Elk M1 + Homekit authentication bypass #20630
Comments
|
There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. |
|
Still a (serious) issue on 0.95.4 |
|
There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. |
|
This is still an issue. |
|
Yes, this is an issue. The root of the issue is that the ElkM1 has a bug (I believe). Sending an arm away will arm the panel. A second arm away will disarm. The panel should not disarm on a second arm away. I will raise this on the Elk Products forum and see what they say. A work around may be possible. I'll take a look. In the meantime, does requiring a code make any difference, or does HomeKit put the arming code in there for you? |
|
It's pretty normal behavior for an alarm to use the same code for arm/disarm. I assume that's the root of this behavior. I'm not sure how HomeKit works without the code, or if it does all. |
|
I thought there was an option to arm without a code. Disarm always requires a code... wondered if that might help. |
|
I couldn’t get easy arm to work with HomeKit.
… On Oct 24, 2020, at 7:25 PM, Glenn Waters ***@***.***> wrote:
I thought there was an option to arm without a code. Disarm always requires a code... wondered if that might help.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
|
What version of the ElkM1 do you have... I have posted a question on the ElkM1 forum and that's going to be their next question. Thx |
|
M1G Hardware 0.13, boot 3.3.6, firmware 5.3.8 (yes, old), voice 0.8. I
should probably try to update it. I can't find the M1XEP version in ElkRP.
…On Sat, Oct 24, 2020 at 9:39 PM Glenn Waters ***@***.***> wrote:
What version of the ElkM1 do you have... I have posted a question on the
ElkM1 forum and that's going to be their next question. Thx
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#20630 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABCEUVVSF4LMORSM2ADUWYDSMOFULANCNFSM4GTTKTSQ>
.
|
|
Here we go: M1XEP Bootware 2.0.4, Application 2.0.42
…On Sun, Oct 25, 2020 at 12:59 PM Jefferson Noxon ***@***.***> wrote:
M1G Hardware 0.13, boot 3.3.6, firmware 5.3.8 (yes, old), voice 0.8. I
should probably try to update it. I can't find the M1XEP version in ElkRP.
On Sat, Oct 24, 2020 at 9:39 PM Glenn Waters ***@***.***>
wrote:
> What version of the ElkM1 do you have... I have posted a question on the
> ElkM1 forum and that's going to be their next question. Thx
>
> —
> You are receiving this because you authored the thread.
> Reply to this email directly, view it on GitHub
> <#20630 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/ABCEUVVSF4LMORSM2ADUWYDSMOFULANCNFSM4GTTKTSQ>
> .
>
|
|
Thanks. I have added this in the note to ElkProducts. I will wait for their reply before deciding on what to do. FYI you can get the versions of both the panel and the M1XEP from Home Assistant. In the attributes of the panel object. |
This is a bump by two dot versions of the library. The 0.8.6 version had a number of internal improvements to the library. No external changes. The 0.8.7 version fixes #20630.
|
@jnoxon This will be fixed in the next HA release, 0.118. The code change doesn't change anything for me since I don't arm using HomeKit. It would be great that once you have tested this if you could drop a comment here. I did not know that this issue existed, I only found it when searching for something else. @bdraco Are issues now automatically tagged with the codeowners? |
|
You rock! Thanks so much for taking the time to do this. |
The bot does tag codeowners now. |
Home Assistant release with the issue:
0.86.3 (and all versions)
Last working Home Assistant release (if known):
Never
Operating environment (Hass.io/Docker/Windows/etc.):
Hass.io
Component/platform:
Elk-M1
https://www.home-assistant.io/components/elkm1/
Description of problem:
Sending an "arm" command to a currently armed system causes it to disarm. This should be treated as a no-op.
Because the M1 component will disarm the system if you arm it while it is already armed, linking it to a smart cylinder enables authentication bypass. Someone standing outside a home can yell at the cylinder through a closed door/window and disarm the burglar alarm.
Homepod (and presumably other voice-activated cylinders) treat locking/arming commands as commands that do not require user authentication. Conversely, disarming/unlocking commands do require user authentication. (The way Homekit specifically handles this is by requiring confirmation on a personal iOS device that's linked to the home.)
Problem-relevant
configuration.yamlentries and (fill out even if it seems unimportant):Traceback (if applicable):
Additional information:
The text was updated successfully, but these errors were encountered: