Aercus WeatherSleuth Weatherstation / MQTT / Security thoughts

I recently got my hands on an Aercus Weathersleuth Weatherstation. This is a fairly nice piece of kit.

One of its benefits is it can talk to the internet or an arbitrary server. A bit of poking around revealed it communicates by way of an HTTP post request which looks as follows –

http://ADDRESS.SPECIFIED.IN.CONFIG/weatherstation/updateweatherstation.php?ID=IDINCONFIG&PASSWORD=PWINCONFIG&tempf=64.8&humidity=79&dewptf=58.1&windchillf=64.8&winddir=48&windspeedmph=2.46&windgustmph=2.46&rainin=0.00&dailyrainin=0.00&weeklyrainin=0.00&monthlyrainin=0.00&yearlyrainin=0.00&solarradiation=152.45&UV=1&indoortempf=-9999&indoorhumidity=-9999&baromin=-9999&lowbatt=0&dateutc=20165-10-0%202:29:46&softwaretype=Weather%20logger%20V2.1.9&action=updateraw&realtime=1&rtfreq=5

On the back of this I wrote a trivial script (which does not yet do authentication) –

<?php

# Script to take data from Aecus weather station and convert to MQTT

# Stations is an array which defines the devices we accept.
# Format of each sub-array is “Name”,”Password”,”IP address”

#
# This script requires php-mqtt – see https://github.com/php-mqtt/client
# Acquired with “composer require php-mqtt/client”

 

$mqttserver = ‘MQTTSERVER’;
$mqttport = 1883;
$mqttClientID = ‘WeatherStnToMQTT01’;
$mqtttopic = ‘WeatherStation’;

# List of attributes not to send to MQTT
$DontPublish = array (‘ID’,’PASSWORD’);

require_once ‘vendor/autoload.php’;

$mqtt = new \PhpMqtt\Client\MQTTClient($mqttserver,$mqttport,$mqttClientID);
$mqtt->connect();

$PostedVals=$_REQUEST;
$StationID=$_REQUEST[‘ID’];

# Clean up array
$key=array_search(‘ID’,$PostedVals);
unset($PostedVals[$key]);
# $key=array_search(‘ID’,$PostedVals);
#unset($PostedVals[$key]);

print_r($key);
echo “<hr />”;

foreach ($PostedVals as $PostKey=>$PostVal)
{
# Ignore the following keys:
if (!in_array($PostKey,$DontPublish))
{
$topic=$mqtttopic.’/’.$StationID.’/’.$PostKey;
$mqtt->publish($topic,$PostVal,0);
}
}

$mqtt->close();

 

This script needs to be placed in (documentroot)/weatherstation/updateweatherstation.php – and (from the same path” composer require php-mqtt/client” needs to be run to install the MQTT library

 

On the version I got – software version 2.1 The security on this device is pretty much non-existent.  The web interface for the device can be accessed without a username or password, and telnet access username and password are both, by default admin.   Communication takes place on http (no obvious option for https).    The password to the publish to the webserver is sent as part of a request which will turn up in the servers log files. 

I guess publishing this to a local server at least means that to access the url someone needs to have breached the local network.