Author Topic: [Solved] VeraLite's Security  (Read 3414 times)

Offline nutt318

[Solved] VeraLite's Security
« on: July 21, 2014, 10:11:42 am »
I was really thinking about purchasing a VeraLite soon but I just happened to come across this security video.

Does anyone know if any of these vulnerabilities are fixed? Looks like this was from last November.

http://www.youtube.com/watch?v=eGjrBb1Oscg&t=29m50s
« Last Edit: July 22, 2014, 09:39:20 am by nutt318 »

Offline ServiceXp

Re: VeraLite's Security
« Reply #1 on: July 21, 2014, 12:40:31 pm »
My understanding is no, the vulnerabilities are still present in FW 1.5.
U.S.A Vera 3

Offline nutt318

Re: VeraLite's Security
« Reply #2 on: July 21, 2014, 02:23:47 pm »
Interesting. Does the VeraLite need access to the internet? Can I have it only be accessible on my local LAN? I then can set up a firewall rule to block anything in/out from the VeraLite.

Thanks for the info.

Offline Z-Waver

Re: VeraLite's Security
« Reply #3 on: July 21, 2014, 07:08:23 pm »
This subject has been rehashed many times.

Yes, the Vera has many security vulnerabilities or security deficiencies.

Many of the issues are design issues that cannot be "fixed", but will require redesign. Maybe this redesign will happen in UI7, but maybe not.

All of the vulnerabilities require the "attacker" be on the LAN. Vera is not exploitable from the internet, unless you stupidly port forward the Vera. Something that is not required and is strongly recommended against. (If you don't know what port forwarding is, then you have no worries, it's off by default.)

Vera is remotely accessible over the internet through a secure connection between you and the Micasaverde servers which then talk to Vera through a secure tunnel. This connection is not vulnerable, despite the incessant smug hyperbole in the video. The "attacker" must be on Vera's LAN.

Vera does not have to be connected to the internet at all in order to function. However, without internet you limit your ability to remotely access Vera, a very powerful feature. Vera will also need a local NTP time source, if internet access is removed. Also, being off the internet does not protect Vera if the "attacker" is on the LAN.

So, in order to secure Vera to a generally acceptable level, do not permit unauthorized or guest access to your LAN. If you wish to go even further and make Vera very secure from your housemates/guests, then Vera needs to be on its own private LAN that your housemates do not have access to. But, even in this scenario, Vera can still have access to the internet without risk.
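
The segmentation described in the reply above, sketched as an added example (not part of the original thread, and not Vera or Micasaverde configuration): a dry-run generator for iptables FORWARD rules on a Linux router. The interface names, addresses and the single admin host are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for a Linux router that
# keeps a Vera on its own segment. Every name and address below is an assumption.
VERA_IF="${VERA_IF:-br-vera}"        # segment that holds only the Vera
LAN_IF="${LAN_IF:-br-lan}"           # household / guest LAN
WAN_IF="${WAN_IF:-eth0}"             # internet uplink
ADMIN_IP="${ADMIN_IP:-192.168.1.10}" # the one LAN host allowed to reach the Vera
NTP_IP="${NTP_IP:-192.168.1.20}"     # LAN time server, used in offline mode

# vera_rules internet : Vera may open connections to the internet (remote access works)
# vera_rules offline  : Vera has no internet and may only query the local NTP server
vera_rules() {
    mode="$1"
    case "$mode" in
        internet|offline) ;;
        *) echo "usage: vera_rules internet|offline" >&2; return 2 ;;
    esac
    echo "iptables -N VERA_FWD"
    # Replies to connections that were allowed below.
    echo "iptables -A VERA_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Housemates and guests cannot open connections to the Vera; the admin host can.
    echo "iptables -A VERA_FWD -i $LAN_IF -o $VERA_IF -s $ADMIN_IP -j ACCEPT"
    if [ "$mode" = internet ]; then
        # Outbound only: nothing is port-forwarded in from the WAN.
        echo "iptables -A VERA_FWD -i $VERA_IF -o $WAN_IF -j ACCEPT"
    else
        # Without internet the Vera still needs time, so allow NTP to the local server.
        echo "iptables -A VERA_FWD -i $VERA_IF -o $LAN_IF -d $NTP_IP -p udp --dport 123 -j ACCEPT"
    fi
    echo "iptables -A VERA_FWD -j DROP"
    # Send everything entering or leaving the Vera segment through the chain.
    echo "iptables -I FORWARD 1 -i $VERA_IF -j VERA_FWD"
    echo "iptables -I FORWARD 1 -o $VERA_IF -j VERA_FWD"
}

# Print the rule set when run with a mode argument, e.g. `sh vera_fw.sh offline`.
if [ "$#" -gt 0 ]; then vera_rules "$1"; fi
```

Review the printed rules before piping them to `sh` as root on the router. If the router itself is the NTP server, the offline NTP rule belongs in the INPUT chain rather than FORWARD.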

Offline capjay

Re: VeraLite's Security
« Reply #4 on: July 21, 2014, 08:01:17 pm »
This topic has been beaten to death elsewhere in the forums: http://forum.micasaverde.com/index.php/topic,15425.0.html

Offline nutt318

[Solved] Re: VeraLite's Security
« Reply #5 on: July 22, 2014, 09:38:57 am »
Thanks for the great info Z-Waver, it did make it sound like it was compromised from outside the LAN. However, if it's just the LAN then that's fine with me.

When you say redesign do you mean firmware on UI7 or are you thinking a hardware redesign?

Thanks!

Offline Z-Waver

Re: [Solved] VeraLite's Security
« Reply #6 on: July 22, 2014, 12:33:28 pm »
> When you say redesign do you mean firmware on UI7 or are you thinking a hardware redesign?
It would take a firmware and operating method redesign. It would require putting authentication in front of UPnP access, significantly restricting UPnP capabilities, which is a core aspect of Vera's operation. Some of this redesign is already underway. But changes to some aspects of Vera would be so disruptive to existing installations and apps that I don't think they will do it as an upgrade. They may instead offer a whole new product. But, who knows when that might be, if ever.