From agx at sigxcpu.org  Sun Nov 30 19:05:56 2014
From: agx at sigxcpu.org (Guido =?iso-8859-1?Q?G=FCnther?=)
Date: Sun, 30 Nov 2014 19:05:56 +0100
Subject: [munin-pelletronic] FHEM integration
Message-ID: <20141130180556.GA4840@bogon.m.sigxcpu.org>

Hi,
losely based on code from our modules JueFi is working on FHEM
support. Interesting for all those who also want to set values:

    http://forum.fhem.de/index.php/topic,28844.0.html%22%3Ehttp://forum.fhem.de/index.php/topic,28844.0.htm

Cheers,
 -- Guido

From agx at sigxcpu.org  Sun Nov 30 19:07:31 2014
From: agx at sigxcpu.org (Guido =?iso-8859-1?Q?G=FCnther?=)
Date: Sun, 30 Nov 2014 19:07:31 +0100
Subject: [munin-pelletronic] Security: Oekofen Pelletronic phones home
	password and mac
Message-ID: <20141130180731.GA4971@bogon.m.sigxcpu.org>

Hi,
At least the Pelletronic Touch V2.03 20140723 phones home your
username (being the mac address) and password in clear text to the
Oekofen server my.oekofen.info:

It performs HTTP GET requests like

  GET /cgi-bin/anlage.pl?action=url&user=P<macaddress>&password=<password> HTTP/1.1
  User-Agent: Java/1.6.0_10
  Host: my.oekofen.info
  Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  Connection: keep-alive

In the above request the macaddress is replaced by your Oekofen's MAC
and the password is the password you set up in the Touch (defaults to
oekofen). The data is sent in clear over the internet so it can be
captured quiet easily which might give attackers the ability to modify
the settings of your heating system.

In order to protect against that you can e.g. set a firewall rule on
your router preventing any http packages to my.oekofen.info (currently
78.46.252.234) on Linux this looks like:

    iptables -A INPUT -p tcp -j REJECT --src=<oekofenip> --dst=78.46.252.234 --dport http

where oekofenip is the ipaddress of your Pelletronic.

I've informed Oekofen about that via our local supporter on 1.10.2014
but got no feedback so far about the status.
Cheers,
 -- Guido