We have moved at community.getvera.com

Author Topic: Questions on security around the ssh tunnel to mios.com  (Read 2755 times)

Offline signal15

  • Sr. Member
  • ****
  • Posts: 322
  • Karma: +1/-0
Questions on security around the ssh tunnel to mios.com
« on: February 20, 2013, 12:29:42 pm »
Has anyone looked at how the Vera connects back to the Mios cloud?  It's an ssh tunnel.  I see there are a lot of iptables rules locally on the Vera, but I haven't really dug into them to see what they are restricting. 

My concern is that if someone compromised Mios, they would have full network level access over the tunnel into my network, and everyone elses.  Or, being that it's a tunnel back to Mios, a malicious person with a Vera could use that tunnel to somehow get to other Veras. 

Does anyone know what security mechanisms are in place on the Mios side?

I've moved my Vera into its own VLAN/DMZ.  But, I know that a lot of people don't have equipment capable of this (I'm using a Juniper SRX). 

Offline futzle

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3260
  • Karma: +192/-9
Re: Questions on security around the ssh tunnel to mios.com
« Reply #1 on: February 20, 2013, 04:17:37 pm »
The tunnel gives full access to MCV to your Vera's port 80 (the web server that drives the dashboard).

Practically speaking, that means that anyone who can access the MCV end of the tunnel can gain root on your Vera and do anything that you could do at Vera's shell prompt: probe other devices on your LAN, access open ports, sniff network traffic, send spam email from your IP address, participate in a DDoS attack, ...

The SSH key that the tunnel uses is the same for all Vera users.  The public nature of this key means that anyone on the path between you and mios.com could successfully perform a man-in-the-middle attack and listen to traffic between Vera and MCV, and neither party would know.

Each Vera has a unique hardware key in its nonvolatile RAM which is used to identify your Vera to MCV.  Without this key, other Vera users can't impersonate you.

In short, you are vulnerable to any rogue agent at MCV, or to any ISP or backbone between you and MCV, including your ISP and their ISP.  You are not vulnerable to other Vera owners, unless you share your hardware key.

Offline guessed

  • Community Beta
  • Master Member
  • ******
  • Posts: 5301
  • Karma: +92/-22
  • Release compat is not a bolted-on afterthought
Re: Questions on security around the ssh tunnel to mios.com
« Reply #2 on: February 20, 2013, 06:29:28 pm »
If you're looking for potential weak-points, it would be worth looking at shared server/host being used to run the components.

For example, there was a point when one of the fwd*.mios.com servers was shared with a logging server  (log*.mios.com).  The logging servers all use FTP, and a common/hard-coded passwd (in Vera shell scripts), for write-only access.  It may be possible, for example, to use this by filling the disks and causing an outage on services sharing the host infrastructure.

Also, this gives a little more insight to a root-like password, if the support is enabled:

although, as @futzle indicates, once you have URL Access you can get ROOT access anyhow (and launch your own outbound SSH Proxy to anywhere ;)

If you're concerned about these items then you'll be best-off "boxing" the device somewhere so it has limited/controlled access to stuff that you approve. 

That said, it's likely you'd have already done this since there are other network-enabled items in a modern house that similarly "phone home", and we have a lot less insight to what they're doing.  8)