SAIC-iSmart-API / saic-python-mqtt-gateway

MIT License

Sensitive information in mqtt payloads #243

Closed bj00rn closed 3 months ago

bj00rn commented 3 months ago

Seems that password in clear text and tokens are sent via mqtt. Is it possible to mask/redact this information?

nanomad commented 3 months ago

Hi Björn,

can you specify which topic? We have data masking in place already so it's a matter of extending the rules if we missed something

On Wed, 15 May 2024 at 15:55, Björn Dalfors @.***> wrote:

Seems that password in clear text and tokens are sent via mqtt. It it possible to mask/redact this information?


bj00rn commented 3 months ago


topics: saic/501_513/json/request saic/501_513/json/response

request

{
  "applicationData": {
    "password": "<REDACTED>"
  },
  "body": {
    "applicationID": "501",
    "eventCreationTime": 1706864825,
    "messageID": 1,
    "applicationDataLength": null,
    "applicationDataProtocolVersion": 513,
    "uid": "<REDACTED>",
    "eventID": 0,
    "testFlag": 2,
    "iccID": "<REDACTED>",
    "simInfo": "<REDACTED>",
    "messageCounter": {
      "uplinkCounter": 1,
      "downlinkCounter": 0
    }
  },
  "header": {
    "protocolVersion": 17,
    "dispatcherMessageLength": null
  }
}

response

{
  "applicationData": {
    "userName": "<REDACTED>",
    "token": "<REDACTED>",
    "refreshToken": "<REDACTED>",
    "tokenExpiration": {
      "seconds": 1709456825
    },
    "vinList": [
      {
        "vin": "<REDACTED>",
        "series": "ZS EV S",
        "brandName": "b'MG'",
        "modelName": "b'ZS EV'",
        "isAcivate": false,
        "isCurrentVehicle": 1,
        "modelYear": "2021",
        "colorName": "YORK WHITE",
        "bindTime": {
          "seconds": 1658929091
        }
      }
    ],
    "languageType": "english"
  },
  "body": {
    "applicationID": "501",
    "eventCreationTime": 1706864825,
    "messageID": 2,
    "applicationDataLength": 878,
    "applicationDataProtocolVersion": 513,
    "uid": "<REDACTED>",
    "token": "<REDACTED>",
    "eventID": 0,
    "applicationDataEncoding": "perUnaligned",
    "testFlag": 2,
    "result": 0,
    "iccID": "<REDACTED>",
    "simInfo": "<REDACTED>",
    "messageCounter": {
      "uplinkCounter": 1,
      "downlinkCounter": 1
    }
  },
  "header": {
    "protocolVersion": 17,
    "dispatcherMessageLength": 129,
    "dispatcherBodyEncoding": 0,
    "securityContext": 0
  }
}

nanomad commented 3 months ago

Those are legacy topics not published anymore (unless you're using the legacy version).

You can delete them

bj00rn commented 3 months ago

Those are legacy topics not published anymore (unless you're using the legacy version).

You can delete them

Ah, I see now that the messages are retained, that's why they are still there; the dates are from February.
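Two points in this thread lend themselves to a worked example: the masking rules nanomad refers to (a redaction pass over the JSON before it is published) and the retained legacy topics bj00rn found still sitting on the broker. The block below is an added example, not the gateway's own code. It walks a payload recursively, replacing credential and identifier values under keys like those shown redacted in the request/response above, and it clears retained topics by publishing a zero-length message with the retain flag set, which is how MQTT deletes a retained message. The key list, the paho-style publish(topic, payload, retain=...) signature and the sample values are assumptions made for this example.

```python
import json
import re
from typing import Any, Callable, Iterable

MASK = "<REDACTED>"

# Exact key names to mask (compared case-insensitively). Assumed for this
# example from the fields the issue shows redacted; not the gateway's rules.
SENSITIVE_KEYS = {"password", "username", "token", "refreshtoken",
                  "uid", "iccid", "siminfo", "vin"}

# Catch-all for keys ending in a credential-like word (e.g. "accessToken"),
# written so that neighbours such as "tokenExpiration" or "vinList" are kept.
SENSITIVE_SUFFIX = re.compile(r"(password|token|secret)$", re.IGNORECASE)


def is_sensitive_key(key: str) -> bool:
    """True if a JSON key names a value that must not reach the broker."""
    return key.lower() in SENSITIVE_KEYS or SENSITIVE_SUFFIX.search(key) is not None


def redact(value: Any) -> Any:
    """Deep-copy `value`, masking sensitive leaves; never mutates the input.

    Dicts and lists are walked recursively so nested objects such as
    applicationData.vinList[*].vin are covered.
    """
    if isinstance(value, dict):
        return {k: (MASK if is_sensitive_key(k) else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(item) for item in value]
    return value


def redact_payload(raw: str) -> str:
    """Redact a JSON payload string; the result is what gets published."""
    return json.dumps(redact(json.loads(raw)), separators=(",", ":"))


def clear_retained(publish: Callable[..., Any], topics: Iterable[str]) -> int:
    """Delete the retained message on each topic.

    A zero-length payload published with retain=True removes the retained
    message for that topic. `publish` is assumed to take (topic, payload,
    retain=...) like paho's Client.publish. Returns the number of topics cleared.
    """
    count = 0
    for topic in topics:
        publish(topic, b"", retain=True)
        count += 1
    return count


# Constructed sample modelled on the login response quoted in the issue;
# every credential value here is a placeholder, not real data.
SAMPLE_RESPONSE = json.dumps({
    "applicationData": {
        "userName": "user@example.invalid",
        "token": "tok-example-000",
        "refreshToken": "rtok-example-000",
        "tokenExpiration": {"seconds": 1709456825},
        "vinList": [{"vin": "VIN0000000000000X", "series": "ZS EV S"}],
    },
    "body": {"uid": "uid-example", "token": "tok-example-000",
             "iccID": "89000000000000000000"},
})

# The two legacy topics named in the issue.
LEGACY_TOPICS = ["saic/501_513/json/request", "saic/501_513/json/response"]


def demo() -> dict:
    """Redact the constructed sample and return it parsed back as a dict."""
    return json.loads(redact_payload(SAMPLE_RESPONSE))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    sent = []
    clear_retained(lambda t, p, retain: sent.append((t, p, retain)), LEGACY_TOPICS)
    print(sent)
```

Redaction by key name rather than by value pattern is the robust choice here: tokens have no fixed shape, while the field names are stable across the protocol, and a deny-list keyed on names fails closed when a new field with a known suffix appears. Clearing retained topics is worth doing alongside any masking fix, since a broker will keep handing out the old unmasked payload to every new subscriber until the retained message is overwritten or deleted.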