Welcome! Here are the website rules, as well as some tips for using this forum.
Need to contact us? Visit https://heatinghelp.com/contact-us/.
Click here to Find a Contractor in your area.

Network Security

Jamie Hall
Jamie Hall Member Posts: 24,849
in THE MAIN WALL
There are several threads current regarding wi-fi and internet connected thermostats. I've noted this before, in individual threads, but perhaps a more general message is in order.

If you implement a wi-fi or internet connected thermostat, pay attention to security!

Set the strongest access password you can possibly think up for the device, both for changing settings and for reading information off it. Just do it!
Br. Jamie, osb
Building superintendent/caretaker, 7200 sq. ft. historic house museum with dependencies in New England
PC7060

Comments

  • Robert O'Brien
    Robert O'Brien Member Posts: 3,562
    What makes you say that?
    To learn more about this professional, click here to visit their ad in Find A Contractor.
  • Jamie Hall
    Jamie Hall Member Posts: 24,849
    You really don't want someone else out there to be running your heat up and down! Nor, on the ones which sense when the structure is occupied, do you want someone else out there seeing when it is empty, and helping themselves to the family silver (or big screen TV!).

    And trust me -- if you password is, let's say "1234567, they will!
    Br. Jamie, osb
    Building superintendent/caretaker, 7200 sq. ft. historic house museum with dependencies in New England
  • pecmsg
    pecmsg Member Posts: 5,291
    Jamie Hall said:
    And trust me -- if you password is, let's say "1234567, they will!
    Why did you post my password? o:)
    reggiCLambSlamDunk
  • pecmsg
    pecmsg Member Posts: 5,291
    I agree a strong password is needed but don't be fooled, there is NO foolproof internet security!
  • PC7060
    PC7060 Member Posts: 1,443
    Best practice is to use a password manager with dual factor authentication. The password manager can generate very secure password for each account.  
     I prefer KeePass since the database is local to my system but I’ve heard good things about last pass. 
  • ethicalpaul
    ethicalpaul Member Posts: 6,661
    People can't get into your home network unless you go way out of your way to set up your home router to allow it, but yes, a good password never hurt anyone.

    NJ Steam Homeowner.
    Free NJ and remote steam advice: https://heatinghelp.com/find-a-contractor/detail/new-jersey-steam-help/
    See my sight glass boiler videos: https://bit.ly/3sZW1el

  • WMno57
    WMno57 Member Posts: 1,408
    Old thread, new spammer, soon to be banned spammer.
    ethicalpaulPC7060
  • Zman
    Zman Member Posts: 7,611
    It doesn't necessarily end with turning temps up and down. How would you like to be the guy Fazio Mechanical trying to explain this one?
    https://slate.com/technology/2022/04/breached-excerpt-hartzog-solove-target.html
    "If you can't explain it simply, you don't understand it well enough"
    Albert Einstein
  • Dave Carpentier
    Dave Carpentier Member Posts: 620
    Its easy to see how the hack existed on the Fazio computers, but how is it that the Fazio log-in allowed an unrestricted path into the Target corp computers ? If the sole purpose was monitoring or altering the HVAC system, should that logon (or the Fazio IP) not have been restricted to just a few ports (on Target) that only go the controller(s) on site ?
    Fazio provided the spark for the fire, but Target had piled all the wood and paper up (and then found their extinguishing system somewhat ineffective).

    30+ yrs in telecom outside plant.
    Currently in building maintenance.
    PC7060
  • CLamb
    CLamb Member Posts: 325
    I set up my router to only allow the Mac IDs of my devices.
    PC7060
  • reggi
    reggi Member Posts: 523
    PC7060 said:
     I’ve heard good things about last pass. 
    Not so sure.. again..
    https://www.google.com/amp/s/techcrunch.com/2022/12/22/lastpass-customer-password-vaults-stolen/amp/
    One way to get familiar something you know nothing about is to ask a really smart person a really stupid question
    JakeCK
  • PC7060
    PC7060 Member Posts: 1,443
    reggi said:
    PC7060 said:
     I’ve heard good things about last pass. 
    Not so sure.. again..
    https://www.google.com/amp/s/techcrunch.com/2022/12/22/lastpass-customer-password-vaults-stolen/amp/
    @reggi - whew.  Glad I use KeePass. If it’s in the cloud it can be stolen. Another reason multi factor (what you know and what you have) is important. Can’t just rely on a good password.  

    I also a) digitally backup and b) print my password vault out in clear text and store in bank safety deposit box.  Important have recovery path in case of accident damage to computer (or me). 
    gmcinnes
  • ChrisJ
    ChrisJ Member Posts: 16,315
    edited December 2022
    CLamb said:

    I set up my router to only allow the Mac IDs of my devices.

    I used to do that, but stopped about 10 years ago as it became an unnecessary royal pain in the butt. Not to mention any modern device can easily spoof mac addresses via wifi now.

    Single pipe 392sqft system with an EG-40 rated for 325sqft and it's silent and balanced at all times.

  • CLamb
    CLamb Member Posts: 325
    ChrisJ said:


    Not to mention any modern device can easily spoof mac addresses via wifi now.

    Yes, but it would have to monitor the devices' broadcasts to know their MAC IDs. Just guessing one would be darn near impossible.
    PC7060
  • ChrisJ
    ChrisJ Member Posts: 16,315
    CLamb said:

    ChrisJ said:


    Not to mention any modern device can easily spoof mac addresses via wifi now.

    Yes, but it would have to monitor the devices' broadcasts to know their MAC IDs. Just guessing one would be darn near impossible.

    Probably a lot easier than cracking WPA2.

    Single pipe 392sqft system with an EG-40 rated for 325sqft and it's silent and balanced at all times.

  • gmcinnes
    gmcinnes Member Posts: 120
    Y'all are forgetting that I don't have to have access to your WiFi.

    If I can get you to download an exploit like  EDR_CALCULATOR.EXE and have it silently open a connection to me when it runs, you're pwned, as the kids say.

    Once I'm there I can explore your network.  I guarantee those consumer IoT devices on your network a) have horrible security to begin with and b) will never be patched to fix vulns.

    Would be a lot of bother just to play with your thermostat though 🤣
  • gmcinnes
    gmcinnes Member Posts: 120
    PC7060 said:
    reggi said:
    PC7060 said:
     I’ve heard good things about last pass. 
    Not so sure.. again..
    https://www.google.com/amp/s/techcrunch.com/2022/12/22/lastpass-customer-password-vaults-stolen/amp/
    @reggi - whew.  Glad I use KeePass. If it’s in the cloud it can be stolen. Another reason multi factor (what you know and what you have) is important. Can’t just rely on a good password.  

    I also a) digitally backup and b) print my password vault out in clear text and store in bank safety deposit box.  Important have recovery path in case of accident damage to computer (or me). 
    This warms the cockles of my heart 😉

    I'm doing this today.
    PC7060

Categories