Page 24 of 36 FirstFirst ... 14192021222324252627282934 ... LastLast
Results 231 to 240 of 357

Thread: Evohome app broken

  1. #231
    Automated Home Legend paulockenden's Avatar
    Join Date
    Apr 2015
    Location
    South Coast
    Posts
    1,594

    Default

    I have a lan2rf gateway communicating with my Eco RF 36.

    For me, http://<<ip address>>/heaterlist.json returns:

    {"heaterlist":["id_of_my_boiler",null,null,null,null,null,null,null]}

    You need http://<<ip address>>/data.json to get the actual data.

    More details here.
    Last edited by paulockenden; 26th February 2019 at 12:40 PM.

  2. #232
    Automated Home Legend paulockenden's Avatar
    Join Date
    Apr 2015
    Location
    South Coast
    Posts
    1,594

    Default

    Quote Originally Posted by rjtucker View Post
    The lan2rf device is completely disconnected at the moment, my main concern being the security of the connection. I really want to know how I can be sure that Intergas have made the device secure.
    These are the people who wrote the app, so will almost certainly know more about this than Intergas UK.

    From that page, Google Translate says:

    Privacy and security guarantee
    Privacy and security is always a challenge and especially when it comes to boilers that are at home with people. You do not want random people to gain access to your central heating boiler and thus change your thermostat. To prevent this, we have built in several safety checks that ensure that the chance that a central heating boiler is operated by third parties is kept to a minimum.

    Which doesn't really say anything!

    That fact that the device accepts inbound connections with no or known passwords is obviously a security risk. For most users it'll be hidden behind NAT, which offers a degree of firewalling. But if someone gained access to another device on your network they would be able to access the Lan2RF gateway.

    It's a risk I'm prepared to take.

  3. #233
    Automated Home Jr Member
    Join Date
    Feb 2019
    Location
    Salford, Greater Manchester, United Kingdom
    Posts
    18

    Default

    Quote Originally Posted by paulockenden View Post
    You need http://<<ip address>>/data.json to get the actual data.
    Someone on another forum put a link to a filesharing site with the instructions in Dutch.

    It's the filedropper link on this page:
    https://community.home-assistant.io/...ateway/23967/2
    Last edited by rjtucker; 26th February 2019 at 01:29 PM.

  4. #234
    Automated Home Jr Member
    Join Date
    Feb 2019
    Location
    Salford, Greater Manchester, United Kingdom
    Posts
    18

    Default

    Quote Originally Posted by paulockenden View Post
    Thanks for the info.

    Quote Originally Posted by paulockenden View Post
    That fact that the device accepts inbound connections with no or known passwords is obviously a security risk. For most users it'll be hidden behind NAT, which offers a degree of firewalling. But if someone gained access to another device on your network they would be able to access the Lan2RF gateway.
    According to my email provider, smtp messages are often used to send information to these devices. Since these only send information, that my email account accepted them is not unexpected. Web logins, which were the first two logins, are more suspicious, and why did it go for my email account?
    Last edited by rjtucker; 26th February 2019 at 01:44 PM.

  5. #235
    Automated Home Legend paulockenden's Avatar
    Join Date
    Apr 2015
    Location
    South Coast
    Posts
    1,594

    Default

    You've completely lost me with that last paragraph!

    I don’t think many IoT devices contain an SMTP server! I suspect someone is confused about PCs becoming infected because someone opened an attachment in an infected email.

  6. #236
    Automated Home Jr Member
    Join Date
    Feb 2019
    Location
    Salford, Greater Manchester, United Kingdom
    Posts
    18

    Default

    Quote Originally Posted by paulockenden View Post
    You've completely lost me with that last paragraph!

    I donít think many IoT devices contain an SMTP server! I suspect someone is confused about PCs becoming infected because someone opened an attachment in an infected email.
    A screeenshot of a reply I got from Fastmail:

    fastmail_ticker.jpg

  7. #237
    Automated Home Legend paulockenden's Avatar
    Join Date
    Apr 2015
    Location
    South Coast
    Posts
    1,594

    Default

    Without knowing the background it's hard to understand that. Especially "logins via SMTP".

    P.
    Last edited by paulockenden; 26th February 2019 at 06:53 PM.

  8. #238
    Automated Home Jr Member
    Join Date
    Feb 2019
    Location
    Salford, Greater Manchester, United Kingdom
    Posts
    18

    Default

    Quote Originally Posted by paulockenden View Post
    Without knowing the background it's hard to understand that. Especially "logins via SMTP".
    The boiler was installed on 12th February 2019. An electrician set up an account on/via the lan2rf (as I didn't have a smartphone at that time) on 14th February. Later that day, I discovered I could install Android on VMware and found I could get some functions of the Android app to work that way. On Monday 18th, I took delivery of a smartphone and accessed the lan2rt device with it. I completely disconnected the device from the mains power and Internet on 21st February. I have never been able to access it with a browser or GET command.

    On Monday 18th, it became obvious I was not receiving mail on my Fastmail account. It would receive a test mail I sent from my Yahoo email account, but not from elsewhere. Here are some screenshots of my logins log on Fastmail:

    Attachment 1386
    Attachment 1387

    Maybe I can upload the full .csv if necessary.

    There are no successful logins before the U.S.ones on Feb 17th. There are no successful ones but mime after 20th February.

  9. #239
    Automated Home Guru
    Join Date
    Dec 2016
    Posts
    134

    Default

    Don't really know how that SMTP stuff is supposed to be related to Evohome, but SMTP is the internet mail transfer protocol. This starts with your client and ends with the mail server that hosts your email address and from which you collect your email using reader protocols like IMAP or POP3 (or MAPI, the horror!). Emails may be handed through several mail transfer agents (MTA) before reaching their destination postbox (which is an MTA itself) but this never includes sending login credentials. The only point in this chain where credentials are sent are at the source, so if you see successful logins from external sources on your email server (i.e. MTA) that means that someone else is using your server to send emails - which will most likely be spam.

  10. #240
    Automated Home Jr Member
    Join Date
    Feb 2019
    Location
    Salford, Greater Manchester, United Kingdom
    Posts
    18

    Default

    Quote Originally Posted by gordonb3 View Post
    Don't really know how that SMTP stuff is supposed to be related to Evohome
    Nor me, not even after reading and trying to understand this:
    https://developer.ibm.com/articles/i...alware-attack/

    I guess what I might need to try to do is to play around with the lan2rt connected to the Wi-Fi and Internet using my smartphone but with my desktops shutdown – only they hold sensitive passwords. But until Intergas get in touch to say the apps are fixed (and supply me with a lan2rf with a readable password?), I'm not too sure it's worth doing that.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •