PSA: Support may make remote changes to your device without asking for permission or letting you know
It just happened to me, Support enabled "Beta Updates" on my Pro-8 without asking for my permission first or even letting me know what they changed. I discovered the setting was enabled after a firmware update was applied.
I'm perfectly capable of checking a box and it is my choice whether to do it or not.
This is not cool behavior on their part :(
In general it does not sit well with me that they can access the device without authorization.
-
I absolutely agree. They can access your device without a pin or password which means that if remote access is enabled they automatically have full access. It certainly seems like a security and privacy concern to me (devices contain location data as well as potentially photos of private areas). I contacted support once to ask why I didn't see a software update and they then updated my device without my permission. Another time I was getting weird NOAA data and they went and changed my weather settings again without my permission. I have since disabled remote access, but the whole thing is unprofessional and insecure and exactly what I have come to expect from this company. I've mentioned my concerns to support but they just ignored that part of my message.
-
The state of IoT devices is very sad in terms of security and privacy, bugs, poor QA and rushed software.
In this case it is very concerning to me that they can get access to my LAN by tunneling via the RM. It is time to set up a separate WiFi network with device isolation and a separate VLAN from my main LAN. Luckily I already have the hardware to support all this, I just have to do the config work.
Can't trust anyone to do the reasonable thing by default!
-
> I also set up DDNS on a domain and port forwards to allow me easy remote access.
I'm not even sure I want to do this at all. Do you trust they are doing the right thing with authentication for remote access? How buggy could the implementation be from a security perspective? Some script kiddie may not be able to get to your LAN but they could turn on the sprinklers and run them non-stop while you're on vacation.
I'd be a lot more comfortable setting up VPN to get to my LAN and connecting to the unit via VPN instead of opening a port in the firewall/router.
-
Safest way would be VPN, such as Wireguard, and not enable remote access/port forwarding on the RM. Then you connect your phone/laptop via VPN when away from home and then connect to the RM as if you were on the LAN. But still, the RM can connect remotely and open a tunnel back for anyone to connect via the tunnel. That's why it's also important to put it on its own VLAN, on a different WiFi network set to do "device isolation" so that devices on that WiFi network cannot talk to each other.
-
If you want to make sure there are no persistent outgoing connections, make sure the process `sprinklerDaemonLinux` is not running, it's the reverse proxy that keeps a connection open to the remote rainmachine servers running on AWS.
You have to restart the watchdog too otherwise it will think `sprinklerDaemonLinux` crashed and it will reboot the unit, you don't want to be stuck in a reboot loop every few minutes.
This is what I have as part of a script called from /etc/rc.local:
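```sh
# Stop the cloud client so no connection to the remote servers stays open
/etc/init.d/rainmachine-cloud-client stop
# Remove the watchdog pipe before restarting the watchdog
rm -rf /tmp/watchdog-pipe
# Restart the watchdog so it does not treat the stopped daemon as a crash
/etc/init.d/rainmachine-watchdog restart
```
-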
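A way to verify the result the post above describes, added here as an example (it is not part of the thread or of RainMachine's software): list established TCP connections whose peer is outside loopback and private address space. It assumes shell access to the device, a little-endian CPU and IPv4 only; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# /proc/net/tcp stores addresses as hex in host byte order, so on a
# little-endian CPU (assumed here) 0100007F is 127.0.0.1.
hex_to_ip() {
    set -- $(printf '%s\n' "$1" | sed 's/\(..\)\(..\)\(..\)\(..\)/\4 \3 \2 \1/')
    printf '%d.%d.%d.%d\n' "$((0x$1))" "$((0x$2))" "$((0x$3))" "$((0x$4))"
}

# True for loopback and RFC 1918 (LAN) addresses.
is_local() {
    case "$1" in
        127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Reads /proc/net/tcp-format rows on stdin and prints "ip:port" for every
# socket in state 01 (ESTABLISHED) whose peer is not a local address.
external_established() {
    while read -r _sl _local rem st _rest; do
        [ "$st" = "01" ] || continue          # skips header, LISTEN, TIME_WAIT...
        ip=$(hex_to_ip "${rem%%:*}")
        is_local "$ip" && continue
        printf '%s:%d\n' "$ip" "$((0x${rem##*:}))"
    done
}

# True if the reverse-proxy process named in the post is running.
daemon_running() {
    pidof "${1:-sprinklerDaemonLinux}" >/dev/null 2>&1
}

# Constructed sample rows (documentation addresses, not from a real device):
# a listener, a LAN client, one outbound connection, one TIME_WAIT socket.
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0050 00000000:0000 0A 00000000:00000000
   1: 3201A8C0:0050 1401A8C0:C738 01 00000000:00000000
   2: 3201A8C0:9C40 0A7100CB:01BB 01 00000000:00000000
   3: 3201A8C0:9C41 076433C6:01BB 06 00000000:00000000
EOF
}
```

On the device, run `external_established < /proc/net/tcp` after the stop script; any line it prints is a connection still open to an outside host.
-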
The remote access daemon won't connect if you disable "Remote Access".
RainMachine doesn't store your configuration on our servers, actually all that we have is an email address, a serial number and if connected to our service or not. In the past, the support team had to request an access PIN from the user to get access, but since it was limited to 48 hours there were annoying cases where support had to ask again for a PIN.
Since most of the support requests were about weather issues, remote services developers added an option to get Weather/Update information and push weather/update config to the support interface. Theoretically the protocol that support should follow requires that the support person ask if the user is OK with having the RainMachine accessed and its configuration changed.
I already sent this thread and issue to support management so that they can take action.
That being said, this will soon change since we have been working on a better way to share access and each support login on your device will be conditioned by an email with "Accept" button being sent to owners.
-
Glad to hear you are listening and making changes.
Disabling "Remote Access" seems to stop Notifications from working. Can these 2 features be split as they are not related to each other? For Notifications the device needs to make outgoing calls to your servers which is fine, but it should not require allowing incoming requests. I'm fine with not having Remote Access via your servers but I still want Notifications to work, these 2 features should not be coupled.