homebridge-rinnai-controlr icon indicating copy to clipboard operation
homebridge-rinnai-controlr copied to clipboard

Published 20 hours ago verified publisher icon dustindclark

Encrypt our Rinnai Control-R password

Open buckzilla opened this issue 3 years ago • 2 comments

I am concerned with my Rinnai login credentials sitting in plain text on the Homebridge config file. Is it possible that they can be point in time encrypted/decrypted? This is how most network vendors handle this problem (passwords in text config files).

buckzilla avatar Feb 07 '22 20:02 buckzilla

While this is absolutely a valid request, I'd like to point out a couple of things.

  1. The Rinnai API is not in anyway secured...so anyone with your email address and IP address can control your water heater. This is a huge vulnerability that I can't believe that they haven't addressed. This plugin, however, enforces authentication before allowing control.
  2. A would-be attacker would have to have access to your local network to see this information. If they have this, they can already control your devices and/or modify your Homebridge config.

dustindclark avatar Feb 11 '22 01:02 dustindclark

Rinnai finally secured their API, so point 1 made above is no longer valid.

dustindclark avatar Aug 24 '22 15:08 dustindclark