Skip to content

Security: NickAldewereld/shellyplugpowerlogger

Security

docs/security.md

Security & Privacy

This document describes the security model and privacy considerations for the power measurement framework.

Privacy by Design

What We Collect

Data Collected Purpose
Power readings Yes Core measurement
Timestamps Yes Correlation
Input event types Yes Activity correlation
Keystroke content NO Privacy
Mouse coordinates NO Privacy
Process names Yes Attribution
Process command lines Limited (first 200 chars) Context
Network traffic NO Privacy
File contents NO Privacy

Input Event Privacy

The input capture module (input_events.py) is designed with privacy as a core principle:

# We record ONLY:
- That a key was pressed (event_type: "key_press")
- That mouse was clicked (event_type: "mouse_click")
- That mouse moved (event_type: "mouse_move")
- That scrolling occurred (event_type: "scroll")

# We NEVER record:
- Which key was pressed
- What text was typed
- Exact mouse positions
- Window or URL information

Implementation: In input_events.py, the _on_key_press handler explicitly discards the key parameter:

def _on_key_press(self, key) -> None:
    # Privacy: Do NOT log the actual key
    self._add_event('key_press')

Process Information

Process sampling records:

  • Process name (e.g., "firefox")
  • PID
  • CPU and memory usage
  • First 200 characters of command line

Risk: Command lines may contain sensitive arguments (file paths, URLs).

Mitigation: Review proc_samples.csv before sharing data.

Data Storage

Local Storage Only

All data is stored locally in the data/ directory:

data/
├── power.csv
├── input_events.csv
├── proc_samples.csv
├── session_summary.json
├── aligned_timeseries.csv
├── event_costs.csv
└── plots/
    └── session.png

No data is sent to external services unless you explicitly configure it (e.g., InfluxDB, API push).

File Permissions

Output files are created with default user permissions. For sensitive environments:

# Restrict data directory
chmod 700 data/

Network Security

Shelly Communication

Communication with the Shelly device uses:

  • Protocol: HTTP (not HTTPS)
  • Authentication: None by default

Risks:

  • Anyone on the network can read power data
  • Anyone can control the Shelly device

Mitigations:

  1. Use a dedicated IoT VLAN
  2. Enable Shelly authentication via its web UI
  3. Use firewall rules to restrict access
  4. Consider VPN (Tailscale, WireGuard) for remote access

API/MQTT Security

If using external integrations:

Integration Security Recommendations
REST API Use HTTPS, API tokens, IP allowlisting
MQTT Use TLS (mqtts://), username/password auth
InfluxDB Use authentication tokens, TLS

Access Control

Linux Permissions

Input capture may require special permissions:

# pynput on X11: Works with user permissions
# pynput on Wayland: May need root or special config

# xinput: Works with X11 user permissions

Process sampling works with user permissions but has limitations:

  • IO counters may require root
  • Some processes may be hidden

Running as Root

Avoid running as root unless necessary. If you must:

# Only for specific features
sudo python -m src.correlate capture --duration 60

# Better: Use capabilities
sudo setcap cap_sys_ptrace+ep $(which python3)

Data Retention

The framework does not automatically delete data. Implement your own retention policy:

# Delete data older than 7 days
find data/ -name "*.csv" -mtime +7 -delete

# Or archive
tar -czf archive_$(date +%Y%m%d).tar.gz data/
rm -rf data/*

Sharing Data

Before sharing measurement data:

  1. Review process samples for sensitive command lines
  2. Review timestamps if timing reveals work patterns
  3. Consider anonymization:
import pandas as pd
import hashlib

df = pd.read_csv('data/proc_samples.csv', delimiter=';')

# Anonymize process names
def hash_name(name):
    return hashlib.sha256(name.encode()).hexdigest()[:8]

df['name'] = df['name'].apply(hash_name)
df.to_csv('data/proc_samples_anon.csv', sep=';', index=False)

Threat Model

Threat Likelihood Impact Mitigation
Local user reads data Medium Low File permissions
Network eavesdropping (Shelly) Medium Low VPN, VLAN
Keystroke logging accusation Low High Code audit, documentation
Process info exposure Medium Medium Review before sharing
Shelly device hijacking Low Medium Authentication, firewalls

Auditing the Code

The privacy-critical code is in:

  • src/correlate/input_events.py: Input capture
  • src/correlate/proc_sample.py: Process sampling

Key audit points:

  1. _on_key_press: Verify key content is not logged
  2. _on_mouse_move: Verify coordinates are not logged
  3. ProcessSnapshot.cmdline: Verify truncation

Compliance

GDPR Considerations

If using this tool in an EU context where employees are monitored:

  1. Inform users that power/activity data is collected
  2. Legitimate purpose: Energy efficiency research
  3. Data minimization: We already minimize what's collected
  4. Right to deletion: Users can delete their data
  5. No automated decisions: This is analysis tooling only

Workplace Monitoring

If deploying in a workplace:

  • Get explicit consent from employees
  • Document the purpose (energy research, not surveillance)
  • Provide access to collected data
  • Allow opt-out

Security Checklist

  • Shelly device on isolated network/VLAN
  • Shelly authentication enabled
  • Data directory has restricted permissions
  • External integrations use TLS/authentication
  • Reviewed output before sharing
  • Retention policy implemented
  • Users informed of data collection

There aren’t any published security advisories