PSA: Support may make remote changes to your device without asking for permission or letting you know

Comments

12 comments

  • aa_aan

    I absolutely agree. They can access your device without a PIN or password, which means that if remote access is enabled they automatically have full access. It certainly seems like a security and privacy concern to me (devices contain location data as well as potentially photos of private areas). I contacted support once to ask why I didn't see a software update and they then updated my device without my permission. Another time I was getting weird NOAA data and they went and changed my weather settings, again without my permission. I have since disabled remote access, but the whole thing is unprofessional and insecure and exactly what I have come to expect from this company. I've mentioned my concerns to support but they just ignored that part of my message.

    2
  • drmm8

    The state of IoT devices is very sad in terms of security and privacy, bugs, poor QA and rushed software.

    In this case it is very concerning to me that they can get access to my LAN by tunneling via the RM. It is time to set up a separate WiFi network with device isolation and a separate VLAN from my main LAN. Luckily I already have the hardware to support all this, I just have to do the config work.

    Can't trust anyone to do the reasonable thing by default!

    0
  • aa_aan

    I know, I have done exactly what you described because the whole thing just doesn't sit right with me. I also set up DDNS on a domain and port forwards to allow me easy remote access.

    0
  • drmm8

    It is irresponsible on their part to continue this practice when multiple users tell them to stop. They can easily be hit with a class action lawsuit when CCPA comes into effect January 2020. They can lose their entire business in the process.

    0
  • drmm8

    > I also set up DDNS on a domain and port forwards to allow me easy remote access.

    I'm not even sure I want to do this at all. Do you trust they are doing the right thing with authentication for remote access? How buggy could the implementation be from a security perspective? Some script kiddie may not be able to get to your LAN but they could turn on the sprinklers and run them non-stop while you're on vacation.

    I'd be a lot more comfortable setting up a VPN to get to my LAN and connecting to the unit via VPN instead of opening a port in the firewall/router.

    0
  • aa_aan (Edited)

    I am probably taking a small risk, but I have firewall rules set to only allow connections from the MAC addresses of my phone and laptop.

    0
  • drmm8 (Edited)

    Not sure how you do that because MAC addresses do not make it to the server when connecting remotely from the internet via a bunch of routers in between. IP addresses and packets are layer 3, MAC addresses are layer 2.

    0
  • aa_aan

    You're right, I set it up a while ago and the rules are only applying to LAN traffic. I need to take a closer look when I get a chance...

    0
  • drmm8

    The safest way would be a VPN, such as WireGuard, and not enabling remote access/port forwarding on the RM. Then you connect your phone/laptop via VPN when away from home and then connect to the RM as if you were on the LAN. But still, the RM can connect remotely and open a tunnel back for anyone to connect via the tunnel. That's why it's also important to put it on its own VLAN, on a different WiFi network set to do "device isolation" so that devices on that WiFi network cannot talk to each other.

    0
  • drmm8 (Edited)

    If you want to make sure there are no persistent outgoing connections, make sure the process `sprinklerDaemonLinux` is not running; it's the reverse proxy that keeps a connection open to the remote RainMachine servers running on AWS.

    You have to restart the watchdog too, otherwise it will think `sprinklerDaemonLinux` crashed and it will reboot the unit; you don't want to be stuck in a reboot loop every few minutes.

    This is what I have as part of a script called from /etc/rc.local:

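    ```sh
    # Stop the cloud client so no persistent outgoing connection is kept open
    /etc/init.d/rainmachine-cloud-client stop
    # Clear the watchdog pipe and restart the watchdog so it does not reboot the unit
    rm -rf /tmp/watchdog-pipe
    /etc/init.d/rainmachine-watchdog restart
    ```

    0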
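One way to verify what the comment above is after, that no persistent outgoing connection remains once the cloud client is stopped (added example, not part of the thread and not RainMachine code): the script parses a `/proc/net/tcp` table and lists established connections whose peer is outside the LAN. The function names and the sample table are constructed here, and it assumes a little-endian CPU and IPv4 only.

```sh
#!/bin/sh
# Added example (not RainMachine code). Function names are hypothetical.
# Assumes a little-endian CPU and IPv4 only (/proc/net/tcp, not tcp6).

# Convert the 8 hex digits /proc/net/tcp uses for an address to dotted quad.
hex_to_ip() {
    h=$1
    printf '%d.%d.%d.%d' \
        "0x$(echo "$h" | cut -c7-8)" "0x$(echo "$h" | cut -c5-6)" \
        "0x$(echo "$h" | cut -c3-4)" "0x$(echo "$h" | cut -c1-2)"
}

# True for loopback, link-local and RFC 1918 addresses.
is_private() {
    case $1 in
        10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Read a /proc/net/tcp table on stdin and print "ip:port" for every
# ESTABLISHED (state 01) connection whose peer is outside the LAN.
external_peers() {
    while read -r _sl _local rem st _rest; do
        [ "$st" = "01" ] || continue
        ip=$(hex_to_ip "${rem%%:*}")
        is_private "$ip" && continue
        printf '%s:%d\n' "$ip" "0x${rem##*:}"
    done
}

# Constructed sample table: a listener, a LAN client, and one connection
# to 203.0.113.10:443 (documentation address standing in for a cloud host).
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 3200A8C0:1F90 0500A8C0:D2F4 01 00000000:00000000 00:00000000 00000000     0        0 1302
   2: 3200A8C0:9C40 0A7100CB:01BB 01 00000000:00000000 02:000001F4 00000000     0        0 1417
EOF
}

sample_table | external_peers
# On the device: external_peers < /proc/net/tcp
```

An empty result from the live table means no established IPv4 connection to a non-LAN peer exists at that moment; run it again after a reboot to confirm the rc.local script took effect.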
  • RainMachine Nicholas

    The remote access daemon won't connect if you disable "Remote Access".

    RainMachine doesn't store your configuration on our servers; actually, all that we have is an email address, a serial number and whether it is connected to our service or not. In the past, the support team had to request an access PIN from the user to get access, but since it was limited to 48 hours there were annoying cases where support had to ask again for a PIN.

    Since most of the support requests were about weather issues, the remote services developers added an option to get Weather/Update information and push weather/update config to the support interface. Theoretically, the protocol that support should follow requires that the support person ask if the user is OK with having their RainMachine accessed and its configuration changed.

    I already sent this thread and issue to support management so that they can take action.

    That being said, this will soon change since we have been working on a better way to share access, and each support login on your device will be conditioned by an email with an "Accept" button being sent to owners.

    1
  • drmm8

    Glad to hear you are listening and making changes.

    Disabling "Remote Access" seems to stop Notifications from working. Can these 2 features be split, as they are not related to each other? For Notifications the device needs to make outgoing calls to your servers, which is fine, but it should not require allowing incoming requests. I'm fine with not having Remote Access via your servers but I still want Notifications to work; these 2 features should not be coupled.

    0