Heatermeter and Heartbleed (SSL)

Phillip P

TVWBB Fan
I haven't had a chance to fire up my box since the Heartbleed bug has been announced.

Do we have anything to worry about?
 
~# openssl version
OpenSSL 1.0.1e 11 Feb 2013

We're doomed!

Note: There is no SSL enabled by default, so your heatermeter username and password are always being transmitted in clear text over the big bad internet if you choose to log into it from outside of your home's wifi network.
 
Or if you have a bunch of NSA dudes show up right after your BBQ is done, you know you've been hacked.
 
Yeah the library on HeaterMeter has the vulnerability as it is built with heartbeat support. You'd be best suited to not exposing your HTTPS or SSH on the device to the outside world. I kinda think that leaving the clear HTTP is best, considering that would take someone sniffing your traffic to expose the password. The HTTPS and SSH would be exploitable by any script kiddie anywhere.
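A quick check a reader of this thread can run on the box in question, added here as an example (not code from the thread or from the HeaterMeter project): classify the `openssl version` line quoted above against the Heartbleed affected range, and separately look for the OPENSSL_NO_HEARTBEATS build flag in `openssl version -f`. The sample version strings are constructed, and the note about distro backports is a general assumption, not something the thread states.

```shell
#!/bin/sh
# Added example: Heartbleed (CVE-2014-0160) exposure check from version data.
# Affected upstream releases: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g and later are fixed; 0.9.8 and 1.0.0 never had TLS heartbeat code.
# Assumption about vendor practice: distros often backport the fix without
# changing the version letter, so "vulnerable" here means "verify the package
# changelog", not "confirmed exposed".

heartbleed_status() {
    # $1: one line as printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f])            echo vulnerable ;;
        1.0.2-beta1)                 echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*|1.1*|3.*) echo fixed ;;        # beta2+ and everything newer
        0.9.*|1.0.0*)                echo not-affected ;;
        *)                           echo unknown ;;
    esac
}

# Independent signal: a build compiled with -DOPENSSL_NO_HEARTBEATS contains no
# heartbeat code at all, whatever the version letter says. Returns 0 if found.
heartbeat_compiled_out() {
    # $1: the compiler flags line as printed by `openssl version -f`
    case "$1" in
        *OPENSSL_NO_HEARTBEATS*) return 0 ;;
        *)                       return 1 ;;
    esac
}

# Run against the local openssl binary when invoked as: ./check.sh --local
if [ "${1:-}" = "--local" ]; then
    v=$(openssl version)
    echo "$v -> $(heartbleed_status "$v")"
    if heartbeat_compiled_out "$(openssl version -f)"; then
        echo "heartbeat support compiled out"
    fi
fi
```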
 
While re-doing some of my VPN configs for home, I managed to add an SSL layer to my HeaterMeter, though it does require an intermediary computer to do so. For me, this isn't a problem as I've got an always-on RaspberryPi that does various things for me.

I ended up using the stunnel package, which basically creates an SSL tunnel and will proxy the connection to anything else.

I now forward port 443 (https) on my router to port 443 on my RaspberryPi. The RaspberryPi accepts SSL connections on port 443 and then proxies the connection to my heatermeter at 192.168.1.88 on port 80.

Took about 5 minutes to set up.

My stunnel.conf file is:

Code:
sslVersion = all
options = NO_SSLv2
chroot = /var/lib/stunnel4/
pid = /stunnel4.pid
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib

[heatermeter]
accept = 443
connect = 192.168.1.88:80
cert=/etc/stunnel/server.pem
key=/etc/stunnel/server.key