

{"id":5146,"date":"2017-03-12T11:26:56","date_gmt":"2017-03-12T16:26:56","guid":{"rendered":"https:\/\/rud.is\/b\/?p=5146"},"modified":"2018-03-10T07:54:15","modified_gmt":"2018-03-10T12:54:15","slug":"think-twice-before-using-ohmconnect","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2017\/03\/12\/think-twice-before-using-ohmconnect\/","title":{"rendered":"Think Twice Before Using Ohmconnect"},"content":{"rendered":"<p>I listen to @NPR throughout the day (on most days) and a <a href=\"https:\/\/www.npr.org\/sections\/alltechconsidered\/2017\/03\/07\/518175670\/energy-savings-can-be-fun-but-no-need-to-turn-off-all-the-lights\">story on Ohmconnect<\/a> piqued my interest (it aired 5 days prior to this post). The TLDR on Ohmconnect is that it ostensibly helps you save energy by making you more aware of consumption and can be enabled to control various bits of IoT you have in your abode to curtail wanton power usage.<\/p>\n<h3>OK. So\u2026?<\/h3>\n<p>Such a service requires access to (possibly many) accounts and devices to facilitate said awareness and control. Now, it&#8217;s 2017 and there&#8217;s this thing called <a href=\"https:\/\/en.wikipedia.org\/wiki\/OAuth\">OAuth<\/a> that makes giving such access quite a bit safer than it was in the &#8220;old days&#8221; when you pretty much had to give your main username and password out to &#8220;connect&#8221; things.<\/p>\n<p>It \u2014 apparently \u2014\u00a0is not 2017 wherever Ohmconnect developers reside since they ask for your credentials to <strong>every service and integration you want enabled<\/strong>. Don&#8217;t believe me? 
Take a look:<\/p>\n\n<p>[Gallery of nine screenshots, the first titled &#8220;OhmConnect Credentials Craziness&#8221;]<\/p>\n\n<p>That&#8217;s just from (mostly) the non-thermostat integrations. They ask for your credentials for all services. That&#8217;s <em>insane<\/em>.<\/p>\n<p>I can understand that they may need power company credentials since such industries are usually far behind the curve when it comes to internet-enablement. 
That doesn&#8217;t mean it&#8217;s A Good Thing to provide said credentials, but it&#8217;s a necessary evil when a service provider has no support for OAuth and you really want to use some integration to their portal.<\/p>\n<p>Virtually all of the possible Ohmconnect-supported service integrations have OAuth support. Here&#8217;s a list of the ones that do\/don&#8217;t:<\/p>\n<p><strong>OAuth Support:<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/www.ecobee.com\/home\/developer\/api\/documentation\/v1\/auth\/auth-intro.shtml\">Ecobee<\/a><\/li>\n<li><a href=\"https:\/\/developer.honeywell.com\/content\/getting-started-guide\">Honeywell<\/a><\/li>\n<li><a href=\"https:\/\/insteon.docs.apiary.io\/\">Insteon<\/a><\/li>\n<li><a href=\"https:\/\/developers.nest.com\/documentation\/cloud\/how-to-auth\">Nest<\/a><\/li>\n<li><a href=\"https:\/\/www.developers.meethue.com\/philips-hue-api\">Philips Hue<\/a><\/li>\n<li><a href=\"http:\/\/docs.smartthings.com\/en\/latest\/smartapp-web-services-developers-guide\/authorization.html\">Smartthings<\/a><\/li>\n<li>Venstar: has commercial support for OAuth but not easily linkable<\/li>\n<li><a href=\"https:\/\/winkapiv2.docs.apiary.io\/\">Wink<\/a><\/li>\n<li><a href=\"http:\/\/api.wiserair.com\/swagger\/ui\/index\">Wiser Air<\/a><\/li>\n<\/ul>\n<p><strong>Appears to have no OAuth Support:<\/strong><\/p>\n<ul>\n<li>Lennox<\/li>\n<li>Lutron<\/li>\n<li>Radio Thermostat (Filtrete)<\/li>\n<li>Revolv<\/li>\n<li>WeMo<\/li>\n<\/ul>\n<p>NOTE: The ones labeled as having no OAuth support may have either commercial OAuth support or hidden OAuth support. 
I&#8217;ll gladly modify the post if you leave a comment with official documentation showing they have OAuth support.<\/p>\n<p>On the plus side, Ohmconnect developers now have some links they can follow to learn about OAuth and fix their woefully insecure service.<\/p>\n<h3>Why Are Credentials Bad?<\/h3>\n<p>Ohmconnect <em>has to<\/em> store your credentials for other services either in the clear or in some way that&#8217;s easy for them to reverse\/decode. That means when criminals breach their servers (yes, <em>when<\/em>) they&#8217;ll get access to all the credentials you&#8217;ve entered on all those sites. Even if you&#8217;re one of the few who don&#8217;t use the same password everywhere and manage credentials in an app like @1Password, it&#8217;s still a pain to change them, and you&#8217;ll be at risk during whatever the time period is between breach and detection (which can be a very long time).<\/p>\n<p>In the highly unlikely event they are doing the OAuth in the background for you (a complete violation of OAuth principles) they still take and process (and likely store) your credentials for that transaction.<\/p>\n<p>Either way, the request for and use of credentials is either (at best) a naive attempt at simplifying the user experience or (at worst) a brazen disregard for accepted norms for modern user-service integration for non-obvious reasons.<\/p>\n<p>NOTE: I say &#8220;<em>when<\/em>&#8221; above as this would be a lovely target of choice for thieves given the types of data it can collect and the demographic that&#8217;s likely to use it.<\/p>\n<h3>What Can You Do?<\/h3>\n<p>Well, if you&#8217;re a current Ohmconnect user you can cancel your account and change all the credentials for the services you connected. Yes, I&#8217;m being serious. 
If you <em>really like<\/em> their service, contact customer support and provide the above links and demand that they use OAuth instead.<\/p>\n<p>You should absolutely not connect the devices\/services that are on the &#8220;Appears to have no OAuth Support&#8221; list above to any third-party service if that service needs your credentials to make the connection. There&#8217;s no excuse for a cloud-based service to not support OAuth and there are plenty of choices for home\/device control. Pick another brand and use it instead.<\/p>\n<p>If you aren&#8217;t an Ohmconnect user, I would not sign up until they support OAuth. By defaulting to the &#8220;easy&#8221; use of username &amp; password they are showing they really don&#8217;t take your security &amp; privacy seriously and that means they really don&#8217;t deserve your business.<\/p>\n<h3>FIN<\/h3>\n<p>It is my firm belief that @NPR should either remove the story or issue guidance along with it in text and in audio form. They showcased this company and have all but directly encouraged listeners to use it. Such recommendations should come after much more research, especially security-focused research (they can ask for help with that from many orgs that will give them good advice for free).<\/p>\n<p>In case you&#8217;re wondering, I did poke them about this on Twitter immediately after the NPR story and my initial signup attempt but they ignored said poke.<\/p>\n<p>I&#8217;m also not providing any links to them given their lax security practices.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I listen to @NPR throughout the day (on most days) and a story on Ohmconnect piqued my interest (it aired 5 days prior to this post). 
The TLDR on Ohmconnect is that it ostensibly helps you save energy by making you more aware of consumption and can be enabled to control various bits of IoT [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[681,643,784,54,646],"tags":[810],"class_list":["post-5146","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-gadgets","category-iot","category-physical-security","category-security-awareness","tag-post"],"yoast_head_json":{"title":"Think Twice Before Using Ohmconnect - rud.is","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/rud.is\/b\/2017\/03\/12\/think-twice-before-using-ohmconnect\/","og_locale":"en_US","og_type":"article","og_title":"Think Twice Before Using Ohmconnect - rud.is","og_description":"I listen to @NPR throughout the day (on most days) and a story on Ohmconnect piqued my interest (it aired 5 days prior to this post). The TLDR on Ohmconnect is that it ostensibly helps you save energy by making you more aware of consumption and can be enabled to control various bits of IoT [&hellip;]","og_url":"https:\/\/rud.is\/b\/2017\/03\/12\/think-twice-before-using-ohmconnect\/","og_site_name":"rud.is","article_published_time":"2017-03-12T16:26:56+00:00","article_modified_time":"2018-03-10T12:54:15+00:00","og_image":[{"url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/03\/OhmConnect-9.png?fit=150%2C150&amp;ssl=1","type":"","width":"","height":""}],"author":"hrbrmstr","twitter_card":"summary_large_image","twitter_misc":{"Written by":"hrbrmstr","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/rud.is\/b\/2017\/03\/12\/think-twice-before-using-ohmconnect\/#article","isPartOf":{"@id":"https:\/\/rud.is\/b\/2017\/03\/12\/think-twice-before-using-ohmconnect\/"},"author":{"name":"hrbrmstr","@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"headline":"Think Twice Before Using Ohmconnect","datePublished":"2017-03-12T16:26:56+00:00","dateModified":"2018-03-10T12:54:15+00:00","mainEntityOfPage":{"@id":"https:\/\/rud.is\/b\/2017\/03\/12\/think-twice-before-using-ohmconnect\/"},"wordCount":846,"commentCount":3,"publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"keywords":["post"],"articleSection":["Cybersecurity","Gadgets","iot","Physical Security","Security Awareness"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/rud.is\/b\/2017\/03\/12\/think-twice-before-using-ohmconnect\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/rud.is\/b\/2017\/03\/12\/think-twice-before-using-ohmconnect\/","url":"https:\/\/rud.is\/b\/2017\/03\/12\/think-twice-before-using-ohmconnect\/","name":"Think Twice Before Using Ohmconnect - rud.is","isPartOf":{"@id":"https:\/\/rud.is\/b\/#website"},"datePublished":"2017-03-12T16:26:56+00:00","dateModified":"2018-03-10T12:54:15+00:00","breadcrumb":{"@id":"https:\/\/rud.is\/b\/2017\/03\/12\/think-twice-before-using-ohmconnect\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/rud.is\/b\/2017\/03\/12\/think-twice-before-using-ohmconnect\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/rud.is\/b\/2017\/03\/12\/think-twice-before-using-ohmconnect\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/rud.is\/b\/"},{"@type":"ListItem","position":2,"name":"Think Twice Before Using 
Ohmconnect"}]},{"@type":"WebSite","@id":"https:\/\/rud.is\/b\/#website","url":"https:\/\/rud.is\/b\/","name":"rud.is","description":"&quot;In God we trust. All others must bring data&quot;","publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/rud.is\/b\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886","name":"hrbrmstr","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","contentUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","width":460,"height":460,"caption":"hrbrmstr"},"logo":{"@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1"},"description":"Don't look at me\u2026I do what he does \u2014 just slower. 
#rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7","sameAs":["http:\/\/rud.is"],"url":"https:\/\/rud.is\/b\/author\/hrbrmstr\/"}]}},"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p23idr-1l0","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/5146","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/comments?post=5146"}],"version-history":[{"count":0,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/5146\/revisions"}],"wp:attachment":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/media?parent=5146"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/categories?post=5146"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/tags?post=5146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}