
Suggestion/Request Please encrypt the iComfort credentials using oAuth token as seed #23

Open
mikegofman opened this issue Mar 26, 2018 · 8 comments

Comments

@mikegofman

Thank you for creating this skill. Shame on Lennox for not dedicating their time and resources to add this support to their very expensive products.

Bearing that in mind, I am a security-conscious person and really am concerned about the fact that the credentials are stored as plain text in a JavaScript file. Please add at least some sort of encryption to make hacking into the thermostat at least a little harder. While it is true that there is no private info in the thermostat, there is still a risk.
The thermostat is a fully fledged tablet (at the very least someone could damage the expensive equipment, and at worst get access/control of your network).

One potential way of implementing that I could see is using the Alexa OAuth token (that you currently ignore) to encrypt/decrypt a string that is stored in a file. I realize that it is still not great, but it's better than nothing.
I have some familiarity with OAuth and I could perhaps help out with that. Let me know if I can be of any assistance.

Thank you again for putting this together. I hope I can help make this into something that more people would be comfortable with.

MG.

@kate-hall
Owner

Hi @mikegofman, please, feel free to make a pull request against the repo if you have a security improvement! I consider this a public project :)

@StarfighterJ

StarfighterJ commented Mar 27, 2018

I got a better idea: make the program have us input the user ID and password at the point of enabling the iComfort skill, like the other Lennox temperature control skills in Alexa. That way Kate can publish this and we are all good to go. LOL, I wish I knew how to do that.

@mikegofman
Author

Here is a simple OAuth2 library that implements both flows, with detailed instructions on how the whole thing works.
https://github.com/lelylan/simple-oauth2#password-credentials-flow

@piconut

piconut commented Sep 20, 2018

Is anyone still working on this? I am trying to get it to work but need some help. It appears that no one has added any comments in a while. I am also concerned about the raw passwords hard coded into the script but I'm not a programmer and so don't know how to fix this. Anyone here?

@kate-hall
Owner

@piconut I don't think anyone is working on the encryption portion. The hardcoded password is annoying, but it's a closed loop back to your own devices, only you have access to the developer skill in which the password exists.

@piconut

piconut commented Sep 20, 2018

Doesn't the username and password have to pass through the public internet every time the Alexa skill is invoked by the user? Not arguing here, since I'm not a programmer and may not understand all the moving parts. Just wondering how the command gets from Alexa and then into the iComfort without at some point going over the internet?

@kate-hall
Owner

kate-hall commented Sep 20, 2018

@piconut all good questions and I'm not sure I have a great answer for you. The AWS skill is encrypted at rest, so your password can't be discovered that way, but part of the reason I can't make this skill "official" is that Lennox's security is too primitive to work with Alexa's requirements. Translation: if you use the mobile app, your username and password are being sent over the public internet in the same way this skill sends them. Ditto logging into their website to control settings.

That said: security is NOT my forte and I'm not really stressed about hacks to my heating system. The password I use for my iComfort isn't one I reuse. Please keep in mind that this was a fun personal project for me to tackle and share, and I take no responsibility for what happens if you attempt to use it yourself.

@piconut

piconut commented Sep 20, 2018

That makes sense and I totally understand. I use a different username/password combo for most things too so I guess I'm not too worried. I am going to try to pick up where I left off on the installation later today. Thank you for sharing and for your labor of love and fun.
