We have moved at community.getvera.com

Author Topic: Any chance MCV will address this?  (Read 1470 times)

Offline Frunple

  • Jr. Member
  • **
  • Posts: 67
  • Karma: +0/-0

Offline Z-Waver

  • Master Member
  • *******
  • Posts: 4437
  • Karma: +249/-120
Re: Any chance MCV will address this?
« Reply #1 on: October 30, 2014, 09:16:32 am »
Probably not. Almost everything in that story is a known issue that has existed for years even from the previous firmware version(UI5) that MCV has yet to address. But there are a couple of things to note.

1. Vera is not a secure system if you are on the LAN. Provided you restrict access to your LAN and do not portforward Vera, the vulnerabilities are mitigated. This topic has been discussed repeatedly on this forum.

2. The linked post makes a VERY bold claim that I do not believe is correct and, despite the lengthy and dramatized story, they made no attempt to prove. In the article's conclusion they claim
From there potentially (if SSH works the way we think it does),  this key can be used to access ALL THE OTHER devices like it in the world currently connected to the internet.

Despite this hyperbole filled claim, I do not see that this would allow any one to do more than connect to MCV servers via SSH. I do not see how this could allow access to another Vera also connected to that server, without architectural vulnerabilities on the MCV server side. Simply establishing a tunnel to MCV should not allow access to any other device and unless they can offer some proof that it does, I'm unwilling to accept this claim at face value.

Edit: Thinking about the SSH key claim a little more... Having this key would allow the possibility of a man-in-the-middle(MITM) attack where, if the attacker could gain access to the network between your Vera and MCV, they would be able to access a SSH tunnel session. If they gained access to the network in front of MCV servers, they could in theory access any/all tunnels via MITM. It's not secure/impenetrable, but it is low risk and it is something that the article writers are incapable of accomplishing.
« Last Edit: October 30, 2014, 09:43:23 am by Z-Waver »