Password protect Blink when accessing from PC on network?

My Nissan Leaf Forum

ehuna

When browsing the Blink from a PC on the network, is there any way to put a password on the whole site? I know about "Settings > Change Device PIN" and "Settings > Change Intranet Password", but these only protect some pages, particularly when a change is being made.

I would like to access the main screen or the stats from outside of my home - I can easily deal with NAT rules on my firewall and I have a public DNS entry for my house - but I don't want anyone to be able to access the non-protected screens.

Update 8/13: I found an easy way to do it and blogged about it here -

How to securely access your Blink electric car charger from outside your home, using a proxy server (CCProxy)
http://blog.ehuna.org/2011/08/how_to_securely_access_your_bl.html

Good times!
 
ehuna said:
When browsing the Blink from a PC on the network, is there any way to put a password on the whole site? I know about "Settings > Change Device PIN" and "Settings > Change Intranet Password", but these only protect some pages, particularly when a change is being made.

I would like to access the main screen or the stats from outside of my home - I can easily deal with NAT rules on my firewall and I have a public DNS entry for my house - but I don't want anyone to be able to access the non-protected screens.

I'm not aware of a password other than the Intranet password.

I used a unique port number in my firewall that routes to port 80 on the Blink.

If I type in http://myipaddress:6789 , my firewall routes it to my Blink's internal IP address with port 80.

Think of it as a password 'Lite'. Choose a number that very few, or nobody, uses.

Here is the 'official' list of port numbers in use.
http://www.iana.org/assignments/port-numbers
 
Assigning it a random port is a swell idea, but I wouldn't call it something as promising as "password lite".
Any adversary is going to have something like 'nmap' which will just list out your ports anyway.
Seriously, it accomplishes nothing at all. It's totally transparent.


The best way to protect your Blink is to put it behind a firewall, and allow NO direct inbound access to it.
Then create an SSH gateway on one of your machines, or the router. Use strong authentication on that, and from that tunnel connect to the Blink or any of your internal machines. So you have a hard exterior login that you can secure.

Normally, I'd say this is paranoid overkill for most home networks.

However, remember that the Blink is running a full Linux system, with remote incoming connections possible. It's also been proven to be poorly-written hacked together code, with no rigorous security audit.

I'd sooner browse, download, and install random Russian torrents than allow inbound access to the Blink through the firewall. I'm even suspicious of its outbound activity, with the thought that it could be hijacked and converted into a bot or attack launchpad inside my network.

Remember that it has WiFi, ethernet, Zigbee, and Cellular(!) connectivity. That's a lot of surface area to work with.
 
I found a good way to do it through a proxy server running on windows - here are the details if anyone is interested -

1. Download CCProxy
http://www.youngzsoft.net/ccproxy/proxy-server-download.htm
(3 user version is free)

2. Install CCProxy
I installed it on a netbook I run all the time (low power)
This netbook is running all the time, we use it for Zwave home automation - note that you'll need a machine running CCProxy to access your Blink from the outside of your house.

3. Configure the proxy server - http (turn off any protocols you won't use such as FTP, mail, dns, etc...)
Choose a random port, like 3843
Make sure you set up authentication - username/password is a minimum, username/password + IP or MAC address even better

5. Sign up for a free http://dyn.com/dns/ account, make sure you can resolve your home IP from the outside

6. Update your router/firewall to map port 3843 to the computer where CCProxy is running
Update your router/firewall to update your external IP on dyndns.com (or run the windows client)

7. Test it out - make sure you can use your new proxy server from outside of your house
I like to use Firefox, since it allows me to set up a proxy just for Firefox, not for my whole system
Use your external IP address (or dyndns.org address you set up in step 5) and the port you set up in step 3.

Now here's the magic to access the Blink -

8. Use CCProxy's "Port Map" feature: Options > Check "Port Map" > Edit
Destination Host: 192.168.1.123 (whatever your INTERNAL Blink IP address is)
Destination Port: 80
Port Type: HTTP
Local Port: 80

Now from work, or from anywhere outside your house, set up Firefox (or any other browser) to use your home proxy - type "http://192.168.1.123" in your address bar, enter the username/password you set up in step 3 - and that's it! You can now use the Blink web interface in a relatively safe way from anywhere in the world!
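
The idea common to the last two posts (one authenticated front door, with the Blink reachable only through it), as an added Python example that is not from the thread and is not CCProxy's code: FakeBlink stands in for the charger's open status page, and make_gateway rejects any request without the right credentials before it reaches the backend. All names, the credentials and the loopback ports are constructed for the demo.

```python
import base64, hmac, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

USER, PASSWORD = "demo", "constructed-demo-password"  # constructed values
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args): pass  # silence per-request logging
    def reply(self, status, body=b"", headers=()):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class FakeBlink(Quiet):
    """Stand-in for the charger: hands its status page to anyone who asks."""
    def do_GET(self):
        self.reply(200, b"Blink status: charging")

def make_gateway(backend_url):
    class Gateway(Quiet):
        def do_GET(self):
            supplied = self.headers.get("Authorization", "").encode()
            # Constant-time compare, and reject before contacting the backend.
            if not hmac.compare_digest(supplied, basic(USER, PASSWORD).encode()):
                return self.reply(401, headers=[("WWW-Authenticate", 'Basic realm="blink"')])
            with OPENER.open(backend_url + self.path, timeout=5) as r:
                self.reply(200, r.read())
    return Gateway

def serve(handler):
    """Start a server on a free loopback port and return its base URL."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}"

def fetch(url, auth=None):
    """GET url, optionally with an Authorization header; return (status, body)."""
    req = urllib.request.Request(url, headers={"Authorization": auth} if auth else {})
    try:
        with OPENER.open(req, timeout=5) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()
```

HTTP Basic credentials are base64-encoded, not encrypted, so over plain HTTP anyone on the path can read them; across the internet the gateway needs TLS or an SSH tunnel in front of it. The firewall rule should forward only to the gateway, since the backend itself still answers anyone who can reach it.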
 