switch and when it gets for example 4 digits it then sends a string to your mysensors logic node, that checks if code is correct and only then opens lock.
    It would be better if you could make text input "switch" in domoticz, so you could enter string with password, but i guess its not possible at the moment without tweaking the code of domoticz itself.


  • Plugin Developer

    @sushukka You can use NGINX as a reverse proxy on your Raspberry PI and you can enable authentication in NGINX for your controller URL. Do google as nginx reverse proxy with authentication to know more about the setup.



  • @monte Hmm, not a bad hack and easy one too. However, when using mobile devices and the maximum of ten choices in the dummy selector you need to use drop-down menu. Not very user friendly for pin input... Going to have this as a backup idea anyway. 🙂

    @jkandasa What I understand reverse proxy is a good solution when you don't have dozens of ESP8266 nodes already directly connected to Domoticz as Mysensors LAN gateways or...they use port 5003 and I should reverse proxy only the web gui port, right? In that case wouldn't that mean that every time I open Domoticz from any intranet device (mobile, laptop, pc), it would require authentication unless...I would define static IPs to all of them and whitelist them...?



  • @sushukka According to https://www.domoticz.com/wiki/Application_Settings#Local_Networks

    you can setup your domoticz to be used without protection if your nodes uses a internal network (192.168.. etc)

    Local Networks
    The Local Networks setting lets you define the source networks for which Domoticz will not request a login. Wildcards (*) and multiple networks separated by semicolons (;) may be entered.


  • Plugin Developer



  • @smilvert Domoticz local network exception is already in place. The initial problem was that there is a small risk to have someone hacking your wifi hence being in your local network.

    @jkandasa Could this be done also on port level so that you could define access whitelist only for Domoticz web gui port but at the same time not touching "MySensors ESP8266 5003 ports" which are also accessing directly Domoticz?


  • Mod

    actually it is domoticz accessing the port 5003 on the esp8266



  • @sushukka Sry. Didn't read your first post completely 😞

    Btw I have a plan for building a "IOT"-network (runs on a different VLAN and a different ssid) in my house. That wouldn't help you with the WPA2 security but the key will not be shared with others at least. You can also white list all clients on that subnet in Domoticz.


  • Plugin Developer

    @sushukka Yes, it's possible to define a port in NGINX.



  • Update: Finally got this project finished! As soon as there are some mechanic involved + it has to be super reliable, things starts to get complicated. However, now it's done and works fine.

    To this Domoticz/Wifi-hacking dilemma there were pretty easy workaround, which I didn't in my blindsight understand in the beginning: on Domoticz settings you can specify also fully defined IP addresses on allowed networks field. Of course the tooltip says networks and network ranges, but nothing prevents you to use straight IP addresses. So the solution was easy. Just define static IP addresses to the router for the selected devices and then define them in the Domoticz allowed networks field and voila! Now if there are some non defined IP address trying to access Domo, they will be prompted with userid and password and the normal household mobiles/pads/mydomo appliances can use Domo as before.



  • @sushukka don't you think that if someone could hack your wifi network, he will be able as well to change his ip and/or mac address to access domoticz. Both addresses are far easier to change than to crack WPA2 password in the first place.



  • @monte Good note. However, I draw the line on this level. My DHCP range is whole different than static IP range and in static range the Domoticz allowed adresses are quite arbitrary. Also Domo port is not any easy guessable common port. So to break in "cleanly" would take quite some time. Breaking in with "traditional" methods would be hundred times faster. 🙂



  • @sushukka thats good. But i didn't mean that someone would guess your ip/port by hands. There are different network scanners, for example nmap. Once you are on your local network you can know every ip and opened port without guessing.


  • Mod

    Then you need to know what to do with the open ports, and that nmap does not tell you anything



  • @gohan well, we assume that someone has intention to hack his smart lock to enter his home. I believe the probability of this is rather low but if we rely purely on luck and probability, we don't need even to set password on domoticz to protect it from unauthorized clients, because in this case we won't have any. But if we are developing secure system, then we must close any vulnerability we can assume, otherwise it can't be called "secure".
    EDIT: you don't need to be a security specialist to just use google: https://lifehacker.com/how-to-tap-your-network-and-see-everything-that-happens-1649292940



  • @monte True but one need to draw a line to some level. Thing is that in this case the hacker would need to stay close proximity of the house and that would be recorded to security cameras I have around the property. In some crowded apartment building the situation would be a whole lot different. In that case I probably wouldn't have permission to mess with the lock or at least I wouldn't allow any remote functionality with it. But just speculating...remote lock functionality on highly crowded area...MySensors+arduino signing but not cryptography -> maye nah, ESP8266 with WPA2 maybe good enough, RaspBerry or some miniLinux would give lots of options, but not realtime systems, maybe not that reliable stepper etc. handling anymore. HW level should be anyway easy to make secure enough, but controller like Domoticz could be the weak link. Maybe just force authentication to Domo everytime. It seems to prevent also direct REST calls as it should.



  • @sushukka i agree with your point. I just wanted to bring light to some aspects that might be out of your view. Before you make any choice about security you better know what the choices are 🙂 Last advice, google info about your wifi router, if it has any known vulnerabilities that would allow to hack it from outside without much effort.



  • @sushukka I wrote my solution for this problem as I also have a lock-node to secure 🙂
    Look, maybe you will find it useful. https://forum.mysensors.org/topic/9204/secure-node-encrypted-communication-aes-128


 

304
Online

8.0k
Users

8.8k
Topics

94.4k
Posts