We have moved at community.getvera.com

Author Topic: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems  (Read 57379 times)

Offline Intrepid

  • Hero Member
  • *****
  • Posts: 536
  • Karma: +4/-0
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #30 on: August 11, 2013, 10:29:12 am »

In blue iris you can set any port for the web server. 

What I do for blue iris:
- run BI PC as a standard user (not admin).
- use a high, non-standard port for the web server.
- port forward to BI.
- keep BI PC off any workgroups, no sharing.

- use LAN2 for my 'risky' stuff, including blue iris, cams, vera, DSC.  Things that need to access the WAN and/or work closely together.
- use LAN1 for everything else, including my NAS and wifi.  LAN1 is stealth to the outside, LAN2 has one visible port to the outside.
- LAN1 can access LAN2, but LAN2 cannot see LAN1.  From my laptop on LAN1 I can use local addresses to hit vera, BI on LAN2.
- check router logs & alerts regularly



Offline Intrepid

  • Hero Member
  • *****
  • Posts: 536
  • Karma: +4/-0
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #31 on: August 11, 2013, 10:46:27 am »
Also, long, strong passwords.

I personally use lastpass to generate long, unique passwords and store them for me.  I have to have my phone's authenticator to log into to my lastpass account from a new device, so it's protected. 

And per GRC:  https://www.grc.com/%5Chaystack.htm

D0g.....................
PrXyc.N(n4k77#L!eVdAfp9

...the first password above is 95 times more secure more difficult to brute force than the second because it is one character longer.  I sometimes use this padding technique by adding 10 or 20 of the same character to the end of a password.
« Last Edit: August 11, 2013, 11:06:48 am by Intrepid »

Offline Cor

  • Hero Member
  • *****
  • Posts: 1249
  • Karma: +8/-4
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #32 on: August 11, 2013, 05:54:22 pm »
@ Intrepid: Thanks for your advice.

 What is a good port for blue iris?, I guess the 2000 I am using is pretty crap :-s

Cor

Offline Z-Waver

  • Master Member
  • *******
  • Posts: 4437
  • Karma: +249/-120
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #33 on: August 11, 2013, 06:10:57 pm »
@Cor - Port 2000 is OK, so long as you don't put a Cisco IP phone or PBX on your home network. Cisco's IP phone protocol Skinny Call Control Protocol(SCCP), often referred to as "skinny", uses 2000 as a default port.

It is generally acceptable to use any ports greater than 1024, but as you see in the Wikipedia link you provided, the number of reserved ports is increasing quite a bit. For this reason you run less chance of a port conflict if you use higher port numbers.

Offline Cor

  • Hero Member
  • *****
  • Posts: 1249
  • Karma: +8/-4
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #34 on: August 11, 2013, 06:29:45 pm »
@Zwaver. Ok understood , many thanks,

Cor

Offline Intrepid

  • Hero Member
  • *****
  • Posts: 536
  • Karma: +4/-0
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #35 on: August 11, 2013, 07:36:38 pm »
What is a good port for blue iris?, I guess the 2000 I am using is pretty crap :-s

No idea, but they can go to 65535, I think?  Might as well make it something uncommon and obscure.  It will be found, and that's where the password strength is critical, along with reliance on BI's web server security.

Offline RichardTSchaefer

  • Community Beta
  • Master Member
  • ******
  • Posts: 10091
  • Karma: +764/-143
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #36 on: August 11, 2013, 08:27:31 pm »
When hackers look for vulnerabilities .. they walk (scan) the whole set of Ports ... it does not matter what port you actually use ... It only takes a few minutes to access the port availability of a particular IP address.  And it's amazing how often this happens ... I have some logging watching for it. Once they find a responding port that than they attack it looking for known vulnerabilities.

If they find a web server ... they start looking for server side vulnerabilities ... Your Vera and your IP cameras all have a web server ... many Audio/Video components in the house also have web servers in them.

I have actually BLACK listed a large part of Asia because of the number of probes from that part of the world ... Sorry that has caused my Web Server with documents on my plugins to be unavailable to those folks.


Offline MDoc

  • Jr. Member
  • **
  • Posts: 76
  • Karma: +3/-3
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #37 on: August 12, 2013, 08:23:40 am »
Richard, 

Is there any particular port scanning detecting software you reccomend?

Offline RichardTSchaefer

  • Community Beta
  • Master Member
  • ******
  • Posts: 10091
  • Karma: +764/-143
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #38 on: August 12, 2013, 09:11:01 am »
How/If you can do this is dependent on the hardware you have. Not generally possible with the typical residential router ... That's why I highly recommend to NEVER allow port forwarding except for a SSH/VPN tunnel. You may never know if you have been hacked.  A hacker may not even care about your resources directly. It may only use your resources to participate in a denial of service to someone else ... or an attempt to hide their identity by masquerading as you and do other mischievous actions.

Offline LightsOn

  • Hero Member
  • *****
  • Posts: 754
  • Karma: +4/-3
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #39 on: August 12, 2013, 09:41:59 am »
@RichardTSchaefer

Quote
I have some logging watching for it.

Out of interest could you expand on this a little? what logging and watching do you have set up? as I would like to monitor similar security vulnerabilities.

Quote
I have actually BLACK listed a large part of Asia because of the number of probes from that part of the world
&
Quote
How/If you can do this is dependent on the hardware you have

I am assuming you are running DDWRT or similar? could you share some of your protection set up's? logging and monitoring stuff?

I have experience in this area and what you mention all sounds familiar but I have not directly looked to implement anything to offer monitoring or alerting to potential attacks or "scans (walks)"


Offline Brientim

  • Sr. Hero Member
  • ******
  • Posts: 2497
  • Karma: +78/-7
« Last Edit: August 13, 2013, 05:05:49 pm by oTi@ »

Offline zedrally

  • Hero Member
  • *****
  • Posts: 1224
  • Karma: +15/-5
  • Black Cat Control Systems
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #41 on: August 14, 2013, 01:12:47 am »
^^^
Thats scary as hell.

Now I have to find a better browser.
Living in the Land of Oz, give me a vegemite sandwich. Home Seer, Vera Lite & Edge, Popp, Black Cat Smart Hub & Vera G, Black Cat Lite 1 & 2's a Black Cat Dimmer or 2, Fantem Tec and then some  Black Cat Cat's Eye PIR's & Door-Window Sensors, RFXComm, Broadlink RMPro & Mini plus a Z-UNO or 2.

Offline garrettwp

  • Master Member
  • *******
  • Posts: 6371
  • Karma: +227/-128
  • Vera 3, Lite, ISY994
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #42 on: August 14, 2013, 01:31:40 am »
Or just not save your passwords! I never use this option.

- Garrett

Offline Brientim

  • Sr. Hero Member
  • ******
  • Posts: 2497
  • Karma: +78/-7
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #43 on: August 14, 2013, 05:08:04 am »

Or just not save your passwords! I never use this option.

- Garrett
The most appropriate line here is from Hitchhikers Guide to the Galaxy... "Don't Panic".

And if your are worried, just take the advise above and remove the passwords already stored.

Offline SOlivas

  • Sr. Member
  • ****
  • Posts: 282
  • Karma: +1/-1
Re: Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
« Reply #44 on: August 14, 2013, 03:54:40 pm »
This brings to mind all sorts of things that are typically wrong with consumers using anything internet related as a "plug and play" device.  They plug it in, it works, they sometimes change a password and forget about it.

To solely depend on your internet provider's supplied router/gateway for security is just asking for trouble.  Then again, I personally think it is also partly the fault of the providers for lulling customers into a false sense of security with their internet connected devices, stating that their hardware will make their system secure.

Nothing is immune from being hacked or broken into (this old quote comes to mind
Quote
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts."
).  Be it your computer, your house, car, etc. 

One of the reasons why you need to have security in depth -- the layering of defenses, each one another roadblock to hopefully make it a bit harder to gain entry/access.

(Quote from:

http://spaf.cerias.purdue.edu/quotes.html


This quote is about security of computer systems. It appeared in "Computer Recreations: Of Worms, Viruses and Core War" by A. K. Dewdney in Scientific American, March 1989, pp 110. It was later misquoted in the book @Large: The Strange Case of the World's Biggest Internet Invasion by David H. Freedman and Charles C. Mann. (The misquoted version refers to titanium and nerve gas -- I never said anything like that.) The original quote is:  The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts. )

I also like this quote as well:

Quote
Secure web servers are the equivalent of heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to merchants doing business in cardboard boxes from beneath highway bridges. Further, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights, and there are no police.
There are some good analogies from the same person here:
http://homes.cerias.purdue.edu/~tripunit/spaf-analogies.html

I like #20, 21, 37-39 -- when taken in the context of my security rant above. :)
« Last Edit: August 14, 2013, 10:13:58 pm by SOlivas »
Vera 3 (1.5.622) / 9x GE/Jasco 45609 / 2x GE/Jasco 45612 / 2x GE/Jasco 45614 / 1x MIMO Lite
1x Twine (http://forum.micasaverde.com/index.php/topic,15617.0.html), DSC Security System, Honeywell  YTH8320ZW1007 Thermostat, 1x Fortrezz WWA-01, 1x CA9000 Wireless PIR Sensor