Adapter Shield C6 security?

[IngoSchroeder]

Hello everybody,

I am just starting with ebusd, so please be patient. (Yes, I tried to answer my question by searching the documentation and the discussion board...)

I have got a Shield C6 adapter (flashed to Build 20250120) which currently joins my IOT WLAN. Connection to ebusd with device "ens:HOST:9999" works, too. I enabled credentials/password für HTTP(S) within the adapter for the web interface. So far, so good.
However, I am concerned about security. The adapter bridges between ebus and (w)lan/internet. So, potentially, someone who gets access to the local network can - without any further efforts - connect via ens:HOST:9999 to the adapter and control (and possibly damage) the heating etc.

I would feel better if there were any kind of authorization and/or encryption between the adapter and ebusd. Has this issue been addessed already? Or am I missing something obvious?

Thanks for any help!
Greetings,
Ingo

[andreiandreiandreiandreiandrei]

Hi,

C6 is just an ESP32, so traffic encriptyion, probably, is not it's main purpose. I don't know if it can keep up with ebusd message as it could be very verbose.

Being on wireless is pretty complicated to secure as it is always a possibility somebody to connnect Shield. Better options would be wired connections. You have options:

1. connect with USB to shield
2. connect with uart, like using a raspberry py (upside down on it's 40-pin) => this option does not work with HAOS, but you could use docker or supervised version. Please consider vote the implementation of the feature in HAOS here: https://community.home-assistant.io/t/rpi5-enable-uart-on-gpio14-gpio15-on-dev-ttyama0/838011
3. install an ethernet module on the shield and isolate the shield from the rest of the internal network
   See options at https://adapter.ebusd.eu/v5-c6/index.en.html#variants

[IngoSchroeder]

Hi,
thank you for your reply!
That's almost what I expected. I was wondering because the C6's web interface has user/password protection and even TLS/HTTPS. Isn't it kind of useless to protect the web interface of the C6 and allow access to the ebus without any authorization? Well, when someone evil takes over my heating, he at least can't control the C6 ;-)
I think I will go with option 1 (although that means to move a pi from room A to room B.
Thank youn again.
Greetings
Ingo

[Koky05]

@IngoSchroeder I use web interface to remote check of my eBus Adapter, it is tunneled via CloudFlare into my own domain and can be for example used to update from work if need. Other communication to adapter is blocked by firewall so if someone connect to my network and did not replace my source IP address with his device router will block that type of communication.

[IngoSchroeder]

Smart!