
Comments (6)

Shaquu commented on July 21, 2024

@NickBorgers thanks for the report!

First of all, here is the new link for discord https://discord.gg/uvYac5u

Regarding the issue, is it related to the pin code? If yes, I believe the code, despite being called a security code from time to time, is partially public. On official HomeKit accessories, you will find it on the sticker on the device itself. In the end, only one client can pair at once.

from node-red-contrib-homekit-bridged.

Shaquu commented on July 21, 2024

Just wanted to clarify, I am open to improving security on our node ;) Let's just discuss the steps first so we can proceed!

Shaquu commented on July 21, 2024

It is based on the HomeKit documentation.

https://github.com/NRCHKB/node-red-contrib-homekit-bridged/blob/master/docs/HAP-Specification-Non-Commercial-Version.pdf

NickBorgers commented on July 21, 2024

I'm going to close this issue, as I'm personally dropping the concern. I think your explanation that only one device can be paired with the accessory (the node red module) is reasonable.

One observation from the Apple specification is that they require you to use a CSPRNG to generate the PIN, which would suggest they view it as an important credential. However, the misuse case they're guarding against may be as simple as not making it too easy for someone to "damage" a shipment of Homekit devices by guessing all of their PINs and pairing with them before an end-user opens the box.

It won't make any difference for me personally because I'm working on automatically publishing screenshots of my flows (just stuck on a weird Actions problem) like this:
[screenshot: State Tracking]

NickBorgers commented on July 21, 2024

I will confess ignorance on the security implications of the code. One distinction to make RE them being printed on accessories is that viewing the code would require physical access inside my home vs the Projects feature encourages me to make the PIN code public on the Internet.

If only one client can pair at once, this is probably not a big deal.

If the PIN code is not security relevant, why do you suggest that certain weak codes are problematic? I actually took that documentation as "signal" that the value should not be so public.

I'll dig into this in greater detail as I'd like to understand Homekit's security model better. I'm not raising this as a serious issue at this point, but also not clear enough to feel entirely comfortable.

Shaquu commented on July 21, 2024

Thanks for the input @NickBorgers
I hope to see you around :)