@bgmoon, thank you for bringing these security concerns to our attention. We are taking this very seriously and our entire team is working now at 2 and 4am on a Friday night/Saturday morning to fix the issues you have brought up.
First and foremost, there is no reason for us to believe that any of your personal data has been exposed at this time. You are correct though that the last OS (v3.0.8) was unintentionally sending plain-text home wifi credentials to the API. In the past, this sensitive information has been filtered at the Raspberry Pi level and never sent out over the network. The file responsible for logging and the filtering of sensitive information can be found here. Regretfully though, the filtering mechanism broke in that OS release.
The steps we are taking right now to remedy the situation are as follows:
- We are fixing the filtering mechanism in FarmBot OS so that this sensitive data can no longer leave the device.
- We have permanently deleted all of the logs of all users/devices of the web application so that we are no longer storing any erroneously uploaded home wifi credentials in our database.
- We are putting a mechanism in place on the API that prevents us from accepting or storing logs from old OS versions.
- We are implementing blacklist word filters for things like “psk” and “ssid” so that no logs containing this information are allowed to be transmitted or stored anywhere in the software stack outside of the device.
- We are putting a mechanism in place on the frontend of the web app that informs users they must update their OS in order for it to work with the web app.
As soon as we deploy these fixes I will post updates in this thread.
Regarding your other concerns:
The Privacy Policy that you linked to applies only to this forum and is the standard policy included with the free/open-source forum software we are using called Discourse. The users of this forum must agree to that policy to use the forum, and the data associated with user accounts on this forum is in accordance with that policy.
The Privacy Policy and the Terms of Service for using our free hosted version of the Web Application are linked to on the signup/login screen of the web application as well as the footer of our homepage. You can read them here:
- https://farmbot.io/privacy/
- https://farmbot.io/tos/
Note that we have provisions for storing essentially all FarmBot data that is entered into the web application and generated by the device itself including logs, sequences, regimens, events, crop searches, garden layout, photos, and sensor data. We store all of this information because the architecture of the FarmBot software ecosystem is such that the Web App/API is the arbiter of all the data. Also, in the event of a device failure, all data is still available in the cloud. If you do not accept the terms then you must no longer use our free hosted version of the web application. Instead you may run all of the software on your own private servers so that you have complete privacy of your data.
Currently we use a combination of cloud computing services from Heroku, Digital Ocean, and Google Cloud to run the FarmBot web application. Heroku hosts the web application and database, Digital Ocean hosts the MQTT broker, and Google Cloud is used to store the images taken by the FarmBot devices. While the images are stored on Google’s servers, they are not indexed by their search engine and thus they are not publicly searchable. So while your images are accessible via a URL that does not require login, the only way for someone to get the URL of any of your images is by either logging into the web app with your user account credentials or by you sharing the image’s URL. That is because the URLs include a UUID (this part: “8c8d4f45-e8a8-4ca2-bf8c-16dcf413444a”) which is a long and unique/random string that makes the URL virtually impossible to guess by an attacker.
While the image files can be accessed over http, FarmBotOS and the web app are configured to only upload and download images over https. Furthermore, all other features of the app (syncing, saving, etc) are performed over secure connections as well.
Again, we thank you for bringing these issues to our attention and helping us improve this new technology for everyone. I will be updating this thread with more information as soon as we deploy fixes across the software stack.
To better protect our community moving forward, we have published a page on our website detailing how to responsibly disclose security concerns. We will include a link to this page on all of the software repository README files and create a page on our software documentation hub as well. Once the dust settles I also plan to write up a blog post that fully discloses this event and our response to it.
Thanks,
Rory and the entire FarmBot team
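For readers following the remediation steps above, here is an added illustration (not FarmBot's own code) of the two server-side controls described: a blocklist filter for keys such as "psk" and "ssid", and rejection of log uploads from OS versions older than the fixed release. The key list beyond psk/ssid, the 3.0.9 cutoff, the function names and the sample log lines are assumptions constructed for the example.

```ruby
require "rubygems" # for Gem::Version (already loaded by default in Ruby)

# Keys whose values must never leave the device or be stored by the API.
# "psk" and "ssid" come from the post; the other two are assumed extras.
SENSITIVE_KEYS = %w[psk ssid password passphrase].freeze
KEY_ALT = SENSITIVE_KEYS.map { |k| Regexp.escape(k) }.join("|")

# Key must stand alone: "wpa_psk" counts, "ssids" does not (case-insensitive).
KEY_RE   = /(?<![a-z0-9])(#{KEY_ALT})(?![a-z0-9])/i
# Same key followed by a separator and a value: psk=x, psk: x, "psk": "x".
VALUE_RE = /(?<![a-z0-9])(#{KEY_ALT})(["']?\s*[:=]\s*["']?)([^"',\s}]*)/i

# Assumed cutoff: the post says v3.0.8 leaked credentials, so logs are
# only accepted from the next release onwards.
MIN_OS_VERSION = Gem::Version.new("3.0.9")

# True when a log line mentions any blocklisted key at all.
def contains_sensitive_key?(line)
  line.match?(KEY_RE)
end

# Replaces the value attached to each sensitive key with [REDACTED],
# keeping the key and separator so the line stays readable.
def redact(line)
  line.gsub(VALUE_RE) { "#{$1}#{$2}[REDACTED]" }
end

# Decides what the API does with one uploaded log entry:
#   :reject - OS version missing, malformed, or older than the fix
#   :drop   - entry mentions a sensitive key; never stored
#   :store  - entry is safe to persist
def classify_log(os_version, message)
  return :reject unless os_version && Gem::Version.correct?(os_version)
  return :reject if Gem::Version.new(os_version) < MIN_OS_VERSION
  return :drop if contains_sensitive_key?(message)
  :store
end

# Constructed sample uploads, one per outcome.
SAMPLE_UPLOADS = [
  ["3.0.8", "Connected to network"],                 # old OS -> :reject
  ["3.0.9", 'wifi: {"ssid": "Home", "psk": "s3cret"}'], # leaks -> :drop
  ["3.1.0", "Moved to x=100 y=200 z=0"],             # fine   -> :store
].freeze

SAMPLE_UPLOADS.each do |version, msg|
  puts "#{version.ljust(6)} #{classify_log(version, msg)}  #{redact(msg)}"
end
```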