Suggestion/Request Please encrypt the iComfort credentials using oAuth token as seed

[mikegofman]

Thank you for creating this skill. Shame on Lennox for not dedicating their time and resources to add this support to their very Expensive products.

Bearing that in mind, I am security conscious person and really am concerned about the fact that the credentials are stored as open text in JavaScript file. Please add at least some sort of encryption to make hacking into the the Thermostat at least a little harder. While it is true that there is no private info in the thermostat, there is still a risk. The thermostat is a fully fledged tablet (at the very least someone could damage the expensive equipment, and at the worse get access/control of your network.

One potential way of implementing that I could see is using the Alexa OAuth token (that you currently ignore) to encrypt/de-crypt a string that store in a file. I realize that it is still not great, but it's better then nothing. I have some familiarity with OAuth and I could perhaps help out with that. Let me know if I can be of any assistance.

Thank you again , for putting this together. I hope I can help make this into something that more people would be comfortable with.

MG.

[kate-hall]

Hi @mikegofman, please, feel free to make a pull request against the repo if you have a security improvement! I consider this a public project :)

[StarfighterJ]

I got a Better Idea Make the Program have us input User ID and Password at the point of Enabling the icomfort Skill. Like the other Lennex themperature control Skills in Alexa. That way Kate can Publish this. and we are all good to go. LOL I wish I knew how to do that.

[mikegofman]

Here is a simple oAuth2 library that implements both flows with detailed instructions on how the whole thing works. https://github.com/lelylan/simple-oauth2#password-credentials-flow

[piconut]

Is anyone still working on this? I am trying to get it to work but need some help. It appears that no one has added any comments in a while. I am also concerned about the raw passwords hard coded into the script but I'm not a programmer and so don't know how to fix this. Anyone here?

[kate-hall]

@piconut I don't think anyone is working on the encryption portion. The hardcoded password is annoying, but it's a closed loop back to your own devices, only you have access to the developer skill in which the password exists.

[piconut]

Doesn't the username and password have to pass through the public internet everytime the Alexa skill is invoked by the user? Not arguing here since I'm not a programmer and may not understand all the moving parts. Just wondering how the command gets from Alexa and then into the iComfort without at some point going over the internet?

[kate-hall]

@piconut all good questions and I'm not sure I have a great answer for you. The AWS skill is encrypted at rest, so your password can't be discovered that way, but part of the reason I can't make this skill "official" is that Lennox's security is too primitive to work with Alexa's requirements. Translation: if you use the mobile app, your username and password are being sent over the public internet in the same way this skill sends them. Ditto logging into their website to control settings.

That said: security is NOT my forté and I'm not really stressed about hacks to my heating system. The password I use for my iComfort isn't one I reuse. Please keep in mind that this was a fun personal project for me to tackle and share, and I take no responsibility for what happens if you attempt to use it yourself.

[piconut]

That makes sense and I totally understand. I use a different username/password combo for most things too so I guess I'm not too worried. I am going to try to pick up where I left off on the installation later today. Thank you for sharing and for your labor of love and fun.