MobiLinc HD stopped working with old ISY99

[mikewu99]

I have an old ISY99 at a vacation home that I use solely to control and monitor the thermostats (I do have a new ISY994 at my main house). For several years I have been using MobiLink HD (on iOS10) for remote access. A couple of months ago MobiLink HD stopped working with the ISY99 when connecting from outside the LAN. I get "Network Error - There was a problem sending the request. Please verify the connection settings in My Settings and try again. Error Code 0. Error Message: A connection failure occurred: SSL problem (Possible causes may include a bad/expired/self-signed certificate, clock set to wrong date".

• The clock on the ISY is within a couple seconds of my phone.
• I am using direct connection to the ISY (not MobiLink connect)
• I cannot connect to the ISY via https even locally, all browsers I have tried refuse for security reasons (one metioned the ISY's SSL version was obsolete).
• I can connect fine locally via http, and MobiLinc connects fine locally.
• I am running 3.2.4 on the ISY99 (I believe the latest firmware version).

Is there anything I can do to fix this, or is the ISY99 just hopelessly outdated? Seems crazy to spend the bucks for an ISY994 just to monitor thermostats...

[MWareman]

The old 99i only supports SSL ciphers that are now considered insecure. You mobile device probably does not support these older ciphers, leading to the error you see.

 

Options are to either keep an older version of IOS on your device (but that's insecure), or upgrade your ISY to a 994i. UDI offers a generous upgrade offer on their sales page.

 

Mobilinc cannot connect thru reverse proxies (due to the way it subscribes to ISYs events), otherwise you could deploy a reverse proxy.

[Brian H]

The last ISY99i firmware is 3.3.10

[mikewu99]

I thought the upgrade offer was over quite a while ago. Might be cheaper to just replace the two Insteon thermostats with ones that I can access directly over the internet.

 

 

Sent from my iPad using Tapatalk

[MWareman]

If you got Honeywell connected stats for the remote building, you could access them remotely.

 

There is also talk of integrating these at the ISY Portal layer. Even without that, you could go via IFTTT to have your local ISY manage the remote stats.

[InsteonNut]

Hi mikewu99,

 

Apple dropped support for the older SSL ciphers back in iOS 9 over a year ago. If you were using a direct IP address, HTTPS to the older IYS-99i would have stopped working on iOS 9 last September in 2015. If remote access was working here until recently on iOS 10, then you were using our MobiLinc Connect service or your direct IP connection was using HTTP only.

 

If MobiLinc Connect, I can certainly assist you in getting your ISY back reconnected. Please send me an email to support@mobilinc.com with your ISY's UUID and your MobiLinc Connect email address so I can investigate.

 

Wes

[MWareman]

Worth noting, I don't think Mobilinc Connect is an option on the 99i, it didn't support the module.

[InsteonNut]

Hi MWareman,

 

Just so you have all the info (and other's reading) if one had already installed the MobiLinc portal to the ISY-99i before the UDI store/interface change to discontinue support for the older SSL ciphers, we still support these connected ISYs to MobiLinc Connect. Now, if you have an older ISY-99i without MobiLinc Connect, there isn't a way to add it to the older ISY-99i's today. Only if the older ISY-99i already has MobiLinc Connect installed does it still work and we support them.

 

Wes

[MWareman]

Hi MWareman,

 

Just so you have all the info (and other's reading) if one had already installed the MobiLinc portal to the ISY-99i before the UDI store/interface change to discontinue support for the older SSL ciphers, we still support these connected ISYs to MobiLinc Connect. Now, if you have an older ISY-99i without MobiLinc Connect, there isn't a way to add it to the older ISY-99i's today. Only if the older ISY-99i already has MobiLinc Connect installed does it still work and we support them.

 

Wes

Wes,

 

So - to me this means that the Mobilinc Connect servers that ISY connects to still support SSL3. If so - that's a pretty serious security concern - and one that means all your customers data is at significant risk.

 

Please say it isn't so!

 

Michael.

 

Edit: Update on mitigation: http://forum.universal-devices.com/topic/20902-mobilinc-connect-update-1-12-2017/

ISY 994s now connect to an endpoint that does NOT support the older ciphers, providing strong protections.

[MWareman]

Edit: Please see update to this concern at http://forum.universal-devices.com/index.php?/topic/20705-MobiLinc-HD-stopped-working-with-old-ISY99&do=findComment&comment=200926

 

Edit2: Update on mitigation: http://forum.universal-devices.com/topic/20902-mobilinc-connect-update-1-12-2017/

Wes,

Oh dear... seems I was right. In fact, it's worse than what I thought! Your servers are seriously vulnerable! Please fix them ASAP. Until you do - I simply must advise ALL ISY users to immediately stop using Mobilinc Connect - as this is putting everyone's data at risk - up to and including full access to your customers ISYs....

RC2, 512bit key, RC4...

For example, the following (40 bit!) ciphers can be cracked in seconds these days on comodity hardware (it could be cracked in 2 seconds in 1999 on a custom setup - https://en.wikipedia.org/wiki/40-bit_encryption):

SSL_CK_RC4_128_EXPORT40_WITH_MD5 (0x20080)   INSECURE	40SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 (0x40080)   INSECURE	40TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x3)   INSECURE	40TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x6)   INSECURE	40TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x8)   INSECURE	40TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x14)   DH 512 bits   FS   INSECURE	40

For details on POODLE, see https://www.openssl.org/~bodo/ssl-poodle.pdf. Of note:

The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol in the client or in the server (or both) will completely avoid it. If either side supports only SSL 3.0, then all hope is gone, and a serious update required to avoid insecure encryption. If SSL 3.0 is neither disabled nor the only possible protocol version, then the attack is possible if the client uses a downgrade dance for interoperability.

You really have no choice but to drop support for the ISY99i, and totally remove the now old and flawed ciphers.

Also - you should consider your SSL certificate private key compromised. After you fix the ciphers - generate a new private key and have GoDaddy reissue your certificate.

Michael.

[InsteonNut]

Michael,

 

Your charges here about customer's data at risk is serious and one that I take deep offence to. No customer data is at risk. Period. We are well aware of what certs our servers are using.

 

We run several servers that handle the direct ISY connections separate from the web-facing url you pointed to. The web-facing URL has a plan in place to migrate and remove the older SSL support. We have existing customers of our service that cannot migrate yet and we are working with them to move forward. The URL you pointed to is simply a redirect URL to a server where the the ISY actually is managed.

 

Older ISYs that we still support are server isolated from the current ISYs. 

 

Connections from the MobiLinc apps use current approved ciphers and security suites to connect to MobiLinc Connect and thus the destination ISY. Even older ISY-99i, while their private connection to our servers use what ciphers the ISY-99i is capable of, ALL connections from the MobiLinc apps and Admin Console use current cipher suites to MobiLinc Connect. 

 

Please contact me directly if you have any other concerns: DM or support@mobilinc.com

 

Wes

[MWareman]

Edit: Please see my update to this risk here: http://forum.universal-devices.com/index.php?/topic/20705-MobiLinc-HD-stopped-working-with-old-ISY99&do=findComment&comment=200926

 

Edit2: Please also see this post from Wes on mitigation that has taken place. Thank you to Wes! http://forum.universal-devices.com/topic/20902-mobilinc-connect-update-1-12-2017/

Wes,

I've emailed specifics about the several inaccuracies in your statement.

The vulnerabilities are also present on dispatcher.mobilincconnect.com - and it's the same single EC2 instance (not 'several servers'). It's also vulnerable - it's using the same exact EC2 instance (from wherever you are in the world). This *is* the DNS name that the ISY994 connects to....

Take a look at 2.7.1 in the OWASP document: https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

Under no circumstances either SSLv2 or SSLv3 should be enabled as a protocol selection:The SSLv2 protocol is broken and does not provide adequate transport layer protection.SSLv3 had been known for weaknesses which severely compromise the channel's security long before the 'POODLE'-Bug finally stopped to tolerate this protocol by October 2014.

I strongly urge you to address the multiple vulnerabilities presented by having very weak ciphers enabled on your servers that are putting your customers data at risk.

Michael.

[mikewu99]

Well, to get back to the original issue: I have a VPN tunnel between the router at home and the router at the vacation house. If I force the "Connect Method" in MobiLinc to HTTP instead of auto, MobiLinc can find the remote 99i over the VPN. On Auto, it tries over the cellular network and fails due to security issues. I lose the ability to control the vacation house thermostats from anywhere other than my home network, but that is probably good enough. If I really need connectivity away from home I can set up a VPN from my phone to the remote router.

 

I am going to disable the port forwarding to the 99i on the remote router for security - it doesn't do me any good anyway.

 

 

Sent from my iPad using Tapatalk

[InsteonNut]

Michael,

 

I've responded to your email with additional internal information and plans for our sunset support of ISY-99i devices.

 

Wes

[Scottmichaelj]

Michael,

 

I've responded to your email with additional internal information and plans for our sunset support of ISY-99i devices.

 

Wes

Michael brought up some valid concerns and instead of taking it private to emails I would suggest you post your response here in the essence of keeping everything transparent.

 

Or Michael if you could post Wes email response and redacted of course private email addresses.

 

Thank you both for your consideration and discussion of this topic. I would like to hear the plan for sunset and resolve.

[InsteonNut]

Hi Scott,

 

I understand and sympathize with the transparency request. The information I'm sharing with Michael is sensitive and non-public. As such, I've requested an NDA with Michael to discuss those details. We had always planned on sunsetting the discontinued ISY-99i's in MobiLinc Connect in 2017. Announcement regarding that plan is coming in Jan. We firmly maintain that no customer data is at risk by supporting the older ISY-99is, however, we do recognize that continuing to support older encryption ciphers for the discontinued ISY-99is is no longer considered best practice.

 

Wes

[MWareman]

Hi Scott,

 

I understand and sympathize with the transparency request. The information I'm sharing with Michael is sensitive and non-public. As such, I've requested an NDA with Michael to discuss those details. We had always planned on sunsetting the discontinued ISY-99i's in MobiLinc Connect in 2017. Announcement regarding that plan is coming in Jan. We firmly maintain that no customer data is at risk by supporting the older ISY-99is, however, we do recognize that continuing to support older encryption ciphers for the discontinued ISY-99is is no longer considered best practice.

 

Wes

Wes,

 

I sent back the signed NDA as requested. Please let me know if you have not received it.

 

For others,

 

As security and future commercial plans are understandingly very sensitive, I'm happy to agree to keep private any information provided to me by Wes, and I'm happy to provide my ideas back to Wes so that he can consider incorporating them - with the goal of bettering the service. That is the purpose of the NDA, to allow Wes and I to talk specifics without Wes having to worry about disclosure issues.

 

Please know that the NDA will not prohibit me from reporting back to the community in general terms what I am allowed to (always with the permission of Wes in this case) or what I am able to observe myself without using ANY information provided to me. Do know that Wes takes security very seriously, and is working to resolve the cryptographic issues.

 

Michael.

[MWareman]

Update:

 

After discussions with Wes, and thought about the entire infrastructure behind Mobilinc, I can assure all that ISY994i communication is *NOT* at risk. This is because it does not support the weaker ciphers, so a downgrade attack cannot succeed. Also, at no point was the dispatcher server subject to any known attack that put the SSL key at risk.

 

Likewise, if you use the current version of Java and a modern operating system, where SSL3 and SSL2 are disabled.

 

Wes has communicated that they are sunsetting ISY99i support later this year, after a formal communication plan.

 

The risk does exist in ISY99i communication, also if any user is using an operating system that still supports SSL3.

 

Mobile app users, again. If the old ciphers are gone from your OS, you are safe. However, f the OS still supports SSL3, then you may be at risk.

 

Moral is, keep your OS up to date! If your phone still has SSL3 and the vendor has not updated to remove it - it's probably time for a new phone!

 

I'll continue working with Wes behind the scenes to make Mobilinc even more secure for current gen ISY users.

[InsteonNut]

Thanks MWareman,

 

Just to add a little more info on the mobile app side, MobiLinc/iOS supports iOS 9+. Apple removed SSL and weak ciphers in iOS 9. For MobiLinc/Android users, Android OS 5 and above removed SSL and weak ciphers.

 

Wes

[MWareman]

All - Please see this post on mitigation that has occurred...

 

http://forum.universal-devices.com/topic/20902-mobilinc-connect-update-1-12-2017/

 

Thank you to Wes and the Mobilinc team for this! 

 

Michael.