Security issues #42
Comments
As with any IoT thing, it's generally not advisable to put the device 1) on a network with an internet connection, and 2) on a network connected to other devices you care about.
Unclear. Many of the better-designed ones get updates from the internet, so keeping them off isn't necessarily a good idea.
The device in question can be operated either through an app connected to the internet, or through the same app via LAN. If you want to control it with the manufacturer's app and your own phone, both your phone and the device will have to be connected to the same network at some point. I do agree with you, though: you can mitigate the issue by disconnecting the device from the internet and properly isolating it. I think mitigation suggestions would be great to add to the README, too.
Good points. I'll try to draft something up in the next few days to add to the README. Thanks for reaching out, I appreciate it!
Note that Radio Thermostat has since discontinued the mobile web app support for these thermostats. (Which is exactly why I like these types of devices that have a "local" API, so that when the 3rd party quits, the device is still useful.)
Hi there,
Thanks for this nice library. It might be good to mention in the readme that the whole CT family is insecure, so that people don't develop incorrect expectations (your library is great, so I expect few people will read the manual, and fewer still realize that the device is insecure).
There are currently two CVEs (https://www.cvedetails.com/cve/CVE-2013-4860/ and https://www.cvedetails.com/cve/CVE-2018-11315/) against the CT line, and apparently the manufacturer hasn't fixed or responded to either. The first one allows any website you visit while connected to the Wifi to turn the heating or AC on or off, or change the target temperature; the second one additionally allows websites that you visit to exfiltrate data (the first one is a cross-site scripting vulnerability; the second one is a DNS rebinding issue).
Of course, none of these issues come from your neat library; but they're still things that users may want to know about.
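The DNS rebinding issue mentioned above is normally mitigated on the device side by refusing any request whose Host header does not name the device itself: a rebound request arrives at the device's LAN address but still carries the attacker's domain in Host, so a strict Host check rejects it. The following is an added illustration of that check, not code from this library, from the thermostat firmware, or from anyone in this thread; the allowlist entries `192.168.1.20` and `thermostat.local`, the sample Host values and the JSON body are all constructed for the example.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable, List, Optional, Tuple

# Constructed for this example: the names under which the device expects to
# be reached on the LAN. A real device would fill this from its own
# interface configuration rather than a hard-coded set.
DEVICE_ADDRESSES = {"192.168.1.20", "thermostat.local"}


def host_header_allowed(host_header: Optional[str],
                        allowed: Iterable[str] = DEVICE_ADDRESSES) -> bool:
    """Return True only when the Host header names this device itself.

    In a DNS rebinding attack the browser believes it is talking to the
    attacker's domain, so the request carries that domain in Host even
    though it is delivered to the device's LAN address. Answering only
    when Host matches the device's own address defeats that.
    """
    if not host_header:
        return False  # HTTP/1.1 requires Host; a missing header is rejected
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. "[fe80::1]:80"
        end = host.find("]")
        if end == -1:
            return False
        host = host[1:end]
    elif host.count(":") == 1:  # "hostname:port" or "v4addr:port"
        host = host.rsplit(":", 1)[0]
    try:
        # Canonicalise IP literals so equivalent spellings compare equal.
        host = str(ipaddress.ip_address(host))
    except ValueError:
        pass  # not an IP literal; keep it as a hostname
    return host in {a.strip().lower() for a in allowed}


class LocalApiHandler(BaseHTTPRequestHandler):
    """Minimal local API that applies the Host check before anything else."""

    def do_GET(self) -> None:
        if not host_header_allowed(self.headers.get("Host")):
            # Refuse without revealing any device state.
            self.send_response(403)
            self.end_headers()
            return
        body = b'{"tmode": 1}'  # constructed placeholder response
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def classify(host_values: Iterable[Optional[str]]) -> List[Tuple[Optional[str], bool]]:
    """Evaluate a batch of Host header values; useful as a self-check."""
    return [(h, host_header_allowed(h)) for h in host_values]


if __name__ == "__main__":
    # Constructed sample Host headers: the rebinding case carries the
    # attacker's domain, which never matches the device's own address.
    samples = ["192.168.1.20", "192.168.1.20:80", "thermostat.local",
               "attacker.example", "attacker.example:80", None]
    for host, ok in classify(samples):
        print(f"{host!r:>22} -> {'allow' if ok else 'reject'}")
    # To serve for real instead of printing:
    # HTTPServer(("0.0.0.0", 8080), LocalApiHandler).serve_forever()
```

The check is deliberately placed before any request handling, so a rejected request reveals nothing about device state; isolating the device on its own network segment, as suggested earlier in the thread, remains the complementary mitigation for a device whose firmware lacks such a check.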