I was interested in the EVL-3 and I have some questions about the ESP service. The biggest question I have is how is my data and system protected on the back-end? How much of my system data is stored? Who has access to my account - meaning can employees or administrators access any users system? The idea that a remote stranger could access and arm/disarm my alarm system is one thing, but I was thinking of integrating a camera or two and the idea that someone can access a live stream of my house is kinda creepy. I have searched as best I can to answer these questions but all I can find is info on how the connection to the mobile site is secure by ssl, but I can't seem to find any info about how my data is secure on your servers.
In the event that I did not want to use your portal could I just VPN into my house and control the system through the local web server. Does the EVL-3 automatically send data to your sites regardless.
I'm sure I'm just being paranoid, but I had to ask. Any info you could give would be great.
ESP Service Question
Moderators: EyezOnRich, GrandWizard
-
GrandWizard
- Posts: 2375
- Joined: Tue Nov 16, 2010 4:08 pm
Re: ESP Service Question
Good questions.
If you subscribe to the Envisalerts service through the Eyezon portal, by necessity event and status information is relayed and stored on our alerting servers. We store 6 months worth of event data and the current state of your security system. Events are communicated in real-time, and status information is updated roughly every 30 seconds.
No employees or admins have direct access to your portal account but we can obviously access the status and event data through our admin portal to help with tech support issues only.
How we handle this data is explained in our privacy policy (main eyezon page at the bottom) but in short, we won't use your data for anything other than to report that data to you in the "alerts" and to present the status information through the ESP.
You do not have to use Envisalerts and many Envisalink owners don't. They use it for the TPI or one of the third-party applications that are available. You could also VPN into your home and use the local interface but it's features are limited. The TPI provides all the features you find on the portal.
If you do not subscribe to the service then no security system information is transmitted to the servers. The only communication is a "heartbeat" that happens every 10-30 minutes which is used by the Envisalink to see if firmware updates are available. If you don't want this either then block outgoing port 4020 on UDP.
The Envisalink is a great product and Envisalerts is a great service. We wouldn't be where we are now if we didn't take our customers' privacy and security very seriously.
If you subscribe to the Envisalerts service through the Eyezon portal, by necessity event and status information is relayed and stored on our alerting servers. We store 6 months worth of event data and the current state of your security system. Events are communicated in real-time, and status information is updated roughly every 30 seconds.
No employees or admins have direct access to your portal account but we can obviously access the status and event data through our admin portal to help with tech support issues only.
How we handle this data is explained in our privacy policy (main eyezon page at the bottom) but in short, we won't use your data for anything other than to report that data to you in the "alerts" and to present the status information through the ESP.
You do not have to use Envisalerts and many Envisalink owners don't. They use it for the TPI or one of the third-party applications that are available. You could also VPN into your home and use the local interface but it's features are limited. The TPI provides all the features you find on the portal.
If you do not subscribe to the service then no security system information is transmitted to the servers. The only communication is a "heartbeat" that happens every 10-30 minutes which is used by the Envisalink to see if firmware updates are available. If you don't want this either then block outgoing port 4020 on UDP.
The Envisalink is a great product and Envisalerts is a great service. We wouldn't be where we are now if we didn't take our customers' privacy and security very seriously.
Re: ESP Service Question
Hello; another paranoiac going to buy an EnvisaLink here 
Do please bear with my questions, based, most probably, on my misunderstanding of the system. Also, let me emphasise I really like what I read here — the support is excellent (just like the device itself)!
Now, I wonder. Let's presume some evil person manages to crack into my LAN, e.g., through WiFi — far as I understand, WPA2 is far from unbreakable. Let's presume he happens to know I have an EnvisaLink, and knows both its HTTP and TPI protocols well.
(a) could he brute-force the access through the local password? Or would the device employ some (increasing?) delay if it encounters too many failed attempts, be it through HTTP or TPI?
(b) could he perhaps even remove the local password? I might be misunderstanding something, but it seems to be technically possible, based on http://forum.eyez-on.com/FORUM/viewtopi ... ab6f3daaaf
(c) if he is in, could he further brute-force my disarm key and disarm? More precisely, is there anything EnvisaLink-side which would prevent him to? (I believe my DSC can be configured to delay attempts to disarm upon getting a couple of wrong keys, so there's some extra security at this side.)
Thanks a lot!
Do please bear with my questions, based, most probably, on my misunderstanding of the system. Also, let me emphasise I really like what I read here — the support is excellent (just like the device itself)!Now, I wonder. Let's presume some evil person manages to crack into my LAN, e.g., through WiFi — far as I understand, WPA2 is far from unbreakable. Let's presume he happens to know I have an EnvisaLink, and knows both its HTTP and TPI protocols well.
(a) could he brute-force the access through the local password? Or would the device employ some (increasing?) delay if it encounters too many failed attempts, be it through HTTP or TPI?
(b) could he perhaps even remove the local password? I might be misunderstanding something, but it seems to be technically possible, based on http://forum.eyez-on.com/FORUM/viewtopi ... ab6f3daaaf
(c) if he is in, could he further brute-force my disarm key and disarm? More precisely, is there anything EnvisaLink-side which would prevent him to? (I believe my DSC can be configured to delay attempts to disarm upon getting a couple of wrong keys, so there's some extra security at this side.)
Thanks a lot!