albertogeniola / meross-homeassistant

Custom component that leverages the Meross IoT library to integrate with Homeassistant
MIT License

Meross Cloud Credentials saved in plain text #486

Closed mwalterskirchen closed 2 months ago

mwalterskirchen commented 4 months ago

Describe the bug
The integration saved the credentials for authenticating with the meross cloud in plain text in /config/.storage/core.config_entries

Your environment
HomeAssistant version: 2024.3.0.dev0
Hardware environment: Mac OSX Sonoma 14.2.1

Logs taken when the issue happened

{
  "entry_id": "f5755df6bdb86f04a66392457b11ca77",
  "version": 1,
  "minor_version": 1,
  "domain": "meross_cloud",
  "title": "https://iot.meross.com",
  "data": {
    "username": "--REDACTED--",
    "password": "homeassistant_iot",
    "http_api_endpoint": "https://iot.meross.com",
    "override_mqtt_endpoint": null,
    "stored_credentials": {
      "domain": "https://iotx-us.meross.com",
      "mqtt_domain": [
        "mqtt-us.meross.com"
      ],
      "token": "--REDACTED--",
      "key": "4572ec9267d62a00e5a1face072e6a07",
      "user_id": "--REDACTED--",
      "user_email": "--REDACTED--",
      "issued_on": "2024-02-07T14:52:27.962865",
      "mfa_lock_expire": 0
    },
    "skip_mqtt_cert_validation": true
  },
  "options": {},
  "pref_disable_new_entities": false,
  "pref_disable_polling": false,
  "source": "user",
  "unique_id": "https://iot.meross.com",
  "disabled_by": null
}
albertogeniola commented 4 months ago

Hi @mwalterskirchen ,

That's intended. In order to keep your session up and running across reboots of HomeAssistant, the Meross integration needs to keep an access token stored locally, as the meross app does. Encrypting the credentials would require an encryption key to be stored somewhere: again that would just shift the problem, as we would store the encryption key for decrypting the credentials.

Most of the HomeAssistant components store credentials this way. The point is that nobody except admins should ever be able to access the SSH console or the SD contents of the HA directory.

In any case, we are not storing your user's password, but just the issued token (this is how browsers and apps work) in order to improve the security (you should not be able to do major account changes with only the token, you'll need the actual user's password).

mwalterskirchen commented 4 months ago

Hi @albertogeniola, Thanks for getting back to me and clarifying your point of view! 🙌🏻 But my user password iot_homeassistant is saved in clear text in the config file. This would best be avoided by just using a token altogether and never saving the user password but rather just the token. This way IF a potential attacker were to get access to the HA directory somehow they could only abuse one service and not potentially obtain a clear text password that users tend to reuse across applications.

albertogeniola commented 4 months ago

Hi @mwalterskirchen , my mistake, I was wrong. You are right, the current version of this component is storing the user's password. Now that I think about it, I remember this was necessary as the token did not report its expiration timestamp, so it was hard to say when it would have expired. Nor was it possible to renew it without the user-password combination.

However, that was a long time ago, so it might be the right time to get back to the Meross Engineering team to get info about the token expiration and see if we can store only the token instead of the email-password combination.

I'll mark this discussion as feature request to improve the overall security of this component.

Thanks for the spot!

albertogeniola commented 2 months ago

Hi @mwalterskirchen , I got back to the Meross Engineers. It looks like the token expiration is handled on their side: every time you use the same token, its expiration is extended. This means that we can assume the token never expires, if the HA system is kept running and connected to the Internet. Therefore, I performed the necessary changes to the library and to the component so that user/password credentials are no longer stored. Instead, we just use the token.

I've released a beta version for you to try it out: v1.3.1beta1. Would you please try it and provide some feedback? Please note: you need to completely remove the integration, restart HA, then install the new integration. In this way, the previously stored info is wiped away and username/password won't be there any longer.
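The two points raised in this thread, that the original entry kept a reusable password next to the session token and that the fix keeps only the token, can be checked from the HA side. The script below is an added example written for this thread; it is not code from the meross-homeassistant project or from Home Assistant. It walks the JSON structure of `.storage/core.config_entries` (assumed here to be a top-level object with `data.entries`, as in the report), reports every config entry whose `data` block holds a non-empty password-like value, and shows what a meross_cloud entry looks like once the `username`/`password` pair is dropped and only `stored_credentials` remains. The file content embedded below is constructed for the example and uses placeholder values.

```python
"""Audit core.config_entries for plaintext passwords and show the token-only layout.

Added example for issue #486, not part of the meross-homeassistant project.
Assumptions: the storage file is JSON shaped like {"data": {"entries": [...]}},
and the key names in PASSWORD_KEYS are a heuristic for reusable credentials
(as opposed to a revocable session token such as stored_credentials.token).
"""
import json
import sys
from typing import Any

# Heuristic: key names that usually hold a reusable, non-revocable credential.
PASSWORD_KEYS = {"password", "passwd", "pwd", "secret"}

# Constructed sample resembling the entry from the report, with placeholder values.
SAMPLE_STORE = json.dumps({
    "version": 1,
    "minor_version": 1,
    "key": "core.config_entries",
    "data": {"entries": [
        {
            "entry_id": "0000000000000000000000000000aaaa",
            "domain": "meross_cloud",
            "data": {
                "username": "user@example.com",
                "password": "EXAMPLE-PASSWORD",
                "http_api_endpoint": "https://iot.meross.com",
                "stored_credentials": {
                    "token": "EXAMPLE-TOKEN",
                    "key": "EXAMPLE-KEY",
                    "issued_on": "2024-02-07T14:52:27.962865",
                },
            },
        },
        {
            "entry_id": "0000000000000000000000000000bbbb",
            "domain": "other_integration",
            "data": {"api_token": "EXAMPLE-TOKEN-2"},
        },
    ]},
})


def find_plaintext_secrets(obj: Any, path: str = "data") -> list[str]:
    """Return dotted paths of every non-empty string stored under a password-like key."""
    hits: list[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key.lower() in PASSWORD_KEYS and isinstance(value, str) and value:
                hits.append(child)
            else:
                hits.extend(find_plaintext_secrets(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_plaintext_secrets(item, f"{path}[{i}]"))
    return hits


def audit_config_entries(text: str) -> dict[str, list[str]]:
    """Map each integration domain to the paths where it keeps a plaintext password."""
    store = json.loads(text)
    findings: dict[str, list[str]] = {}
    for entry in store.get("data", {}).get("entries", []):
        paths = find_plaintext_secrets(entry.get("data", {}))
        if paths:
            findings[entry["domain"]] = paths
    return findings


def to_token_only(entry: dict) -> dict:
    """Return a copy of a meross_cloud entry without username/password.

    Only the session token inside stored_credentials remains, which is the
    layout the thread describes for v1.3.1. The copy is deep so the original
    storage structure is left untouched.
    """
    scrubbed = json.loads(json.dumps(entry))
    for key in ("username", "password"):
        scrubbed["data"].pop(key, None)
    return scrubbed


if __name__ == "__main__":
    # Usage: python audit_entries.py /config/.storage/core.config_entries
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_STORE
    for domain, paths in audit_config_entries(source).items():
        print(f"{domain}: plaintext password at {', '.join(paths)}")
```

Running it against the real storage path from the report lists every integration, not only meross_cloud, that still persists a password, which is a useful check after upgrading and re-adding the integration as the maintainer describes. The scrubbed entry keeps `stored_credentials.token`, so the audit reports nothing for it: a token is still sensitive, but it is revocable and tied to one service rather than reusable across accounts.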

albertogeniola commented 2 months ago

Fixed in v1.3.1. Closing!