Aircoookie / WLED

Control WS2812B and many more types of digital RGB LEDs with an ESP8266 or ESP32 over WiFi!
https://kno.wled.ge
MIT License
14.58k stars 3.13k forks

Remote WebSocket Connection #4118

Open phillclark opened 2 weeks ago

phillclark commented 2 weeks ago

Add the ability for WLED to make a connection to a remote WebSocket so on boot it will attempt to connect to a designated location and then receive commands from that source. JSON structure would remain the same for the actual controls.

softhack007 commented 2 weeks ago

@phillclark I don't think that adding a backdoor for remote command & control is a good idea, considering that IOT devices are always a good target for remote exploitation.

We would first need some kind of public key encryption support for JSON commands in WLED, to ensure that the "JSON control" data comes from a trusted source.

Otherwise the server (name or ip) could be spoofed easily, and a malicious attacker might be able to send some JSON commands that overload your wiring, by simply forcing all your LEDs to bright white.

blazoncek commented 2 weeks ago

Additional note: As WLED already supports websockets (as a host) you can update a client to reconnect to WLED when it becomes available and control it.

phillclark commented 2 weeks ago

@softhack007 I think this is a real edge case scenario - there would be protections, as you state, that could be added. It might not even need that level of security; you could set a salt on the device and then as part of the payload sent include a hashed value combining the JSON and the salt for a checksum comparison when received on the device.

Ultimately, the implementation of this would be down to the user to ensure they have secured the process between the device and the remote WS server in a suitable way. It would be a lot of effort for an attacker to find, spoof and then send commands to realistically change the colour of some LEDs! In terms of overloading wiring, well anyone installing should be factoring maximum power potential and installing it with suitable wiring, power supplies and protections anyway! ;-)

@blazoncek this is fine if you have access to the local network where the devices operate; I have scenarios where I cannot get remotely into the network due to firewall rules so then have to run additional kit to act as the go-between making the remote connection outbound and then relaying commands to the devices locally. My suggestion was to remove all the additional complexity on this front to then allow the device itself to make the connection direct outbound.
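Added example, not part of the original thread and not WLED code: the "salt plus hash" check discussed above, written as a keyed MAC (HMAC-SHA256) with a message counter so that a captured command cannot be replayed. It is in Python for illustration only; the envelope field names `ctr`, `body` and `mac`, the function names and the key value are assumptions, and a shared key does not give the public-key property softhack007 asks for.

```python
import hashlib
import hmac
import json

# Constructed sample value; a real device would hold a random per-device key.
DEVICE_KEY = b"constructed-demo-key-not-for-real-use"


def _mac(key: bytes, counter: int, body: str) -> bytes:
    # HMAC rather than sha256(salt + json): the keyed construction is not
    # subject to length extension, and the counter is bound into the tag.
    msg = str(counter).encode() + b"." + body.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_command(key: bytes, counter: int, state: dict) -> str:
    """Server side: wrap a JSON state object in a signed envelope."""
    body = json.dumps(state, separators=(",", ":"))
    tag = _mac(key, counter, body).hex()
    return json.dumps({"ctr": counter, "body": body, "mac": tag})


def verify_command(key: bytes, envelope: str, last_counter: int):
    """Device side: return (state, new_counter) or raise ValueError."""
    try:
        env = json.loads(envelope)
        counter, body = env["ctr"], env["body"]
        tag = bytes.fromhex(env["mac"])
        if not (isinstance(counter, int) and isinstance(body, str)):
            raise TypeError("wrong field types")
        expected = _mac(key, counter, body)
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("malformed envelope") from exc
    # Constant-time comparison, done before anything in body is trusted.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad MAC")
    # Reject replays of an old, validly signed command.
    if counter <= last_counter:
        raise ValueError("stale counter")
    # The signed bytes are parsed only after authentication succeeds.
    return json.loads(body), counter
```

The device has to persist the last accepted counter across reboots, otherwise every previously captured envelope becomes valid again after a power cycle.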

blazoncek commented 2 weeks ago

You have a usermod for that. Called something like "Http pull request".

phillclark commented 2 weeks ago

@blazoncek I couldn't see anything obvious in the usermods along this line - if you can point me at it that would be great!

blazoncek commented 2 weeks ago

Look at 0_15 branch.