
Category Archives: Physical Security

I listen to @NPR throughout the day (on most days) and a story on Ohmconnect piqued my interest (it aired 5 days prior to this post). The TLDR on Ohmconnect is that it ostensibly helps you save energy by making you more aware of consumption and can be enabled to control various bits of IoT you have in your abode to curtail wanton power usage.

OK. So…?

Such a service requires access to (possibly many) accounts and devices to facilitate said awareness and control. Now, it’s 2017 and there’s this thing called OAuth that makes giving such access quite a bit safer than it was in the “old days” when you pretty much had to give your main username and password out to “connect” things.

It — apparently — is not 2017 wherever Ohmconnect developers reside since they ask for your credentials to every service and integration you want enabled. Don’t believe me? Take a look:

That’s just from (mostly) the non-thermostat integrations. They ask for your credentials for all services. That’s insane.

I can understand that they may need power company credentials since such industries are usually far behind the curve when it comes to internet-enablement. That doesn’t mean it’s A Good Thing to provide said credentials, but it’s a necessary evil when a service provider has no support for OAuth and you really want to use some integration to their portal.

Virtually all of the possible Ohmconnect-supported service integrations have OAuth support. Here’s a list of the ones that do/don’t:

OAuth Support:

Appears to have no OAuth Support:

  • Lennox
  • Lutron
  • Radio Thermostat (Filtrete)
  • Revolv
  • WeMo

NOTE: The ones labeled as having no OAuth support may have either commercial OAuth support or hidden OAuth support. I’ll gladly modify the post if you leave a comment with official documentation showing they have OAuth support.

On the plus side, Ohmconnect developers now have some links they can follow to learn about OAuth and fix their woefully insecure service.

Why Are Credentials Bad?

Ohmconnect has to store your credentials for other services either in the clear or in some way that’s easy for them to reverse/decode. That means when criminals breach their servers (yes, when) they’ll get access to all the credentials you’ve entered on all those sites. Even if you’re one of the few who don’t use the same password everywhere and manage credentials in an app like @1Password, it’s still a pain to change them all, and you’ll be at risk for the whole period between breach and detection (which can be a very long time).

In the highly unlikely event they are doing the OAuth in the background for you (a complete violation of OAuth principles) they still take and process (and, likely store) your credentials for that transaction.

Either way, the request for and use of credentials is either (at best) a naive attempt at simplifying the user experience or (at worst) a brazen disregard for accepted norms of modern user-service integration, for non-obvious reasons.

NOTE: I say “when” above as this would be a lovely target of choice for thieves given the types of data it can collect and the demographic that’s likely to use it.
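What the difference looks like in practice, as an added example that is not Ohmconnect’s or any vendor’s code: a hypothetical vendor (`Provider`) that holds the user’s password and can issue scoped OAuth 2.0 access tokens through an authorization-code exchange with PKCE, beside two hypothetical integrators, one that keeps the password on file (the pattern criticised above) and one that keeps only a token. `demo()` walks both through a simulated breach. All names, scopes, the password and the token formats are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _s256(verifier: str) -> str:
    """PKCE S256 challenge: base64url(sha256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


@dataclass
class Provider:
    """Hypothetical device vendor: the only party that ever sees the password."""
    users: dict = field(default_factory=dict)   # username -> (salt, pbkdf2 hash)
    codes: dict = field(default_factory=dict)   # auth code -> (user, scope, challenge)
    tokens: dict = field(default_factory=dict)  # access token -> (user, scope)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def login(self, user, password) -> bool:
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def authorize(self, user, password, scope, code_challenge):
        """Step the *user* performs in their own browser at the vendor's site;
        the integrator is not part of this exchange and never sees the password."""
        if not self.login(user, password):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, scope, code_challenge)
        return code

    def exchange(self, code, code_verifier):
        """Integrator swaps the single-use code for a token bound to the granted scope."""
        user, scope, challenge = self.codes.pop(code)
        if not hmac.compare_digest(_s256(code_verifier), challenge):
            raise PermissionError("PKCE verifier mismatch")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user, scope)
        return token

    def api(self, token, action) -> bool:
        """True only if the token is still live and its scope covers the action."""
        entry = self.tokens.get(token)
        return entry is not None and action in entry[1]

    def revoke(self, token):
        self.tokens.pop(token, None)


class CredentialIntegrator:
    """Anti-pattern from the post: keeps the user's vendor password on file,
    necessarily in recoverable form because it has to be replayed on every call."""
    def __init__(self, provider):
        self.provider, self.vault = provider, {}

    def connect(self, user, password):
        self.vault[user] = password

    def set_thermostat(self, user) -> bool:
        return self.provider.login(user, self.vault[user])

    def breach_dump(self):
        return dict(self.vault)   # what an attacker walks away with


class OAuthIntegrator:
    """OAuth 2.0 authorization-code client (with PKCE): stores only a scoped token."""
    def __init__(self, provider):
        self.provider, self.vault = provider, {}

    def connect(self, user, code, verifier):
        self.vault[user] = self.provider.exchange(code, verifier)

    def set_thermostat(self, user) -> bool:
        return self.provider.api(self.vault[user], "thermostat:write")

    def breach_dump(self):
        return dict(self.vault)


def demo():
    """Simulate a breach of each integrator and report what the attacker can do."""
    vendor = Provider()
    vendor.register("alice", "correct horse battery staple")   # constructed password

    cred = CredentialIntegrator(vendor)
    cred.connect("alice", "correct horse battery staple")
    cred.set_thermostat("alice")
    leaked_pw = cred.breach_dump()["alice"]            # the real password, usable anywhere

    verifier = secrets.token_urlsafe(32)
    code = vendor.authorize("alice", "correct horse battery staple",
                            {"thermostat:write"}, _s256(verifier))
    oauth = OAuthIntegrator(vendor)
    oauth.connect("alice", code, verifier)
    leaked_tok = oauth.breach_dump()["alice"]          # scoped token, revocable by the vendor
    scope_limited = vendor.api(leaked_tok, "thermostat:write") and not vendor.api(leaked_tok, "account:read")
    vendor.revoke(leaked_tok)                          # user (or vendor) kills the token
    return {
        "password_leaked_by_credential_model": vendor.login("alice", leaked_pw),
        "token_was_scope_limited": scope_limited,
        "token_dead_after_revoke": vendor.api(leaked_tok, "thermostat:write"),
        "password_still_valid_after_revoke": vendor.login("alice", "correct horse battery staple"),
    }
```

The point of the simulation is the last dictionary: a breach of the credential-storing integrator yields the password itself, which keeps working on the vendor’s site (and on every other site where it is reused) until the user changes it, while a breach of the token-holding integrator yields something limited to the scope the user granted and dead the moment it is revoked, with the password never changed and never exposed.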

What Can You Do?

Well, if you’re a current Ohmconnect user, you can cancel your account and change all the credentials for the services you connected. Yes, I’m being serious. If you really like their service, contact customer support, provide the above links and demand that they use OAuth instead.

You should absolutely not connect the devices/services that are on the “Appears to have no OAuth Support” list above to any third-party service if that service needs your credentials to make the connection. There’s no excuse for a cloud-based service to not support OAuth and there are plenty of choices for home/device control. Pick another brand and use it instead.

If you aren’t an Ohmconnect user, I would not sign up until they support OAuth. By defaulting to the “easy” use of username & password they are showing they really don’t take your security & privacy seriously and that means they really don’t deserve your business.

FIN

It is my firm belief that @NPR should either remove the story or issue guidance along with it in text and in audio form. They showcased this company and have all but directly encouraged listeners to use it. Such recommendations should come after much more research, especially security-focused research (they can ask for help with that from many orgs that will give them good advice for free).

In case you’re wondering, I did poke them about this on Twitter immediately after the NPR story and my initial signup attempt but they ignored said poke.

I’m also not providing any links to them given their lax security practices.

Last night, the kids left the garage open after sledding all afternoon and I failed to perform my usual rounds due to still being horrendously ill. At some point between 23:00 & 05:30, miscreants did a snatch & grab on some electronics and other items. Ugh. This was both a physical security failure and a risk management issue, but I’ll keep this post on-topic and expound on the other items at a later date.

The first thing I did after noticing something was amiss was to take an inventory of what was missing from both the vehicles and then the garage in general. Once I had that list, it was time to start making the calls to the police department and insurance company. If you’ve ever been a victim of such a loss, you know the one question that comes up almost immediately: “Do you have the serial #’s and approximate value of the items taken?”. Most people, unfortunately, don’t.

While you do not necessarily need anything more than a file folder and some note paper (plus receipts), using a tool like Evernote can really help. You first need to create a folder called (something like) “Home Inventory”. Then, on or very near the date of acquisition do the following:

  • Take a picture of the object (television, GPS, camera, road bike, guitar, etc.) and put it in the Evernote home inventory folder as a new note with the title being the actual, full brand/product name. This is made even easier if you use a smartphone that has an Evernote app on it. Take more than one picture if you want to include more of the location it was ultimately placed in. I would also suggest having yourself or another owner be in one of the pictures.
  • Add to the note the actual date of purchase. It also helps to either take a picture of or scan the printed receipt, or paste in the e-mail with the receipt (if purchased online).
  • Locate the serial number and manufacturer id number and put those in. It helps to take an actual picture of this information as well.
  • Include the room or other physical location where the object was ultimately placed (this makes sense only if it’s a fixed asset like a TV, stereo or car GPS).
  • If you have the technical know-how, make an MD5 hash of all attachments (pictures/scans) and include the MD5 sums in the entry. This validates the integrity of the stored information as best as possible.
  • Do not forget to include any SD cards, docking stations, GPS mounts, cables, custom road bike wheelsets, etc. in your list. I would recommend associating them with the entry for the main object you are documenting.
  • If you have any account, financial or other personal information (e.g. e-mail address, usernames, passwords) stored on the object – and even TVs hold this type of data these days – document those as well and include any remediation steps or contact info (such as the bank’s phone number).
  • If the object is something like a media center (e.g. Apple TV) or media hard drive, you will need to keep a separate inventory of the non-replaceable, paid content on it and include that in any loss document if you do not have backups.
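The steps above, as an added example that is not part of the original post: a small script that builds one inventory record in the shape the list describes (name, serial, purchase date, location, accessories) with a digest per attachment, writes it out as JSON for pasting into the note, and later re-checks the attachments against the stored digests so a corrupted or swapped photo or receipt scan is noticed. It defaults to MD5 as the post suggests but takes any `hashlib` algorithm, since SHA-256 is the better choice for a record somebody else may one day dispute; the attachment bytes, item name and serial are constructed placeholders.

```python
import hashlib
import json

# Constructed stand-ins for the attachment files (photo, receipt scan) that
# would live alongside the note; in real use read them with open(path, "rb").
ATTACHMENTS = {
    "front.jpg": b"\xff\xd8\xff\xe0JFIF constructed photo bytes",
    "receipt.pdf": b"%PDF-1.4 constructed receipt scan bytes",
}


def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of one attachment; 'md5' as in the post, 'sha256' preferred today."""
    return hashlib.new(algo, data).hexdigest()


def make_record(name, serial, purchased, location, attachments, accessories=(), algo="md5"):
    """Build one inventory note: the fields the police/insurer ask for plus
    a digest for every attached picture or scan."""
    return {
        "item": name,
        "serial": serial,
        "purchased": purchased,            # ISO date string, e.g. "2017-01-02"
        "location": location,
        "accessories": list(accessories),  # SD cards, mounts, cables, ... kept with the main item
        "hash_algorithm": algo,
        "attachments": {fn: digest(blob, algo) for fn, blob in attachments.items()},
    }


def record_as_note(record) -> str:
    """Text body to paste into the Evernote note (or print for the paper folder)."""
    return json.dumps(record, indent=2, sort_keys=True)


def verify_record(record, attachments):
    """Return the names of attachments that are missing or whose bytes no longer
    match the digest stored when the record was made (empty list = all intact)."""
    algo = record["hash_algorithm"]
    bad = []
    for fn, expected in record["attachments"].items():
        blob = attachments.get(fn)
        if blob is None or digest(blob, algo) != expected:
            bad.append(fn)
    return bad


if __name__ == "__main__":
    rec = make_record("Constructed-brand 55in TV", "SN-CONSTRUCTED-0001", "2017-01-02",
                      "Living room", ATTACHMENTS, accessories=["wall mount", "remote"])
    print(record_as_note(rec))
    print("intact:", verify_record(rec, ATTACHMENTS) == [])
```

Re-run `verify_record` against the files whenever you touch the folder (after a backup restore, a phone migration, or before handing the record to an insurer); anything it lists has changed since the day you documented the item and should be re-photographed and re-hashed rather than trusted.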

Now, when you do become the victim of such a crime or incur damage as a result of a fire/flood/etc, you have all the data any agency or company will need to document the loss. This information may also be useful to help law enforcement find the stolen objects (if a theft), especially if there are unique markings.

While this was not a fun experience, it did validate my time and effort building and maintaining this inventory and will hopefully be helpful to others, though I sincerely hope you never have to go through anything similar.