"Hackers" Take Over Moving Vehicle a.k.a. Secure Your Home!

Posted on
Thu Jul 23, 2015 12:23 pm
RogueProeliator
Posts: 2501
Joined: Nov 13, 2012
Location: Baton Rouge, LA

This is just a gentle reminder to everyone that you really need to be security conscious with your home automation setup -- there is a reason that many of us "preach" not to use basic authentication and open up ports and run your own security protocols... particularly the mistake of "security by obscurity" (thinking that just because you don't tell anyone, say, what port you are using that you are safe.)

This article is one example -- here hackers (in the good sense of the word - really security researchers) demonstrate a real-time exploit that allowed them to control a Jeep on the highway 10 miles away; don't worry, the driver was a willing participant - the author of the story.
http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

I realize this is a car, yes, but it does show that researchers, and likely malicious hackers, are broadening their scope of attacks. Vulnerabilities like this will likely become more and more common, though in the real world I doubt a hacker goes after a car as there is little profit there. A house, however, could be an inviting target.

Far from an exhaustive list, here are some of the home-automation-specific suggestions that I've had along with those from other forum members that have been mentioned before. Might behoove everyone to do a quick check of their system's security every so often...

  • Physical Security - make sure your door locks are reliable; best case is that they have feedback though for many this will need to wait until Indigo supports door locks
  • Security System - ideally your security system should be a known vendor and will work independently of the Indigo server running (even with reduced functionality you want something to happen!)
  • Security System - alerts should work with power out ideally, though there are certainly situations that you can't control. Some users use a backup notification system so that it can send a notification via cellular, phone and network
  • Camera Systems - make sure you can record all the time or on motion, but just most importantly that it works! Some prefer standalone systems here, some integrated to Indigo and some a hybrid approach. All have advantages and disadvantages, but all are better than none!
  • Network - secure your wireless with WPA2 and a decent passphrase; if you enable a guest network ensure it cannot get to internal network devices
  • Indigo System - enable digest authentication, don't use basic or none
  • Indigo System - disable remote access if not using it, use reflector service if you are. If you REALLY know what you are doing then a reverse proxy in Apache can enable secure access. If you need to access Indigo remotely via Mac Client, consider a good network router that supports VPN connections instead of opening additional ports to the world
  • Indigo System - some users place a screensaver and password requirement, some secure physical access to the device. Nothing is perfect here, but at LEAST hide the server from plain sight!
  • Indigo System - use a good password for both the Mac and Indigo... in general a longer password that is not made up of standard words/phrases is stronger than a shorter password with more diverse characters. Even better, use a password manager with a very secure password and utilize the random password generator feature.
  • Indigo's Computer - really applies to any, but turn off any services you are not using. If you aren't using File Sharing or Back to My Mac, turn them off
  • Attached Network Devices - use a good password; it can be inconvenient but is really a small thing. Don't allow unauthenticated access to anything (e.g. file shares)!
  • Control Pages -- obvious but overlooked... don't put a "Disarm Alarm" button on a wall-mount iPad next to the door. Stop laughing, you would be surprised at how many don't think about that.
  • All Passwords - change your passwords on a schedule & enable two factor authentication anywhere it is supported

I'm SURE I've missed some other suggestions from the forums; if you have any more please feel free to add them!

Adam
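
As an added illustration of the "enable digest authentication, don't use basic" item in the list above (not part of Adam's post and not Indigo's code), this sketch shows what each scheme puts on the wire, assuming standard HTTP Basic (RFC 7617) and Digest (RFC 2617, no qop). The user name, password, realm, nonce and URI are constructed sample values.

```python
import base64
import hashlib

# Constructed sample values (not from the thread or from Indigo).
USER, PASSWORD = "homeowner", "correct horse battery staple"
REALM, NONCE = "Example Realm", "dcd98b7102dd2f0e8b11d0f600bfb0c093"
METHOD, URI = "GET", "/devices.xml"


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """Authorization header a client sends for HTTP Basic (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def recover_from_basic(header):
    """What anyone reading the request recovers: base64 is an encoding, not encryption."""
    token = header.split(" ", 1)[1]
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_response(user, password, realm, nonce, method, uri):
    """RFC 2617 Digest 'response' (no qop): a hash bound to the server's nonce."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def digest_header(user, password, realm, nonce, method, uri):
    """Authorization header for Digest: carries the hash, never the password."""
    response = digest_response(user, password, realm, nonce, method, uri)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


if __name__ == "__main__":
    basic = basic_header(USER, PASSWORD)
    print("Basic on the wire: ", basic)
    print("Recovered by reader:", recover_from_basic(basic))
    print("Digest on the wire:", digest_header(USER, PASSWORD, REALM, NONCE, METHOD, URI))
    # A fresh nonce from the server yields a different response for the same password.
    print("Next nonce:", digest_response(USER, PASSWORD, REALM, "0a4f113b", METHOD, URI))
```

Digest keeps the password out of the request but does not encrypt the traffic itself, so it complements rather than replaces the reflector or VPN options in the list.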

Posted on
Fri Jul 24, 2015 5:44 am
durosity
Posts: 4320
Joined: May 10, 2012
Location: Newcastle Upon Tyne, Ye Ol' England.

Re: "Hackers" Take Over Moving Vehicle a.k.a. Secure Your Ho

Brilliant post Adam, much of which I've been thinking of more and more lately but some good things there I hadn't thought of. Ideally I'd love to see Indigo implement secure connections when not using reflector. Unfortunately I just find it too slow for daily use (and also my work blocks access to it so I'm constantly having to turn off wifi to access).



Computer says no.

Posted on
Sun Jul 26, 2015 9:35 am
howartp
Posts: 4559
Joined: Jan 09, 2014
Location: West Yorkshire, UK

Re: "Hackers" Take Over Moving Vehicle a.k.a. Secure Your Ho

Yeah, I read/watched that story about the jeep this week and immediately thought about Indigo.

Time to lock down my own systems a bit more, methinks.



Posted on
Tue Jul 19, 2016 10:22 am
T-Power
Posts: 220
Joined: May 10, 2010

Re: "Hackers" Take Over Moving Vehicle a.k.a. Secure Your Ho

Hello All,
Just saw this post, great feedback Adam!
As always, thanks for sharing.

MacMini 2.3 GHz Intel Core i7 16GB DDR3
Indigo Pro 2022.1 macOS Mojave 10.14.6
