iCalendar - limiting variables that can be set

Dear openHAB community, has anybody found (or thought of) a way to limit the set of variables that can be set by iCalendar events? As I am looking into integrating more and more things into my openHAB installation (and some of them could be sensitive / security related), I am concerned about the iCalendar entity being able to just directly modify any openHAB item by injecting an event into the calendar.
Yes, it is password-protected and all, but it still feels like a fairly straightforward attack surface.
Thoughts? Suspect this would be a new feature for the (absolutely excellent) add-on.

Thank you all,


I assume you are writing about the command tags triggering commands. That's why there is the authorizationCode setting. If set, the binding just executes commands with the same code. If you use an untrusted source and want to semi-disable the execution, enter a long random code that is unlikely to match.

In other cases (the contained events as presence switch or filtered events) you just have to make sure you can trust the source. Or I did not understand the described situation fully. In that case please describe an exact example.

Thank you @damihe .
I am concerned about a situation where a hosted calendar (say a Google Calendar or another hosted provider) gets compromised. In that scenario an intruder will be able to observe the authorizationCode entrance and would be capable of creating another entry with the same code.
Does it make sense?

For normal people that is a situation that is unlikely to happen. First of all, an attacker would have to access your calendar. Normally you protect it by using TLS on the transport layer (by using HTTPS); manipulating the calendar on the transport is very hard when TLS with trusted certificates is used. Changing it requires authentication, and bigger providers want you to use 2-factor authentication. I’m pretty sure that bigger companies are able to implement privilege separation and authentication right. So for normal people, modifying a calendar is an expensive task for an attacker. It’s quite unlikely to store interesting information (for hackers) in calendars, like credit card numbers.

If you are paranoid or there are real secrets, you must host your own instance if you don’t trust anyone. And you must not connect it to the internet. Together with the right authentication and TLS, it is secure. Be warned: implementing it right is harder than it sounds, and it is a lot of work to keep it secure.
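
Added example, not part of the thread and not the binding's own code: a sketch of the authorizationCode gate described in the replies, combined with the per-item allowlist the original question asks about, so that a leaked code can only reach low-risk items. The tag form `BEGIN|END:<item>:<command>[:<code>]`, the allowlist itself, the item names and the code value are assumptions or constructed samples.

```python
import hmac
import re

# Assumed command-tag form: BEGIN|END:<item>:<command>[:<code>]
TAG_RE = re.compile(r"^(BEGIN|END):([A-Za-z0-9_]+):([^:\s]+)(?::(\S+))?$")


def allowed_commands(description, authorization_code, item_allowlist):
    """Return the (phase, item, command) tuples that pass both checks."""
    # Design choice of this sketch: with no code configured, run nothing.
    if not authorization_code:
        return []
    accepted = []
    for line in description.splitlines():
        match = TAG_RE.match(line.strip())
        if not match:
            continue  # ordinary description text, not a command tag
        phase, item, command, code = match.groups()
        # Check 1: the tag must carry the configured code (constant-time compare).
        if code is None or not hmac.compare_digest(
            code.encode(), authorization_code.encode()
        ):
            continue
        # Check 2 (hypothetical feature): the item must be explicitly allowed,
        # so a code read from a compromised calendar cannot drive other items.
        if item not in item_allowlist:
            continue
        accepted.append((phase, item, command))
    return accepted


# Constructed sample event description and settings.
SAMPLE_CODE = "k3Jx9-constructed-sample"
SAMPLE_ALLOWLIST = {"Living_Light"}
SAMPLE_DESCRIPTION = "\n".join([
    "Evening lights",
    f"BEGIN:Living_Light:ON:{SAMPLE_CODE}",
    f"END:Living_Light:OFF:{SAMPLE_CODE}",
    "BEGIN:Living_Light:ON:wrong-code",       # wrong code: dropped
    f"BEGIN:FrontDoor_Lock:OFF:{SAMPLE_CODE}",  # right code, item not allowed
    "BEGIN:Garage_Door:ON",                   # no code at all: dropped
])

if __name__ == "__main__":
    for entry in allowed_commands(SAMPLE_DESCRIPTION, SAMPLE_CODE, SAMPLE_ALLOWLIST):
        print(entry)
```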