Whenever I remote connect to Picroft this message appears when I start the session.
“CAUTION: The Mycroft bus is an open websocket with no built-in security
measures. You are responsible for protecting the local port
8181 with a firewall as appropriate.”
I inspected Picroft open ports a bit and there seem to be only two open ports: 22 for ssh (obviously) and 8181. I was wondering what port 8181 is used for in Picroft.
Mycroft’s Message bus is exposed on port 8181 by default.
You can connect to port 8181 using a websocket client to remotely send commands to the Mycroft cli. See this thread:
My main objective in adopting MyCroft across the home is to provide a customised, on-prem voice control method for use with my home automation platform (HomeSeer in my case).
One key requirement of this is to be able to perform text-to-speech audio announcements that are triggered from home automation events. Examples include announcing when the letterbox has been opened, or that the washing machine has finished its cycle.
Using the mycroft-cli-client I can of course issue comma…
Okay so from what I gather it means that when the utterances come back from the Mycroft AI cloud they are sent back through port 8181 on my Picroft which broadcasts them to the message bus.
The utterance will be then matched to an intent by the intent handler and Adapt in the Skills process and then the skill will fire up.
Is this right?! My explanation above tries to relate to the video that @steve.penrod posted on YouTube some time ago. Here is the link to it but I am sure you are all familiar with it.
Does that mean that if I close that port Mycroft will not be able to communicate with the cloud?!
messagebus has nothing to do with the cloud, thankfully
the messagebus is what connects internal components of mycroft, it should always be closed / firewalled! It has a grand total of 0 security measures built in
Any device on your network can fully control your mycroft if 8181 is open
Any device on your network can spy on everything happening in mycroft if 8181 is open
If someone needs to access messagebus externally please use the HiveMind, why?
https (self signed, vulnerable to MiTM, protects against passive attacks)
AES encryption (protects against MiTM)
Authentication (Api_key needed)
messages segregated by user (user A does not get messages meant for user B)
@JarbasAl thank you for all the details! It is really cool to learn about this tool for remote control. Definitely an interesting discovery regarding the 8181 vulnerability.
As much as I would like to know that this source code vulnerability has been addressed and it is not feasible now, I cannot help but think about what you said at the top of your post about “Any device on your network can fully control your mycroft if 8181 is open”.
How could Mycroft run without this port?! How can we make sure that this port is secured?! And also concerning my previous post, which is not the part of Mycroft architecture that interacts with the cloud?!
You can install and activate a firewall. I'll recommend ufw.
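To check whether the messagebus described above is actually reachable from the LAN before and after firewalling, here is an added example (not code from this thread, from Mycroft or from ufw) that classifies the bus's exposure from `ss -ltn` / `netstat -ltn` output; the sample socket tables and the `bus_exposure` helper name are constructed for the example, and the ufw rules in the comments are the standard ones for "allow ssh, deny everything else inbound".

```shell
#!/bin/sh
# Added example, not code from the thread or from Mycroft: classify how the
# Mycroft messagebus (TCP 8181 by default) is exposed, from `ss -ltn` or
# `netstat -ltn` output. Prints one of: closed, local-only, exposed.
bus_exposure() {
    listen_text="$1"        # socket table text, one listening socket per line
    port="${2:-8181}"       # port to look for; the bus uses 8181 by default
    printf '%s\n' "$listen_text" | awk -v port="$port" '
        {
            # Column 4 of both ss and netstat output is "local-address:port".
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(port) - 1)
            # Loopback bindings are reachable from the Pi itself but not from the LAN.
            if (host == "127.0.0.1" || host == "[::1]" || host == "::1") {
                seen_local = 1
            } else {
                seen_exposed = 1   # 0.0.0.0, *, [::] or a real interface address
            }
        }
        END {
            if (seen_exposed)    { print "exposed" }
            else if (seen_local) { print "local-only" }
            else                 { print "closed" }
        }'
}

# Constructed sample of `ss -ltn` on a default Picroft: ssh and the bus on every interface.
SAMPLE_DEFAULT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    0.0.0.0:8181      0.0.0.0:*
LISTEN 0      128    [::]:22           [::]:*'

# Constructed sample where the bus listens on loopback only.
SAMPLE_LOCAL='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    127.0.0.1:8181    0.0.0.0:*'

# The firewall fix the thread points to, run on the Picroft itself (ufw):
#   sudo ufw default deny incoming   # drop unsolicited inbound traffic
#   sudo ufw allow 22/tcp            # keep ssh reachable
#   sudo ufw enable                  # 8181 no longer answers from the LAN; loopback is
#                                    # untouched, so Mycroft's own components still reach the bus
# On the Pi itself, classify the live socket table with: bus_exposure "$(ss -ltn)"

bus_exposure "$SAMPLE_DEFAULT"    # exposed
bus_exposure "$SAMPLE_LOCAL"      # local-only
```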
Here’s the main (most read) topic on Mycroft Security: