Search found 10 matches
- Fri Mar 22, 2013 4:35 pm
- Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
- Topic: Major Security Flaw - Emailing of Mobile Portal Link
- Replies: 16
- Views: 20112
Re: Major Security Flaw - Emailing of Mobile Portal Link
With a hash, someone can look at my system, and see that it is armed. However, they can also look through the window at my house and see the keypad on the other side of the room! They can't disarm it without a PIN, and they can't sniff the HTTPS connection when I am entering my PIN. They *might* be ...
- Thu Mar 21, 2013 12:27 pm
- Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
- Topic: New JQM Smartphone & Tablet Portal - Available Now
- Replies: 32
- Views: 46763
Re: New JQM Smartphone & Tablet Portal - Available Now
I'm hopping to avoid the vulnerability by setting up OpenVPN server on my router and OpenVPN client on my Android phone and then using mikep's DSC Security Keypad app. I'd consider using mikep's server app, but aside from my router, I don't keep any device on my home network on all the time. It ...
- Thu Mar 21, 2013 12:15 pm
- Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
- Topic: Major Security Flaw - Emailing of Mobile Portal Link
- Replies: 16
- Views: 20112
Re: Major Security Flaw - Emailing of Mobile Portal Link
I agree the way the hash is used to access the system is insecure in general, because as pointed out, it's possible to keep trying hashes and it won't take long until you gain access to someone's system. Perhaps the username should required as part of the URL as well? At that point finding a working ...
- Wed Mar 20, 2013 7:08 pm
- Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
- Topic: New JQM Smartphone & Tablet Portal - Available Now
- Replies: 32
- Views: 46763
- Wed Mar 20, 2013 7:07 pm
- Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
- Topic: Major Security Flaw - Emailing of Mobile Portal Link
- Replies: 16
- Views: 20112
Major Security Flaw - Emailing of Mobile Portal Link
Email is inherently insecure and eyez on is emailing the mobile portal link from a server that does not support TLS. This means the email is sent from their mail server as plain text making it possible to intercept the email including the hash in the link. Even if the Eyez On mail server were using ...
- Wed Mar 20, 2013 5:47 pm
- Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
- Topic: New JQM Smartphone & Tablet Portal - Available Now
- Replies: 32
- Views: 46763
Re: New JQM Smartphone & Tablet Portal - Available Now
I also did some testing as well. I used the TLS check site, and Gmail uses TLS, as expected, but has certificate issues (host name doesn't match). Eyez On doesn't seem to support TLS. This is the email header from a message sending me the mobile URL Received: by 10.58.90.39 with SMTP id ...
- Wed Mar 20, 2013 5:17 pm
- Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
- Topic: New JQM Smartphone & Tablet Portal - Available Now
- Replies: 32
- Views: 46763
Re: New JQM Smartphone & Tablet Portal - Available Now
TLS is not end-to-end, it's mail server to mail server. http://en.wikipedia.org/wiki/Email_encryption The STARTTLS SMTP extension is a TLS (SSL) layer on top of the SMTP connection. While it protects traffic from being sniffed during transmission, it is technically not encryption of emails because ...
- Wed Mar 20, 2013 4:54 pm
- Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
- Topic: New JQM Smartphone & Tablet Portal - Available Now
- Replies: 32
- Views: 46763
Re: New JQM Smartphone & Tablet Portal - Available Now
"Transport Layer Security (TLS). It is coupled with Simple Authentication and Security Layer (SASL), which confirms the target router's identity. This ensures that unintended servers don't end up with a copy of the email, which happens frequently in the course of normal correspondence. This method ...
- Wed Mar 20, 2013 4:28 pm
- Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
- Topic: New JQM Smartphone & Tablet Portal - Available Now
- Replies: 32
- Views: 46763
Re: New JQM Smartphone & Tablet Portal - Available Now
Every mail server along the way would need to use valid certificates and verify them so even if eyez on uses encryption to connect to their mail server, there's no guarantee that any and all intermediate mail servers also use encryption. It's still common for email to be passed between servers as ...
- Wed Mar 20, 2013 3:44 pm
- Forum: EnvisaLink ( IP100D, IP170D, 2DS, 3, 4)
- Topic: New JQM Smartphone & Tablet Portal - Available Now
- Replies: 32
- Views: 46763
Re: New JQM Smartphone & Tablet Portal - Available Now
Is there a way to get the hash without having it sent via email, perhaps instead displaying it somewhere in the main portal? Email is not encrypted during transport and may be stored along the way. As a result, the hash can be intercepted or even remain stored somewhere after you delete the email ...