Kohler doesn't even bother encrypting the web control panel for their residential generators

FlyingPenguin
Joined: Wed Nov 22, 2000 11:13 am


Post by FlyingPenguin

I have a Kohler whole house generator on my new house, and it can be connected to the Internet to allow remote monitoring and have it send text and email alerts. I originally wasn't going to do this because I doubt it's very secure, but there's no easy way to access the physical control panel on the generator without taking the cover off.

After having the battery die 3 weeks after the generator was set up because the tech forgot to turn on the breaker for the battery charger, I decided to connect it to the Internet. At least this way I can get texts and email alerts about the generator status, and easily monitor its condition.

I put it on an untrusted LAN segment I reserve for the very few IoT devices I use. The generator, like most IoT stuff, talks to a cloud server that I can log into to control and monitor the generator.

To my horror, I noticed the other day, that when logging into the web control panel, the session is NOT encrypted. I'm not certain if it was always like that - I usually notice things like that. Right now though, there is no HTTPS page. Even manually forcing HTTPS in the URL forwards to the HTTP page.

And I'm not talking about just the logon. THE WHOLE CONTROL PANEL PAGE IS UNENCRYPTED. So my password is being sent out totally in the clear, and the whole session is in the clear (running in Flash, no less, to add insult to injury).

You have to realize that you can do a LOT of things from this control panel that directly affect the generator, like start and stop the generator and change the exercise schedule. In the screenshot below you'll see I'm logged in without any encryption. (I've redacted the generator's serial number.)

I have sent Kohler a feedback message complaining about this, but I am sure they will blow me off and assure me that it's super secure, but I'm hoping someone accidentally misconfigured a server and that it can be made secure again.

I will likely disconnect the generator from the network, convenient as this is, if it stays this way, as this is way too much of a security risk.


[Image: screenshot of the control panel session, logged in over plain HTTP]

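A small check for the behaviour the post describes (forcing HTTPS in the URL and ending up on an HTTP page), added here as an example and not part of the original post or of any Kohler software. The hostnames are placeholders; `probe()` walks a live URL hop by hop, while `find_downgrade()` works on a recorded chain, so the constructed sample runs offline.

```python
# Added example (not from the post): detect an HTTPS -> HTTP downgrade in a
# redirect chain, the behaviour described above. Hostnames are placeholders.
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener


class NoRedirect(HTTPRedirectHandler):
    """Refuse to follow redirects so each hop can be recorded separately."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def next_hop(url, status, location):
    """Resolve the Location header against the current URL; None if not a redirect."""
    if status in (301, 302, 303, 307, 308) and location:
        return urljoin(url, location)
    return None


def find_downgrade(chain):
    """First https->http hop as (from_url, to_url) in a list of
    (url, status, location) tuples, or None if no hop leaves HTTPS."""
    for url, status, location in chain:
        target = next_hop(url, status, location)
        if target and urlsplit(url).scheme == "https" \
                and urlsplit(target).scheme == "http":
            return (url, target)
    return None


def probe(url, max_hops=5, timeout=5):
    """Walk a live URL hop by hop (TLS verification left at its default)
    and return the chain in the shape find_downgrade() expects."""
    opener = build_opener(NoRedirect)
    chain = []
    for _ in range(max_hops):
        try:
            resp = opener.open(Request(url), timeout=timeout)
            status, location = resp.status, resp.headers.get("Location")
        except HTTPError as e:  # urllib raises on the 3xx we refused to follow
            status, location = e.code, e.headers.get("Location")
        except URLError:
            break
        chain.append((url, status, location))
        url = next_hop(url, status, location)
        if url is None:
            break
    return chain


# Constructed chain reproducing the pattern in the post, on a placeholder host.
SAMPLE_CHAIN = [
    ("https://panel.example.invalid/login", 302, "http://panel.example.invalid/login"),
    ("http://panel.example.invalid/login", 200, None),
]
```

Run `find_downgrade(probe("https://your-panel-host/"))` to check a real panel; any non-None result means the login page is reachable only over plain HTTP despite the HTTPS URL.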