Archive

Archive for December, 2017

How not to implement smarthome security – Connected A/C

December 17, 2017 1 comment

Recently I added a few Mitsubishi minisplit A/C systems to my home and because I travel a lot (and I’m incredibly lazy) wanted to be able to control them from my phone (and the couch). I’ve had previous history with the Honeywell RedLink system (which requires yet-another-hub) and was pleased to find that mini-splits with native wifi connectivity are available.

My installer had never set up such “new” technology so this week he arrived with a number of tiny plug-in boxes, and the installer training video to connect up my units.

Halfway through following the steps on the video, the app presents us with an “Enter Installer Pin” challenge – cool I think, “some security at least to stop…”

what exactly?

I’ll get to that topic later – but needless to say, the pin wasn’t mentioned in the training video, nore the one-page install guide in the package.

Never to be defeated, I turn to my trusty advanced hacking toolkit and universal IoT password finder..

google.com

A search for “Mitsubishi installer pin” yields some helpful results – one, in particular, catches my eye, since it’s hosted on that vendor’s support URL

Here’s a picture of the result – note how helpfully they put the pin in bold text!

Installer Pin

So strike one and two for this vendor –

  1. never use a fixed pin, for anything!
  2. never print your passwords, especially not in public-facing documentation

I’ll let the 9999 pin pass, given it’s not in the top 10 of most common pin codes (it’s #11) – http://www.datagenetics.com/blog/september32012/

So, back to the question of what exactly the installer pin is protecting? Mostly, it’s protecting the homeowner from adding a new unit to their online account, and it’s protecting them from being able to re-link a unit if for some reason it loses connection. In my case, there were no “dangerous” options I could mess around with – and reading the documentation, it seems that the installer protected options are really a crutch for a system which should be able to learn for itself what options are present and configure itself automatically.

So for me, the “installer pin” protects my installer, otherwise, I’d be able to configure my A/C unit without him. He’s a nice guy, but I don’t want to be scheduling a site-visit every time I change my wifi password.

This seems to be a trend within the Air Conditioning industry – for example, Honeywell’s Redlink Gateway (which is effectively plug-and-play) also should only be installed by a “trained experienced service technician” – at least with these gateways the PIN is unique and printed on the bottom of the device.

As an aside, the Honeywell VisionPro Thermostat also has installer-only options protected by a code, which also is printed on the back of the clip-on device. But if you’re REALLY lazy and don’t even want to unclip it, there’s a menu option on the screen which will helpfully tell you the code.

Believe me – The Redlink gateway takes 30 seconds to install and configure, and you don’t need any “AC training” to understand how to link a thermostat to a mobile app.

Honeywell Redlink Gateway Pin Code

I’m not very tolerant of this kind of “protectionist” behaviour – how many people paid a few hundred dollars for someone to plug in a hub, or “add” their minisplit head unit to their online account – things which require no expertise, have no risk, and generally should be automatic?

How successful would Nest have been if it required a service call to install?

Did you pay for someone to add a trivial IoT device to your home? Comment below.

Advertisements