
Thread: smart bridge security

  1. #11
    Senior Member
    Join Date
    Nov 2014
    Posts
    238
    But telnet would only be available from within the local network unless you port forward the router to specifically allow telnet from the WAN.

    Don't let hackers on your LAN or you will have bigger issues than someone turning your lights off.

  3. #12
    Junior Member
    Join Date
    Jan 2017
    Posts
    7
    Quote Originally Posted by Lukeetal View Post
    But telnet would only be available from within the local network unless you port forward the router to specifically allow telnet from the WAN.

    Don't let hackers on your LAN or you will have bigger issues than someone turning your lights off.
    I think this grossly overestimates the technical abilities of those buying home automation products. Even the more skilled could protect their computers and devices they actually have more control over. But items like the Caseta SmartBridge, and the plethora of other devices being heavily marketed and sold do not offer a lot of control.

    And worse, few document what their ACTUAL network requirements are (needing access to ALL of the Internet on numerous ports is absurd, and would be rejected at my company for use; just DOCUMENT it... not like it has a LOT of requirements for access), and many have incredibly insecure implementation despite all the marketing BS published (and often written) by those who don't have a clue what they're talking about. The word "encryption" does not make things secure, secure implementation of encryption can. "telnet" pretty much says "insecure". telnet is not an encrypted protocol. So that means that IP camera someone bought and which was hacked within 5 minutes of connecting (because that device opened up ports on the home router/fw with outdated firmware), can now sniff the local traffic.

    Seriously... the whole "IoT" thing is pretty terrifying, and really unfortunate that companies (including Lutron) fail to reasonably document what they do to actually MAKE it secure for their consumers, or what network access needs are actually needed (not the broad, we need these 10 ports to ALL of the Internet). So even those who KNOW what they're talking about, could try to secure things and protect some devices from others. Heck, I segment my home network (because I can; wouldn't expect most to) to isolate these devices, but they're still exposed to each other. I'm not about to do micro segmentation on a device-by-device basis at home.

    Anyway... two things would be nice...

    1. Document the actual network requirements (IP ranges if possible, hostnames configured if IPs/subnets are not possible, and ports for each [not just any of these ports to any of these IPs]); It's sad that the customers are having to post the IPs and ports they're observing. I may add my own to a thread on that, since I log all network access in either direction crossing any network segments (allowed or not).

    2. Transparency about security controls - document it in reasonable detail (not just marketing/legal BS someone posted earlier). Heck, if someone's done a fair 3rd party assessment, publish that!

  4. #13
    Senior Member
    Join Date
    Nov 2014
    Posts
    238
    If you know of a working exploit why not contact Lutron and work with them to resolve it?
    You can request a white paper on Caseta directly from Lutron
    http://www.lutron.com/en-US/company-...iterature.aspx

  6. #14
    Junior Member
    Join Date
    Jan 2017
    Posts
    7
    Most might argue that any unencrypted control traffic over a local network (i.e. telnet) is a vulnerability in itself, though. It would be on almost any pen test report as a finding. I'm not planning to spend the time to do a full pen test and analysis on Lutron's product. I don't have the time, and quite honestly it's a cost I think vendors should take on to ensure their products are reasonably secure.

    This isn't just Lutron, though. My biggest gripe is lack of documentation... with Lutron and nearly every company making in-home (and corporate) products that now connect to the Internet.

    Thank you for the link about the white paper. I'll request for it and take a look, but I doubt it will have the detail I expect/want (and many others have been asking about as I read through the forums).

  7. #15
    Junior Member
    Join Date
    Mar 2017
    Posts
    2

    Request for direct access to the bridge via the app

    Quote Originally Posted by Eric H. View Post
    Lutron takes the security of the Caséta Smart Bridge and the user’s phone very seriously. Lutron employs computer industry best practices including encryption of the communication between the Caséta Smart Bridge and the user.


    The initial set-up of the Caséta Smart Bridge requires the user to be physically inside their home with access to their local network and to press a button on the Caséta Smart Bridge to create their Account. In daily use, the system requires the username and password (stored in the App), set by the user at initial set-up, for remote access to their lighting. Just as the user protects the username and password to their other on-line accounts, the Caséta Wireless username and password must also be protected so that no one else can access the user’s Caséta Wireless account, lighting, and other connected systems.


    Lutron recommends that users not share their username and passwords, not write them down where others could access them, or use easy to guess passwords such as “password”, home address, birthday, or the same passwords used with other online websites. If the user believes that their password may have been compromised, they should change it immediately.
    That is very disappointing to hear. I was in the process of planning my deployment of the Lutron Caseta system in my home. My plan was to purchase the Lutron Smart Bridge, 6 Caseta dimmers and 8 Caseta on/off switches. I wanted to use the app, but only via my home LAN. For remote access I planned to use a VPN connection back to my home LAN.
    Would it be possible for the next version of the app and Smart Bridge to interface directly with each other? I do not want to be reliant on Lutron to secure access to my lighting system.

  8. #16
    Junior Member
    Join Date
    Jan 2017
    Posts
    7
    Quote Originally Posted by dsfranken View Post
    That is very disappointing to hear. I was in the process of planning my deployment of the Lutron Caseta system in my home. My plan was to purchase the Lutron Smart Bridge, 6 Caseta dimmers and 8 Caseta on/off switches. I wanted to use the app, but only via my home LAN. For remote access I planned to use a VPN connection back to my home LAN.
    Would it be possible for the next version of the app and Smart Bridge to interface directly with each other? I do not want to be reliant on Lutron to secure access to my lighting system.
    The App does talk directly to the Lutron SmartBridge. I actually can VPN in to manage my own via the Lutron app. I'm going more with using HomeKit, and making that my only "trusted" remote management method for any/all IoT where possible.

    Something I've been meaning to post is a network analysis I spent a little time on. It may help those looking to secure their Lutron hubs, or at least understand what it's doing/talking to. I'm attaching a ZIP here with two CSV files, showing the DNS hostname it's using to connect to IPs, what port and protocol it's communicating with, and some additional notes of things I observed (in some cases inspecting actual packets).

    Primarily, for those looking to lock things down, enable the update related IPs and the AWS IPs it uses, so you can get updates. Lock down most other things with Internet access. NTP (time) uses a bunch of services, including some I suspect they hard code by IP address. I don't generally block NTP (port 123/udp), and few people do.

    If you have your bridge on a separate subnet internally from the rest of your systems, and you want to do HomeKit integration, you'll need to look into mDNS repeating with your router. Unless you run something more advanced than most basic home routers, this wouldn't be an option for you, but then again, you probably don't have isolated subnets. :) Also, you will want to put your mobile device (with the Lutron app) on the same subnet when pairing it. That way it knows what IP to find your Smart Bridge at when it's not seeing locally broadcast info (could be an issue with a VPN IP range, unless they're bridged). I forget if there were any issues with a possible IP re-assignment, or if I tested that. I statically assign IPs (via DHCP), so it's a non-issue for me.

    Anyway... I hope that helps for those looking to be more complex and/or secure/restrictive with their networks.

    Oh... btw... with what I did see, security wise, things don't look too bad (minor issues). I would like to see the firmware update hash files to be over TLS and not something that could be Man-in-the-middle attacked. But an attack on that would also require compromise to the firmware updates sources AND a MitM attack. So, lower risk, but still not best practice.

    I still would like to see Lutron formally publish this kind of info, rather than someone like me having to monitor network traffic and correlate DNS queries to get it.

    Cheers,
    -Alex

    Attachment 614

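The post above flags the firmware hash file being fetched without TLS. The following is an added example, not code from the thread or from Lutron, and it makes no claim about how the bridge actually verifies updates. It models the general failure mode: when the image and the hash file both travel in the clear, one on-path attacker can rewrite both, so comparing the image to the hash file detects only accidental corruption. The keyed check (an HMAC with an assumed device-embedded `VENDOR_KEY`, standing in for a real vendor signature) shows what survives that attacker; the file names and the key are assumptions for illustration.

```python
"""Added example (not from the thread or from Lutron): why a hash file fetched
over plaintext does not protect a firmware download from a man-in-the-middle.

Model: the bridge fetches firmware.bin and firmware.sha256 from the update
server. An attacker on the path can rewrite either download. The vendor's
real mechanism is unknown; the checks below are assumptions for illustration."""
import hashlib
import hmac

# --- constructed sample data, not real firmware ---
GOOD_FIRMWARE = b"bridge-fw v1.2.3\n" + bytes(range(256))
EVIL_FIRMWARE = b"bridge-fw v1.2.3\n" + b"\x90" * 256   # attacker's replacement

# Assumed key baked into the device at manufacture. HMAC stands in for a
# vendor signature that the attacker cannot forge without the key.
VENDOR_KEY = b"assumed-vendor-signing-key-not-real"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish(firmware: bytes) -> dict:
    """What the update server serves: the image, its hash file, a keyed tag."""
    return {
        "firmware.bin": firmware,
        "firmware.sha256": sha256_hex(firmware).encode(),
        "firmware.sig": hmac.new(VENDOR_KEY, firmware, "sha256").hexdigest().encode(),
    }


def mitm(server_files: dict, attacker_firmware: bytes) -> dict:
    """On-path attacker over plaintext HTTP: swaps the image and rewrites the
    hash file to match. It copies the signature unchanged because it lacks
    the key needed to forge a new one."""
    tampered = dict(server_files)
    tampered["firmware.bin"] = attacker_firmware
    tampered["firmware.sha256"] = sha256_hex(attacker_firmware).encode()
    return tampered


def check_hash_only(files: dict) -> bool:
    """The check the post worries about: image vs. hash file, both fetched
    over the same untrusted channel. Detects corruption, not substitution."""
    return hmac.compare_digest(sha256_hex(files["firmware.bin"]).encode(),
                               files["firmware.sha256"])


def check_keyed(files: dict) -> bool:
    """Check against a key the attacker does not hold. Rewriting the image on
    the wire invalidates the tag, so the substitution is detected."""
    expected = hmac.new(VENDOR_KEY, files["firmware.bin"], "sha256").hexdigest().encode()
    return hmac.compare_digest(expected, files["firmware.sig"])


def run_scenario() -> dict:
    """Outcome of both checks for a clean download and a MitM'd one."""
    clean = publish(GOOD_FIRMWARE)
    tampered = mitm(clean, EVIL_FIRMWARE)
    return {
        "clean_hash_only": check_hash_only(clean),
        "clean_keyed": check_keyed(clean),
        "tampered_hash_only": check_hash_only(tampered),   # attack passes
        "tampered_keyed": check_keyed(tampered),           # attack caught
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

Moving the hash file to TLS helps only as far as the TLS trust on the device is sound (pinned or correctly validated certificates); a key-bound signature over the image holds up regardless of which channel delivered it, which is why it is the check to ask a vendor about.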
  10. #17
    Junior Member
    Join Date
    Mar 2017
    Posts
    2
    First off, you sir are awesome! Thank you.

    I have a couple of questions.

    1) You mentioned that you VPN in, to remotely manage your lighting using the app. Does that mean if you blocked the bridge from accessing the internet you would still be able to manage it with the app? I am planning on completely blocking it from the internet. Have you tried this?

    2) When internet access is blocked will any functionality be lost or will there be any nagging warnings in the app to restore internet connectivity?

    I don’t mind a device receiving automatic updates, but in this case Lutron seems to indicate that the bridge is remotely controllable via their cloud(AWS). This is especially worrisome as their devices will be in control of power systems in my home. Even if I isolated the bridge from the rest on my network, used a destination NAT to send NTP to my server and filtered the DNS with something like OpenDNS, I would still be concerned about external backdoor access.

    All these concerns would be allayed if you can confirm that it can function without any internet access at all.

  11. #18
    Junior Member
    Join Date
    Jan 2017
    Posts
    7
    Quote Originally Posted by dsfranken View Post
    First off, you sir are awesome! Thank you.
    Thanks. You're welcome.

    Quote Originally Posted by dsfranken View Post
    1) You mentioned that you VPN in, to remotely manage your lighting using the app. Does that mean if you blocked the bridge from accessing the internet you would still be able to manage it with the app? I am planning on completely blocking it from the internet. Have you tried this?
    I can VPN in. I tested that early on when I was setting this up. The bridge had no access to the Internet at all (except time) when I tested that. Currently, it does have access for firmware updates. I just re-tested it a little to be able to answer this accurately. I had some issues, but have confirmed that my VPN connection was able to communicate directly with the bridge through my VPN link. I had some issues when connecting in from a different network, but I'm certain that is entirely something with my network config, and likely related to mDNS not being repeated to my VPN link (although not verified).

    What I have tested just now is that with the Lutron having no access (I temporarily disabled even the access to updates), I could directly control the lights via the bridge when my iPhone was connected to a different internal subnet (mDNS repeated), and from my VPN zone when I connected to that. I verified this with traffic logs and what fw rules were triggering for the connections.

    So, if you do have issues, it will likely be related to any complexity of your home network. Here, I fully isolate my IoT from my home computers and from my entertainment type systems (i.e. media center and Apple TVs), such that they are on different subnets (i.e. 192.168.44.x vs. 192.168.45.x), with firewall rules enforcing zone separation and specific rules. My VPN is just another zone with another set of rules. This is more complex than most people will have set up at home though. Most likely, people will have a single flat internal network, and fw rules that restrict access for specific devices to the Internet. And if your VPN dumps you onto the same subnet, then you shouldn't have any issues.

    I still really wish it was an option, at least, to be able to specify internal IP addresses for your Lutron bridge(s) rather than ONLY negotiated via mDNS or other broadcast.

    Quote Originally Posted by dsfranken View Post
    2) When internet access is blocked will any functionality be lost or will there be any nagging warnings in the app to restore internet connectivity?
    Not that I've seen. If it fails to connect, it tells you so, but if it connects, it seems to work normally. Again, for me, it's a limited test case with direct use of the Lutron app. My primary use is to connect with HomeKit, and then I use the HomeKit interfaces, including HomeKit's method of remote access (without having to VPN in). For me, this consolidates the many ways devices may "enable access" to my network, and I generally trust Apple's approach with HomeKit remote management over the various IoT vendors (no offense intended, Lutron). Going with HomeKit for that also lets me use a Raspberry Pi as a bridge where I can define devices and let Siri control them if I can have the Pi control them (i.e. an IP power strip that can be controlled via ssh commands, or ANY other method of control).

    Quote Originally Posted by dsfranken View Post
    I don’t mind a device receiving automatic updates, but in this case Lutron seems to indicate that the bridge is remotely controllable via their cloud(AWS). This is especially worrisome as their devices will be in control of power systems in my home. Even if I isolated the bridge from the rest on my network, used a destination NAT to send NTP to my server and filtered the DNS with something like OpenDNS, I would still be concerned about external backdoor access.
    In most cases with IoT vendors, I fully agree. For example a SmartMeter (electricity) bridge I have tries to establish an outbound VPN link as their method of pushing updates. While possibly a very secure method to push updates if you trust the vendor's network control, it's frightening to think that vendors think it's okay to establish VPN links into other people's networks.

    However, Lutron does this a bit better than most, I have to say. They have completely separated the services for remote management and firmware updates. If you look at the CSV data I shared, you'll see they have separate hostnames for the different functions, AND they don't seem to have overlap in the respective IP ranges. So, you can reasonably assume that if they connect to 52.216.0.0/16, it's for the access to the firmware update hash file (hopefully actually used for an integrity check when it gets the FW update, and not just to see if there is one to DL). Or 54.243.115.89 would be for the firmware update itself. The 52.23.255.232 IP (along with a handful of others) seem to be the ones they use for the bridge to authenticate against the service. But the remote control service itself seems to be entirely managed through 52.23.255.0/24 with the xively.com service.

    So, with that reasonable separation they seem to be using, you can allow some things, but not others. Of course, since they don't maintain a published list of IPs/subnets (poke poke, Lutron!), this could change. This data is based on a couple months of capturing traffic while I allowed it to talk to the Internet openly.

    Quote Originally Posted by dsfranken View Post
    All these concerns would be allayed if you can confirm that it can function without any internet access at all.
    This I can confirm. I would be annoyed if Internet access was required just to work. I absolutely avoid any IoT devices where it only works if their service is available online. That creates a dependency where your stuff stops working if the company goes out of business or discontinues a service, and I won't accept that when I put good money into something.

    I would recommend letting it do firmware updates, though. Even without it having broader access to the Internet, keep in mind that vulnerabilities over time could still be exploited if something else gets on your network, and then could use the outdated Lutron bridge (assuming security vulnerabilities exist and firmware updates haven't been applied) to infect and maintain a foothold.

    Anyway... again... hope that helps. With a more advanced network config, you may need to do some extra leg work, especially if you do full subnet isolation like I do. But the Lutron device itself (and app) CAN work even in my config, so if you hit issues that occur when crossing network segments, look to network structure and/or mDNS/broadcast packet repeater needs.

    Cheers,
    -Alex

  13. #19
    Junior Member
    Join Date
    Aug 2022
    Posts
    1
    Quote Originally Posted by asleeis View Post
    I think this grossly overestimates the technical abilities of those buying home automation products. Even the more skilled could protect their computers and devices they actually have more control over. But items like the Caseta SmartBridge, and the plethora of other devices being heavily marketed and sold do not offer a lot of control.
    I set this up today. I have a separate IoT network (VLAN and WiFi) on my firewall for IoT devices. On my network all of my trusted WiFI is allowed into the IoT network, but all IoT network communications are blocked unless I explicitly permit them. I had to enable *source* port 8081, 5353, and 4548 from IoT devices to my LAN to get the app working.

    Note that the smartbridge requires NTP and also tries to communicate to AWS on port 8883. No idea what it's doing in the latter case but I'm gonna leave that disabled.

  14. #20
    Senior Member
    Join Date
    Dec 2013
    Posts
    579
    What exactly is the concern here? You're behind a firewall and a NAT at home there is no way for someone outside your network to access the bridge without the bridge contacting them first- ie. Lutron's servers. Either you trust Lutron or you don't. And really, what's the worst that can happen? Hackers try to break into your home wifi so they can turn on your dining room lights?
