Kios should not connect to an external MQTT server without permission

[jeroenjacobs79]

Preliminary Docs

I confirm that I have read the CONTRIBUTING guide before opening this issue.

I confirm that I have read the FAQ before opening this issue.

motionEyeOS Version

NA

Board Model

I am using the following board/model: (insert your board model here, e.g. Raspberry PI 3B+).

Camera

NA

Log Files

NA

Actual issue

I'm seeing connections to an external MQTT server (159.65.215.225) after installing kerberos on my Raspberry Pi. Since this is data gathering without explicit permission from the user, this is probably a GDPR violation and therefore illegal in Europe.

Proposed solution

Make this opt-in during install.

[litij]

Is there any workaround about this issue ?

[cedricve]

hey, it's actually setting this connection up for our cloud application, butt if you didn't configured it, it will not do anything. For next version we will make sure the connection is not established when not needed. However if you are suspicious you can always block the ip in the firewall.

[jeroenjacobs79]

I had blocked those devices from connecting to the internet in my firewall, because there is absolutely zero reason it should connect to the internet without my permission.

@cedricve Sorry, but I don't think that's true. I never setup the cloud stuff, and it still connects to that MQTT server on the internet. I have my firewall logs to prove it. (misunderstood your previous remark, sorry) If someone ever logs a GDPR complaint about this, they probably have a case.

[jeroenjacobs79]

@cedricve I would suggest to make either disable this completely, or inform the user during install that this happens (and clarify what data is being sent to this MQTT server).

[cedricve]

@cedricve I would suggest to make either disable this completely, or inform the user during install that this happens (and clarify what data is being sent to this MQTT server).

That is the point I try to make.

@jeroenjacobs79 you should look into the source code, to see what it is doing. It establish the connection, but doesn't receive or send data if the cloud credentials are not entered. Anyhow, as mentioned this is something we will definitely will fix in next version, as it doesn't make sense to establish the connection anyhow (it's not good for anyone).

https://github.com/kerberos-io/machinery/blob/master/src/kerberos/cloud/ForwardStream.cpp#L7

https://github.com/kerberos-io/machinery/blob/master/src/kerberos/Kerberos.cpp#L84