BobRak / OpenHAB-Smartthings


Lock security #86

Closed jkwasny closed 4 years ago

jkwasny commented 4 years ago

Hello, thank you for great help in integrating smartthings with openhab. I'd like to clarify how secure it is to use locks with smartthings binding. During configuration I've added my openhab ip address and port to smartthings, since they are on the same network I've used internal ip address of the openhab. I don't know how the two communicate but I assume this connection is not encrypted. Is it possible then to intercept it, analyze and then generate fake requests to smartthings to unlock door? If so, is it possible to configure binding so that the communication is read-only (smartthings send lock status to openhab but not accepting lock change requests from openhab)? Much appreciated, Thank you, Janusz

BobRak commented 4 years ago

Hi Janusz:

Sorry I didn't see your comment earlier. The data between the smartthings hub and your openHAB server are not encrypted. But this should all be taking place on your local network which should be private to your network. I guess there are ways to break into your local network through hacking into your router or hacking in through your PC. There is no way to secure this connection as the ST hub doesn't support SSL.

jkwasny commented 4 years ago

Hello, Thank you for your answer. This is kind of what I expected and while I agree that it should be relatively safe within my own network I like to take precautions. Going back to my question, would it be possible to set up smartthings<->binding communication in a read-only way, either for selected items or for all of them? By read only I mean SmartThings sending updates to OpenHab but not accepting any requests for changes? This would fix the problem for me as I don't really need to unlock door from openhab, having lock status would be enough. Thank you, Janusz

BobRak commented 4 years ago

Hi Janusz:

Smartthings defines two different lock capabilities. One is called Lock and the other is called Lock-only. Lock-only is a read only lock. I have implemented that but not correctly. Here is that definition. Would Lock-only meet your needs? If so, let me know and I can make that enhancement tomorrow. Then would you test it and make sure it does what you want?

Bob

jkwasny commented 4 years ago

Yes, the lock only would be something that would work for me. I think that's how integration between Alexa and various locks works, it allows locking but not unlocking through voice command. I assume SmartThings will still update openhab with lock status when it changes? Thank you

BobRak commented 4 years ago

Hi Janusz:

I updated the binding to correctly enforce read-only for the lock-only capability. Can you download the new jar? You will also have to download the file at contrib\smartthings\SmartApps\OpenHabAppV2 and install it into the smartthings hub. Please let me know how it works. Once I've heard from you I will do another pull-request to openHAB and hopefully get this added to the openHAB builtin bindings. Thanks, Bob

jkwasny commented 4 years ago

Thank you but it will need to wait at least a couple of days. I have hard day at work tomorrow and my fridge just stopped working (it is warm in Florida now). I will check it as soon as I can, I promise. I'll let you know as soon as I have results.

BobRak commented 4 years ago

Take your time. I'll do some testing on my side too and will to the best of my ability make sure it should work. It is somewhat difficult (and time consuming) to test devices I don't actually own. Good luck with your fridge. Stay safe.

BobRak commented 4 years ago

Hi Janusz: I've been trying to create a simulated lock and lockOnly. It seems to me that the lockOnly capability isn't really available. Maybe I'm missing something but I don't think so. When you have time could you please do the following:

  1. Open the Smartthings Developer website and login. Here is the url..
  2. Click on "My Devices"
  3. Find your door lock in the list and click on it.
  4. Tell me what the "current states" are.

Here is a sample

image

No rush. I'll try some other things in the meantime.

Bob

jkwasny commented 4 years ago

Hello, I've replied over email but I'm not sure if you receive it. The lock I have is Kwikset Zwave Deadbolt 888. I have two of those and they both show states similar to this: lockStates Janusz

BobRak commented 4 years ago

I've made a few additional changes to the code. When you have time can you please download the new jar file and install it. And, download the smartApp and install it. The smartApp is in the contrib\smartthings\SmartApps directory.

Are you configuring through the paperui or through files? If you are using files you might be able to make the lock a lock-only type. The line for the lock in your .things file would look something like:

    lockOnly SimulatedLockOnly [ smartthingsName="Simulated Lock" ]

Change SimulatedLockOnly to what you want to call it. And, change "Simulated Lock" to what you specified in the app on your phone.

Hope you got your fridge taken care of and work is a little easier now. The world is crazy right now. Be safe. On the plus side I'm retired so it isn't so hard to hunker down. On the minus side I'm approaching 70 so am more susceptible to having a bad outcome if I'm infected.

Thanks,

Bob

jkwasny commented 4 years ago

The fridge is working (well almost). I couldn't find the controller I needed so I took the closest there was. All the main functions are working, only the water dispenser is not, but at least the emergency is taken care of. Going back to smartthings. I've updated smart app. The problem however is that in the OpenHabAppV2 on my phone I see both my locks in "Locks" devices but in "Lock Only" there is "No device found". In the smartapps configuration on smartthings dev portal I have nothing in either the capability.lock or capability.lockOnly. Maybe I'm missing something or maybe the update did not work as it should. Is there anything I should turn on in the locks to make it work?

Thank you, Janusz

jkwasny commented 4 years ago

Update 2. This is how far I got today: I've enabled one of my locks in OpenHab smart app on my phone. I'm using PaperUI and things discovery did not find any new things. When I configured it manually using smartthings bridge I got the following thing:

    smartthings:lockOnly:6136dfd1:lock

I created Text type item and when I'm changing lock manually it changes between: Lock and unlock (one is capitalized and one is not). I'm not really sure how to lock it. I've created simple switch button and then a rule that when button is switched to ON I'm sending an update:

    sendCommand(BackDoorLock_status, "locked")

My BackDoorLock_status is:

    String BackDoorLock_status "Back door [%s]" (ContactSensors) {channel="smartthings:lockOnly:6136dfd1:lock"}

This update causes two different things: When I'm sending 'lock' in update my openhab.log shows:

    2020-04-14 23:03:24.601 [INFO ] [s.internal.SmartthingsHandlerFactory] - Sent message "{"capabilityKey": "lockOnly", "deviceDisplayName": "Back door", "capabilityAttribute": "lock", "value": "lock"}" with path "/update" to the Smartthings hub, recieved HTTP status 202 (This is the normal code from Smartthings)

When I'm sending 'locked' in update I'm sometimes getting a message similar to the above but more often an exception:

    2020-04-14 23:04:16.429 [INFO ] [rnal.handler.SmartthingsThingHandler] - Attempt to send command to the Smartthings hub failed with exception java.util.concurrent.TimeoutException: Total timeout 3000 ms elapsed

The lock does not move in either case. I'm probably doing something wrong but I have not worked with locks before and I'm not fully compatible with Things yet, I've switched from OH1 not that long ago. What is the correct way to lock it through OH item?

Thank you and have a good night, Janusz

jkwasny commented 4 years ago

Update 3. While the Text item still shows values 'Locked' and 'unlocked' (one capitalized one not) the following mappings show lock status correctly in a switch item:

    Switch item=BackDoorLock_status mappings=[locked="Locked",unlocked="Unlocked"]

Still no luck with locking it from OH.

BobRak commented 4 years ago

I went back and retested my Lock implementation and I do believe it is working correctly. Here are config file samples. You will of course have to change the names to match your setup.

    // Things
    lock SimulatedLock [ smartthingsName="Simulated Lock" ]

    // Items
    String SimulatedLockItem "Simulated lock [%s]" { channel="smartthings:lock:Home:SimulatedLock:lock" }

    // Sitemap
    Frame label="Lock and LockOnly" {
        Switch item=SimulatedLockItem
    }

Here is what my screen looks like image

See if you can get that to work.

Part 2

If you want to only have the ST hub respond to Lock then I think I could create a Device Handler that would intercept the LockOnly from openHAB and then talk to your real lock. If you want that I'll see if I can write one. But, first let's get the basic lock capability working. I have attached a diagram about how this might work.

LockDeviceHandler.docx

Bob

jkwasny commented 4 years ago

I did some more testing today and have a few results to share:

  1. In order to correctly receive updates I had to restart openhab any time I add or change a thing related to the lock.
  2. If I define my Thing as lock (not lockOnly) then everything works. I can lock and unlock using either the buttons from item (the one you have shown on print screen) or I can also have a simple switch and do sendCommand with value locked and unlocked. Works fine.
  3. If I define my Thing as lockOnly then I'm receiving updates from smartthings to OH2 (so when I manually lock or unlock it my item changes state) but I cannot change it using OH2, neither 'lock' nor 'unlock' works. I even tried sending 'Lock' instead of 'lock' but it didn't work either. This is kind of what I wanted in the first place (read only access to lock status) but now when you have made it even more appealing with a possibility to lock then well, it would be nice to have :-)

Thank you, Janusz

BobRak commented 4 years ago

Hi Janusz:

I've gotten bogged down working on air conditioner operations for another user. Turning into what I call a shit storm. Smartthings has one list of commands but some of them don't work. And that user is getting a different set of commands from his Samsung AC. Really a big time suck.

But, I will work on a device handler that will look like LockOnly to OH2 and will look like a lock to your lock device. It will ignore all incoming commands except lock. And, it will return whatever actions it receives from the real lock.

I'll get it done sometime next week.

Bob
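
Added example, not part of the thread and not code from the binding or the SmartApp: the "ignore all incoming commands except lock" rule written as a default-deny allow-list over the `/update` message format shown in the openhab.log line above. The function name `check_update` and the policy table are assumptions made for this sketch, and because the hub link is unencrypted the check only protects the lock when it is enforced on the receiving (hub) side.

```python
import json

# Allow-list keyed by (capabilityKey, capabilityAttribute) -> permitted values.
# Field names follow the logged message; the table itself is an assumption
# for this example, not the binding's or the SmartApp's own policy.
ALLOWED_COMMANDS = {
    ("lockOnly", "lock"): {"lock"},
}

REQUIRED_FIELDS = ("capabilityKey", "deviceDisplayName", "capabilityAttribute", "value")


def check_update(raw_body):
    """Return (allowed, reason) for one /update request body (hypothetical helper)."""
    try:
        msg = json.loads(raw_body)
    except (TypeError, ValueError):
        return False, "body is not valid JSON"
    if not isinstance(msg, dict):
        return False, "body is not a JSON object"
    for field in REQUIRED_FIELDS:
        if not isinstance(msg.get(field), str):
            return False, "missing or non-string field: " + field
    key = (msg["capabilityKey"], msg["capabilityAttribute"])
    permitted = ALLOWED_COMMANDS.get(key)
    if permitted is None:
        # Default deny: a capability absent from the table accepts no commands,
        # so a device exposed as a full "lock" cannot be driven at all.
        return False, "capability not allowed to receive commands"
    # Exact, case-sensitive match: "Lock", "locked" or "unlock" do not pass.
    if msg["value"] not in permitted:
        return False, "value not permitted: " + msg["value"]
    return True, "ok"


# Constructed sample bodies in the format of the logged message.
SAMPLES = [
    '{"capabilityKey": "lockOnly", "deviceDisplayName": "Back door", "capabilityAttribute": "lock", "value": "lock"}',
    '{"capabilityKey": "lockOnly", "deviceDisplayName": "Back door", "capabilityAttribute": "lock", "value": "unlock"}',
    '{"capabilityKey": "lock", "deviceDisplayName": "Back door", "capabilityAttribute": "lock", "value": "unlock"}',
    '{"capabilityKey": "lockOnly", "value": "lock"}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(check_update(body))
```
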

jkwasny commented 4 years ago

That's ok, take your time. I got what I wanted and it works fine for monitoring doors in OH2. For the AC I'm using Ecobee controller with OH2 binding. It works through cloud instead of LAN, which is the part I don't like, but it does everything I need it to and that's what matters.

Thank you, Janusz

BobRak commented 4 years ago

Hi Janusz:

After working on it for quite a while I came to the conclusion that it isn't possible to have a Device Handler control a device other than the one assigned to it. Therefore it is not possible to create a virtual lock that is Lock-only and then have it control a lock. It might be possible to create a device handler and a smartapp that work together but that is beyond my skill level. Sorry.

jkwasny commented 4 years ago

No problem. Thank you for looking at it. What I have so far is enough for my needs and the binding itself is useful in so many ways.

Take care, Janusz