Info on how the ERGY Energy Plugin is handling your Data

guessed · June 21, 2012, 2:20pm

Actually, it looks like Vera is sending data to ERGY in clear-text. That includes Data and the ERGY Key. Probably not the best to take private data and let everyone see it.

ie. NO encyrption.

[code]07:12:54.114410 IP 192.168.x.xxx.46217 > mios.eemanager.net.80: Flags [P.], seq 241:834, ack 26, win 1095, length 593
0x0000: …
0x0010: …
0x0020: …
0x0030: 0447 e8c3 0000 3c3f 786d 6c20 7665 7273 .G…<?xml.vers 0x0040: 696f 6e3d 2231 2e30 223f 3e3c 656e 6572 ion="1.0"?><ener
0x0050: 6779 3e3c 6369 643e 333c 2f63 6964 3e3c gy>3<
0x0060: 6769 643e 3330 3030 3132 3230 3c2f 6769 gid>30000666</gi
0x0070: 643e 3c6b 6579 3e5b … … … … d>[…

… data redacted …

0x00e0:  .... .... .... .... ..5d 3c2f 6b65 793e  ...]</key>
0x00f0:  3c64 6576 6963 6573 3e3c 6465 7669 6365  <devices><device
0x0100:  3e3c 6465 7669 6365 5f69 643e 3932 3c2f  ><device_id>92</
0x0110:  6465 7669 6365 5f69 643e 3c64 6576 6963  device_id><devic
0x0120:  655f 6e61 6d65 3e42 7275 6c74 6563 6820  e_name>Brultech.
0x0130:  506f 7765 7220 4d65 7465 723c 2f64 6576  Power.Meter</dev
0x0140:  6963 655f 6e61 6d65 3e3c 7661 6c75 653e  ice_name><value>
0x0150:  3231 303c 2f76 616c 7565 3e3c 7365 7276  210</value><serv
0x0160:  6963 653e 456e 6572 6779 4d65 7465 7269  ice>EnergyMeteri
0x0170:  6e67 313c 2f73 6572 7669 6365 3e3c 7661  ng1</service><va
0x0180:  7269 6162 6c65 3e57 6174 7473 3c2f 7661  riable>Watts</va
0x0190:  7269 6162 6c65 3e3c 666c 6167 3e30 3c2f  riable><flag>0</
0x01a0:  666c 6167 3e3c 6672 6f6d 4361 6368 653e  flag><fromCache>
0x01b0:  303c 2f66 726f 6d43 6163 6865 3e3c 7061  0</fromCache><pa
0x01c0:  7265 6e74 3e30 3c2f 7061 7265 6e74 3e3c  rent>0</parent><
0x01d0:  6361 7465 676f 7279 3e3c 2f63 6174 6567  category></categ
0x01e0:  6f72 793e 3c72 6f6f 6d3e 4272 756c 7465  ory><room>Brulte
0x01f0:  6368 3c2f 726f 6f6d 3e3c 7768 6f6c 655f  ch</room><whole_
0x0200:  686f 7573 653e 303c 2f77 686f 6c65 5f68  house>0</whole_h
0x0210:  6f75 7365 3e3c 746f 7461 6c5f 7265 6e65  ouse><total_rene
0x0220:  7761 626c 653e 303c 2f74 6f74 616c 5f72  wable>0</total_r
0x0230:  656e 6577 6162 6c65 3e3c 6461 7465 3e31  enewable><date>1
0x0240:  3334 3032 3837 3937 333c 2f64 6174 653e  340287973</date>
0x0250:  3c74 7a4f 6666 7365 743e 2d30 3730 303c  <tzOffset>-0700<
0x0260:  2f74 7a4f 6666 7365 743e 3c2f 6465 7669  /tzOffset></devi
0x0270:  6365 3e3c 2f64 6576 6963 6573 3e3c 2f65  ce></devices></e
0x0280:  6e65 7267 793e 0a                        nergy>.[/code]

guessed · June 21, 2012, 2:28pm

Florin,
It also ships, in cleartext, descriptions of a number of non-power management devices over to ERGY.

ie. I saw the device descriptions for my SQBlaster, my Alarm System components (Motion Sensors etc)

Why is this plugin permitted to send soo much of my data to a third party? I don’t believe I ever signed up to let it know anything other than Power data

I’ve removed the plugin since it’s leaking WAY too much data to a third party to be considered trusted.

Has the MCV Team reviewed the code of this Plugin, and validated what it’s doing against any contract you have in place with them?

garrettwp · June 21, 2012, 3:32pm

This is a huge security concern and MCV should be in contact with ERGY to rectify the situation!

Garrett

guessed · June 21, 2012, 4:31pm

[quote=“garrettwp, post:3, topic:171865”]This is a huge security concern and MCV should be in contact with ERGY to rectify the situation!

Garrett[/quote]
Yeap, glad I ran it on a test system first. All plugins have access to the Network your Device is sitting on, so they run with a high level of trust on behalf of the users.

To me, they’ve violated that trust by ignoring very basic Security-principals (least data-exposure, protect data in-flight).

I won’t be installing it again, and I’d recommend others also steer clear - at least until there’s been an appropriate disclosure of the data being copied to their servers, and rudimentary protections/controls for data in-flight. If they publish the client’s source-code, for example, then it could be vetted for these things (both now, and over time)

The ERGY paid service is hosted, so they’ll keep their secret sauce and continue to make money. There should be no reason not to publish [logically or physically] what the client-code is doing/collecting to allay concerns and get a rudimentary security stance in place.

… come to think of it, how is the data protected at-rest when it’s on their infrastructure?
… and has anyone done an overall security audit of their efforts?

guessed · June 21, 2012, 4:56pm

[quote=“garrettwp, post:3, topic:171865”]This is a huge security concern and MCV should be in contact with ERGY to rectify the situation!

Garrett[/quote]

Filed Bug 2434 to track the security/privacy exposure:
http://bugs.micasaverde.com/view.php?id=2434

mcvflorin · July 3, 2012, 11:13am

This has been addressed in version 1.2 of the plugin. All the data sent to the Ergy servers is now encrypted.

garrettwp · July 3, 2012, 11:24am

I believe the other concern is that it is sending all of the data and not only the data that is needed.

Garrett

mcvflorin · July 3, 2012, 11:33am

@garrettwp

I’ll try to find about this too.

guessed · July 3, 2012, 1:19pm

The standard security list:

[ul][li]Protection on data in flight
[/li][li]Protection on data at rest
[/li][li]Minimal data sent, based upon absolute need
[/li][li]Disclosures on what is transmitted/collected/stored
[/li][li]Mechanism to purge
[/li][list][/list][/ul]

BOFH · July 3, 2012, 4:33pm

MCVFlorin:

I was under the impression that ERGY and MCV were more or less related. Wa sI incorrect in this assumption?

Guessed:
Hmm, I’m ruinning version 1.1 so no encryption. Thanks for the heads up. I’ll uninstall it when I get home and wait for 1.2 to emerge.

automator.app · July 3, 2012, 5:10pm

ergy and mios show the same hq address, “echo labs, LLC”

mcvflorin · July 4, 2012, 8:46am

Ergy runs an occasional simple poll of the entire device list in order to account for the device list updates and changes. This is computed server side in order to keep the Ergy code light. The only information that it’s sent for devices that do not report energy is the device name, number and category.

Where did you find that? AFAIK EchoLabs is not related to MiOS or Mi Casa Verde.

sparkejj · July 4, 2012, 9:20am

Ergy and TrickTV appear related; perhaps that’s what @automator.app meant?
http://www.ergyenergy.com/contact-us/
http://www.tricktv.com/contact/

Ergy and MiOS are presented as partners.
http://mios.com/news_echo_labs_alliance.html

automator.app · July 4, 2012, 1:30pm

Ergy and TrickTV appear related; perhaps that’s what @automator.app meant?
http://www.ergyenergy.com/contact-us/
http://www.tricktv.com/contact/

Ergy and MiOS are presented as partners.
http://mios.com/news_echo_labs_alliance.html[/quote]

Yep, shows how good my memory is. It is ergy and tricktv that appear the same. I thought that was quite curious, as tricktv has the same tech support ssh tunnel system as MCV through tsx.mios.com

guessed · July 4, 2012, 2:49pm

It’s trivial to build the list of wattage based devices, at startup, and only transmit that. There is absolutely no need to transmit anything else.

It’ll be a tiny amount of Lua code, a much smaller on-the-wire representation, and less SSL overhead overall.

My Vera2 has well over 100 devices, and less than 14 energy ones (2x Brultech ECM-1240’s). A more typical setup is only going to have 1 or 2 power meeting devices, so why transmit all that unneeded data (regularly)?

BTW: even with everything being transmitted, they still don’t use the standard power metering service, so they still cannot see the Brultech (presumably also the CC and TED) plugin devices…