From agx at sigxcpu.org  Sun Nov 30 19:05:56 2014
From: agx at sigxcpu.org (Guido Günther)
Date: Sun, 30 Nov 2014 19:05:56 +0100
Subject: [munin-pelletronic] FHEM integration
Message-ID: <20141130180556.GA4840@bogon.m.sigxcpu.org>

Hi,
loosely based on code from our modules, JueFi is working on FHEM
support. Interesting for all those who also want to set values:

    http://forum.fhem.de/index.php/topic,28844.0.html

Cheers,
 -- Guido

From agx at sigxcpu.org  Sun Nov 30 19:07:31 2014
From: agx at sigxcpu.org (Guido Günther)
Date: Sun, 30 Nov 2014 19:07:31 +0100
Subject: [munin-pelletronic] Security: Oekofen Pelletronic phones home password and mac
Message-ID: <20141130180731.GA4971@bogon.m.sigxcpu.org>

Hi,
At least the Pelletronic Touch V2.03 20140723 phones home your username
(being the MAC address) and password in clear text to the Oekofen server
my.oekofen.info. It performs HTTP GET requests like

    GET /cgi-bin/anlage.pl?action=url&user=P&password= HTTP/1.1
    User-Agent: Java/1.6.0_10
    Host: my.oekofen.info
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Connection: keep-alive

In the above request the macaddress is replaced by your Oekofen's MAC
and the password is the password you set up in the Touch (defaults to
oekofen). The data is sent in clear over the internet so it can be
captured quite easily, which might give attackers the ability to modify
the settings of your heating system.

In order to protect against that you can e.g. set a firewall rule on
your router preventing any http packages to my.oekofen.info (currently
78.46.252.234). On Linux this looks like:

    iptables -A FORWARD -p tcp -j REJECT --src=<oekofenip> --dst=78.46.252.234 --dport http

where oekofenip is the IP address of your Pelletronic.

I've informed Oekofen about that via our local supporter on 1.10.2014
but got no feedback so far about the status.

Cheers,
 -- Guido
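
Added example, not part of the original post and not code from the munin-pelletronic modules: a check that can be run over HTTP requests captured on the router to confirm whether a device still sends credential parameters to my.oekofen.info. The names SENSITIVE, parse_request and find_leaks and the MAC in the sample are made up for illustration; the input is assumed to come from plain HTTP traffic (port 80).

```python
"""Flag HTTP requests that carry credentials in the query string (added example)."""
from urllib.parse import parse_qsl, urlsplit

# Query parameters treated as credentials; these two are the ones in the request above.
SENSITIVE = {"user", "password"}


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def find_leaks(raw, watched_hosts):
    """Return one redacted finding per credential parameter sent to a watched host."""
    _method, target, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0].lower()
    if host not in watched_hosts:
        return []
    url = urlsplit(target)
    findings = []
    # keep_blank_values: an empty password= is still a credential field on the wire.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            # Record only the length so the report does not repeat the secret.
            findings.append({"host": host, "path": url.path,
                             "param": key, "value_len": len(value)})
    return findings


# Constructed sample modelled on the request quoted above; the MAC is made up.
SAMPLE = (
    "GET /cgi-bin/anlage.pl?action=url&user=PAABBCCDDEEFF&password=oekofen HTTP/1.1\r\n"
    "User-Agent: Java/1.6.0_10\r\n"
    "Host: my.oekofen.info\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE, {"my.oekofen.info"}):
        print(finding)
```

An empty result for traffic seen after the firewall rule is in place indicates the requests no longer leave the network.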