This object is in archive! 

Virtual Devices that can be controlled via URL

Vernon Miller shared this idea 3 years ago
Under Consideration

Which virtual devices have a URL that can be controlled without API authentication?


I was playing around with a virtual sensor and noticed it had a URL that I could simply post to without having to authenticate to my box. The URL is displayed in the Device Manager on the virtual sensor's attribute page. This does not seem to be on all virtual devices, so that made me wonder if there is a list of devices that can be controlled via an unauthenticated URL post?

Comments (3)


It is the virtual sensor and meter. Don't understand why we cannot have the other devices (especially switch and level control) with a URL link...shame.


I have mixed feelings about this; allowing unauthenticated access via a specially crafted URL string is definitely convenient (I am currently playing with a couple of integrations using this method), but I am seriously concerned about the security implications of having unauthenticated access to control my home. Any malicious hacker intercepting your URL string will have the ability to control your device. I have not done an analysis on the randomness of the devices, but a good hacker could probably wreak considerable havoc on people using the Zipato services by doing a bit of fuzzing. I am sure that everybody has heard about the insecurity of IoT devices; I hope Zipato has security at the top of their priority list.


With Great IoT Comes Great Insecurity


It is like with everything, everything can be broken...