Hacking Evohome... API Vs direct communication with devices

  • MrBoy
    Automated Home Guru
    • May 2017
    • 165

    This thread details an ongoing community effort (with Honeywell) to hack EvoHome using the official API. This only refers to communicating with the Evohome server, so it's like a home-brew replacement for the smartphone apps (right?): http://www.wordpress-1219309-4387497...ntrol-remotely

    I've also seen people discussing directly talking to the EvoHome devices using stuff like Wireshark and RF units. I'm not sure if there is an active community here, or whether they are trying to replace the EvoHome controller or just talk to it?

    Maybe there is a 3rd option - a thread grouping the various homebrew efforts would be amazing so people can decide what route to go.

    ====

    My position is that I love the idea of EvoHome but would like more precise control over each room in a non-traditional "turn on at 7, off at 9" way. We have a large house with only two people, and not particularly predictable schedules who will be in the house in which room at which time - other than when we get up in the morning.
    It's daft that our bathroom is being heated just because the living room is, when I only want it warm to take a bath at some point in the evening. I work from home so typically my office needs heating 9-5 but sometimes in the evening too.

    I love the idea of "scenarios" so I can tell my heating system "I'm going to take a bath". Or "We're going to bed soon". This seems contrary to the normal usage of the controller and app but possible through the API with custom code on top.
    BUT - is that needed when the app will(?) let me just override any zone at any time?

    My big dilemma is that I am strongly opposed to being locked into the EvoHome server. If the internet is down, or your server is, or you decide my product is obsolete, or even that the API should be retired or replaced with something totally different... I don't want to be beholden to someone else making decisions - anyone who plays multiplayer games knows the frustration that eventually they'll pull the plug on the server.
    Plus, there are privacy issues. It seems an unneeded attack surface that I have to send my heating requests to the internet when I'm sitting on the sofa.

    If EvoHome would just let me talk to the controller from my private WiFi as well as through the web this would be a non-issue. But since they don't/won't... what are the workable options, and how much DIY is involved in each?
  • DBMandrake
    Automated Home Legend
    • Sep 2014
    • 2361

    #2
    Originally posted by MrBoy:
    > My position is that I love the idea of EvoHome but would like more precise control over each room in a non-traditional "turn on at 7, off at 9" way. We have a large house with only two people, and not particularly predictable schedules of who will be in the house in which room at which time - other than when we get up in the morning.
    > It's daft that our bathroom is being heated just because the living room is, when I only want it warm to take a bath at some point in the evening. I work from home so typically my office needs heating 9-5 but sometimes in the evening too.
    There's no need for your bathroom to be heated because your living room is? Although many people have uncontrolled towel rails or bathroom radiators (no HR92) that just get hot when any other room comes on, I have an HR92 on my bathroom radiator (which doubles as a towel rail - no separate heated towel rail) and much prefer the flexibility of having the bathroom under full control.
    > I love the idea of "scenarios" so I can tell my heating system "I'm going to take a bath". Or "We're going to bed soon". This seems contrary to the normal usage of the controller and app but possible through the API with custom code on top.
    > BUT - is that needed when the app will(?) let me just override any zone at any time?
    That's up to you - sounds like you want "scenes" - I believe you may be able to implement something like that using the Amazon Alexa integration, if you have an Echo. Or you could have a schedule where the uncertain rooms are set back 2-3 degrees and when you know you are going to use them you turn them up a bit manually using a timed override. That's what I do in some rooms that aren't used a lot or at unpredictable times.
    > My big dilemma is that I am strongly opposed to being locked into the EvoHome server. If the internet is down, or your server is, or you decide my product is obsolete, or even that the API should be retired or replaced with something totally different... I don't want to be beholden to someone else making decisions - anyone who plays multiplayer games knows the frustration that eventually they'll pull the plug on the server.
    > Plus, there are privacy issues. It seems an unneeded attack surface that I have to send my heating requests to the internet when I'm sitting on the sofa.
    I don't see what the attack surface would be - the Evohome makes an outgoing persistent connection to the Honeywell servers, and when you access the Web API yourself (for example with a python binding) you are also making an outgoing connection to the Honeywell servers. The Evotouch doesn't accept any incoming connections, and if you do a port scan on it you'll find no open ports.

    About the only attack vector I can think of is if your password was too easy to guess (or if Honeywell's servers got hacked) someone could maliciously heat up or cool down your house... But I don't see how it could be used as a jumping off point for an attack on your local network as the Web API is pretty limited in what it can do. It's not as if it suddenly gives you root access to the Evotouch...
    > If EvoHome would just let me talk to the controller from my private WiFi as well as through the web this would be a non-issue. But since they don't/won't... what are the workable options, and how much DIY is involved in each?
    You have only two options to control the Evotouch outside of the control panel and phone apps provided:

    1) Use the Web API. You can access this many ways - my favourite is using watchforstock's python bindings. If you know python it's exceptionally simple to control and monitor your system this way; you can do something like a zone override in a few lines of python. There are bindings for other languages as well. Other options are 3rd party services that (I believe) also make use of the Honeywell API behind the scenes. These include IFTTT, Conrad Connect, Amazon Echo etc...

    2) Buy an expensive (130ish Euros) HGI80 USB interface. This will talk the native RF protocol of the Evohome system directly to the controller and other devices. At the moment the only software implementation that really works with this is Domoticz. If you can integrate the features you want in Domoticz it may be an option but writing your own support for an HGI80 outside Domoticz would be a major undertaking as the Rameses protocol is complex and only partially reverse engineered.

    Personally of the two I would go for the Web API option - at least at first. Honeywell's API does seem to be very reliable in the last year and you can get something up and running just with a bit of code on a box you already have, no expensive hardware. If you just want to monitor your system and implement some arbitrary custom "scenes" that you can activate, calling the WebAPI from a custom app would be the way I'd do it.
    Last edited by DBMandrake; 6 December 2017, 03:52 PM.
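What the "scenes on top of the API" idea from the post above looks like in code. This is an added example, not part of this thread and not watchforstock's bindings: a named scene expands into timed zone overrides that are validated (known zone, sane setpoint) before any call is made, then pushed through whatever client you use. The HeatingClient interface, the FakeClient, the zone names, the scene definitions and the 5..35 C setpoint bounds are all assumptions for this example; to use the real bindings, implement the same two methods on top of them.

```python
"""Scene engine for a cloud-only heating API.

Added example, not from the thread and not the evohome-client library.
A scene is a bundle of zone boosts that all expire together; applying it
issues one timed override per zone through a small client interface.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Protocol

# Assumed setpoint range for this example; check your controller's own limits.
MIN_SETPOINT_C = 5.0
MAX_SETPOINT_C = 35.0


@dataclass(frozen=True)
class Override:
    """A timed setpoint override for one zone; the schedule resumes at `until`."""
    zone: str
    setpoint_c: float
    until: datetime


@dataclass(frozen=True)
class Scene:
    """A named set of zone boosts (zone name -> target C) sharing one duration."""
    name: str
    boosts: Dict[str, float]
    duration: timedelta


# Hypothetical scenes and zone names chosen for this example.
SCENES: Dict[str, Scene] = {
    "bath": Scene("bath", {"Bathroom": 23.0}, timedelta(hours=1, minutes=30)),
    "bed": Scene("bed", {"Bedroom": 19.0, "Living Room": 12.0}, timedelta(hours=1)),
    "office": Scene("office", {"Office": 21.0}, timedelta(hours=3)),
}
EXAMPLE_ZONES = ["Bathroom", "Bedroom", "Living Room", "Office"]
DEMO_NOW = datetime(2018, 1, 25, 22, 0)


class HeatingClient(Protocol):
    """The only two calls the scene engine needs from any API binding."""
    def zone_names(self) -> List[str]: ...
    def set_temperature(self, zone: str, setpoint_c: float, until: datetime) -> None: ...


@dataclass
class FakeClient:
    """In-memory stand-in for the vendor client so the example runs offline."""
    zones: List[str]
    overrides: Dict[str, Override] = field(default_factory=dict)

    def zone_names(self) -> List[str]:
        return list(self.zones)

    def set_temperature(self, zone: str, setpoint_c: float, until: datetime) -> None:
        self.overrides[zone] = Override(zone, setpoint_c, until)


def scene_problems(scene: Scene, known_zones: Iterable[str]) -> List[str]:
    """List every reason the API would reject this scene; empty means it is fine."""
    known = set(known_zones)
    problems = []
    for zone, setpoint in scene.boosts.items():
        if zone not in known:
            problems.append(f"unknown zone {zone!r}")
        elif not MIN_SETPOINT_C <= setpoint <= MAX_SETPOINT_C:
            problems.append(
                f"setpoint {setpoint} C for {zone!r} outside "
                f"{MIN_SETPOINT_C:g}..{MAX_SETPOINT_C:g}")
    return problems


def expand_scene(scene: Scene, now: datetime, known_zones: Iterable[str]) -> List[Override]:
    """Turn a scene into concrete overrides; validate everything before touching the API."""
    problems = scene_problems(scene, known_zones)
    if problems:
        raise ValueError(f"scene {scene.name!r}: " + "; ".join(problems))
    until = now + scene.duration
    return [Override(zone, setpoint, until) for zone, setpoint in scene.boosts.items()]


def apply_scene(client: HeatingClient, scene_name: str, now: datetime | None = None) -> List[Override]:
    """Expand and push a scene; nothing is sent if any part of it is invalid."""
    overrides = expand_scene(SCENES[scene_name], now or datetime.now(), client.zone_names())
    for ov in overrides:
        client.set_temperature(ov.zone, ov.setpoint_c, ov.until)
    return overrides


def demo() -> FakeClient:
    """Apply the 'bed' scene to an in-memory client at a fixed time."""
    fake = FakeClient(EXAMPLE_ZONES)
    apply_scene(fake, "bed", DEMO_NOW)
    return fake


if __name__ == "__main__":
    for ov in demo().overrides.values():
        print(f"{ov.zone}: {ov.setpoint_c} C until {ov.until:%H:%M}")
```

Validate the whole scene before the first call, so a typo in one zone name does not leave half a scene applied. When swapping in the real binding, read the account credentials from the environment rather than the script, since a guessable or leaked password is the one attack vector the post above identifies.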

    • MrBoy
      Automated Home Guru
      • May 2017
      • 165

      #3
      Thanks for the detailed reply.

      Yes - of course Evo lets me solve the "bathroom and living room" issue out of the box. Already a big win.

      'Scenes' sounds like the kind of thing I'd be after. I'd heard Alexa integration was coming but that's more kit, and now I'm going through Amazon's servers as well (I assume)!
      If Alexa can control the Honeywell kit to this degree, why does the app not allow it in the first place - do we know how Alexa and Evo communicate? Through the web API, through some private trusted WiFi link (exactly what I want), or something else?

      Maybe worrying about attack surfaces is paranoid, but as an IT guy I'm constantly seeing articles about how badly IoT devices are secured. When these things are not done by a software specialist I don't really trust them. Plus, just on principle, I don't really like my private data going out to the web. My phone and the controller are on the same WiFi; a round-trip to the web is needless!

      Regarding direct RF 'hacking' - is this because it's not secured or because someone cracked the encryption? Are there any ongoing discussions about this here, active users working on it?

      What I suppose I'd really like is to be able to have a 'local Honeywell server' so the controller works as normal but the server is in my house. I wonder if the controller is hard-coded with what IP/URL to talk to, or whether this can be modified? Of course this IS a classic hack attempt, a man-in-the-middle. But again, when you're on the same WiFi network that implies greater trust because of course (!) your WiFi is secured.

      • DBMandrake
        Automated Home Legend
        • Sep 2014
        • 2361

        #4
        Originally posted by MrBoy:
        > 'Scenes' sounds like the kind of thing I'd be after. I'd heard Alexa integration was coming but that's more kit, and now I'm going through Amazon's servers as well (I assume)!
        Indeed. I was only suggesting it if you already had an Echo, I wouldn't buy one just for that, but as you say then you're going through Amazon as well. On the plus side you could use voice commands. You can link the Echo directly to Honeywell (using the Honeywell provided Alexa skill) or via a 3rd party that supports both Echo and Honeywell - such as IFTTT for extra flexibility, but then you're going through even more servers.
        > If Alexa can control the Honeywell kit to this degree, why does the app not allow it in the first place - do we know how Alexa and Evo communicate? Through the web API, through some private trusted WiFi link (exactly what I want), or something else?
        If you control it with an Echo the Echo talks to the Honeywell API - although it's not clear whether the Echo itself would connect directly or go via Amazon servers; my guess is the latter but I don't think we know. The Honeywell API lets you do most of the things you would need to do - have a look at the documentation for the python bindings, it documents all the information you can send and receive.
        > Regarding direct RF 'hacking' - is this because it's not secured or because someone cracked the encryption? Are there any ongoing discussions about this here, active users working on it?
        Not sure exactly what you mean here. The RF protocol between controller and other devices like HR92/BDR91 is not encrypted in any way, but it also isn't documented either. A number of individuals have reverse engineered enough of the protocol to allow software like Domoticz to "talk the language" directly to the Evohome devices on their proprietary 868 MHz link. So it hasn't been "hacked", but has been largely reverse engineered. Hacked would imply that there was a security mechanism that was defeated, but there isn't one.

        This is completely separate to the WiFi communications from the controller, which only go to your WiFi router and then out to Honeywell's servers. These communications are encrypted, both by your WiFi connection (assuming it's not an open network...) and I believe by a fairly standard TLS connection. As far as I know this hasn't been hacked or reverse engineered.
        > What I suppose I'd really like is to be able to have a 'local Honeywell server' so the controller works as normal but the server is in my house. I wonder if the controller is hard-coded with what IP/URL to talk to, or whether this can be modified? Of course this IS a classic hack attempt, a man-in-the-middle. But again, when you're on the same WiFi network that implies greater trust because of course (!) your WiFi is secured.
        If Honeywell has done the encryption and authentication between the Evohome and their servers correctly then you won't be able to do any kind of man in the middle attack on it, just like you wouldn't with a standard TLS browser session. And unlike a PC you have no way to change the root certificate store on the device to get around it that way either...
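One way to check the claim made in this thread that the Evotouch accepts no incoming connections, as an added example that is not from the thread: a plain TCP connect scan in Python that you point at the controller's LAN address. It separates "closed" (the device answered with a reset) from "filtered" (no answer within the timeout), because a device that silently drops packets, or is asleep, is not proof that nothing is listening. The port list and the target address are assumptions; the self_check function exercises the scanner against a loopback listener so the example runs without any device on the network.

```python
"""TCP connect scan to verify a LAN device exposes no listening service.

Added example, not from the thread. Point it at a device you own; it
reports open / closed / filtered per port rather than a bare "open" list,
so a silent host is not mistaken for a clean one.
"""
from __future__ import annotations

import socket
import sys
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple

# Assumed short list of ports worth a first look; pass range(1, 65536) for a
# full sweep (slow at 0.5 s per silent port, even with 32 workers).
COMMON_TCP_PORTS = (21, 22, 23, 80, 443, 1883, 5683, 8080, 8443, 49152)


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # three-way handshake completed
    except ConnectionRefusedError:
        return "closed"            # RST came back: nothing listening there
    except (socket.timeout, TimeoutError):
        return "filtered"          # no answer: dropped, or the host is asleep
    except OSError:
        return "filtered"          # unreachable host/network: treat as unknown


def scan_ports(host: str, ports: Iterable[int] = COMMON_TCP_PORTS,
               timeout: float = 0.5, workers: int = 32) -> Dict[int, str]:
    """Probe every port concurrently and map port -> state."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe(host, p, timeout), ports)
    return dict(zip(ports, states))


def open_ports(results: Dict[int, str]) -> List[int]:
    """Ports that completed a handshake, sorted."""
    return sorted(p for p, s in results.items() if s == "open")


def filtered_ports(results: Dict[int, str]) -> List[int]:
    """Ports that gave no answer; these are unknowns, not a clean result."""
    return sorted(p for p, s in results.items() if s == "filtered")


def self_check() -> Tuple[str, str]:
    """Sanity-check the scanner on loopback: a port we listen on must read
    'open', and the same port must read 'closed' once the listener is gone."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free one
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe("127.0.0.1", port)
    srv.close()
    after_close = probe("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = scan_ports(target)
    print(f"{target}: open={open_ports(results)} filtered={filtered_ports(results)}")
```

Run it with the controller's LAN address as the first argument, and only against devices you own. A result with no open ports but several filtered ones means the device did not answer, which is worth re-running while it is awake and on the network; the check says nothing about UDP services or about how the controller's own outbound TLS connection validates the server.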

        • paulockenden
          Automated Home Legend
          • Apr 2015
          • 1719

          #5
          I don't think someone who is worried about security should buy an HGI80. They'd quickly realise that although the online comms side of Evohome is nicely locked down, the RF stuff in the house is wide open. Anyone with an HGI80 (or equivalent) can park outside your house and control your heating (or, perhaps more importantly, detect that you've left it in 'away' mode).

          Frankly, I think the risk is low, but it's important that people realise it's there.

          P.

          • rvb99
            Automated Home Sr Member
            • Oct 2017
            • 74

            #6
            Surely one such scene would be something like "I'm arriving home soon", which would imply the need to have some sort of external internet connection. E.g. I'm currently using BMW apps and IFTTT to trigger operations based on location or other journey event criteria.

            • MrBoy
              Automated Home Guru
              • May 2017
              • 165

              #7
              I still think it's a shame you can't have a local server, maybe only on your LAN rather than WAN for security. I'm worried what happens in 5 years when Honeywell deprecate this system in favour of a new one they want everyone to buy (it might sound crazy but this sort of thing DOES happen), or just screw it up.
              I somehow doubt it would be that hard to hack for a proper hacker; this kit is not going to have the same resources behind it that MS or Amazon do... IoT is a security nightmare waiting to happen according to many analysts, because so many non-software companies are bolting on internet-enabled features without a security expert involved.

              Anyway - for now the RF route seems the only local-control option. Is there a long ongoing thread or sub-community anyone knows about so I could read more?
              I was wondering, this wouldn't let you control the controller necessarily would it? There is no reason the controller should be commanded by a "RF API". So it seems to me you'd have to cut the Honeywell controller touch-screen thingy out entirely... you'd have a RF-enabled PC replacing it where you have to write your entire system for zones, valve control, relay activation. Quite a big project! Although there is that OpenTherm project, so I wonder if an open-source system exists. It is a proper nerd project to have total control over all your radiators via your own command interface!

              • rvb99
                Automated Home Sr Member
                • Oct 2017
                • 74

                #8
                Is your LAN really more secure than the WAN? There are millions of unpatched WiFi routers and bridges out there that are just waiting to be hacked. If you are worried about RF hacking from the street then the only real answer is to cover the house with aluminium foil. IoT is indeed a security problem. The solution now in many sectors is to assume that at some point you will be hacked and then devise systems and processes to mitigate the damage. E.g. if every part of your house relies on the same underlying cloud service and it all goes down then your whole house will stop functioning. In this example, one solution could be to use varied systems or make decisions as to which elements you could do without in the event the system is hacked or goes down, plus ensure systems and parameters are backed up and the process for rebooting everything is written down.

                I did read a story about a spurned ex-husband who continued to have control over his ex-wife's house that she shared with her new partner. I believe that for more than a year he would change the heating settings, e.g. turning it down colder in winter and turning it up in summer. It is these types of "hacks" that are probably more of a concern and should make any buyer of a property with IoT be aware.

                • DBMandrake
                  Automated Home Legend
                  • Sep 2014
                  • 2361

                  #9
                  Originally posted by MrBoy:
                  > I'm worried what happens in 5 years when Honeywell deprecate this system in favour of a new one they want everyone to buy (it might sound crazy but this sort of thing DOES happen), or just screw it up.
                  I think we all have that fear for any connected device we use these days. How useful is my Echo Dot if Amazon went bust or decided to deprecate it? Well, it might make a good hockey puck, but that's about all. How useful is my iPhone if Apple went belly up? Well, some parts of it would keep working for a while, but many important features like the app store and push notifications would stop working immediately... and I could never update the OS or reinstall ever again, and if it crashed and needed wiping and reinstalling I'm screwed since there is no way to activate it even if I had a copy of iTunes with an already downloaded firmware image...

                  I have a Logitech Harmony One that is 7 years old now, contrary to many universal programmable remotes the programming "application" requires a working connection to Logitech's servers to configure/program it as it is really just a web wrapper and USB driver, with the remote code database and all the configuration logic done via their cloud servers - if they ever went bust, sold the Harmony brand off or decided to give up on them and shut those servers down I'm stuck with a remote that still works but can't ever be reprogrammed!

                  (BTW this almost happened as they were going to sell off their Harmony division, but thankfully they changed their mind and as of 2018 a 2010 Harmony One is still supported...)

                  This is why I tend to stick with big, well established companies when it comes to devices that rely absolutely on continued support to be useful. Honeywell is a well established company who aren't going anywhere, and although they have been stingy with firmware upgrades in the past (!) they seem strongly committed to ensuring that old products still work (even if they don't get updated) and to maintaining the web API side. In fact I think the same APIs are shared amongst all their connected thermostat products, not just Evohome.

                  Also consider what a loss of the Web API would mean for you if they went bust or maliciously decided to no longer support Evohome - you wouldn't be able to control your system from your phone, but that is about all. The controller itself is fully functional without any internet connection (aside from automatically syncing the time and getting the outside temperature, and its ability to sync the time correctly is already questionable); all the schedules would continue to work, you could add and remove zones, reprogram schedules, control things from the panel etc... In fact if you didn't use the phone app you wouldn't notice any difference!

                  Compare that to some other systems that are completely reliant on an internet connection like Tado - aside from a temporary override in an individual zone your entire interface to control and program a Tado system is a smartphone app, which won't work without a working internet connection as that connects back to Tado servers as does the gizmo they provide that plugs into your router. I think that your existing schedules will continue to work without an internet connection but you certainly can't control it normally or reprogram your schedules if your internet connection (or Tado!) is down. That makes me a lot more nervous about future support than just losing access to the Honeywell iPhone app!

                  > I somehow doubt it would be that hard to hack for a proper hacker; this kit is not going to have the same resources behind it that MS or Amazon do... IoT is a security nightmare waiting to happen according to many analysts, because so many non-software companies are bolting on internet-enabled features without a security expert involved.
                  Get cracking then (pun intended) - to point you in the right direction it runs Windows CE...
                  > Anyway - for now the RF route seems the only local-control option. Is there a long ongoing thread or sub-community anyone knows about so I could read more?
                  > I was wondering, this wouldn't let you control the controller necessarily would it? There is no reason the controller should be commanded by a "RF API".
                  Well actually yes, you can command the Evotouch via the RF API. The reason being that the older controller without WiFi used the RFG100 gateway which plugged into your router. With that setup you could use the iPhone/Android app on the older model without WiFi and get the same functionality.

                  So anything you can do via the phone apps or public Web API can also be done by sending direct RF commands to the Evotouch - which is all the RFG100 gateway did.

                  That includes retrieving set points and measured temperatures, current hot water status and system mode. (Away mode, Day Off etc) Also changing the current mode, making individual zone overrides or cancelling them. Viewing(downloading) and Changing(uploading) the hot water and individual zone schedules.

                  Some things cannot be done, for example you can't change anything in the installer or settings menus, you can't change the configured hot water temperature. (or even query what it is - only the current measured hot water temperature)
                  > So it seems to me you'd have to cut the Honeywell controller touch-screen thingy out entirely... you'd have a RF-enabled PC replacing it where you have to write your entire system for zones, valve control, relay activation. Quite a big project! Although there is that OpenTherm project, so I wonder if an open-source system exists. It is a proper nerd project to have total control over all your radiators via your own command interface!
                  In theory you could replace the Evotouch with a software driven 3rd party implementation with the right radio, as enough is known about communicating with many of the devices like HR92 and BDR91 to emulate what the controller would do.

                  Big project though! And for what gain I'm not sure. Also I think some things like the HCC80 have not been decoded yet and the OpenTherm bridge is only partially understood.
                  Last edited by DBMandrake; 25 January 2018, 04:32 PM.

                  • MrBoy
                    Automated Home Guru
                    • May 2017
                    • 165

                    #10
                    Originally posted by rvb99:
                    > Is your LAN really more secure than the WAN? There are millions of unpatched WiFi routers and bridges out there that are just waiting to be hacked. If you are worried about RF hacking from the street then the only real answer is to cover the house with aluminium foil. IoT is indeed a security problem. The solution now in many sectors is to assume that at some point you will be hacked and then devise systems and processes to mitigate the damage. E.g. if every part of your house relies on the same underlying cloud service and it all goes down then your whole house will stop functioning. In this example, one solution could be to use varied systems or make decisions as to which elements you could do without in the event the system is hacked or goes down, plus ensure systems and parameters are backed up and the process for rebooting everything is written down.
                    >
                    > I did read a story about a spurned ex-husband who continued to have control over his ex-wife's house that she shared with her new partner. I believe that for more than a year he would change the heating settings, e.g. turning it down colder in winter and turning it up in summer. It is these types of "hacks" that are probably more of a concern and should make any buyer of a property with IoT be aware.
                    Well my LAN might be vulnerable, but it relies on someone hacking my house. Whereas if they hack Honeywell they have everyone, so that's the logical route.

                    But my point is a local WiFi mode where I can cut out reliance on their server both improves security and gives me more control. Sure, if I lose the gateway I can use the controller. But being able to use my phone without walking two flights of steps is a big plus. I'm not sure I'd have been willing to spend that much without the phone/API access.

                    A bit like Brexit though, "take back control" may not practically mean that much, but the knowledge that my heating system's fate is controlled by Honeywell, not me, is slightly disconcerting.

                    • Kevin
                      Moderator
                      • Jan 2004
                      • 558

                      #11
                      It sounds like you would really prefer to build your own system.

                      There are many RF based TRVs with varying levels of documented control protocols, e.g. ZigBee, Z-Wave, 6LoWPAN* or plain RF 433/868 MHz - even some using infra red. Then there are all the wired versions. As a project it would be much easier to select suitable TRVs and then build your controller around that rather than 'hacking' or replacing the controller on an existing system like evoHome.

                      A lot of home automation applications and controllers (some free) offer direct support for TRVs and therefore can be used as a scriptable heating controller. That would be the easiest path, although dealing with individual room heating characteristics, efficiency, overshoots, optimisation and aspects like that will be challenging.

                      There’s an awful lot of behind the scenes smarts and experience that Honeywell implement in evoHome via the controller that you would lose via your approach so you may as well just start with a new controller design using your choice of TRVs. HR92s are probably not the best option for such a project.

                      K

                      * The 6LoWPAN ones even claim to never need batteries based on thermal energy harvesting. £30 ! I don’t know if there’s any ‘open’ protocol direct to TRV or if their ‘open’ API will offer any local hub control or just cloud.

                      Last edited by Kevin; 28 January 2018, 04:29 AM.
