[munin-pelletronic] Security: Oekofen Pelletronic phones home password and mac
Guido Günther
agx at sigxcpu.org
Sun Nov 30 19:07:31 CET 2014
Hi,
At least the Pelletronic Touch V2.03 20140723 phones home your
username (being the mac address) and password in clear text to the
Oekofen server my.oekofen.info:
It performs HTTP GET requests like
GET /cgi-bin/anlage.pl?action=url&user=P<macaddress>&password=<password> HTTP/1.1
User-Agent: Java/1.6.0_10
Host: my.oekofen.info
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
In the above request the macaddress is replaced by your Oekofen's MAC
and the password is the password you set up in the Touch (defaults to
oekofen). The data is sent in clear text over the internet, so it can be
captured quite easily, which might give attackers the ability to modify
the settings of your heating system.
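As an added illustration (not part of the original post), the following snippet shows how a defender could spot this phone-home in captured or proxied HTTP request lines and flag whether the leaked password is still the factory default. The sample request lines, MAC and passwords are constructed; only the path and parameter names come from the request shown above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request lines, modelled on the GET shown in the post.
# MAC addresses and passwords below are made up.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/anlage.pl?action=url&user=P001122334455&password=oekofen HTTP/1.1",
    "GET /cgi-bin/anlage.pl?action=url&user=P0A1B2C3D4E5F&password=s3cret HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

DEFAULT_PASSWORD = "oekofen"  # factory default named in the post
PHONE_HOME_PATH = "/cgi-bin/anlage.pl"
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")


def inspect_request(line):
    """Return a finding dict if the request line leaks Pelletronic credentials, else None."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != PHONE_HOME_PATH:
        return None
    params = parse_qs(url.query)
    user = params.get("user", [""])[0]
    password = params.get("password", [""])[0]
    # The post says the user is "P" followed by the device MAC; the exact
    # MAC formatting is not given, so it is kept as-is here.
    if not (user.startswith("P") and password):
        return None
    return {
        "mac": user[1:],
        "default_password": password == DEFAULT_PASSWORD,
        # Redact only the credential so the finding can be logged safely.
        "redacted": line.replace("password=" + password, "password=<redacted>"),
    }


def scan(lines):
    """Run inspect_request over a list of request lines and collect the findings."""
    return [f for f in (inspect_request(l) for l in lines) if f]
```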
In order to protect against that you can e.g. set a firewall rule on
your router preventing any HTTP packets to my.oekofen.info (currently
78.46.252.234). On Linux this looks like:
iptables -A FORWARD -p tcp --src=<oekofenip> --dst=78.46.252.234 --dport http -j REJECT
where oekofenip is the IP address of your Pelletronic. The rule belongs in
the FORWARD chain, since traffic from the Pelletronic to the internet passes
through the router rather than terminating on it; note also that the rule
matches the server IP, so it needs updating if my.oekofen.info changes address.
I've informed Oekofen about that via our local supporter on 1.10.2014
but got no feedback so far about the status.
Cheers,
-- Guido