smart thermostats & remote access

agarb

Getting the hang of it
Joined
Feb 14, 2023
Messages
34
Reaction score
41
Location
USA
I figured I'd post this networking-type question here since it is not strictly related to cameras.

I have my cameras on a private network to a BI PC that has two network cards. One card is for the cameras and one is for a network connection for remote access. So the cameras can never directly access the internet.

I want to install a smart thermostat that I can remotely access. Is there a way to leverage my camera network to do this?

What do other people do with their thermostats to provide convenience yet not compromise security?

(I have not yet picked out a specific thermostat brand.)
 

Starglow

Getting comfortable
Joined
Dec 13, 2018
Messages
410
Reaction score
696
Location
North Carolina
The smart thermostats require internet access via Wi-Fi, however you wish to provide that interface. I have two Ecobee smart thermostats and prefer them over the Nest brand.
 

jec6613

Getting the hang of it
Joined
Sep 6, 2023
Messages
56
Reaction score
76
Location
Connecticut
I have a slightly different model but functionally the same. Biggest advantages of this are that you have a really good thermostat to start with, better than the Wi-Fi ones; and that as Z-Wave it's 100% offline and just handled through your HA system du jour.

It does require a Z-Wave controller though. Home Assistant is fine, but as I've discovered it has upper limits on expandability and some other gotchas. I use one from Universal Devices that's much more scalable/reliable, but makes HA configuration look simple. And there are many others depending on if you want a fancy App or whatever. Even Crestron and Elan will happily control a Z-Wave device. I'd probably only go Z-Wave if I was planning on adding additional home automation later, otherwise I'd select a Resideo Wi-Fi thermostat (Honeywell spin-off).
 
As an Amazon Associate IPCamTalk earns from qualifying purchases.

Starglow

You'd better read the reviews on that puppy because they're not good. I'm not saying your Z-Wave idea is flawed, but I wouldn't touch THAT T-stat product based on the negative reviews. One big kicker is that it cannot do autotemp control between heat and cool if having that feature is important to you.
 

jec6613

Starglow said:
> You'd better read the reviews on that puppy because they're not good. I'm not saying your Z-Wave idea is flawed, but I wouldn't touch THAT T-stat product based on the negative reviews. One big kicker is that it cannot do autotemp control between heat and cool if having that feature is important to you.

You can do that from Z-Wave but not on the physical Tstat.
 

David L

IPCT Contributor
Joined
Aug 2, 2019
Messages
8,188
Reaction score
21,408
Location
USA
There has been an improvement with HA 2023.9 on the Thermostat controlling from what I have read/seen. I have a Nest at our old house that will be left there for the new owners. I never connected it since Google has a small charge and I never liked Google in my business.

We are now in a new house and I am also looking for a Thermostat solution. I am a big Zigbee/Z-Wave fan.
 

Starglow

David L said:
> There has been an improvement with HA 2023.9 on the Thermostat controlling from what I have read/seen. I have a Nest at our old house that will be left there for the new owners. I never connected it since Google has a small charge and I never liked Google in my business.
>
> We are now in a new house and I am also looking for a Thermostat solution. I am a big Zigbee/Z-Wave fan.

There are no fees associated with the Ecobee thermostats and the support techs can access it remotely when necessary for any problem debug. My new AC system did not cool even though it had been working shortly before. I called Ecobee tech support and he was able to access the thermostat remotely and recommended a few changes in the settings that magically fixed the problem. Those thermostats can also run system diagnostics and that one five minute phone call saved me from paying an HVAC company service call fee to come out to diagnose and maybe fix the problem.
 

The Automation Guy

Known around here
Joined
Feb 7, 2019
Messages
1,422
Reaction score
2,827
Location
USA
Just keep in mind that just like CCTV cameras, you really don't want to give your thermostat access to the internet or expose it to remote access from the internet by port forwarding. This is another use case for a self-hosted VPN. If you can use a mobile device to control the thermostat while on your local network, a VPN will allow you to control it remotely as well. This means a cloud service or subscription is not needed or really wanted.
 

Starglow

The Automation Guy said:
> Just keep in mind that just like CCTV cameras, you really don't want to give your thermostat access to the internet or expose it to remote access from the internet by port forwarding. This is another use case for a self-hosted VPN. If you can use a mobile device to control the thermostat while on your local network, a VPN will allow you to control it remotely as well. This means a cloud service or subscription is not needed or really wanted.

There is no port forwarding required for remote access to Ecobee thermostats. They must have their own proprietary access methods built into the product for support purposes...but who knows. I can use the Ecobee app to see and control the thermostats remotely as well.
 

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
17,047
Reaction score
39,655
Location
Alabama
FWIW, I have that same Honeywell T6 Pro 'stat but the Amazon part # is H6320ZW2003, mine is TH6320WF2003. Not sure what the letters are for but mine is for 3 heating / 2 cooling stages so it can switch from heat pump heating to propane gas heating if ambient falls below 30° F (there's an outdoor temp sensor).

About a year later (Oct. 22?) Honeywell changed the name of the app to "Resideo". It's been a decent 'stat, once the tech figured out how to configure it with the also new (Oct. 21) Amana dual fuel unit (it uses a Bluetooth setup!).
 

The Automation Guy

Starglow said:
> There is no port forwarding required for remote access to Ecobee thermostats. They must have their own proprietary access methods built into the product for support purposes...but who knows. I can use the Ecobee app to see and control the thermostats remotely as well.

That doesn't give me a lot of warm and fuzzy feelings...... As you mention, Ecobee must be using their own proprietary methods which we know nothing about. They likely don't require a matching encryption key however, so right away it is less secure than a typical VPN connection. Did Ecobee get their security "right" or is there a flaw in it? Honestly no one can be sure, but is it open source so people (i.e. security experts) can check? I honestly don't know the answer to that question because I don't use Ecobee, but I doubt it. Do you have the option to turn off this "remote access"? (If not, I certainly would not want it on my network).

Regardless of how data gets onto your network (VPNs included), you are only one exploit away from having problems. Personally I trust the open source VPN options out there more than any single IOT manufacturer's solution. That's not meant to be a dig on Ecobee specifically. I don't trust any IOT device to keep my network safe. In fact, I assume they are all security risks and plan accordingly. I have a lot of IOT devices too, so I'm not against that type of device being on my network.
 

jec6613

The Automation Guy said:
> Just keep in mind that just like CCTV cameras, you really don't want to give your thermostat access to the internet or expose it to remote access from the internet by port forwarding. This is another use case for a self-hosted VPN. If you can use a mobile device to control the thermostat while on your local network, a VPN will allow you to control it remotely as well. This means a cloud service or subscription is not needed or really wanted.

Starglow said:
> There is no port forwarding required for remote access to Ecobee thermostats. They must have their own proprietary access methods built into the product for support purposes...but who knows. I can use the Ecobee app to see and control the thermostats remotely as well.

That's not just correct of Ecobee, but of Nest, Resideo, and all of the other easily obtained residential thermostats; they use a token/certificate based modern auth and open a stateful connection to a cloud service for remote management, and have zero local control and zero ports to open. This also makes them a bit slow to respond to commands, but it's a thermostat, a few seconds or even a minute shouldn't matter. They should still be isolated on a VLAN with only internet access, along with any other cloud-only devices, but their architecture makes them very difficult to attack and very difficult to start lateral movement from. They are all cloud dependent for remote control, but Resideo is the only one of the major three that is designed to work fully offline for an indefinite period of time (they're a spin-off of Honeywell).

The type that require port forwarding and management like an IP camera requires are rare (though not unheard of) in the residential space and are mostly used in commercial applications. Carrier, Schneider, and some others make them, they are for large multi-zoned systems to be managed via a larger BMS system. They are de facto an IP based version of the Z-Wave thermostats for when the facility is too large for Z-Wave, or some new multi-zone installs that require coordination between the tstats and a central controller - direct control, managed firmware, and no cloud control. The only residential installs of these I've seen have been alongside a Crestron system, and if you have one of those you're not asking for advice here. :)

As mentioned above, my personal choice was to use Z-Wave with a central controller, but if you're not going to install a central HA controller at any point in the future, it's a better choice to get a good WiFi thermostat, and just replace it periodically when they stop providing security patches for it.
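
The isolation recommended in the post above (cloud-only devices on their own VLAN with internet access only), written out as an nftables forwarding policy for a Linux-based router. This is an added example, not part of the original post; the choice of nftables, the interface names and VLAN 30 are assumptions, and NAT is assumed to be configured elsewhere.

```nftables
#!/usr/sbin/nft -f
# Constructed example: interface names, VLAN ID and table name are assumptions.
define WAN = "eth0"       # uplink to the ISP
define LAN = "eth1"       # trusted LAN (phones, PCs, the BI PC's remote-access NIC)
define IOT = "eth1.30"    # VLAN 30: thermostat and other cloud-only devices
define PRIVATE = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet iot_isolation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to flows that were allowed to start
        ct state established,related accept
        ct state invalid drop

        # IoT VLAN must never reach private address space, even if it is
        # routed via the WAN side (modem admin page, upstream NAT).
        # Logged so lateral-movement attempts show up in the journal.
        iifname $IOT ip daddr $PRIVATE log prefix "iot-lateral " counter drop

        # IoT VLAN: outbound to the internet only (the cloud connection
        # the thermostat opens itself; no port forward is needed)
        iifname $IOT oifname $WAN accept

        # Trusted LAN may reach the internet and may initiate to IoT
        iifname $LAN oifname { $WAN, $IOT } accept

        # Everything else, including WAN -> IoT and IoT -> LAN, hits policy drop
    }

    chain input {
        type filter hook input priority filter; policy accept;

        ct state established,related accept

        # IoT devices get DNS and DHCP from the router and nothing else,
        # so the router's admin interface is not reachable from VLAN 30
        iifname $IOT udp dport { 53, 67 } accept
        iifname $IOT tcp dport 53 accept
        iifname $IOT drop
    }
}
```

After loading it with `nft -f`, `nft list ruleset` shows the counter on the `iot-lateral` rule; a non-zero value means something on the IoT VLAN tried to reach a private address.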
 

jec6613

TonyR said:
> FWIW, I have that same Honeywell T6 Pro 'stat but the Amazon part # is H6320ZW2003, mine is TH6320WF2003. Not sure what the letters are for but mine is for 3 heating / 2 cooling stages so it can switch from heat pump heating to propane gas heating if ambient falls below 30° F (there's an outdoor temp sensor).
>
> About a year later (Oct. 22?) Honeywell changed the name of the app to "Resideo". It's been a decent 'stat, once the tech figured out how to configure it with the also new (Oct. 21) Amana dual fuel unit (it uses a Bluetooth setup!).

The ZW is Z-Wave local control (bring your own controller), the WF is Wi-Fi cloud control (App). Resideo was a spin-off of Honeywell residential products into their own company so the main company can concentrate on things like turbines for the M1 Tank.
 

jec6613

The Automation Guy said:
> That doesn't give me a lot of warm and fuzzy feelings...... As you mention, Ecobee must be using their own proprietary methods which we know nothing about. They likely don't require a matching encryption key however, so right away it is less secure than a typical VPN connection.

Nothing proprietary, it's certificate authenticated HTTPS with full symmetric keying using a TPM-like device. As such, it's as secure as a VPN using the TPM in your device, and more secure than almost all traditional VPNs. With no payment processing and almost no surface area, their back-end security is tough enough to be in the, "Don't bother trying," category, and also they're not large targets compared to most other cloud providers. They do occasionally have user accounts compromised through the usual suspects (password re-use mostly), but I have high confidence in the security of their cloud system.

Their reliability, on the other hand, I have issues with. Outages are not unheard of, and they rely on a working internet connection for any remote control, even within your home. As I'm typing this on 9/11, I know for certain that for anything critical I'm not going to rely on my internet connection, and HVAC falls just above that critical bar for me.
 

The Automation Guy

I have to remember that I'm an oddball. I use RS-485 controlled thermostats from RCS that are tied into my larger home automation system. It's not Crestron, but it's not Google Home either. ;)

Of course I've been using this system for well over a decade too. RCS doesn't even make those thermostats anymore as they have moved on to Z-Wave, Zigbee and Wi-Fi controls.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,844
Reaction score
6,424
With Home Assistant and the HomeKit integration you can run the ecobee locally without any cloud dependency. I haven't tried it but I assume that means that it would work locally with native HomeKit also.
 

Sybertiger

Known around here
Joined
Jun 30, 2018
Messages
4,760
Reaction score
13,763
Location
Orlando
I have a Trane thermostat (Nexia) that came with my installed Trane HVAC system. I use the Trane app to control it. It's okay but it's cloud based (doesn't need VPN to access it). It has no bearing or relationship to my BI system other than they are both connected to my main home network.
 