underground circulation network
As a home automation geek, or Home Assistant enthusiast, I was looking for a better way. I found and installed an unofficial Rinnai component for Home Assistant and was finally able to take real control. I could set recirculation to run on any schedule, at any temperature, triggered by anything. If you want hot water to start running as soon as the lights come on in your bedroom on a winter morning, you can do that, and only when the moon is in Aquarius if you like (I'm not kidding). The future felt warm, but not too warm, and on demand.
If everything went well, why am I still writing? Because I thought I'd reach out to the programmer behind that integration and write up a little steamy adventure for fun. Perhaps we could learn something about the motivations of the people who do this useful work for free. That added a remarkable second act and a surreal third act to my one-act play.
I spoke with Brad Barbour, author of the integration, via email and phone. Like me, he wanted to get more out of his Rinnai tankless water heater, both for his code-savvy self and for his water-using family. Barbour also lives in an area where subzero temperatures are rare but not impossible, so most homes there aren't built to withstand the cold. He wanted hot water to circulate automatically whenever the temperature dropped into the range where pipes freeze.
The first version of Rinnai's official app, Control-R, “left a huge gap” in functionality and usability, Barbour said. He could only sign in to one account. The Google integration “basically didn't really work,” he said, and only let you set timed schedules, not automations. Barbour wanted to build his own solution and began monitoring the app's network traffic to see if there was a better way.
The calls Control-R made to Rinnai's servers were “very basic,” Barbour said. Digging into the undocumented API calls, Barbour discovered something stranger: you only needed the registered email address to read information about, or change the settings of, a connected water heater.
Getting weird with other people's water
“I thought this was strange until another GitHub user contacted me and we started collaborating and came to the same conclusion. If you know the email address of the registered account, you can control any Rinnai hot water heater that is connected to a device,” Barbour wrote to me.
Another GitHub user, Daniel Duritz, raised the question “How does authentication work?” with Barbour in a public GitHub issue on the project. On June 29, 2021, Duritz laid out his core observations about Rinnai's app:
So this seems to be an unauthenticated endpoint, and anyone on the internet can read all the information about me and my water heater without knowing the password, just with the API_KEY, and can always create a new one and set the temperature. The API_KEY is in this codebase (and is the same for everyone).
Please confirm or refute my observations.
The two wrote a security advisory for Rinnai, which I have also seen. The report notes that the technologies the system uses (AWS Cognito, AppSync/GraphQL, CloudFront) are “adequate and defensible,” but points out that the system appears to have been structured so that no access token or key specific to the user is required to read or change settings. “If we just know your email address, we can set the water heater temperature to very low or to scorching heat. We can put it in recirculation mode continuously, which uses a lot of gas. …You will see the home address you entered in the Control-R app when you registered your water heater.”
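To make the class of flaw the advisory describes concrete, here is an added illustration in Python. It is not Rinnai's code, not the integration's code, and not the advisory's text: the device registry, the static key, the token format and every function name are constructed for the example. It models a tiny device-settings service in two ways: the weak pattern, where a key shared by every client plus a caller-supplied email is treated as proof of identity, and the hardened pattern, where identity comes only from a token the server has already verified and the device's owner must match it.

```python
"""Constructed illustration of a missing-authorization flaw and its fix.

Nothing here is real API code; the registry, key and token shape are
hypothetical stand-ins chosen for this example.
"""

# Constructed sample registry: device id -> owner email, setpoint (F), address.
DEVICES = {
    "wh-0001": {"owner": "alice@example.com", "setpoint_f": 120, "address": "1 Example St"},
    "wh-0002": {"owner": "bob@example.com", "setpoint_f": 125, "address": "2 Example Ave"},
}

# A single key baked into every copy of the client (constructed value).
SHARED_API_KEY = "constructed-static-key"

# Constructed safe range for a setpoint; the service refuses anything outside it.
MIN_F, MAX_F = 98, 140


class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the requested device."""


def lookup_by_email_insecure(api_key: str, email: str) -> dict:
    """Weak pattern: the only checks are a key everyone has and an email
    the caller typed in. Whoever knows an email address gets that account's
    devices, including the stored home address."""
    if api_key != SHARED_API_KEY:
        raise Forbidden("bad api key")
    return {dev: dict(info) for dev, info in DEVICES.items() if info["owner"] == email}


def set_temperature_insecure(api_key: str, email: str, device_id: str, setpoint_f: int) -> int:
    """Weak pattern for a write: same non-proof of identity as the lookup."""
    if api_key != SHARED_API_KEY:
        raise Forbidden("bad api key")
    device = DEVICES.get(device_id)
    if device is None or device["owner"] != email:
        raise Forbidden("device not found for that email")
    device["setpoint_f"] = setpoint_f  # no range check either
    return setpoint_f


def set_temperature_secure(verified_token: dict, device_id: str, setpoint_f: int) -> int:
    """Hardened pattern: `verified_token` stands in for claims from a JWT the
    server has already validated (signature, issuer, expiry). Identity is
    taken from those claims, never from the request body, and the device's
    registered owner must match."""
    if not verified_token.get("email_verified"):
        raise Forbidden("token lacks a verified email claim")
    device = DEVICES.get(device_id)
    # One response for "no such device" and "not yours", so the endpoint
    # does not confirm which device ids exist.
    if device is None or device["owner"] != verified_token.get("email"):
        raise Forbidden("device not found or not owned by caller")
    if not MIN_F <= setpoint_f <= MAX_F:
        raise ValueError("setpoint outside the allowed range")
    device["setpoint_f"] = setpoint_f
    return setpoint_f


def owner_check_blocks_cross_account() -> bool:
    """Returns True if the hardened write refuses a token for one account
    acting on another account's device (constructed token for Alice)."""
    alice_token = {"email": "alice@example.com", "email_verified": True}
    try:
        set_temperature_secure(alice_token, "wh-0002", 110)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # The weak path hands out Bob's data to anyone holding the shared key.
    print(lookup_by_email_insecure(SHARED_API_KEY, "bob@example.com"))
    # The hardened path refuses Alice's token on Bob's device.
    print("cross-account write blocked:", owner_check_blocks_cross_account())
```

The difference that matters is where identity comes from: in the weak functions the email is an input the caller controls, so it proves nothing, while the hardened function only trusts claims the server itself has verified and then checks ownership against the registry before acting. Keeping the "not found" and "not yours" failures indistinguishable is a small extra that stops the write path from doubling as a device-id oracle.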