C4 Forums | Control4

iPhone App Security Issue



So I just found out that the security in the iPhone app is a joke.  My son figured out my system password and installed the app on his iPhone, which is all well and good until he decided it would be funny to turn my bedroom lights into a disco.  So I took his phone and put a passcode on it, thinking that would keep him from getting in.  Nope.  He just entered the passcode incorrectly 5 some odd times, selected the option to remove the system from the app, and then added the system back in.  When it came back in, it set up *without* the passcode, so now he's back in and playing with my lights.

Yes, ok, I can just change my system password... But really, it would be sorta nice to have those "security" options stored in the iOS device keychain, so they stick around if the user removes and re-adds the system, or if the user uninstalls and reinstalls the app.  Would make more sense than allowing those settings to get cleared.



1 minute ago, knowitall said:

So if you forget the passcode to the c4 app on your phone you have to scrap your entire iTunes account?

 

logical. 

Not at all.  The user or the dealer could "reset" the state by removing the device from the list in the customer portal.  Then when the device starts up, it could determine that it needed to reset state and start up fresh.  There are plenty of ways around the "I forgot it" issue.


44 minutes ago, Joshua Pressnell said:

So I just found out that the security in the iPhone app is a joke.  My son figured out my system password and installed the app on his iPhone, which is all well and good until he decided it would be funny to turn my bedroom lights into a disco.  So I took his phone and put a passcode on it, thinking that would keep him from getting in.  Nope.  He just entered the passcode incorrectly 5 some odd times, selected the option to remove the system from the app, and then added the system back in.  When it came back in, it set up *without* the passcode, so now he's back in and playing with my lights.

Yes, ok, I can just change my system password... But really, it would be sorta nice to have those "security" options stored in the iOS device keychain, so they stick around if the user removes and re-adds the system, or if the user uninstalls and reinstalls the app.  Would make more sense than allowing those settings to get cleared.

ultimately it was a weak system password that was the problem?  


Just now, msgreenf said:

ultimately it was a weak system password that was the problem?  

Sure... "root cause" is that my kid knows me well enough to know the passwords I normally use.  But I have to figure that anybody who has the app installed and is permitted to connect to my system is probably "close enough" to be family or similar.  What I'd REALLY like is a way to have an alternate login for my kids so they can have access to control their rooms, but not the rest of the house.

I just found it somewhat amusing that you can reset "security" settings by just entering them incorrectly and re-adding the system.


3 minutes ago, knowitall said:

So you want c4 to store the passcode not your phone

No, not the passcode.  A "reset" flag.  The passcode and everything else would be stored on the phone like it is now, just held across system remove/add and app remove/install cycles.  Handle the "I forgot my passcode" issues by giving the system a way to remotely reset state.

Mostly, I just don't get the value of advanced security options if the only real security is the system login anyway.  Not a huge complaint... mostly just an "I don't get why" feature.

Again, the biggest feature I *would* request is a way to have multiple logins and the ability to set permissions for different users to have access to different rooms/devices.


Joshua, sorry, but you don't get the value of security at ALL if your kids "know the passwords I normally use".  You're concerned about security?  I don't follow.  Control4 login guessing is the least of your concerns (i.e. - your email, banking, etc.)  Tighten up your password and log into your customer.control4.com account and set up user accounts for them.  Then, have your dealer set up an Access agent that would prevent them from changing rooms.


4 minutes ago, GT Slider said:

Joshua, sorry, but you don't get the value of security at ALL if your kids "know the passwords I normally use".  You're concerned about security?  I don't follow.  Control4 login guessing is the least of your concerns (i.e. - your email, banking, etc.)  Tighten up your password and log into your customer.control4.com account and set up user accounts for them.  Then, have your dealer set up an Access agent that would prevent them from changing rooms.

Oh... I already changed the password on the central portal.  We have standard passwords we use for the "non-secure" things.  For email, banking, etc, I use cryptographically secure passwords stored in a secure password manager.  I hadn't heard about the Access agent yet.  I'll take a look at that.


20 minutes ago, GT Slider said:

Joshua, sorry, but you don't get the value of security at ALL if your kids "know the passwords I normally use".  You're concerned about security?  I don't follow.  Control4 login guessing is the least of your concerns (i.e. - your email, banking, etc.)  Tighten up your password and log into your customer.control4.com account and set up user accounts for them.  Then, have your dealer set up an Access agent that would prevent them from changing rooms.

Ok... just gave the Access agent a quick try.  This does allow me to set things up so they can't change rooms, but it doesn't solve the "light imp" issue, since if you go into Lighting on the app, you can tap "All Rooms" and get access to lights in the entire house.  Once music is playing, they can also select the little "Music" icon in the lower right corner, and add other zones (including ones all over the house) or turn off the audio to the entire house.  

So yeah, I can prevent them from changing rooms, but they still get access to things they shouldn't have.  Unless they add additional options to the Access agent to lock things down further, and by logged in user, not globally, that's really not what I'm looking for.


14 minutes ago, thegreatheed said:

This is not a "Security Issue".

This is a parenting issue.

Meh.  The kid's smart and generally pretty responsible.  But he's also 9, so sometimes he gets a little carried away.  I'd like to give him access to his own room, but not give him access to the rest of the house.  That doesn't seem like an invalid use case to me.


2 hours ago, Joshua Pressnell said:

Meh.  The kid's smart and generally pretty responsible.  But he's also 9, so sometimes he gets a little carried away.  I'd like to give him access to his own room, but not give him access to the rest of the house.  That doesn't seem like an invalid use case to me.

Yeah... the access agent could do with an upgrade... would also be nice to have some devices (e.g. the touchscreen in our master bedroom) able to access any room without a passcode while others (e.g. touchscreens on our patio / kids' iPhones) are locked down to one room!


Exactly.  Would be really keen to have room-level permissions per user and if they're enabled, the user can't access anything outside of the allowed room. Bonus points if you have it configurable in the navigator section, so we can allow multiple room access while still limiting them to not having access to other rooms. 


16 hours ago, Joshua Pressnell said:

Meh.  The kid's smart and generally pretty responsible.  But he's also 9, so sometimes he gets a little carried away.  I'd like to give him access to his own room, but not give him access to the rest of the house.  That doesn't seem like an invalid use case to me.

Punish the kid. Or beat him, whatever works.


22 minutes ago, Joshua Pressnell said:

I told him yesterday that the general community opinion is that I should punish him into compliance.  He looked at me somewhat wide-eyed and said, "Wait, what?"  

He really is a pretty good kid.

I like it.  Punishment is he has to touch the light switches and go up to the TV to change channels...no more c4 for him


1 minute ago, msgreenf said:

I like it.  Punishment is he has to touch the light switches and go up to the TV to change channels...no more c4 for him

;)

That's where he's at now... until C4 updates may (or may not) provide a security model where I can truly limit certain users to particular rooms.


C4 ought to at least add Touch ID on iOS.  It's a free API.  Can't be that hard.  Not that it would prevent this but it's kind of a checkbox item to me.  Allow it to be turned off if not used.


2 minutes ago, turls said:

C4 ought to at least add Touch ID on iOS.  It's a free API.  Can't be that hard.  Not that it would prevent this but it's kind of a checkbox item to me.  Allow it to be turned off if not used.

They do have Touch ID.  Although that's apparently broken as well.  I wanted to see if getting around Touch ID was as easy as using the wrong fingerprint 5 times.  So I turned on Touch ID, and used my pinky (not registered) several times to attempt to get in.  Eventually, the Control4 app stopped bringing up Touch ID at all when I tried to login, and would only let me use the passcode.  At that point, I used the passcode to go back in... and now Touch ID is no longer available in the app *at all*.  I tried turning the passcode off and on again.  I tried rebooting the app.  The switch that let me enable it just isn't there anymore.  I haven't gone so far as to uninstall the app and install it again yet.  But... 


Archived

This topic is now archived and is closed to further replies.
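
The design proposed in the thread (app-lock state kept in the iOS keychain so that removing and re-adding a system does not clear it, with a portal-side reset for forgotten passcodes) could look like the sketch below. This is an added example, not Control4 code and not part of any post above; the service name, `AppLockRecord`, and the `portalResetRequested` flag are hypothetical names chosen for illustration.

```swift
import Foundation
import Security

// Hypothetical placeholder; a real app would use its own keychain service name.
let lockService = "example.applock"

struct AppLockRecord: Codable {
    var passcodeHash: Data   // salted hash of the app passcode, never the passcode itself
    var failedAttempts: Int  // kept with the record so it is not reset by re-adding the system
}

func baseQuery(systemID: String) -> [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: lockService,
     kSecAttrAccount as String: systemID]
}

func saveLock(_ record: AppLockRecord, systemID: String) throws {
    let data = try JSONEncoder().encode(record)
    SecItemDelete(baseQuery(systemID: systemID) as CFDictionary)  // replace any old record
    var attrs = baseQuery(systemID: systemID)
    attrs[kSecValueData as String] = data
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
}

func loadLock(systemID: String) -> AppLockRecord? {
    var query = baseQuery(systemID: systemID)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var out: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &out) == errSecSuccess,
          let data = out as? Data else { return nil }
    return try? JSONDecoder().decode(AppLockRecord.self, from: data)
}

enum AddSystemResult { case unlocked, passcodeRequired(AppLockRecord) }

// Called whenever a system is added or re-added. Removing the system in the
// app never deletes the record; only the (assumed) portal reset flag does.
func lockStateOnAdd(systemID: String, portalResetRequested: Bool) -> AddSystemResult {
    if portalResetRequested {
        SecItemDelete(baseQuery(systemID: systemID) as CFDictionary)
        return .unlocked
    }
    if let record = loadLock(systemID: systemID) { return .passcodeRequired(record) }
    return .unlocked
}
```

This only hardens the local app lock; as the thread notes, anyone holding the system password can still log in from another device, so it does not replace per-user permissions on the controller side.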
