find.z-wave.me issues
Posted: 01 Feb 2018 00:11
Dear Z-Way/RaZberry users,
Many of you are IT experts so we believe it would be good to share some technical details with you.
You might have noticed that our remote access service called find.z-wave.me was not working well last months. The reason is a very fast growing number of users. We did a lot of work to heal the service, but just adding more resources to the server was not a solution. The intrinsic limitation of the technology used made it impossible to easily scale our infrastructure.
As a result we decided to follow two steps:
1) We change our infrastructure to scale it horizontally - means adding more servers. This was expected to be a fast solution.
2) Over time (in April-May 2018) switch to another technology we develop since July 2017.
Our Step 1 was expected this month. Last week we have made two test switches to our new servers, but pretty soon we realized that there is a security issue allowing to access boxes of other people. Some of you also noticed that and were gentle to drop us a note about this highly critical issue. Of course we turned the service down and switch back to the old robust and secure find.z-wave.me server.
This critical issue is fixed now and we would like to share with you how a small bug in our software ended up with a disaster.
As you know, we do not store any information on our find.z-wave.me server. Even hashes of your passwords are not stored. We only store public keys of your boxes to match them against your box ID to verify your box identity when you connect. This is to make useless to hack our servers. When you connect via Web or mobile apps, our server connects to your Z-Way via the tunnel and tries to login via the login and password you entered in the form. If successful, we send back to your browser the authenticated session. If not, we say login/password incorrect. This means we do not store any logins/passwords/Z-Way session of your boxes.
How has it ended up that one got access to the box of another customer? Good question! It turned out that our passthru authentication daemon after improvements to support new server infrastructure was not initializing the memory and in some cases when entering wrong login and password a session from the last successful authenticated user was returned. Stupid bug that resulted in an awfully problem, agree!
As of today this issue is fixed. We did a lot of internal tests and are now ready to turn the service for public.
We apologize for the inconvenience caused and hope there were no harmful consequence for each of you. We hope that this trouble will not kill your trust in us. We will continue to make our best to provide you a good, robust, secure (and free as before) service.
Out Step 2 is an ongoing work. Security is our primary goal. We will comme up with this new technology around April-May as planned.
TLDR
We still don't store your data, if you don't trust us, you are always free to disable the remote access service and use your own way to access your box remotely.
Sincerely yours,
Poltorak Serguei
CTO at Z-Wave.Me
Many of you are IT experts so we believe it would be good to share some technical details with you.
You might have noticed that our remote access service called find.z-wave.me was not working well last months. The reason is a very fast growing number of users. We did a lot of work to heal the service, but just adding more resources to the server was not a solution. The intrinsic limitation of the technology used made it impossible to easily scale our infrastructure.
As a result we decided to follow two steps:
1) We change our infrastructure to scale it horizontally - means adding more servers. This was expected to be a fast solution.
2) Over time (in April-May 2018) switch to another technology we develop since July 2017.
Our Step 1 was expected this month. Last week we have made two test switches to our new servers, but pretty soon we realized that there is a security issue allowing to access boxes of other people. Some of you also noticed that and were gentle to drop us a note about this highly critical issue. Of course we turned the service down and switch back to the old robust and secure find.z-wave.me server.
This critical issue is fixed now and we would like to share with you how a small bug in our software ended up with a disaster.
As you know, we do not store any information on our find.z-wave.me server. Even hashes of your passwords are not stored. We only store public keys of your boxes to match them against your box ID to verify your box identity when you connect. This is to make useless to hack our servers. When you connect via Web or mobile apps, our server connects to your Z-Way via the tunnel and tries to login via the login and password you entered in the form. If successful, we send back to your browser the authenticated session. If not, we say login/password incorrect. This means we do not store any logins/passwords/Z-Way session of your boxes.
How has it ended up that one got access to the box of another customer? Good question! It turned out that our passthru authentication daemon after improvements to support new server infrastructure was not initializing the memory and in some cases when entering wrong login and password a session from the last successful authenticated user was returned. Stupid bug that resulted in an awfully problem, agree!
As of today this issue is fixed. We did a lot of internal tests and are now ready to turn the service for public.
We apologize for the inconvenience caused and hope there were no harmful consequence for each of you. We hope that this trouble will not kill your trust in us. We will continue to make our best to provide you a good, robust, secure (and free as before) service.
Out Step 2 is an ongoing work. Security is our primary goal. We will comme up with this new technology around April-May as planned.
TLDR
We still don't store your data, if you don't trust us, you are always free to disable the remote access service and use your own way to access your box remotely.
Sincerely yours,
Poltorak Serguei
CTO at Z-Wave.Me