Author Topic: Security Concerns  (Read 3930 times)

Offline Pete

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
Security Concerns
« on: July 21, 2015, 08:56:49 pm »
I have Mi Casa Verde VeraLite Home Controller with the latest version and I'm constantly receiving messages warning me that there are unauthorized logins to the controllers.

I've had a ticket open with Vera support since June 21st and so far there's been almost no responses.  They only respond about once a week with a standard response that's only vaguely related to the issue or simply summarizes what the issue is with no further help.  It seems like they don't want to acknowledge the issue, they don't know what to do, or maybe they are in the process of going out of business?  Is this the same support that they've always had?  Should we be transitioning to another more secure product?
« Last Edit: June 17, 2017, 07:37:02 am by John M. »

Offline daniel

  • Customer Care Manager
  • Administrator
  • Full Member
  • *****
  • Posts: 143
  • Karma: +2/-0
    • Vera Control
Re: Critical Security Issues
« Reply #1 on: July 22, 2015, 06:19:42 am »
Hi Pete,
I can assure you we are very much in business and we are here to help. After further analysis of your case we found out that the alerts you're seeing are nothing but normal alerts generated when you are logging in on the gateway.
The only issue there is that the IP addresses that are being shown are matching our relay servers, instead of your own external IP address and we are currently working on addressing this.

173.255.250.75 - vera-us-oem-relay31.mios.com
198.74.52.112 - vera-us-oem-relay41.mios.com
54.187.71.199 - vera-us-oem-relay11.mios.com
« Last Edit: July 12, 2017, 02:14:00 pm by John M. »

Offline Pete

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
Re: Critical Security Issues - Is Vera Going Out of Business?
« Reply #2 on: July 22, 2015, 09:40:38 am »
When I do an IP address lookup, it doesn't display that those are Vera IPs.

173.255.250.75 → li260-75.members.linode.com
198.74.52.112 → li554-112.members.linode.com
54.187.71.199 → ec2-54-187-71-199.us-west-2.compute.amazonaws.com

Offline BOFH

  • Sr. Hero Member
  • ******
  • Posts: 2391
  • Karma: +111/-138
Re: Critical Security Issues - Is Vera Going Out of Business?
« Reply #3 on: July 22, 2015, 09:45:20 am »
It seems GetVera leases space from linode.com as well as being on Amazon's AWS cloud. Looks like your DNS server has some issues resolving to the right names. I'm wondering if that's part of your issue.
Vera3 UI5 UI7 Edge Plus
Trane TZEMT400AB32 | Schlage BE369 FE599 | GE 45601 45602 45603 45604 45606 45609 45631 | Intermatic HA01C HA03C HA05C HA07C CA600 CA3000 | Aeon DSC06106 | Telguard GDC1 | Foscam FI8910W FI8905W FI9821W | D-Link 930L | Wanscam JW0011 | ZModo ZPIBH13W

Offline vosmont

  • Hero Member
  • *****
  • Posts: 674
  • Karma: +59/-8
Re: Critical Security Issues - Is Vera Going Out of Business?
« Reply #4 on: July 22, 2015, 10:07:13 am »
Same result here for the lookup (from France).
« Last Edit: July 22, 2015, 10:39:40 am by vosmont »

Offline RichardTSchaefer

  • Master Member
  • *******
  • Posts: 9568
  • Karma: +729/-136
    • RTS Services Plugins
Re: Critical Security Issues - Is Vera Going Out of Business?
« Reply #5 on: July 22, 2015, 01:21:16 pm »
There is NO uniqueness requirement on the internet for a REVERSE IP lookup.

The key thing is that a DNS address maps to the correct address.
This is validated via an HTTPS connection ... because the encryption certificate for the server is verified with the DNS name.
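Richard's point above, as an added example that is not code from the thread or from Vera: the PTR name of an address is only a hint, so the check a defender actually wants is whether the vendor's own hostname forward-resolves to the address seen in the alert. The lookup tables are constructed from the addresses and names quoted in this thread; `live_ptr` and `live_a` are assumed helpers that would replace them for a real lookup.

```python
import socket
from typing import Callable, Dict, List

# Constructed tables from the addresses and names quoted in this thread: PTR names
# belong to the hosting providers, A records are what the mios.com names resolve to.
PTR_TABLE: Dict[str, str] = {
    "173.255.250.75": "li260-75.members.linode.com",
    "198.74.52.112": "li554-112.members.linode.com",
    "54.187.71.199": "ec2-54-187-71-199.us-west-2.compute.amazonaws.com",
}
A_TABLE: Dict[str, List[str]] = {
    "vera-us-oem-relay31.mios.com": ["173.255.250.75"],
    "vera-us-oem-relay41.mios.com": ["198.74.52.112"],
    "vera-us-oem-relay11.mios.com": ["54.187.71.199"],
    "li260-75.members.linode.com": ["173.255.250.75"],
    "li554-112.members.linode.com": ["198.74.52.112"],
    "ec2-54-187-71-199.us-west-2.compute.amazonaws.com": ["54.187.71.199"],
}

def table_ptr(ip: str) -> str:
    return PTR_TABLE.get(ip, "")
def table_a(name: str) -> List[str]:
    return A_TABLE.get(name, [])

def live_ptr(ip: str) -> str:            # assumed helper: real reverse lookup
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ""

def live_a(name: str) -> List[str]:      # assumed helper: real forward lookup
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_relay(ip: str, expected_name: str,
                resolve_ptr: Callable[[str], str] = table_ptr,
                resolve_a: Callable[[str], List[str]] = table_a) -> dict:
    """Decide whether `ip` is legitimately `expected_name` without trusting the PTR."""
    ptr = resolve_ptr(ip)
    return {
        "ptr": ptr,
        # A provider-owned PTR name is not evidence of anything wrong.
        "ptr_is_expected_name": ptr == expected_name,
        # This is the check that matters: does the vendor's name resolve to this IP?
        "expected_name_maps_to_ip": ip in resolve_a(expected_name),
        # Forward-confirmed reverse DNS: does the PTR name resolve back to the IP?
        "fcrdns_consistent": bool(ptr) and ip in resolve_a(ptr),
    }
```

Pass `resolve_ptr=live_ptr, resolve_a=live_a` to run it against real DNS; the TLS certificate check Richard mentions is what a client library does on top of this when it connects by name.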

Offline mike4kz

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
Re: Critical Security Issues - Is Vera Going Out of Business?
« Reply #6 on: July 24, 2016, 06:26:14 pm »
Found this topic by searching for the IP address my Vera connects... I'm fine that Vera connects to the "centralized management". I'm fine that these servers are at Linode or Amazon AWS. But Vera connects over TCP/23... Unencrypted TELNET port. And transmits something over the Internet IN CLEAR TEXT.

Offline mvader

  • Sr. Member
  • ****
  • Posts: 380
  • Karma: +29/-74
Re: Critical Security Issues - Is Vera Going Out of Business?
« Reply #7 on: June 09, 2017, 08:19:15 pm »
I'm seeing a lot of traffic to/from my Vera
173.255.250.75 → li260-75.members.linode.com

I see that it was mentioned in an earlier post.
Is this legit?

I have NO cameras on my Vera, but it's transferred almost 400 MB in the last 3 days.
This feels on the high side.
Anyone have any thoughts on that address?

Offline MrCCIE

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
Re: Critical Security Issues - Is Vera Going Out of Business?
« Reply #8 on: June 10, 2017, 10:44:28 am »
Found this topic by searching for the IP address my Vera connects... I'm fine that Vera connects to the "centralized management". I'm fine that these servers are at Linode or Amazon AWS. But Vera connects over TCP/23... Unencrypted TELNET port. And transmits something over the Internet IN CLEAR TEXT.

Seriously?

If they are using telnet, that's a big deal.  Any technology body in existence today will tell you that it is a bad and unnecessary practice.

I'm going to look for someone from Vera to provide a statement here.  If they are still using telnet and cannot say that you will be transitioning away from it ASAP, I'm done as a customer.  I don't care what they are transmitting over telnet; the fact that it is even on their list of available protocols at all would be enough to tell me that my data is not in the hands of someone with appropriate security controls to be trusted with it.
« Last Edit: June 10, 2017, 10:47:18 am by MrCCIE »

Offline mvader

  • Sr. Member
  • ****
  • Posts: 380
  • Karma: +29/-74
Re: Critical Security Issues - Is Vera Going Out of Business?
« Reply #9 on: June 10, 2017, 02:06:47 pm »
Unless Vera gives us some answers, all this crap is getting blocked in my firewall.
I looked on my Vera and saw this one too:
au.kashra.pictures


Offline BOFH

  • Sr. Hero Member
  • ******
  • Posts: 2391
  • Karma: +111/-138
Re: Critical Security Issues - Is Vera Going Out of Business?
« Reply #10 on: June 10, 2017, 04:29:53 pm »
Buy a Raspberry Pi Zero or Zero W ($10 or so) and a micro USB to cat5 adapter ($8) and install Raspbian Jessie. Then install Pi-Hole (https://pi-hole.net/). Easiest solution ever (just a few simple questions) and it even keeps ads away in your phone apps, as well as preventing Vizio TVs from spying on you. :)

The built-in webserver shows you exactly which devices are trying to go where. A simple click and access is blacklisted or whitelisted. I've had this running on a Pi 3 for several months but since arrow.com is giving me a free Pi Zero W, I'm going to use that one and free the Pi # up for something else.

Do realize, if you have plug-ins installed, it may be those that are accessing certain sites and not Vera itself.
Vera3 UI5 UI7 Edge Plus
Trane TZEMT400AB32 | Schlage BE369 FE599 | GE 45601 45602 45603 45604 45606 45609 45631 | Intermatic HA01C HA03C HA05C HA07C CA600 CA3000 | Aeon DSC06106 | Telguard GDC1 | Foscam FI8910W FI8905W FI9821W | D-Link 930L | Wanscam JW0011 | ZModo ZPIBH13W

Offline kigmatzomat

  • Sr. Member
  • ****
  • Posts: 270
  • Karma: +8/-0
Re: Critical Security Issues - Is Vera Going Out of Business?
« Reply #11 on: June 11, 2017, 11:46:49 pm »
If you have a hub (not a switch, a hub) you can put it between the Vera and your router, plug a PC into the hub and use a packet capture tool like Wireshark to watch the data and open up those unencrypted packets.

Offline sgruby

  • Jr. Member
  • **
  • Posts: 61
  • Karma: +3/-1
Re: Critical Security Issues - Is Vera Going Out of Business?
« Reply #12 on: June 12, 2017, 12:22:38 am »
Buy a Raspberry Pi Zero or Zero W ($10 or so) and a micro USB to cat5 adapter ($8) and install Raspbian Jessie. Then install Pi-Hole (https://pi-hole.net/). Easiest solution ever (just a few simple questions) and it even keeps ads away in your phone apps, as well as preventing Vizio TVs from spying on you. :)

The built-in webserver shows you exactly which devices are trying to go where. A simple click and access is blacklisted or whitelisted. I've had this running on a Pi 3 for several months but since arrow.com is giving me a free Pi Zero W, I'm going to use that one and free the Pi # up for something else.

Do realize, if you have plug-ins installed, it may be those that are accessing certain sites and not Vera itself.

Unfortunately this doesn't work with the Vera. The device hardcodes Google DNS 8.8.8.8 and 8.8.4.4 so you won't see DNS requests show up in PiHole. I had to add firewall rules that redirect DNS going to Google and have it go to PiHole. Vera customer support's response wasn't satisfactory on why they ignore DNS given out via DHCP.

Offline niharmehta

  • Sr. Member
  • ****
  • Posts: 322
  • Karma: +14/-0
Re: Critical Security Issues - Is Vera Going Out of Business?
« Reply #13 on: June 12, 2017, 05:07:40 am »
I'm seeing a lot of traffic to/from my Vera
173.255.250.75 → li260-75.members.linode.com

I see that it was mentioned in an earlier post.
Is this legit?

I have NO cameras on my Vera, but it's transferred almost 400 MB in the last 3 days.
This feels on the high side.
Anyone have any thoughts on that address?

This looks legit. The Vera relay servers are at Linode, and the hard-coded DNS names in /etc/cmh/servers.conf resolve to those IP addresses.
2x VeraLite; 2xTrane Tstats; 45 x Switches/Dimmers/Appliance Modules; 4x Everspring Water Sensors; DSC Integration; 2 x Zwave Door Locks; 1x Ted5K; 1x Rainforest Eagle; Onkyo AVR; 6x Squeezebox;

Offline niharmehta

  • Sr. Member
  • ****
  • Posts: 322
  • Karma: +14/-0
Re: Critical Security Issues - Is Vera Going Out of Business?
« Reply #14 on: June 12, 2017, 05:20:47 am »
Vera uses a bunch of different servers for various parts of their infrastructure. Most are hosted at Hurricane Electric, a couple (relay servers) are at Linode, QuadraNet is used for provisioning, and logs seem to go to a Romanian server.

The logs can (and do) contain PIN info for security systems in the clear as well as other sensitive info, so that is my greatest concern. Especially since, at least in the past, it was using standard FTP to transfer them over the internet rather than their TLS/SSH tunnel.

You can see the server assignments in the /etc/cmh/servers.conf file. I have posted in the past how to redirect the logs locally by spoofing the DNS resolution for the log servers.

Although I could probably do a better job tracking every outbound connection from my Vera, from what I have seen, there has been no use of Telnet from my home Vera. Maybe a specific plugin vs. the core services?

Also, just because something is using TCP/23 does not mean that it is actually the unencrypted TELNET protocol. It just means that this port is being used; another service could be listening on the port instead of TELNET. The best way to verify is to use a sniffer inline, or by spanning the switch port, and actually look at the traffic to see whether it is in the clear or obfuscated/secured in some way.

2x VeraLite; 2xTrane Tstats; 45 x Switches/Dimmers/Appliance Modules; 4x Everspring Water Sensors; DSC Integration; 2 x Zwave Door Locks; 1x Ted5K; 1x Rainforest Eagle; Onkyo AVR; 6x Squeezebox;
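niharmehta's advice to sniff the TCP/23 traffic before calling it telnet, as an added example that is not code from the thread or from Vera: given the first bytes of a captured stream (what Wireshark's "Follow TCP Stream" would show), it checks for telnet option negotiation, an SSH banner or a TLS record header before falling back to a printable-byte heuristic. The sample payloads are constructed for illustration.

```python
import string

IAC = 0xFF
NEGOTIATION = {0xFA, 0xFB, 0xFC, 0xFD, 0xFE}   # SB, WILL, WONT, DO, DONT (RFC 854)
PRINTABLE = set(string.printable.encode())

def telnet_negotiations(payload: bytes) -> int:
    """Count IAC <cmd> <option> triples; a real telnet session opens with these."""
    count, i = 0, 0
    while i < len(payload) - 1:
        if payload[i] == IAC and payload[i + 1] in NEGOTIATION:
            count += 1
            i += 3
        elif payload[i] == IAC and payload[i + 1] == IAC:   # escaped 0xFF data byte
            i += 2
        else:
            i += 1
    return count

def printable_ratio(payload: bytes) -> float:
    return sum(b in PRINTABLE for b in payload) / len(payload) if payload else 0.0

def classify_payload(payload: bytes) -> str:
    """Label the first bytes seen on a TCP/23 stream captured inline or via a SPAN port."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 4:
        return "tls"
    if telnet_negotiations(payload) > 0:
        return "telnet"
    return "cleartext" if printable_ratio(payload) >= 0.9 else "binary/opaque"

# Constructed sample captures for illustration, not traffic from a real Vera.
SAMPLES = {
    "telnet": bytes([IAC, 0xFD, 0x18, IAC, 0xFB, 0x01]) + b"login: ",
    "tls": bytes([0x16, 0x03, 0x01, 0x00, 0xC5, 0x01, 0x00]) + bytes(range(32)),
    "ssh": b"SSH-2.0-OpenSSH_7.4\r\n",
    "cleartext": b"GET /status HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
    "binary": bytes(range(0x80, 0xA0)) + bytes(range(0xC0, 0xE0)),
}

def audit(samples=SAMPLES) -> dict:
    """Return {name: label}; only 'telnet' and 'cleartext' confirm the concern raised above."""
    return {name: classify_payload(data) for name, data in samples.items()}
```

A "binary/opaque" verdict is not proof of encryption, only that the port number alone settled nothing; pair it with the destination hostname check before deciding what to block.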