External Dashboard

Yep - it's all about how you prioritise the threat and what you believe is appropriate.

Julian works in security for a living so I like his solution.

My solution is to use Zerotier - I have my NR box as one point on the ZT network and my other devices (laptop, phone, tablet) as other devices on the network - no inter-device communication allowed. Obviously the login to the ZT portal is a complex password that is only stored in my password manager, which in turn is locked and requires 2FA to access.

I have the NR box access disabled by default and need to first log in to the ZT portal to enable it on the network, and then it can be reached by each of the devices for full access.

I also use Telegram to interact remotely with a limited range of functions from my phone.

I assess someone getting hold of my NR box as a very big issue, so I have taken a very heavy hammer to access to the box.

Craig


As Craig has mentioned, I have a more than passing interest in security. I also work with critical national infrastructure and in that capacity get to see threats that most people fail to recognise (don't get me started on Moscow hotels!).

The threats on mobile devices (including laptops) are far higher than most people realise.

But I've made my point and as you say, each person has to recognise and respond to their own threats and risks. I just wouldn't be comfortable if I didn't outline some unexpected threats and risks when I know about them.

Whether NGROK scores highly as a security tool isn't what is at stake here. I wouldn't ever use it in a professional capacity. But because it is turned off for all but the tiniest period, the risk is virtually zero. When active and configured as I recommend elsewhere, it is perfectly adequate for any home automation use.

Node-RED could indeed start/stop a different VPN assuming that Node-RED has sufficient admin rights. One of the differences here is that a VPN would typically run as a system service on either your router or your Node-RED server. Node-RED should NOT have the ability to change its running status as that would itself be dangerous. NGROK, however, can be run in user space as the same user as Node-RED, since it doesn't need to run all the time. That also limits what it has access to, which is an added benefit (as long as you aren't trying to change things that need root access of course - there are ways round that if you need to).

Nothing other than they would have to know how to do it and the command isn't listed so as long as you haven't done it recently, it wouldn't be visible.

In addition, on a mobile device, the Telegram client app is itself reasonably secure so malware compromise is unlikely.

We aren't trying to make a perfect system here (hint: as you probably already know, such a thing doesn't exist). But we are trying to reduce the potential attack surfaces and make any attacks too much to be bothered with.

More importantly, we are trying to make sure that we reduce the opportunity for US to mess up our configurations, so leaving ourselves vulnerable when we think we are secure. VPNs, Firewalls, Certificates and so on are notoriously difficult both to get right in the first place and to keep secure over time. And that's with professional help in enterprise settings. Even those of us in the know don't spend that much time on things in our home environments.

K.I.S.S. - once you've set up NGROK securely there are all sorts of ways you could trigger it temporarily with little effort, no firewall/router changes needed, no extra services to run on your server. Telegram is convenient for me because I already run several bots. For others, a different tool or even email would be better. If you have a VPN already set up and secure, by all means use that since any vulnerabilities are already there! Just be sure to take care of your remote devices - which is where I think I started with this conversation.

Sounds good, you do you. When people I respect who work in security start recommending hiding vulnerable services behind a Telegram-controlled web proxy, sign me up! Pick someone - NIST, CISA, a Fortune 500 company, anyone starts doing what you are recommending - I'm in. Until then I'll stick with the solution used by everyone who works in security in any sector of infosec... business and/or government. Access is VPN authenticated by certificate.

Do you work for OPM?

Thx.

As I've said, this isn't a suggestion for an enterprise, it is a compromise for non-security people who may well not have the skills to maintain security across multiple platforms and services. Please don't confuse the 2. If you have the skills, great. But not everyone does and these simpler solutions maintain a decent level of security by minimising exposure while avoiding the complexity of trying to set up a secure VPN. I'm sure you are aware just how many enterprises get this wrong too and end up with long-term compromises.

I've already given other alternatives in this thread as well. This solution works well for me because it requires no maintenance, minimises risk and complexity. But as I've said, I virtually never actually need external access.

Security is complex, assessing risk is difficult. A forum like this does not give professional security advice for obvious reasons.

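The pattern Julian describes (a tunnel process that runs in user space, as the same unprivileged user as Node-RED, and only for the short period it is needed) can be enforced mechanically rather than by remembering to switch it off. The following is an added example and is not code from the thread, from ngrok, or from Node-RED; the default command `ngrok http 1880` is an assumption standing in for whatever tunnel command you have configured, and the TTL values are arbitrary.

```python
"""Time-boxed exposure: start a user-space tunnel process and tear it down after a TTL.

Added example, not from the forum thread. Assumptions: the tunnel is an ordinary
child process run as the same unprivileged user as Node-RED, and the default
command below is a placeholder for your own configured tunnel command.
"""
import os
import signal
import subprocess
import time
from typing import Sequence

# Assumption: a plain ngrok HTTP tunnel to Node-RED's default port. Replace with
# whatever you actually run (auth options, reserved domain, etc.).
DEFAULT_TUNNEL_CMD = ("ngrok", "http", "1880")


def is_unprivileged() -> bool:
    """True when we are not root; the whole point is to expose nothing root-owned."""
    return os.geteuid() != 0


def run_time_boxed(cmd: Sequence[str] = DEFAULT_TUNNEL_CMD,
                   ttl_seconds: float = 600.0,
                   grace_seconds: float = 2.0,
                   refuse_root: bool = True) -> dict:
    """Run `cmd` for at most `ttl_seconds`, then stop it (SIGTERM, then SIGKILL).

    The child is started in its own session so the whole process group (the
    tunnel plus anything it spawns) is killed, not just the parent. Returns a
    small summary so a caller (a Telegram bot, a cron job, a Node-RED exec
    node) can report what happened.
    """
    if refuse_root and not is_unprivileged():
        raise PermissionError("refusing to start the tunnel as root")

    started = time.monotonic()
    proc = subprocess.Popen(list(cmd), start_new_session=True,
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    timed_out = False
    try:
        # Normal case: the TTL expires while the tunnel is still up.
        proc.wait(timeout=ttl_seconds)
    except subprocess.TimeoutExpired:
        timed_out = True
        os.killpg(proc.pid, signal.SIGTERM)
        try:
            proc.wait(timeout=grace_seconds)
        except subprocess.TimeoutExpired:
            # Did not exit politely within the grace period; force it.
            os.killpg(proc.pid, signal.SIGKILL)
            proc.wait()

    return {
        "command": list(cmd),
        "pid": proc.pid,
        "timed_out": timed_out,
        "returncode": proc.returncode,
        "ran_for": round(time.monotonic() - started, 2),
    }


if __name__ == "__main__":
    # Ten minutes of exposure, then it is gone whether or not you remember.
    print(run_time_boxed(ttl_seconds=600))
```

Whatever triggers this (a Telegram command, an email rule, a button in a flow) only has to start the script; the teardown is unconditional, so a forgotten tunnel is not a failure mode. The root check matches the point made above: if the tunnel needs privileges, you have lost the "user space only" benefit and should rethink the design.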

If you are going to use two Pis, rather than have a network connection between the two you could just use the header pins to push the button. The internal network would not have to have any connection to the web.

You could also use a pin to send data out with I2C, etc. Should be pretty much impossible to hack then.
