Why are you collecting and storing sensitive data?

OK, so I’ve got my farm bot up and running now. I went to the webapp and noticed that you are retaining server logs. I had a look at those logs and was shocked that you have recorded and present in clear text my WiFi credentials for my local network.

This is not only unacceptable, it’s a clear violation of your stated security and data retention policy. You say you only keep our login user names and IP addresses and email address, but clearly you have captured sensitive information from my home network that I’m not comfortable trusting you with given the rather lightweight security practices I’m observing with your web service. Here’s an X’d out example of the type of info you are retaining in that log:

Nerves.WpaSupplicant: sending ‘SET_NETWORK 0 key_mgmt XXXXXXX
1:20 am
Nerves.WpaSupplicant: sending ‘SET_NETWORK 0 psk “XXXXXXXXX”’
1:20 am
Nerves.WpaSupplicant: sending ‘SET_NETWORK 0 ssid “XXXXXXXXX”’
1:20 am

Searching those logs I was able to also see images captured from my network, in the clear, on a Google datacenter. Here’s an example of an image that you captured and put into a public place without my permission:

http://storage.googleapis.com/farmbot-production/temp1/8c8d4f45-e8a8-4ca2-bf8c-16dcf413444a.jpg

You will note that neither HTTPS nor any login is even required to view these images, and since they are on Google they will get indexed and all sorts of things that you cannot control.

This again seems to be a violation of your policy.

<FWIW, I’ve worked in the networking industry for over 20 years and have massive security and IoT experience. I could drive a Mack truck through your security so please get serious about this before your world caves in on you and your customers.>

1 Like

@bgmoon, thank you for bringing these security concerns to our attention. We are taking this very seriously and our entire team is working now at 2 and 4am on a Friday night/Saturday morning to fix the issues you have brought up.

First and foremost, there is no reason for us to believe that any of your personal data has been exposed at this time. You are correct though that the last OS (v3.0.8) was unintentionally sending plain-text home wifi credentials to the API. In the past, this sensitive information has been filtered at the Raspberry Pi level and never sent out over the network. The file responsible for logging and the filtering of sensitive information can be found here. Regretfully though, the filtering mechanism broke in that OS release.

The steps we are taking right now to remedy the situation are as follows:

  1. We are fixing the filtering mechanism in FarmBot OS so that this sensitive data can no longer leave the device.
  2. We have permanently deleted all of the logs of all users/devices of the web application so that we are no longer storing any erroneously uploaded home wifi credentials in our database.
  3. We are putting a mechanism in place on the API that prevents us from accepting or storing logs from old OS versions.
  4. We are implementing blacklist word filters for things like “psk” and “ssid” so that no logs containing this information are allowed to be transmitted or stored anywhere in the software stack outside of the device.
  5. We are putting a mechanism in place on the frontend of the web app that informs users they must update their OS in order for it to work with the web app.

As soon as we deploy these fixes I will post updates in this thread.

Regarding your other concerns:

The Privacy Policy that you linked to applies only to this forum and is the standard policy included with the free/open-source forum software we are using called Discourse. The users of this forum must agree to that policy to use the forum, and the data associated with user accounts on this forum is in accordance with that policy.

The Privacy Policy and the Terms of Service for using our free hosted version of the Web Application are linked to on the signup/login screen of the web application as well as the footer of our homepage. You can read them here:

  • https://farmbot.io/privacy/
  • https://farmbot.io/tos/

Note that we have provisions for storing essentially all FarmBot data that is entered into the web application and generated by the device itself including logs, sequences, regimens, events, crop searches, garden layout, photos, and sensor data. We store all of this information because the architecture of the FarmBot software ecosystem is such that the Web App/API is the arbiter of all the data. Also, in the event of a device failure, all data is still available in the cloud. If you do not accept the terms then you must no longer use our free hosted version of the web application. Instead you may run all of the software on your own private servers so that you have complete privacy of your data.

Currently we use a combination of cloud computing services from Heroku, Digital Ocean, and Google Cloud to run the FarmBot web application. Heroku hosts the web application and database, Digital Ocean hosts the MQTT broker, and Google Cloud is used to store the images taken by the FarmBot devices. While the images are stored on Google’s servers, they are not indexed by their search engine and thus they are not publicly searchable. So while your images are accessible via a URL that does not require login, the only way for someone to get the URL of any of your images is by either logging into the web app with your user account credentials or by you sharing the image’s URL. That is because the URLs include a UUID (this part: “8c8d4f45-e8a8-4ca2-bf8c-16dcf413444a”) which is a long and unique/random string that makes the URL virtually impossible to guess by an attacker.

While the image files can be accessed over http, FarmBotOS and the web app are configured to only upload and download images over https. Furthermore, all other features of the app (syncing, saving, etc) are performed over secure connections as well.

Again, we thank you for bringing these issues to our attention and helping us improve this new technology for everyone. I will be updating this thread with more information as soon as we deploy fixes across the software stack.

To better protect our community moving forward, we have published a page on our website detailing how to responsibly disclose security concerns. We will include a link to this page on all of the software repository README files and create a page on our software documentation hub as well. Once the dust settles I also plan to write up a blog post that fully discloses this event and our response to it.

Thanks,

Rory and the entire FarmBot team

2 Likes

Here is the progress we have made in the last 12 hours:

  1. We published a new version of FarmBot OS last night, v3.1.0, that fixes the logger file. You can download the new OS here if you would like to re-flash your device, or you can use the FarmBot OS update button on the web app’s device page, under the device widget. You can also view the latest commits (changes) to the code here. We did testing last night on both brand new devices and devices that underwent an update from an old OS and both have sanitized logs without the sensitive information in them.
  2. We deployed a mechanism to the API that prevents us from accepting and storing logs from devices with an OS version below 3.1.0. Note: communication will still work between the web browser and the device so it is possible for sensitive information to still leave the device that is running an old OS version. But that information will not be stored on our servers - it will only be shown in the web browser and once the user closes their tab it will become unavailable. Once old OSs update to 3.1.0, their logs will again be able to be stored on the API. You can see the latest commits to the API repository here.
  3. We added a toast notification to the frontend which checks the OS version number and informs the user they must update if the version is below 3.1.0. See the changes here.
  4. After deploying the updates we deleted all of the logs (again) in our database to ensure that we are not storing any erroneously uploaded sensitive information.

Please let us know if these updates work for you. We will continue to put security measures in place over the coming days including the blacklist word filters, and updates to all the repository README files for how to responsibly disclose software concerns.

We thank you again for working with us to improve the FarmBot software for everyone.

4 Likes
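As an added example, not FarmBot’s own code (the device logger is Elixir and the API is Rails; this is a stand-alone Ruby sketch of the same logic), here are the two API-side controls from the remedy steps in the reply above and the progress update: a version gate that refuses logs from OS versions below 3.1.0 and a blacklist that refuses any log line carrying psk/ssid values, plus a device-side redactor for the wpa_supplicant lines quoted at the top of the thread. The entry format (a Hash with "os_version" and "message") and the sample log lines are assumptions constructed for the example.

```ruby
MIN_OS_VERSION = [3, 1, 0].freeze

# wpa_supplicant SET_NETWORK commands carry ssid, psk and key_mgmt
# (the lines quoted at the top of the thread); the second pattern
# catches the same fields written as psk=... or ssid "..." elsewhere.
SENSITIVE_PATTERNS = [
  /SET_NETWORK\s+\d+\s+(?:psk|ssid|key_mgmt|identity|password)\b.*/i,
  /\b(?:psk|ssid)\b\s*[=:]?\s*["']?[^"'\s]+/i
].freeze

# "v3.1.0" or "3.1.0" -> [3, 1, 0]; nil when missing or malformed,
# and the gate treats nil as too old rather than letting it through.
def parse_version(str)
  m = str.to_s.match(/\A\s*v?(\d+)\.(\d+)\.(\d+)/)
  m && m.captures.map(&:to_i)
end

def os_version_accepted?(str)
  v = parse_version(str)
  !v.nil? && (v <=> MIN_OS_VERSION) >= 0
end

def sensitive?(message)
  SENSITIVE_PATTERNS.any? { |re| message.to_s.match?(re) }
end

# Device-side redaction: strip the credential-bearing fragment before
# the line reaches anything that leaves the device.
def redact(message)
  SENSITIVE_PATTERNS.reduce(message.to_s) { |m, re| m.gsub(re, '[REDACTED]') }
end

# API-side decision: :rejected_version, :rejected_sensitive or :stored.
def classify_log(entry)
  return :rejected_version unless os_version_accepted?(entry['os_version'])
  return :rejected_sensitive if sensitive?(entry['message'])
  :stored
end

# Constructed sample entries mirroring the thread's log lines (assumed format).
SAMPLE_LOGS = [
  { 'os_version' => '3.0.8', 'message' => %q(Nerves.WpaSupplicant: sending 'SET_NETWORK 0 psk "hunter2"') },
  { 'os_version' => '3.1.0', 'message' => %q(Nerves.WpaSupplicant: sending 'SET_NETWORK 0 ssid "HomeNet"') },
  { 'os_version' => '3.1.0', 'message' => 'Firmware: moving to X=100 Y=200 Z=0' }
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LOGS.each { |e| puts "#{classify_log(e)}: #{redact(e['message'])}" }
end
```

Rejecting a whole entry on the API side, rather than storing a redacted copy, matches the thread’s stance that credential-bearing lines should never be retained off the device at all.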

I am impressed with your response and really glad you see this as important. I wish more companies handled things like this.

5 Likes

Hey Fluffy, long time no see 🙂

I agree. I’ve posted several issues on these forums and I’ve been very impressed with how responsive Rory and the whole FarmBot team have been at addressing issues honestly and quickly. It’s a very good sign for great things to come.

1 Like