Discontinuation of MyQ Connect Community SmartApp


#201

This may be wishful thinking, but if I had to guess, I’d guess Chamberlain is tightening things up in preparation for HomeKit compatibility for some models.

It looks likely that that is going to require an additional bridge, and that the compatibility will probably be limited to some of the WF remote models.

But Apple has reiterated their insistence that there can’t be open access to an HK-compatible device. Yonomi just had to drop support for the Schlage Sense this month because the integration didn’t comply with HomeKit security requirements.

This is the opposite of the “overpermissioning” issue that was brought up in the recent security review of SmartThings. Apple is limiting access permissions to the minimum required for specific use case functionality.

It may be completely unrelated, but the timing seems more than coincidental.


(Glen King) #202

Yeah, the HomeKit link is what I was thinking too.
For lots of companies, this could be considered a no-brainer. Why mess with ST and its community in this age of ransomware and other potential hazards when there’s a closed, far more secure environment of tens of millions of Apple devotees out there waiting to hand over their money?


(Ben Lebson) #203

It’s sad really. Dumbing down a ‘smart’ product in order to prevent a use that wasn’t specifically designed. It’s not home automation, it’s remote control with fancy names.


(ToyzRUsKid1976) #204

I’m glad I read this. My Genie just died on me and I need to pick up a new door opener to hook to my Mimolite and get this rolling again. Sadly, after reading all of this I know not to buy anything with MyQ… question now is which door opener do I buy. I’ve been flipping through the forum and through Google and I’ve yet to find anything recent that states "This door opener works well with SmartThings and/or Mimolite." I had to buy this device that decrypts the Genie codes to allow for the relay. I’m starting to wonder if it’s Genie only or if I can use that with the other brands.

Hoping to find something regarding this today before I pick up the new opener.


(Never Trust @bamarayne) #205

They could respond by disabling accounts that are violating their ToS.


#206

They would have no way of knowing, thanks to the beauty of mobile devices having fully dynamic IP addressing. Their mobile app hits their same API, so really they’d be guessing as to who was even violating what.


(Ben W) #207

They could since you have to be authenticated, so there is a unique token assigned to a user, and I am sure the account number is also being passed through the call. It’s harder than an IP block, but still doable.


#208

You get an auth token, but if the auth token is from a differing IP every request, with varying request polling – you’d have no idea what range to block and who was illegitimate. The behavior is done in such a way to mimic a person traveling via cell tower using their mobile app. Most network admins wouldn’t even dare attempt to go after this solution, since they would have so many false positives it’d start costing them money.

:wink:


(Jason Mok) #209

@desertblade is talking about being disabled at the account level. Also, there are possibilities that they will be able to ban at the gateway device level.


#210

Understood, again, if you have no specific IP (much like your mobile phone), since we’re talking about spinning up a Tor instance on any communication to MyQ – they’d never be able to catch on. You’d always look like a legitimate user.

There’s no single IP address to single you out with, or behavior. It would mimic exactly what their app does today on a mobile connection.


(Never Trust @bamarayne) #211

If you are referring to using TOR for this, as I think you mentioned earlier, TOR exit nodes are known, defined. MyQ could, not that they necessarily will, move to disable any accounts found to have used a TOR exit node.


#212

Sure, for now we could use Tor, and then move off to any other of the many free SOCKS proxy endpoints. Basically, the point is that we can game the system enough to make them at some point just give up. Either that or we just build out little micro servers that can run on a Raspberry Pi that multiple folks can just hit.

No matter what the solution, there are plenty available to get around an IP block. They’d have to move towards blocking accounts entirely, which also would destroy their brand over time.


(Ben W) #213

They can ban your account, revoke access to your token and prevent an account from getting a new token. There are other solutions than straight IP banning, which for consumer level addresses are impossible. While I may keep my IP at home for a while, there is no guarantee that will stay the same forever.

Think about video games, that is how they ban cheaters.


(Never Trust @bamarayne) #214

Point being, this is a cat and mouse game - and if MYQ is dedicated to shutting down such a use case - they can. Someone on this end similarly dedicated would face an uphill battle - constantly having to change it up to avoid new blocks.

And as I said from the get go, they could ban the accounts using those TOR nodes, or proxies, etc… and then your account is out of commission. Matters not what IP you come from anymore.


#215

Considering I view my MyQ device as a paperweight with how poor their Android app actually is – I’m ok with the risk.


(Ben W) #216

To be fair I don’t think Chamberlain even has developers in house, I would guess it’s all outsourced.


(Never Trust @bamarayne) #217

The most likely controls that would be used are network based, in a firewall or security gateway that is capable of blocking using a dynamically defined group such as ‘TOR Exit Nodes’…

Or if they get really pissed, letting them through, but flagging the accounts that abuse the same over a period of several weeks then shut the accounts down.

No dev work required on their part.
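
The account-level flagging described in #217, as an added example that is not part of the thread and is not MyQ's or SmartThings' code. The log format, account ids, thresholds and the proxy group (documentation-range addresses) are all constructed assumptions; it shows why an account is keyed on sustained proxy use rather than a single changing IP.

```python
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for a dynamically maintained group such as
# "Tor exit nodes" (addresses are from RFC 5737 documentation ranges).
PROXY_GROUP = {"203.0.113.7", "203.0.113.9", "198.51.100.23"}

# Constructed API access log: timestamp, account, source IP, path.
SAMPLE_LOG = """\
2016-05-02T08:01:11Z acct=1001 ip=203.0.113.7 path=/devices
2016-05-03T08:01:40Z acct=1001 ip=198.51.100.23 path=/devices
2016-05-04T08:02:05Z acct=1001 ip=203.0.113.9 path=/devices
2016-05-02T17:30:00Z acct=1002 ip=192.0.2.14 path=/devices
2016-05-03T17:31:00Z acct=1002 ip=203.0.113.7 path=/devices
2016-05-04T17:29:00Z acct=1002 ip=192.0.2.77 path=/devices
2016-05-02T09:00:00Z acct=1003 ip=203.0.113.9 path=/devices
2016-05-03T09:00:00Z acct=1003 ip=198.51.100.23 path=/devices
"""

def parse(line):
    """Split one log line into (date, account id, source IP)."""
    ts, acct, ip, _path = line.split()
    day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
    return day, acct.split("=", 1)[1], ip.split("=", 1)[1]

def flag_accounts(log_text, proxy_group, min_days=3, min_ratio=0.8):
    """Return accounts seen via the proxy group on at least min_days
    distinct days AND for at least min_ratio of all their requests.
    Both conditions together keep an ordinary mobile user who lands
    on a listed address once from being flagged."""
    total = defaultdict(int)
    via_proxy = defaultdict(int)
    proxy_days = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, acct, ip = parse(line)
        total[acct] += 1
        if ip in proxy_group:
            via_proxy[acct] += 1
            proxy_days[acct].add(day)
    return sorted(a for a in total
                  if len(proxy_days[a]) >= min_days
                  and via_proxy[a] / total[a] >= min_ratio)

if __name__ == "__main__":
    print(flag_accounts(SAMPLE_LOG, PROXY_GROUP))
```

The key is the authenticated account, so the source address changing on every request does not affect the count.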


(Dan) #218

So disappointed by this outcome. I blame SmartThings as much as the MyQ folks.


#219

Seems like it’s still working for me as well… 7 days later.


(Megan) #220

shhhhhhhhh!!! don’t let them know