[munin-pelletronic] Security: Oekofen Pelletronic phones home password and mac

Guido Günther agx at sigxcpu.org
Sun Nov 30 19:07:31 CET 2014


Hi,
At least the Pelletronic Touch V2.03 20140723 phones home your
username (being the mac address) and password in clear text to the
Oekofen server my.oekofen.info:

It performs HTTP GET requests like

  GET /cgi-bin/anlage.pl?action=url&user=P<macaddress>&password=<password> HTTP/1.1
  User-Agent: Java/1.6.0_10
  Host: my.oekofen.info
  Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  Connection: keep-alive

In the above request the macaddress is replaced by your Oekofen's MAC
and the password is the password you set up in the Touch (defaults to
oekofen). The data is sent in clear over the internet so it can be
captured quite easily, which might give attackers the ability to modify
the settings of your heating system.

In order to protect against that you can e.g. set a firewall rule on
your router preventing any HTTP packets to my.oekofen.info (currently
78.46.252.234). On Linux this looks like:

    # Traffic the router forwards for the Pelletronic traverses the FORWARD
    # chain (INPUT only sees packets addressed to the router itself).
    iptables -A FORWARD -p tcp -s <oekofenip> -d 78.46.252.234 --dport http -j REJECT

where oekofenip is the IP address of your Pelletronic.

I've informed Oekofen about that via our local supporter on 1.10.2014
but got no feedback so far about the status.
Cheers,
 -- Guido
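As an added example that is not part of Guido's post, a check a network administrator could run over captured HTTP request lines (proxy or IDS logs) to detect this phone-home leak without storing the secret itself. The host name and query parameter names come from the post; the sample requests, the placeholder MAC and all function names are constructed for this example.

```python
# Added example (not from the original post): flag cleartext credential
# leaks to the Oekofen backend in captured HTTP requests, keeping only a
# redacted finding. Host and parameter names are those shown in the post;
# sample traffic, MAC and function names are constructed.
from urllib.parse import urlsplit, parse_qs

PHONE_HOME_HOST = "my.oekofen.info"          # server named in the post
SENSITIVE_PARAMS = ("password", "user")      # query keys seen in the post


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers dict)."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def find_cleartext_credentials(raw):
    """Return a redacted finding if the request carries a password in the
    query string to the Oekofen server over plain HTTP, else None."""
    method, target, headers = parse_request(raw)
    if headers.get("host", "").lower() != PHONE_HOME_HOST:
        return None
    query = parse_qs(urlsplit(target).query)
    leaked = {k: v[0] for k, v in query.items() if k in SENSITIVE_PARAMS}
    if "password" not in leaked:
        return None
    # Never record the secret itself; keep enough to identify the device.
    return {
        "host": headers["host"],
        "method": method,
        "path": urlsplit(target).path,
        "user": leaked.get("user", ""),
        "password_len": len(leaked["password"]),
    }


# Constructed sample traffic: one phone-home request shaped like the one in
# the post (placeholder MAC, default password) and one unrelated request.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/anlage.pl?action=url&user=P001122334455&password=oekofen HTTP/1.1\r\n"
    "User-Agent: Java/1.6.0_10\r\nHost: my.oekofen.info\r\nConnection: keep-alive\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n",
]


def scan(requests=SAMPLE_REQUESTS):
    """Return the list of redacted findings for a batch of raw requests."""
    return [f for f in map(find_cleartext_credentials, requests) if f]
```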

