Major Security Flaw - Emailing of Mobile Portal Link

[bwalter]

Email is inherently insecure and eyez on is emailing the mobile portal link from a server that does not support TLS. This means the email is sent from their mail server as plain text making it possible to intercept the email including the hash in the link. Even if the Eyez On mail server were using TLS, there is no guarantee that the receiver is or that all the mail relays involved are.

The issue is the link can be used to connect to a user's account without a username/password and observe the status of the system. The hash from the link can also be used with the web API.

The mobile portal has the capability for the user to log on so sending the link containing the hash is unnecessary. Sending the link as simply https://www.eyez-on.com/EZMOBILE/ would be an easy solution to the vulnerability. Since the hash is placed in the URL after logging on, users could bookmark the mobile site after logging on if they didn't want to be prompted in the future.

Users can also use the above method to retrieve the hash to use with the web API, though it might be nice to make the hash available on the main portal.

It would also be nice to have the possibility of enabling the Mobile Portal without any email being sent. Instead the main portal could provide the link and/or hash.

[smyers119]

Grrr....mail does not travel through multiple random relays. mail is delivered from mail server to mail server. If your mail passes through more then 1 "mail relay" it is because you are probably using a big mail service like gmail or you are a small company that pays to use somebody elses larger mail server. (mail server and mail relay can be used interchangeably) the fault lies 100% on the eyez-on mail server or your mail server for not initiating and/or accepting TLS. Both can easily be fixed and if you own your own mail server and are worried about insecure mail you an force TLS or reject mail. In this instance the fault is with eyez-on.

[telecomgeek]

Understand that this problem exists because you don't want people to find out your "hash". You are trying to obscure your "hash" number. The problem with obsurity is that it does NOT make a system secure. Even if eyes-on emails securely OR presents the mobile url to you on-line via a TLS protected webpage. Somebody can still write a script and guess your hash, and then access your alarm page. I agree the email issue is problematic, but the bigger problem is that anybody can access your alarm page if they guess your mobile url "hash" number. That's not security.

[bwalter]

I agree the way the hash is used to access the system is insecure in general, because as pointed out, it's possible to keep trying hashes and it won't take long until you gain access to someone's system.

Perhaps the username should required as part of the URL as well? At that point finding a working username/hash combination would take a similar amount of effort as brute forcing the username/password plus access could be locked out after a certain number of failed attempts for a specific user.

[smyers119]

This post has been up almost 24 hours and no reply from a eyez-on employee/moderator? I guess if you don't acknowledge there is an issue you can pretend one does not exist??

[PurdueGuy]

With a hash, someone can look at my system, and see that it is armed.
However, they can also look through the window at my house and see the keypad on the other side of the room!

They can't disarm it without a PIN, and they can't sniff the HTTPS connection when I am entering my PIN.

They *might* be able to arm it, depending on settings.

I'm not very worried.

[rustyk]

I know I'll catch flak here for distracting from the hash issue at hand, but I'm thinking that if somebody has the skills and access to intercept your email on a relay server, then know how to use the hash data in it to view your system status, then figure out where you live and actually go there... then they're more likely to just steal your credit card online than to break your window in person. So I'd say this is something they might want to look at, but the poster over-hypes the immediate danger a bit.

[bwalter]

With a hash, someone can look at my system, and see that it is armed.
However, they can also look through the window at my house and see the keypad on the other side of the room!

They can't disarm it without a PIN, and they can't sniff the HTTPS connection when I am entering my PIN.

They *might* be able to arm it, depending on settings.

I'm not very worried.

With regards to the keypad they can see inside, presumably they'd have a very limited amount of time to attempt to enter PINs after accessing your keypad before the alarm sounds. With your system exposed via the internet, they can use a script to try PINs in an automated manner. They could even spend days trying to guess you PIN without worrying about triggering the alarm or even you knowing they are trying to figure out your PIN.

[GrandWizard]

With regards to the keypad they can see inside, presumably they'd have a very limited amount of time to attempt to enter PINs after accessing your keypad before the alarm sounds. With your system exposed via the internet, they can use a script to try PINs in an automated manner. They could even spend days trying to guess you PIN without worrying about triggering the alarm or even you knowing they are trying to figure out your PIN.

No, you can't do that. On DSC systems, for example, after a number of unsuccessful attempts to enter a code the panel enters "Keypad Lockout". The panel will not accept any more attempts until a 10 minute window has expired. Your also get an Enivsalert every time this happens.

The issue of convenience over security has already been hashed out ad nauseum on the forum. I'll summarize; You can either choose to use the mobile link for quick access to your account, or log in normally with your credentials. It is your choice.

We added the quick access hash authentication method a couple of years ago because of overwhelming demand to avoid logging in with username/password on mobile devices.

[smyers119]

Thanks for the reply wizzard, but you didn't cover eyez on lack of using tls for emailing the hash.