dustindclark / homebridge-rinnai-controlr

Rinnai Control-R interface for homebridge
Apache License 2.0

Encrypt our Rinnai Control-R password #3

Open buckzilla opened 2 years ago

buckzilla commented 2 years ago

I am concerned with my Rinnai login credentials sitting in plain text in the Homebridge config file. Is it possible that they can be point-in-time encrypted/decrypted? This is how most network vendors handle this problem (passwords in text config files).

dustindclark commented 2 years ago

While this is absolutely a valid request, I'd like to point out a couple of things.

  1. The Rinnai API is not in any way secured... so anyone with your email address and IP address can control your water heater. This is a huge vulnerability that I can't believe that they haven't addressed. This plugin, however, enforces authentication before allowing control.
  2. A would-be attacker would have to have access to your local network to see this information. If they have this, they can already control your devices and/or modify your Homebridge config.

dustindclark commented 1 year ago

Rinnai finally secured their API, so point 1 made above is no longer valid.