You might know Telegram as a messaging app (like Messenger, WhatsApp, WeChat and the like). Given the increase in terrorist activity, it’s apparently also the preferred method for terrorists to communicate. But this can never be an argument against a free internet! Leaving politics aside: Telegram also has some unique features, which we will discuss in this article!
Home automation control panel
If you’re an (electronics) engineer, you’ve probably thought of home automation. And if you’re like me, you’d probably want to make it all yourself! In this utopian scenario where your house is fully equipped with sensors and actuators, you’d still want to control your place remotely. The sporadic mobile programmers (think Android, because Apple doesn’t seem to want hobbyists to mess around with their hardware) know the pain of setting up a tool chain, finding a template project and some libraries, and then getting started on simple HTTP communication. And at that point you’re not even making a 2-page GUI yet.
We’re in need of a better solution! Luckily the IoT is a total hype so there are options. Blynk is one of them. This app allows you to place widgets on the app dashboard that you can tie to some IoT functionality (toggle a lamp). 2 downsides: it’s not entirely free (and as I’m always just tinkering, it’s not worth the money), and it also ties your IoT devices into their solution. Maybe you can use standard MQTT, but I didn’t dig deeper.
Another solution is a bit more hackerish, but it’s to use cool features in Telegram! The first and most important: you can create a Telegram bot, which is an application that can participate and interact in chats. By running a bot on your own Linux server, you have a clean separation between UI (through Telegram) and devices (through whatever you want). My preferred language is Python and I had a bot up and running in no time!
Hmm, so we can chat with our home appliances now, but writing “/lamp kitchen on” doesn’t seem very convenient right? Well here’s a cool feature: Bots can create custom keyboards on your device while you’re chatting with them. This will allow you to create a menu structure and trigger actions. It’s quite easy to define the keyboard, but keeping track of a multi-level menu is something that you’ll have to do yourself. (I never got to it, but it still appeals a lot to me!)
That was fun, but what else can we do? You might remember my work on a home NAS/download box. One feature I use regularly is remotely logging in through SSH. This also means that port 22 (the SSH port) has to be publicly available. Hackers absolutely love this because it might provide a way in. This is rarely a manual process, so hackers make use of scripts that scan entire IP ranges for open ports. Once the script finds a device, it will further scrutinize the ports! So how plausible is this?
My poor BeagleBone Black is a (well protected) sitting duck! Although there’s 1 more thing we can do: a technique called port knocking. In all its variants, it comes down to this: access certain ports in a certain order and with a certain delay to enable port 22 for SSH. Something like “knock port 23 3 times” or “port 21, port 23, port 21” is easily implementable. But it still feels like security by obscurity to me. Telegram to the rescue!
Building a bot that has control over the firewall rules (it would need root access) would allow you to simply click a button in the menu and then log in over SSH! As a nice extra security measure, the same bot could parse a log file for a successful login and disable the port again (ongoing connections stay alive). I kind of almost started with this, but then something even cooler popped up so my focus shifted 🙂
2 factor auth
Ok, this is actually pretty much the same as the knockknock bot. Nowadays 2 factor auth (for services like Facebook or PayPal) gives you a pretty good extra layer of protection. Very often, the service will send you a text message containing a temporary code to your phone. Considering that SMS is a very old protocol you might understand why it’s in fact not that secure at all (get yourself an SDR and start cracking away). We’ll soon start moving away from text messages and have to use apps (Google Authenticator) instead. What about integrating it into Telegram (as a bot)? Or what if your own little project is in need of simple 2 factor auth?
Before we finish the article, some things you should consider:
- There is no way to block connections to your bot on Telegram servers. You’ll have to check locally who’s trying to connect to you. This could be a risk for DDoS attacks on your bot. It would be nice if Telegram had something for this!
- If your bot wants to do interesting stuff, it probably needs root access. Combining public access + root might need some extra measures!
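
Both considerations applied to the SSH-opening bot, as an added example that is not code from the original article: the sender is checked locally against an allowlist, and the root-level action is limited to two fixed firewall commands. The names `SshGate`, `handle_update` and `tick` are hypothetical, the user id is a constructed value, and a timeout stands in for the log-file parsing mentioned above.

```python
# Added example: sender allowlist + fixed firewall commands for an "open SSH" bot.
ALLOWED_USER_IDS = {111111111}   # constructed value: put your own Telegram user id here
OPEN_SECONDS = 120               # assumption: close port 22 again after two minutes
_RULE = ["INPUT", "-p", "tcp", "--dport", "22", "-j", "ACCEPT"]
FIXED_COMMANDS = {               # complete argv lists, so chat text never reaches a shell
    "open": ["sudo", "-n", "iptables", "-I"] + _RULE,
    "close": ["sudo", "-n", "iptables", "-D"] + _RULE,
}
BUTTONS = {"Open SSH": "open", "Close SSH": "close"}
# reply_markup for sendMessage: the custom keyboard that shows the two buttons
KEYBOARD = {"keyboard": [[{"text": label} for label in BUTTONS]], "resize_keyboard": True}


class SshGate:
    def __init__(self, run):
        self.run = run        # callable taking an argv list, e.g. subprocess.run
        self.close_at = None  # None means the ACCEPT rule is not installed
        self.rejected = 0     # dropped updates, useful for alerting on probing

    def handle_update(self, update, now):
        """Process one Bot API update dict; return the action taken or None."""
        msg = update.get("message") or {}
        sender = (msg.get("from") or {}).get("id")
        chat_type = (msg.get("chat") or {}).get("type")
        # Telegram delivers messages from anyone, so authorization happens here.
        if sender not in ALLOWED_USER_IDS or chat_type != "private":
            self.rejected += 1
            return None       # no reply: strangers learn nothing and cost no work
        action = BUTTONS.get(msg.get("text"))  # anything but a button label is ignored
        if action == "open":
            if self.close_at is None:          # never insert the rule twice
                self.run(FIXED_COMMANDS["open"])
            self.close_at = now + OPEN_SECONDS  # pressing again only extends the window
        elif action == "close":
            self._close()
        return action

    def tick(self, now):
        """Call periodically; removes the rule once the window has expired."""
        if self.close_at is not None and now >= self.close_at:
            self._close()

    def _close(self):
        if self.close_at is not None:
            self.run(FIXED_COMMANDS["close"])
            self.close_at = None
```

With this shape the bot process can run as an unprivileged user, with a sudoers entry that permits only those two exact `iptables` invocations.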