
Author Topic: Security issues  (Read 4334 times)

Offline bhavin66

Security issues
« on: July 26, 2013, 01:01:05 pm »
Just read this article on Forbes.
http://www.forbes.com/sites/kashmirhill/2013/07/26/smart-homes-hack/

Should we be worried?

Offline fba

Re: Security issues
« Reply #1 on: July 26, 2013, 03:18:33 pm »
You should ALWAYS be worried about security, but not to the point of it ruining your life.

I read that article too. The key points in it are that people set up their devices so they can be accessed from the outside world, and the device was not designed in a way that introduced any security to speak of. (You could enable a username and password, but it sounds like it was trivial to get around.) There is a small blurb in there about the Vera Lite lacking security when it is contacted from a LAN. This is true. However, you would have to set up your NAT router to allow someone outside your network to talk to the Vera, at which point you give up complete control. This is why the Vera "phones home" to a control server that is used as an intermediary to access your Vera while you are out. Someone would have to hack the MCV servers before they could get to hacking your box. (Though without knowing how they are speaking, it is unclear if just breaching the MCV servers would give them access. I doubt it would, but I would almost bet that as soon as you access your Vera from the outside world they could grab your credentials and have their way.)

So, in a nutshell, don't poke holes in your home NAT router.  (And if you aren't using a home NAT router, GET ONE!   It will keep you a bit more safe.)   But, at the same time, anytime you add something to your network ask yourself what damage could be done if someone took it over.   If the level of damage someone could do makes you uncomfortable, then you probably shouldn't use it.
Vera 3, Altsteon, (Insteon: Relay (Smarthome & Icon), Dimmer (Smarthome), Keypadlinc, 2420M, Triggerlinc, IOLinc, Garage Hawk, Venstar Thermostat, Fanlinc, MI lock, Appliancelinc, Synchrolinc, iMeter), CurrentCost, (Z-Wave: Schlage lock, GE Appliance switch), AutHomation

Offline dparkinson

Re: Security issues
« Reply #2 on: July 30, 2013, 05:14:35 am »

Yes, I saw this article too, which brought me here and I saw someone had already mentioned it.  Are there any specific hardening tasks we should be performing to ensure the best level of security?

Offline fba

Re: Security issues
« Reply #3 on: July 31, 2013, 04:52:14 pm »
Probably the single biggest known threat to the Vera is the assumption that when you are connected to the LAN you don't require authentication.   If you have the right kind of gear in your house you could put the Vera on its own subnet that nothing else is on as a method of forcing it to see everything else on the network as "remote" and require authentication.   However, the gear you would need isn't something you would pick up at a normal electronics store.   (You could fake some of it with the right gear from a normal electronics store, and a desire to flash it with an alternate OS to enable some of that functionality.   But, you would still need to understand the basics of routing, switching, VLANs, and NAT to really do it right.)

If you have wireless in your house (and who doesn't these days), disable the WPS functionality on all access points. (This is sometimes called "push-button authentication" or other weird names. Basically, if it lets you use a number to get on the network, turn it off as it can be brute forced faster than a good password.) Then, make sure your wireless is set to only use WPA2 with CCMP for encryption. If you have some really old gear you might have to also allow WPA1, but I wouldn't enable that if you don't have to. If you have gear that requires WEP, throw it away. WEP can be broken fairly easily.

If you are concerned that the Vera is exposing services that can easily be hacked, the best thing you can do is put a different NAT router in front of the Vera.   That will require a bit more configuration to keep the Vera working how it would if it was the main router, but it adds another possible level of protection.  (This is what I do.)

If you will never use the Vera outside your house, then change the default gateway address to something that isn't your outbound router.  This will keep the Vera from talking to anything on the internet.   However, you will lose all ability to control it from outside your house!!!

If you are a bit more savvy, you can always set up the Vera in a configuration that allows you to port scan both the "inside" and "outside" interfaces on the Vera to see what it is listening for.

The other thing to keep in mind is the Vera is built on OpenWRT.   So, as long as MCV keeps up with patches to OpenWRT, and they don't introduce any security holes with the code they run on top, you are probably reasonably okay.   OpenWRT is built to face an unfiltered Internet connection.   (If you are running a Vera 2, you should probably be aware that it is running an older version of OpenWRT, which means any security issues that have been found since then probably aren't fixed.)

However, keep in mind that anything can be hacked.   It is just a matter of someone having enough time and desire to do it.
Vera 3, Altsteon, (Insteon: Relay (Smarthome & Icon), Dimmer (Smarthome), Keypadlinc, 2420M, Triggerlinc, IOLinc, Garage Hawk, Venstar Thermostat, Fanlinc, MI lock, Appliancelinc, Synchrolinc, iMeter), CurrentCost, (Z-Wave: Schlage lock, GE Appliance switch), AutHomation
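
The wireless advice in the post above (turn off WPS, allow only WPA2 with CCMP, get rid of WEP) written as a check over an access point's configuration. This is an added example, not part of the thread; it assumes the access point runs OpenWrt and keeps its settings in /etc/config/wireless, and the sample configuration is constructed.

```python
import re

# Constructed sample in OpenWrt /etc/config/wireless syntax (not from the thread).
SAMPLE = """
config wifi-iface 'home'
    option encryption 'psk2+ccmp'
    option wps_pushbutton '1'
config wifi-iface 'legacy'
    option encryption 'psk-mixed'
config wifi-iface 'garage'
    option encryption 'wep'
config wifi-iface 'good'
    option encryption 'psk2+ccmp'
"""

LINE = re.compile(r"^\s*(config|option)\s+(\S+)(?:\s+'?([^']*?)'?)?\s*$")
# OpenWrt wifi-iface switches that turn WPS on when set to '1'.
WPS_SWITCHES = ("wps_pushbutton", "wps_label")
# Allow-list mirroring the post: WPA2-PSK with CCMP only ('psk2' defaults to CCMP).
WPA2_CCMP_ONLY = {"psk2", "psk2+ccmp", "psk2+aes"}

def parse_ifaces(text):
    """Return {section_name: {option: value}} for every wifi-iface section."""
    ifaces, current = {}, None
    for m in filter(None, map(LINE.match, text.splitlines())):
        kind, key, value = m.groups()
        if kind == "config":
            current = None  # options of other section types are ignored
            if key == "wifi-iface":
                current = ifaces.setdefault(value or f"@wifi-iface[{len(ifaces)}]", {})
        elif current is not None:
            current[key] = value or ""
    return ifaces

def audit(text):
    """Return (iface, finding) pairs for the weak settings named in the post."""
    findings = []
    for name, opts in parse_ifaces(text).items():
        for opt in WPS_SWITCHES:
            if opts.get(opt) == "1":
                findings.append((name, f"WPS enabled ({opt})"))
        enc = opts.get("encryption", "none")  # OpenWrt default is an open network
        if enc not in WPA2_CCMP_ONLY:
            findings.append((name, f"encryption '{enc}' is not WPA2 with CCMP only"))
    return findings

if __name__ == "__main__":
    for iface, finding in audit(SAMPLE):
        print(f"{iface}: {finding}")
```
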

Offline Intrepid

Re: Security issues
« Reply #4 on: July 31, 2013, 06:14:57 pm »
However, the gear you would need isn't something you would pick up at a normal electronics store.   (You could fake some of it with the right gear from a normal electronics store, and a desire to flash it with an alternate OS to enable some of that functionality.   But, you would still need to understand the basics of routing, switching, VLANs, and NAT to really do it right.)

If you are concerned that the Vera is exposing services that can easily be hacked, the best thing you can do is put a different NAT router in front of the Vera.   That will require a bit more configuration to keep the Vera working how it would if it was the main router, but it adds another possible level of protection.  (This is what I do.)

Thanks fba. Could you describe some specifics of how you have your network set up? I currently have everything on one router, including Vera and my Windows 7 Blue Iris DVR (with a forwarded port). I'd like to have the Vera and DVR on a different router/subnet, but I love the convenience of having all on the same.

What's your setup and what are the pros/cons vs. a single network?  I assume, for example, it would be more difficult to use plugins (such as sonos) when it's on a different subnet.

Thanks.

Offline lolodomo

Re: Security issues
« Reply #5 on: August 01, 2013, 05:48:46 am »
If you will never use the Vera outside your house, then change the default gateway address to something that isn't your outbound router.  This will keep the Vera from talking to anything on the internet.   However, you will lose all ability to control it from outside your house!!!

You mean the network gateway defined in the VeraLite?
If I set up as gateway an IP that matches nothing in my network, I imagine my VeraLite will not be able to go outside the local network?
How do I set up the gateway? The default gateway is probably delivered by my router (DHCP).

By the way, I am very interested in a simple solution that will break the connection from the Internet, if possible with an easy way to turn it on and off.
« Last Edit: August 01, 2013, 06:29:27 am by lolodomo »

Offline lolodomo

Re: Security issues
« Reply #6 on: August 01, 2013, 06:36:48 am »
Is there a way to disable the tunnel established by the Vera with Micasaverde servers? Temporarily or permanently?

As a last alternative, I imagine that without a Micasaverde account, this tunnel cannot be established? Or is the Micasaverde account only used for authentication on the Micasaverde web page but not used by the Vera to connect to Micasaverde servers (backups, notifications, ...)?

Offline garrettwp

Re: Security issues
« Reply #7 on: August 01, 2013, 07:14:33 am »
Is there a way to disable the tunnel established by the Vera with Micasaverde servers? Temporarily or permanently?

As a last alternative, I imagine that without a Micasaverde account, this tunnel cannot be established? Or is the Micasaverde account only used for authentication on the Micasaverde web page but not used by the Vera to connect to Micasaverde servers (backups, notifications, ...)?

This has been answered by Futzle and a search for disable remote access would turn up this:

http://forum.micasaverde.com/index.php/topic,4782.0.html

- Garrett