I recently registered with IFTTT, which seems like a fantastic service to chain events together in order to create a smart home or automate various services.

I've just found the Maker channel which allows you to make simple HTTP requests (e.g. GET and POST), and I'm hoping to use this to securely send a message to a Raspberry Pi I have running that is waiting for any API request on a certain route (let's say, for example, POST /foo).

The Makezine article I linked suggests this method for security:

Now what I did above was horribly insecure, I basically exposed to the world a script — a web application in other words — that could toggle a switch controlling a light in my house on and off. This is obviously not something you want to do, but that’s why IFTTT’s services provides the capabilities to pass more information to the remote service.

It wouldn’t be difficult to set up a TOTP authenticated link between the two for instance, or a token or key exchange — and to protect your IFTTT account itself? They’ve just added two-factor authentication.

I read more about Time-based One-time Passwords on Wikipedia, which seems to suggest that there is an element of computation involved in order to generate the one-time password.

Since IFTTT does not support chaining of tasks or any scripting, how do I generate the TOTP as suggested in the article? Is it possible at all to do this, since some calculations are required and there doesn't seem to be a way to do these?

Aurora0001

1 Answer

The linked article is a little misleading. The interface provided by IFTTT is not completely open; it requires a key in the request. Since the request is made using HTTPS, the secret is not directly observable (provided your client always reliably connects to IFTTT, not a MITM proxy).

From the maker channel information page (user specific):

To trigger an Event

Make a POST or GET web request to:

https://maker.ifttt.com/trigger/{event}/with/key/my-secret-key

With an optional JSON body of:

{ "value1" : "", "value2" : "", "value3" : "" }

The data is completely optional, and you can also pass value1, value2, and value3 as query parameters or form variables. This content will be passed on to the Action in your Recipe.

You can also try it with curl from a command line.

curl -X POST https://maker.ifttt.com/trigger/{event}/with/key/my-secret-key

Now the key is only low entropy so could potentially be reversed from monitoring your requests (unless you pad them with high quality noise), but the request for per-session security is in this case satisfied by TLS which handles the setup of the HTTPS channel.

To make the communication significantly more secure would require IFTTT to specifically support endpoint authentication, but this appears to exceed the security which is applied to the other service-side links. This means that your maker channel to IFTTT is currently equally secure as the IFTTT channel to your in-home appliances.

Glorfindel
Sean Houlihane
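
The computation the question refers to, as an added example that is not part of the original posts: RFC 6238 TOTP in Python with a receiver-side check, showing that the sender must run an HMAC over the current 30-second step, which a fixed value in a webhook URL or body cannot do. The function names are chosen for this example, and the secret is the published RFC test secret, not a real key.

```python
import hashlib
import hmac
import struct

STEP = 30                          # seconds per time step (RFC 6238 default)
SECRET = b"12345678901234567890"   # RFC 4226/6238 test secret, sample value only


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    counter = struct.pack(">Q", at // STEP)          # 8-byte big-endian step count
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, candidate: str, now: int, window: int = 1) -> bool:
    """Receiver-side check that tolerates +/- `window` steps of clock skew."""
    ok = False
    for drift in range(-window, window + 1):
        t = now + drift * STEP
        if t < 0:
            continue                                 # no step exists before the epoch
        expected = totp(secret, t).encode()
        # Constant-time comparison; every window slot is checked, no early exit.
        ok |= hmac.compare_digest(expected, candidate.encode())
    return ok


if __name__ == "__main__":
    code = totp(SECRET, 59)
    print("code at t=59:", code)
    print("accepted at t=75: ", verify(SECRET, code, 75))
    # The same digits sent again a few steps later are rejected, which is
    # what a static string pasted into a webhook body would run into.
    print("accepted at t=149:", verify(SECRET, code, 149))
```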