Author Topic: Embedded Private SSH Keys and More...  (Read 2144 times)

Offline windexh8er

Embedded Private SSH Keys and More...
« on: October 24, 2014, 02:03:33 am »
Great write up on the insecurities in Vera:

http://www.xipiter.com/musings/the-insecurity-of-things-part-two

Beyond this there are many more flaws related to how the device operates with central services.  If you're letting your Vera free on the egress of your network, well, you shouldn't...

Offline futzle

Embedded Private SSH Keys and More...
« Reply #1 on: October 24, 2014, 03:30:56 am »
Thanks for posting that. It nicely collates a lot of what we already know about Vera's vulnerabilities.  The post gets a bit alarmist towards the end where it intimates that the (stupidly) shared SSH private key might help an attacker to get access to all Veras worldwide. (It is true for you, only if your ISP, or your Government, or MCV's ISP, or MCV's Government*, is complicit and siphons off the encrypted data stream between you and MCV's servers.)

There aren't any new attack vectors revealed in the article. (Not that we need any more to be honest.) At least now we have a decent blog post to point forum members to when they want to do crazy things like port forward to expose their Vera to the world.

* Hello, NSA.

Edit: curse you. Autocorrect

Offline d55m14

Re: Embedded Private SSH Keys and More...
« Reply #2 on: October 24, 2014, 05:18:47 am »
Hi Futzle,

I've installed my Veralite behind a router with OpenVPN software, and to connect to the Veralite from the internet I need a certificate on my client (PC, iOS) with the OpenVPN client.

Do you think this configuration is as easily vulnerable as illustrated in this post and others?

Thanks

Donato


Offline futzle

Re: Embedded Private SSH Keys and More...
« Reply #3 on: October 24, 2014, 07:17:51 am »

Quote from: d55m14
> I've installed my Veralite behind a router with OpenVPN software, and to connect to the Veralite from the internet I need a certificate on my client (PC, iOS) with the OpenVPN client.

You've set up an end-to-end encrypted tunnel with a unique key. It doesn't get much better than that.

Offline Laughing Man

Re: Embedded Private SSH Keys and More...
« Reply #4 on: October 25, 2014, 05:57:38 pm »
Quote from: d55m14
> Hi Futzle,
>
> I've installed my Veralite behind a router with OpenVPN software, and to connect to the Veralite from the internet I need a certificate on my client (PC, iOS) with the OpenVPN client.
>
> Do you think this configuration is as easily vulnerable as illustrated in this post and others?
>
> Thanks
>
> Donato

How are you using OpenVPN on iOS? Not using dev tap?

Offline futzle

Re: Embedded Private SSH Keys and More...
« Reply #5 on: October 25, 2014, 07:38:07 pm »
Quote from: Laughing Man
> How are you using OpenVPN on iOS?

I found this post from the same user.

Offline d55m14

Re: Embedded Private SSH Keys and More...
« Reply #6 on: October 26, 2014, 06:13:06 pm »
Hi,

Yes, I've installed OpenVPN Connect from the Apple Store.

donato