local timezone based nonce for authentication SHA256 hash is insecure #4

@johannestaas

A number of issues:

  1. still vulnerable to replay attack, just limited to current minute.
  2. won't work if triggered from devices out of sync
  3. won't work if triggered from remote device in different timezone
  4. allows an attacker who can sniff traffic to be able to capture the hashed pass+time and crack it offline to reveal the password. Just takes longer, probably.

Any issue which will cause this to not work is a serious vulnerability, as someone could have an attacker actively breaking into the device, and this would offer no real protection. Someone intending to use this and finding it not working at the last minute has very dangerous consequences.

May be fixed with end-to-end encryption, but don't roll your own crypto.
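
The first three points above, as an added Python example that is not part of the issue or the project's code. It assumes the scheme is SHA256 over the password concatenated with the local time truncated to the minute (the project's exact format is not shown on this page) and contrasts it with a server-issued single-use nonce answered with HMAC-SHA256. All names, the timestamp, the password and the key are constructed.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone

PASSWORD = b"constructed-example-password"  # constructed sample secret

def minute_token(password: bytes, local_now: datetime) -> str:
    # Assumed form of the scheme in the issue: SHA256(password + local minute).
    stamp = local_now.strftime("%Y-%m-%d %H:%M").encode()
    return hashlib.sha256(password + stamp).hexdigest()

def minute_verify(token: str, password: bytes, server_local_now: datetime) -> bool:
    return hmac.compare_digest(token, minute_token(password, server_local_now))

class ChallengeServer:
    """Hypothetical alternative: single-use nonce, answered with HMAC-SHA256."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False  # unknown or already consumed: a replay is rejected
        self._pending.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def respond(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo() -> dict:
    server = datetime(2024, 1, 1, 12, 0, 5, tzinfo=timezone.utc)  # constructed time
    remote = server.astimezone(timezone(timedelta(hours=-5)))     # same instant, UTC-5
    captured = minute_token(PASSWORD, server)                     # token seen on the wire
    late = minute_token(PASSWORD, server + timedelta(seconds=90)) # client clock 90 s ahead
    key = secrets.token_bytes(32)                                 # random shared key
    srv = ChallengeServer(key)
    nonce = srv.challenge()
    answer = respond(key, nonce)
    return {
        "replay_same_minute": minute_verify(captured, PASSWORD, server + timedelta(seconds=40)),
        "skewed_clock": minute_verify(late, PASSWORD, server),
        "other_timezone": minute_verify(minute_token(PASSWORD, remote), PASSWORD, server),
        "challenge_first_use": srv.verify(nonce, answer),
        "challenge_replay": srv.verify(nonce, answer),
    }
```

The challenge-response variant only addresses replay and clock dependence. If a low-entropy password were used as the key, a captured nonce and response could still be guessed offline, so it needs a random key and does not replace transport encryption.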