Safe to install jar file from github?

Hi,

I tried to google this but with no luck.
How big is the risk of getting malicious code in my OH server when installing bindings? I don’t want to be part of any botnet, mine bitcoins or worse. Are the bindings checked for this somehow?
I sleep at night thinking that the well used bindings are checked and contributed by many, and the risk should be low. But now I found a binding on github with no contributors that I want to try, but I don’t know if I dare :confused:
Anyone else have thoughts about this?

/D

Let’s look at this like a security engineer.

risk = likelihood * impact

What’s the likelihood that someone would create some openHAB addon that includes malicious code? Well, the population of openHAB users is in the thousands, not the millions. It’s a really small target. For the amount of effort required to successfully do something malicious in an openHAB binding the time would be much better spent using that effort to go after something with more users, like a popular IP camera or the like.

And this is thinking about the “official” openHAB addons. You are talking about some random addon on Github. Something like that may have at most dozens of users.

I’m not saying it’s impossible for someone to do something malicious, but it is a really low likelihood. It’s just not worth the effort. So let’s say that the likelihood is around 10%, which I honestly think is too high but it’s a nice round number.

What’s the impact? That depends on how you have openHAB installed, what it can see, etc.

  • Making your OH part of a botnet: impact to you is pretty low, let’s say 5 out of 100
  • Making your OH machine mine bitcoin: impact to you is pretty low, your machine overheats or becomes unresponsive at which point you probably will start from scratch, let’s say 20 out of 100
  • Something worse: it’s hard to guess without specifics, let’s say the impact is 80 out of 100, which would be something like identity theft (100 would be loss of life)

So at worst we are looking at a risk of 0.5 to 10 out of 100. This is really low.

So what can you do to mitigate the risks?

  • put in place firewall rules to limit what your openHAB can talk to (block botnet)
  • monitor your openHAB’s resource utilization (detect cryptomining)
  • isolate your OH and home automation from your other machines where sensitive information may live.

Let’s say you implement those mitigations. Thumb in the air, I’d say that the first one completely mitigates the botnet risk, the second one mitigates the cryptomining by 90%, and the third one mitigates the “Something worse” by 90%. So with these mitigations in place we bring the risk down to 0 or 1 out of 100.

That’s really low risk.

But honestly, I wouldn’t bother with these mitigations because the original risks were really low to begin with.

But to answer your specific question, no, what sort of checking do you think is possible? openHAB didn’t write the code. The code has never been reviewed by us. It isn’t owned by us and it’s never been submitted to the project. We have no insight into it.

I’d say go ahead and try it. If you are still worried, put in place some mitigations and then try it. The risks are very low.

Reason vs tin foil hat, hehe
I can agree with you, but I would think that every situation where you have people willing to install software without doing any sanity checking would be great for anyone interested in poking around on different servers just for fun. I can’t imagine that a backdoor would be that hard to implement (without knowing OH :no_mouth:).
Of course you guys in the OH team can’t check the bindings. I was thinking maybe the bindings had restrictions making it hard to implement mischief, <upcoming release?>or some kind of monitoring of suspicious activities like “call-home” (like a built-in firewall: “This binding is only allowed to contact http://________”)</upcoming release?>

I agree with @rlkoshak. There are far, far bigger targets out there. Spending one’s time trying to get malicious code into an openHAB plugin just doesn’t have the return on investment.

Besides, it’s very unlikely for a binding that’s part of the distribution to have malicious code given the review process that occurs before the binding can be included in the distribution.

As for a binding that’s not part of the distribution… If it’s unmaintained and you don’t know/can’t find the developer, that’s a bit more risky. If it were me, and I REALLY needed that binding, I’d be inclined to decompile it and take a quick look at the Java code. I’d do this more to avoid introducing something that could introduce instability into my system. The identification of any malicious code would be a side benefit.

A couple of quick thoughts…

openHAB users are more switched on than the average person to noticing symptoms that indicate malicious code is running. It would get detected and reported on this forum, and I have never seen any reports of it happening.

I tend to think of the reasons why someone would do it, and as rlkoshak has pointed out, none make sense with the number of users that openHAB has and the increased risk of getting found out. It’s a waste of time doing it when other platforms with more users can be targeted. If the person has been a member of the forum for a long time and they shared the code, then I tend to trust them whilst looking at my logs and the impact the jar has on my system.

Yet we all hand money over to big companies to do exactly that. Yes, I pay to have someone steal my data, but I look forward to the day when open source can replace it all.

No contributors is normal, as it is rare to find someone who wants to work for free and help others. Look at the number of forks, as that shows how many people are reading and scanning over the code and wanting to keep a copy in case the project disappears.


One person’s mischief is another binding’s requirement to interface with technology X. There isn’t much difference between accessing a cloud API and a back door. OH can’t really preclude any behavior because there is no way to tell the difference between malicious and necessary. And even if there were, there isn’t much OH can do about it. If the binding conforms to the API, there isn’t anything that OH can do to stop it from doing whatever it wants.

The source code is available since it’s on GitHub, and you can review it and, if you are really paranoid, build it yourself from that source instead of the prebuilt jar.
Or you can decompile it like Mark suggested.

There are lots of ways for you as a user to mitigate the risks. Which ones are worth doing should consider the risk. It’s not worth implementing any mitigation that costs more than the risk it mitigates.

The difference between reasonable and unreasonably paranoid is the paranoid don’t consider likelihood when calculating risk.

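Mark’s suggestion to decompile the jar and rlkoshak’s to review the source or build it yourself both start from the same first step: looking at what the jar actually contains before it lands in the addons folder. The script below is an added example, not code from openHAB or from anyone in this thread. It treats the jar as the zip it is, pulls string constants out of the .class files the way `strings` would, and flags the things a reviewer asks about first: URLs and IP literals (where does it call home?), process execution and dynamic class loading, bundled native libraries, and whether the jar carries a signature. Run without an argument it triages a jar it constructs itself; the bundle name, class names, endpoints and the 203.0.113.7 address in that sample are all made up for the example.

```python
"""Static triage of a third-party binding jar before it goes into addons/.

Added example, not openHAB code. A jar is a zip, and compiled Java keeps string
literals and referenced class/method names as plain UTF-8 in each .class file's
constant pool, so a `strings`-style pass answers the first review questions:
where does it connect, does it spawn processes or load code, does it ship
native code. A hit means "open that class in a decompiler", not "malicious".
"""
import io
import re
import sys
import zipfile
from collections import defaultdict

# Runs of at least 6 printable ASCII bytes, the heuristic `strings` uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# Each is legitimate in some binding (cloud API, serial driver, JNI), which is
# why OH itself cannot block them; a human reviewer can judge them.
REVIEW_PATTERNS = {
    # scheme-prefixed URLs and dotted-quad IP literals: the call-home list
    "network": re.compile(r"https?://\S+|wss?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # process execution; these class names sit in the pool whenever they are used
    "exec": re.compile(r"java/lang/Runtime|java/lang/ProcessBuilder"),
    # reflection, dynamic class loading, JNI: code that is not what you read
    "loader": re.compile(r"java/lang/reflect|java/net/URLClassLoader|defineClass|loadLibrary"),
}
NATIVE_SUFFIXES = (".so", ".dll", ".dylib", ".jnilib")

def extract_strings(data: bytes) -> list[str]:
    """Printable ASCII runs from raw bytes (class files, scripts, anything)."""
    return [m.group(0).decode("ascii") for m in PRINTABLE_RUN.finditer(data)]

def parse_manifest(raw: bytes) -> dict[str, str]:
    """Key: Value lines of META-INF/MANIFEST.MF (continuation lines, which start
    with a space, are skipped; good enough to read the bundle name and version)."""
    lines = raw.decode("utf-8", "replace").splitlines()
    pairs = (line.partition(":") for line in lines if ":" in line and not line.startswith(" "))
    return {key: value.strip() for key, _, value in pairs}

def triage_jar(jar_bytes: bytes) -> dict:
    """Inventory a jar and collect review-worthy strings from its classes."""
    report: dict = {"entries": 0, "classes": 0, "signed": False,
                    "native_libs": [], "manifest": {}}
    findings: dict[str, set[str]] = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            report["entries"] += 1
            lower = name.lower()
            # A signature block only says who signed; it means something only if
            # you trust that key, not merely because it is present.
            if name.startswith("META-INF/") and lower.endswith((".sf", ".rsa", ".dsa", ".ec")):
                report["signed"] = True
            if lower.endswith(NATIVE_SUFFIXES):
                report["native_libs"].append(name)
            if name == "META-INF/MANIFEST.MF":
                report["manifest"] = parse_manifest(zf.read(name))
            if lower.endswith(".class"):
                report["classes"] += 1
                for s in extract_strings(zf.read(name)):
                    for category, pattern in REVIEW_PATTERNS.items():
                        for m in pattern.finditer(s):
                            findings[category].add(m.group(0))
    report["findings"] = {k: sorted(v) for k, v in findings.items()}
    return report

def _utf8_entry(s: str) -> bytes:
    """Mimic a CONSTANT_Utf8 pool entry: tag 0x01, u2 big-endian length, bytes."""
    b = s.encode("utf-8")
    return b"\x01" + len(b).to_bytes(2, "big") + b

def build_sample_jar() -> bytes:
    """Constructed sample, not a real binding: class-file magic plus a few pool
    strings per entry, which is all the scanner reads. Bundle name, classes,
    endpoints and 203.0.113.7 (a TEST-NET-3 address) are all made up."""
    magic = b"\xca\xfe\xba\xbe\x00\x00\x00\x34"
    handler = magic + b"".join(_utf8_entry(s) for s in (
        "org/openhab/binding/example/internal/ExampleHandler",
        "https://api.example.com/v1/devices",  # the vendor API a README would name
        "java/lang/StringBuilder"))
    helper = magic + b"".join(_utf8_entry(s) for s in (
        "org/openhab/binding/example/internal/Helper",
        "http://203.0.113.7:8080/report",  # a second endpoint nobody documented
        "java/lang/ProcessBuilder", "loadLibrary"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n"
                    "Bundle-SymbolicName: org.openhab.binding.example\r\n"
                    "Bundle-Version: 2.5.0\r\n")
        zf.writestr("org/openhab/binding/example/internal/ExampleHandler.class", handler)
        zf.writestr("org/openhab/binding/example/internal/Helper.class", helper)
        zf.writestr("lib/linux-x86_64/libhelper.so", b"\x7fELF" + bytes(16))
    return buf.getvalue()

if __name__ == "__main__":
    # usage: python triage_jar.py some-binding.jar  (no argument: constructed sample)
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for key, value in triage_jar(src).items():
        print(f"{key}: {value}")
```

On the constructed sample the interesting output is the network list: the documented vendor API next to a second, undocumented endpoint, plus ProcessBuilder and loadLibrary in a class that also ships a native library. Any of those can be perfectly legitimate, which is the thread’s point: the script cannot tell, it can only tell you which classes to open in a decompiler, or which parts of the GitHub source to read before building it yourself. Expect some noise (a version string like 2.5.0.1 matches the IP pattern), and treat a clean run as “no obvious red flags”, not as clearance.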