Remote central heater control

Yes -

Heatgenius works. But it's slightly smarter that a straight "on-off".

The basic "Genius Hub" will replace your programmer, and the hall stat (the stat supplied is ZWave/RF and can be put in a better location).

The other small box in an RF boiler relay - replace the existing room stat and/or programmer with this (trivial wiring job if you have L,N, demand available.

The bigger box needs mains (or USB 5V) and a cable connection to your internet router.

If you google for web relay there are plenty of products available.

I use a Barix Barionet 50.

I can tell if my boiler is running, switch it off an on, and monitor various 1-wire temperature sensors inside and outside my house.

I use a Heatmiser CH thermostat. About £100 and controllable via a smartphone/tablet, computer, or by the wall mounted touch controlled panel.

Wiring it in should be straightforward if replacing an existing thermostat. Setting up was easy enough after reading (and rereading) a couple of guides, and subscribing to (I think they're called) a port forwarding service, couple of quid a year.

Maybe clarify what you've got and what you want (cost/complexity for example), and ask here again for advice.

I have just fitted a couple of Honeywell single zone thermostats linked to a mobile gateway (you can link a max of 2 of these to one gateway)

The thermostat is really easy to use and with the mobile getaway, you can then set up to 6 temperature changes per day, but only using the mobile app, which is great for me as it means people in the office it is installed in, can't fiddle with it! - All they can do it turn the thermostat up and down, but the programming will revert it back at the next change time ;)

Thanks to you and all those who responded. I have a standard condenser boiler for central heating which seems to me to work pretty well. (It was installed a few months ago.) I also have 2 immersion heaters in two bathrooms.

All the suggested solutions seem rather complicated to me. Why can I not just have a wi-fi actuated switch which simple switches off or on the power supply to the CH boiler - or equally, to the immersion heaters? I saw such a switch in Lidl a couple of weeks ago for ?25. I didn't buy one because I wasn't sure if simply switching off CH or immersion heater was wise.

"If you google for web relay there are plenty of products available."

In the case of the immersion heaters, just make sure that the switch is able to handle the load. You might need to use an additional relay.

I don't see a problem with switching off the CH or HW. It is what the thermostats / time switches do anyway. If power is needed for any pump over run you need to ensure that this is still available.

Which model? Are you aware that the WiFi ones have been withdrawn due to being wide-open for abuse if exposed direct to the the internet?

Can you please explain the nature of this abuse?

Some remote control systems have an ethernet rather than WiFi connection to the internet router. Are these safer?

In short, anyone on the internet can scan for the controllers, and turn heating on/off or change programming remotely without needing to know username or password.

The thermostat requires username/password to *view* the web interface, but these are *not* required to submit changes to the thermostat, in addition the port used by the smartphone interface requires only a four digit PIN and you can send attempts at full speed without getting delayed or locked out for the wrong PIN, so it doesn't take long to find by brute force, then you can make changes using it.

Heatmiser's previous wired products were RS485 rather than Ethernet, the weakness in the WiFi models was not related to WiFi vs Ethernet, but at the http layer. I would expect security is weak on several of these type of systems.

s/several/all/

In this day and age I am incredulous as to how a company with a fairly niche product can f*ck it up so utterly and totally when doing it right would not have been particularly hard!

If the damn thing can authenticate a web interface, it would have been trivial to use the same authentication on it's API (which I assume is also HTTP based?).

Throttling failed attempts is not too hard either.

There's something about SCADA type systems that seems to attract people with a 1960s view of access security.

Welcome to the IoT.

Presumably they are primarily an electronics company with a couple of employees who fancied having a go at adding the smarts to the products, (the WiFi module is soldered-onto the PCB, so presumably just a bought-in part) with relatively little clue about the corresponding security they should have added too.

I know that, you know that ...

They haven't publicised this much, first I noticed was that they'd removed the products from sale, the customer has the option to

send it back for full refund

or

let them send you replacement inards, which you swap and return to them, they bung you a few quid in compensation.

The replacement PCB removes the web interface completely, they didn't apparently want to fix it, it does add rate-limiting to the PIN entry, so it's "safer" to leave the port forwarding for the smartphone interface open to the internet.

I decided to do neither, as I can access mine through VPN, actually knowing I can send it requests has been a benefit to me, the clocks tended to drift quite severely and didn't have an NTP option, so now I run an hourly cron job

DT=`date "+setT=%H%%3A%M&setD=%d%%2F%m%%2F%Y"` curl -sd $DT http://192.168.1.90/statSetup.htm -o /dev/null curl -sd $DT http://192.168.1.91/statSetup.htm -o /dev/null

to keep them synced :-)

I saw it a while back:

???

It *should* be a case of updating the firmware - and not by much to get at least basic security. Strewth - they really don't know what they are doing!

Gawd - how half arsed...

I think, now that HeatGenius (who do seem to have a much better idea of what they are doing) have come on board with a ZWave+Internet system that is very much "as much or as little as you want", HeatMiser are going to lose the niche that they almost had...

Sad - but so typically British.

No way to do that over the WiFi or USB connection, I think they offer a method where they send you some sort of dongle you clip onto the PCB to update it, then you send back the programmer.

Probably.

Their "new and improved" Neo product has an external box you connect via wired ethernet, I think it communicates using 868Hz radio to one or more thermostats.

Mmmm yes, it does seem mine is one of the ones affected (PRT-TS). I've sent them an email - thanks for the link.

PRT-TS or PRT-TS-WiFi? The former doesn't have Internet connectivity ...

Notwithstanding - you still have the option to firewall it :)

Hmm. So they sold an Internet-of-things device with no field upgrade option (well not a sensible one).

Those guys *really* have no clue...

Proprietary or something *semi open* like Zwave? (I know, Zwave is not open as in speech, or beer, but it is at least multi vendor friendly and actually seems to work quite well IME for something that has to cope with basic low bit rate RF packets and sleeping battery powered devices.