Search found 10 matches

by bwalter
Fri Mar 22, 2013 4:35 pm
Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
Topic: Major Security Flaw - Emailing of Mobile Portal Link
Replies: 16
Views: 18123

Re: Major Security Flaw - Emailing of Mobile Portal Link

With a hash, someone can look at my system, and see that it is armed. However, they can also look through the window at my house and see the keypad on the other side of the room! They can't disarm it without a PIN, and they can't sniff the HTTPS connection when I am entering my PIN. They *might* be...
by bwalter
Thu Mar 21, 2013 12:27 pm
Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
Topic: New JQM Smartphone & Tablet Portal - Available Now
Replies: 32
Views: 43070

Re: New JQM Smartphone & Tablet Portal - Available Now

I'm hoping to avoid the vulnerability by setting up OpenVPN server on my router and OpenVPN client on my Android phone and then using mikep's DSC Security Keypad app. I'd consider using mikep's server app, but aside from my router, I don't keep any device on my home network on all the time. It woul...
by bwalter
Thu Mar 21, 2013 12:15 pm
Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
Topic: Major Security Flaw - Emailing of Mobile Portal Link
Replies: 16
Views: 18123

Re: Major Security Flaw - Emailing of Mobile Portal Link

I agree the way the hash is used to access the system is insecure in general, because as pointed out, it's possible to keep trying hashes and it won't take long until you gain access to someone's system. Perhaps the username should be required as part of the URL as well? At that point finding a working...
by bwalter
Wed Mar 20, 2013 7:07 pm
Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
Topic: Major Security Flaw - Emailing of Mobile Portal Link
Replies: 16
Views: 18123

Major Security Flaw - Emailing of Mobile Portal Link

Email is inherently insecure and Eyez On is emailing the mobile portal link from a server that does not support TLS. This means the email is sent from their mail server as plain text making it possible to intercept the email including the hash in the link. Even if the Eyez On mail server were using ...
by bwalter
Wed Mar 20, 2013 5:47 pm
Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
Topic: New JQM Smartphone & Tablet Portal - Available Now
Replies: 32
Views: 43070

Re: New JQM Smartphone & Tablet Portal - Available Now

I also did some testing as well. I used the TLS check site, and Gmail uses TLS, as expected, but has certificate issues (host name doesn't match). Eyez On doesn't seem to support TLS. This is the email header from a message sending me the mobile URL Received: by 10.58.90.39 with SMTP id bt7csp27852v...
by bwalter
Wed Mar 20, 2013 5:17 pm
Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
Topic: New JQM Smartphone & Tablet Portal - Available Now
Replies: 32
Views: 43070

Re: New JQM Smartphone & Tablet Portal - Available Now

TLS is not end-to-end, it's mail server to mail server. http://en.wikipedia.org/wiki/Email_encryption The STARTTLS SMTP extension is a TLS (SSL) layer on top of the SMTP connection. While it protects traffic from being sniffed during transmission, it is technically not encryption of emails because t...
by bwalter
Wed Mar 20, 2013 4:54 pm
Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
Topic: New JQM Smartphone & Tablet Portal - Available Now
Replies: 32
Views: 43070

Re: New JQM Smartphone & Tablet Portal - Available Now

"Transport Layer Security (TLS). It is coupled with Simple Authentication and Security Layer (SASL), which confirms the target router's identity. This ensures that unintended servers don't end up with a copy of the email, which happens frequently in the course of normal correspondence. This me...
by bwalter
Wed Mar 20, 2013 4:28 pm
Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
Topic: New JQM Smartphone & Tablet Portal - Available Now
Replies: 32
Views: 43070

Re: New JQM Smartphone & Tablet Portal - Available Now

Every mail server along the way would need to use valid certificates and verify them so even if Eyez On uses encryption to connect to their mail server, there's no guarantee that any and all intermediate mail servers also use encryption. It's still common for email to be passed between servers as pl...
by bwalter
Wed Mar 20, 2013 3:44 pm
Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
Topic: New JQM Smartphone & Tablet Portal - Available Now
Replies: 32
Views: 43070

Re: New JQM Smartphone & Tablet Portal - Available Now

Is there a way to get the hash without having it sent via email, perhaps instead displaying it somewhere in the main portal? Email is not encrypted during transport and may be stored along the way. As a result, the hash can be intercepted or even remain stored somewhere after you delete the email, s...