mhrivnak / radiotherm

python client library for Radio Thermostat wifi-enabled home thermostats
BSD 3-Clause "New" or "Revised" License

Security issues #42

Open cpitclaudel opened 5 years ago

cpitclaudel commented 5 years ago

Hi there,

Thanks for this nice library. It might be good to mention in the readme that the whole CT family is insecure, so that people don't develop incorrect expectations (your library is great, so I expect few people will read the manual, and fewer still realize that the device is insecure).

There are currently two CVEs (https://www.cvedetails.com/cve/CVE-2013-4860/ and https://www.cvedetails.com/cve/CVE-2018-11315/) against the CT line, and apparently the manufacturer hasn't fixed or responded to either. The first one allows any website you visit while connected to the Wifi to turn the heating or AC on or off, or change the target temperature; the second one additionally allows websites that you visit to exfiltrate data (the first one is a cross-site scripting vulnerability; the second one is a DNS rebinding issue).

Of course, none of these issues come from your neat library; but they're still things that users may want to know about.

craftyguy commented 5 years ago

As with any IoT thing, it's generally not advisable to put the device 1) on a network with an internet connection, and 2) on a network connected to other devices you care about.

cpitclaudel commented 5 years ago

As with any IoT thing, it's generally not advisable to put the device 1) on a network with an internet connection

Unclear. Many of the better-designed ones get updates from the internet, so keeping them off isn't necessarily a good idea.

on a network connected to other devices you care about.

The device in question can be operated either through an app connected to the internet, or through the same app via LAN. If you want to control it with the manufacturer's app and your own phone, both your phone and the device will have to be connected to the same network at some point.

I do agree with you, though: you can mitigate the issue by disconnecting the device from the internet and properly isolating it. I think mitigation suggestions would be great to add to the README, too.
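One server-side mitigation for the DNS rebinding class of issue mentioned in this thread is a Host-header check: under a rebinding attack the browser's request reaches the device's LAN address, but the Host header still names the attacker's domain, so a device (or a small proxy placed in front of an unfixed one) that only answers for its own addresses defeats it. The check below is an added example, not code from radiotherm or from anyone in this thread; the allowed addresses and sample requests are constructed.

```python
"""Host-header validation that rejects DNS-rebinding requests to a LAN-only API."""
import ipaddress
from urllib.parse import urlsplit

# Constructed: the LAN address the thermostat is expected to be reached at,
# plus a local DNS name an operator might have assigned to it.
ALLOWED_HOSTS = {"192.168.1.50", "thermostat.lan"}


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names one of the device's own addresses."""
    if not host_header:
        return False  # requests with no Host header are rejected as well
    try:
        # urlsplit strips the port and unwraps bracketed IPv6 literals for us;
        # it raises ValueError on malformed netlocs such as an unclosed '['.
        name = urlsplit("//" + host_header.strip()).hostname
    except ValueError:
        return False
    if not name:
        return False
    try:
        # Normalise IP literals so e.g. IPv6 zero-compression compares correctly.
        return str(ipaddress.ip_address(name)) in allowed
    except ValueError:
        return name.lower().rstrip(".") in allowed


def classify_requests(requests):
    """Label each (host_header, path) pair as 'serve' or 'reject'."""
    return [(host, path, "serve" if host_is_allowed(host) else "reject")
            for host, path in requests]


# Constructed sample requests: two from a LAN app talking to the device
# directly, and two shaped like what a browser emits during a rebinding attack
# (the TCP connection reaches the device, but Host is the attacker's domain).
SAMPLE = [
    ("192.168.1.50", "/tstat"),
    ("thermostat.lan:80", "/tstat"),
    ("rebind.attacker.example", "/tstat"),
    ("", "/tstat"),
]

if __name__ == "__main__":
    for host, path, verdict in classify_requests(SAMPLE):
        print(f"{verdict:6} Host={host!r} {path}")
```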

craftyguy commented 5 years ago

Good points.

I'll try to draft something up in the next few days to add to the README. Thanks for reaching out, I appreciate it!

skimj commented 5 months ago

The device in question can be operated either through an app connected to the internet, or through the same app via LAN. If you want to control it with the manufacturer's app and your own phone, both your phone and the device will have to be connected to the same network at some point.

Note that Radio Thermostat has since discontinued the mobile web app support for these thermostats (which is exactly why I like this type of device that has a "local" API, so that when the 3rd party quits, the device is still useful).