Search CE Pro






Print  |  Email  |  Comments (4)  |  Share  |  News  |  Follow on Twitter, Facebook, Google+ or RSS

Control4 Warns Dealers About Port Forwarding for Home Automation

Control4 warns against port forwarding for remote access to home automation systems, urges use of VPNs or new cloud-based security and remote access service.


image
As we wrote earlier, new bots like Shodan automate the search for IP addresses – virtually everything connected to a network.

Proactively guarding dealers and customers from such threats, Control4 issued a notice to dealers (below) warning about the dangers of port forwarding and urging all integrators to employ secure VPNs or use the company’s new Anywhere Access: Mobile solution via its 4Sight subscription service. 

Control4 launched that cloud-based service to simplify the security and remote access of home networks including home control.

“It’s an instant improvement as it acts as a centralized access point the way using VPN with a DNS service acts with security camera remote viewing,” says long-time Control4 dealer and CE Pro contributor Joe Whitaker. “DNS service has always been a part of the services that run on a Control4 system. Now they are utilizing that for secure remote access through the existing 4Sight service.”

Home control vendors like Control4 have warned against port forwarding for years.

“This is a good reminder that port forwarding is and always has been a bad idea, regardless of what system you are using,” Whitaker says.

For its part, Control4 urges dealers, “Any Control4 Dealer that has enabled its customers’ home networks to allow port forwarding in order to provide access to Control4 systems should immediately contact those homeowners and make them aware of the potential for a security breach of their Control4 system.”

RELATED: How to Protect Clients from Home Automation Hacker Bots

May 4, 2013

Security Advisory

Dear Valued Control4 Dealers,

Owners of home automation systems have desired the ability to remotely access and control their systems through their mobile devices and remote personal computers. In response to this growing market demand, we recently released our Anywhere Access: Mobile solution through our 4Sight® subscription service, which allows homeowners to securely connect to and control their homes over 3G /4G cellular and remote wireless networks. Prior to releasing that solution, our only recommended approach for providing remote access to a Control4 system was through a secure VPN network. We warned our Dealers:

“Control4 does not recommend or approve of port forwarding for remote access using the MyHome application due to the security risks. Dealers and homeowners that use this technique assume any and all associated risks for such actions. Control4 requires Dealers to fully inform the homeowner of all associated risks and acquire written permission from any such homeowner before attempting any remote access through port forwarding from the home.”

Recently, media articles and technical postings have highlighted the growing risks associated with enabling networks to use port forwarding because if the firewall is breached, the entire network – including in the case of a home network, the home automation system – could be vulnerable.  The risks associated with a network that has port forwarding are attributable in large part to new public search tools that can easily detect and expose vulnerable networks as well as devices on those networks, including traffic cameras, corporate servers, home computers and home automation systems (like those of Control4). 

Based on the additional risks associated with this new search capability, we remind all Control4 Dealers worldwide that enabling port forwarding of the home network is not an acceptable method for providing remote access of a Control4 system. Any Control4 Dealer that has enabled its customers’ home networks to allow port forwarding in order to provide access to Control4 systems should immediately contact those homeowners and make them aware of the potential for a security breach of their Control4 system. At this time, the only acceptable methods for remote access to and control of a Control4 system is through a secure VPN or through our new Anywhere Access: Mobile solution via our 4Sight subscription service. 

Now and in the future, if you believe that there is a security issue relating to any Control4 system, or if you have any questions about the security of a Control4 system, please contact us at .(JavaScript must be enabled to view this email address).

Thank you for your continued support, feedback, and confidence in Control4.





Subscribe to the CE Pro Newsletter

Article Topics

News · Product News · Home Automation and Control · Control Systems · Control4 · All topics

About the Author

Julie Jacobson, Co-Founder, EH Publishing / Editor-at-large, CE Pro
Julie Jacobson, recipient of the 2014 CEA TechHome Leadership Award, is co-founder of EH Publishing, producer of CE Pro, Electronic House, Commercial Integrator, Security Sales and other leading technology publications. She currently spends most of her time writing for CE Pro in the areas of home automation, security, networked A/V and the business of home systems integration. Julie majored in Economics at the University of Michigan, spent a year abroad at Cambridge University, earned an MBA from the University of Texas at Austin, and has never taken a journalism class in her life. She's a washed-up Ultimate Frisbee player currently residing in Carlsbad, Calif. Follow her on Twitter @juliejacobson. [More by Julie Jacobson]

4 Comments (displayed in order by date/time)

Posted by Bjørn Jensen  on  05/07  at  01:37 PM

Yay!  People are waking from their slumber!

Posted by Mr. ihiji  on  05/07  at  01:48 PM

Thanks for spreading this news Julie!  We’ve been preaching this and CEDIA education has been teaching this for years. Bjorn at Why Reboot recently wrote a great CE Pro Blog on the topic.  There are plenty of ways to securely provide remote access without port forwards.  Keep spreading the news!

Posted by Jack  on  05/08  at  12:38 PM

” Mobile solution via our 4Sight subscription service. ”  How about teach your dealers how to secure things instead of charging for a subscription service? I find it odd that a VPN with DNS is being made out to be not secure and your subscription service is somehow better?

Posted by Julie Jacobson  on  05/08  at  12:52 PM

Jack, I didn’t interpret C4’s letter that way at all. They did say that VPN is perfectly secure. And by the way, if you’re not one to mess with VPN w/ DNS (and clearly many established dealers fit that category), they now have another option.

At this time, the only acceptable methods for remote access to and control of a Control4 system is through a secure VPN or through our new Anywhere Access: Mobile

Page 1 of 1 comment pages
Post a comment
Name:
Email:
Choose smileys | View comment guidelines
Remember my personal information
Notify me of follow-up comments?

Sponsored Links

  About Us Customer Service Privacy Policy Contact Us Advertise With Us Dealer Services Subscribe Reprints ©2013 CE Pro
  EH Network: Electronic House CE Ideas Store Commercial Integrator ChannelPro ProSoundWeb Church Production Worship Facilities Electronic House Expo Worship Facilities Expo