Plugwise disassembled

Plugwise Forum about Plugwise devices and the Source software.
Post Reply
User avatar
Codeblack
Starting Member
Starting Member
Posts: 46
Joined: Fri Dec 11, 2009 4:02 pm
Location: Netherlands
Contact:

Plugwise disassembled

Post by Codeblack »

In this post a while back, I read .NET must be installed for the Source to run. You might be using it already, but I just thought I'd mention a great (& free) reverse-engineering tool for .NET: Reflector. It will disassemble a .NET assembly and show it in a selected .NET language like C# or VB.NET. I use it quite often, even to reverse engineer the actual .NET assemblies :P. The code itself is often more helpfull then MSDN or other documentation. It won't work if the code has been obfuscated though. Which might be the case here, but you could give it a try.
User avatar
Codeblack
Starting Member
Starting Member
Posts: 46
Joined: Fri Dec 11, 2009 4:02 pm
Location: Netherlands
Contact:

Re: Plugwise disassembled

Post by Codeblack »

After reading the thread about plugwise stealing data, I decided to have a try with Reflector myself. Haven't purchased plugwise yet, but downloaded the setup and installed the Source to be able to look inside the code.
And the good News is that I haven't found any obfuscated code, so with Reflector all the Plugwise source is open & readable. Haven't checked everything, but for communication with the circles, I think most of the code will be in Plugwise.HAL.dll.
The bad News is that, as far as I can see, it is still uploading usage data every chance it gets...
Darwusch
Member
Member
Posts: 164
Joined: Sun Dec 21, 2008 10:25 pm
Location: Netherlands

Re: Plugwise disassembled

Post by Darwusch »

I have found out how to disable the uploading in the code but I'm not sure we want to do this. This would be cracking the code and I think we would damage our good relationship with Plugwise if we publish information about it.
Tiz
Member
Member
Posts: 146
Joined: Tue May 19, 2009 12:21 pm
Location: Netherlands

Re: Plugwise disassembled

Post by Tiz »

So, you share this discovery with us because......?
Mathijs
Digit
Global Moderator
Global Moderator
Posts: 3388
Joined: Sat Mar 25, 2006 10:23 am
Location: Netherlands
Contact:

Re: Plugwise disassembled

Post by Digit »

@Codeblack: i am very interested in the "anonymity" of the uploads. Any info on that?
@darwusch: then don't post it. The "special discount" topic is nr.1 on the list of most read, it seems saving a few bucks is more important to most of the members. So not everybody will like seeing their good relation possibly being harmed. Lets keep it that way. At least on this forum...
@Tiz: the reason is quite obvious to me...
User avatar
Codeblack
Starting Member
Starting Member
Posts: 46
Joined: Fri Dec 11, 2009 4:02 pm
Location: Netherlands
Contact:

Re: Plugwise disassembled

Post by Codeblack »

As far as I can tell from the code, I'm sure no personal information is uploaded during the data-upload. But if this makes the 'upload-scheme' anonymous, I'm not so sure.

I've found two settings that are used during the uploading of the data: one about sending the data and one about sending 'info'. When sending data is turned off, no data is uploaded at all. I haven't checked if this setting is actually changeable by a user, but I'm sure anyone with a license can verify this (my version is v2.0.3458.34153). When info is turned off, the data is sent but the contents of any Name field is replaced with the ID of the corresponding object.

So, no actual personal information is sent during the data-upload. But as you can see in Digit's xml-dump that still leaves quite some information. Without the Name field, the Type and Description field remain to provide enough information to determine what the data is all about. Depending on what you've entered for each module of course. But obfuscating names & descriptions of appliances, modules, rooms and groups so Plugwise (or any other party involved) can't determine your personal situation is solving the wrong problem IMHO.

To make matters worse, the xml-dump in Digit's post only shows the upload request. The program sends this message first, after which it receives a response from the portal that tells it what data to send (a list of appliance-id's and the date of the first log item to send). In the next message, the actual data upload, the program not only sends a list of appliances along with the logged usage information beginning at the requested date/time, but also all the modules, groups, rooms, schedules, schedule-items from the database together with all the relations between these tables. The contents of 15 tables from the database are send to the portal. In fact, the only things NOT being send are the tables containing the settings, personalinfo, network and translations.

Since I don't have a license, I'm not able to actually run the program, see the user interface and sniff the messages to see what they actually contain. Would be nice to see a complete upload-sequence, including the request, the response and the actual data-upload.

I guess the question now is: how bad is this? What do we actually mean with anonymous? Does an ID instead of a Name make the data anonymous enough? How do we know the IP used when sending data isn't matched with e.g. the IP used while registering, validating the license or checking for updates? Do we trust Plugwise? And the other party/parties involved?
Personally, I'm not too worried about the contents of the upload itself. I don't think that knowing that my fridge is in my basement, what I call it when I'm alone with it, what it's usage and schedule is, is dangerously usefull for anyone without having my personal information.
My first problem is actually the fact that it's not clearly communicated and the reaction from Plugwise, when challenged (although I'm not sure if the posts here from Reinder should be considered an official reaction from Plugwise).
Secondly I have a problem with other parties having control over my privacy. I know privacy is a somewhat dated concept, but how should I trust a company that is trying to hide it's true purpose? And what's that about they let another company gard our data? That only makes me more ancious to keep the data to myself. I have done enough IT projects and seen the inside of my share of companies and serverrooms. I'm sure (or at least I hope) our data is save in most cases, but a procedure on paper saying a database administrator should only look at the server and data structure, not at the data contents, can't prevent him from looking.

What worries me most, is the fact that the data apparently is worth so much more then the actual hardware/software. I'm not sure if the plugs would really be 3 times more expensive (according to Reinder [url=p16599http://www.domoticaforum.eu/viewtopic.php?f=39 ... 105#p16648]here[/url] and here), but the balance is way out of whack.

Well, I'm done rambling. Sorry for taking so long :P.
Please don't be put off or 'be against' Plugwise on my account. Worry or don't, but make up your own mind. I haven't had the pleasure of trying them out myself, according to plenty of comments on this forum they work pretty good.
Post Reply

Return to “Plugwise Forum”