kerberos-io / kios

A Linux OS created by Buildroot which runs Kerberos Open Source out-of-the-box.
https://www.kerberos.io

Kios should not connect to an external MQTT server without permission #46

Open jeroenjacobs79 opened 3 years ago

jeroenjacobs79 commented 3 years ago

Preliminary Docs

I confirm that I have read the CONTRIBUTING guide before opening this issue.

I confirm that I have read the FAQ before opening this issue.

motionEyeOS Version

NA

Board Model

I am using the following board/model: (insert your board model here, e.g. Raspberry PI 3B+).

Camera

NA

Log Files

NA

Actual issue

I'm seeing connections to an external MQTT server (159.65.215.225) after installing kerberos on my Raspberry Pi. Since this is data gathering without explicit permission from the user, this is probably a GDPR violation and therefore illegal in Europe.

Proposed solution

Make this opt-in during install.

litij commented 3 years ago

Is there any workaround for this issue?

cedricve commented 3 years ago

Hey, it's actually setting this connection up for our cloud application, but if you didn't configure it, it will not do anything. For the next version we will make sure the connection is not established when not needed. However, if you are suspicious you can always block the IP in the firewall.

jeroenjacobs79 commented 3 years ago

I had blocked those devices from connecting to the internet in my firewall, because there is absolutely zero reason it should connect to the internet without my permission.

@cedricve Sorry, but I don't think that's true. I never set up the cloud stuff, and it still connects to that MQTT server on the internet. I have my firewall logs to prove it. (misunderstood your previous remark, sorry) If someone ever logs a GDPR complaint about this, they probably have a case.

jeroenjacobs79 commented 3 years ago

@cedricve I would suggest to either disable this completely, or inform the user during install that this happens (and clarify what data is being sent to this MQTT server).

cedricve commented 3 years ago

> @cedricve I would suggest to either disable this completely, or inform the user during install that this happens (and clarify what data is being sent to this MQTT server).

That is the point I try to make.

@jeroenjacobs79 you should look into the source code, to see what it is doing. It establishes the connection, but doesn't receive or send data if the cloud credentials are not entered. Anyhow, as mentioned, this is something we will definitely fix in the next version, as it doesn't make sense to establish the connection anyhow (it's not good for anyone).

https://github.com/kerberos-io/machinery/blob/master/src/kerberos/cloud/ForwardStream.cpp#L7

https://github.com/kerberos-io/machinery/blob/master/src/kerberos/Kerberos.cpp#L84
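
The firewall-log check discussed in this thread, as an added example that is not part of the original issue or the Kerberos project's code: it scans netfilter LOG-format lines for new outbound TCP connection attempts to the reported address 159.65.215.225 or to an MQTT port. The log lines, LAN addresses and the use of the standard MQTT ports 1883/8883 are constructed assumptions; the thread does not state which port the device uses.

```python
import re
from collections import Counter

# Address reported in the issue. The ports are the IANA-registered MQTT ports,
# an assumption: the thread does not say which port the device uses.
BROKER_IP = "159.65.215.225"
MQTT_PORTS = {1883, 8883}

# Constructed sample lines in netfilter LOG format (not real firewall logs).
SAMPLE_LOG = """\
Jan 12 10:01:02 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=159.65.215.225 PROTO=TCP SPT=51234 DPT=1883 SYN
Jan 12 10:01:05 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=159.65.215.225 PROTO=TCP SPT=51234 DPT=1883 SYN
Jan 12 10:01:06 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=192.168.1.1 PROTO=UDP SPT=40000 DPT=53
Jan 12 10:02:10 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.51 DST=203.0.113.10 PROTO=TCP SPT=40222 DPT=8883 SYN
Jan 12 10:02:11 gw kernel: FWD IN=eth0 OUT=br0 SRC=203.0.113.10 DST=192.168.1.51 PROTO=TCP SPT=8883 DPT=40222 ACK SYN
Jan 12 10:03:00 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=50100 DPT=443 SYN
Jan 12 10:03:01 gw kernel: truncated entry SRC=192.168.1.50 DST=
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def mqtt_attempts(log_text, broker_ip=BROKER_IP, ports=MQTT_PORTS):
    """Count new outbound TCP connection attempts per (src, dst, dport) that
    target the broker address or any MQTT port."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        flags = line.split()
        # Only the initial SYN counts; SYN-ACK replies and non-TCP are skipped.
        if fields.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
            continue
        # Skip truncated or malformed entries that lack the fields we need.
        if not fields.get("DPT", "").isdigit() or "SRC" not in fields or "DST" not in fields:
            continue
        dport = int(fields["DPT"])
        if fields["DST"] == broker_ip or dport in ports:
            hits[(fields["SRC"], fields["DST"], dport)] += 1
    return hits

def offending_hosts(log_text):
    """LAN sources that attempted at least one such connection."""
    return sorted({src for src, _, _ in mqtt_attempts(log_text)})

if __name__ == "__main__":
    for (src, dst, dport), n in sorted(mqtt_attempts(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}:{dport}  attempts={n}")
```

Repeated SYNs from the same source port with no reply logged, as in the first two sample lines, are what a device retrying against a blocked destination looks like in such a log.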