On our most recent IoT Podcast, Billy called in to our podcast hotline with a security question. He’s using an Insteon ISY99-4i Home Automation Controller along with Home Assistant to power his smart home. Since the Insteon controller uses Telnet for communications, Billy is wondering if he should be concerned from a security perspective.
We’ve covered Telnet security exploits a number of times, for as long as we’ve done this podcast. And there’s a reason for that.
According to Beyond Security, Telnet security flaws are a “… low-risk vulnerability that is one of the most frequently found on networks around the world. This issue has been around since at least 1990 but has proven either difficult to detect, difficult to resolve, or prone to being overlooked entirely.”
As a result, we tend to advocate not using Telnet in the smart home, mainly because there are more secure, modern communications protocols available. Along the same lines and for similar reasons, we’re not fans of older IP-based webcams. We’ve seen many exploits on these devices too, allowing for hackers to gain access to the camera and microphones in your home.
This doesn’t mean Billy has to rip out his older Insteon gear and replace it. In fact, I used the very same ISY99-4i controller that Billy uses when I set up my first smart home in 2010. I loved it!
But he should be aware that his security risk level is higher as long as he keeps using this gear. The good thing here is that Billy’s Insteon gear isn’t directly connected to the internet. However, any breach of his home network could lead to Telnet troubles.
It wouldn’t be a bad idea for Billy to modernize his smart home just to remove this potential threat vector. Personally, I’d consider migrating devices over to Home Assistant in this case, since he’s already using it, but it’s a personal choice.
I decided a long time ago that I just don’t want any Telnet in my home if I can help it. But that’s my home and Billy’s home is his home. Additionally, I haven’t seen or read about any Telnet exploits in the smart home.
It really comes down to the question of: Do you want to keep taking the chance that a relatively insecure communications protocol doesn’t get exploited in the smart home?
Again, it’s Billy’s choice and it’s great that he has the awareness to ask about this concern. And to be fair, Home Assistant has optional Telnet support that users can enable, illustrating that the protocol is still desired and used in the smart home.
To hear Billy’s question in full, as well as our discussion on the topic, tune in to the IoT Podcast below:
It looks like the ISY994 uses telnet but the Insteon hub 245-222 does not. I use a 2314u PLM with third party software which I feel is very secure.
Wow. Talk about misplaced priorities. If a bad guy gets into one’s network having the intruder screw around with the lights is about as low on the list of concerns as there could be.
A much larger IoT security issue is that of WiFi IoT gear. Phoning home and whatever else goes on. Run a pi-hole and see how even legitimate companies are trying to gather data. What are those unknown sellers of cheap devices trying to do?
Meanwhile I’m fine with the imperfect, yet very low risk, security of my ultra reliable RadioRA 2 Telnet enabled lighting system.