Author Topic: findvera.com login insecure?  (Read 6700 times)

Offline Gerenb

  • Sr. Newbie
  • *
  • Posts: 30
  • Karma: +0/-0
findvera.com login insecure?
« on: March 27, 2010, 11:33:06 am »

i recently purchase Vera and have been closely following these forums. Vera seems to be a bit of a work in progress but has great potential. I currently use my iPhone to access findvera using the Smartphone plugin. I love simplicity, though, and noticed the login credentials were passed in the URL (encrypted) after entering them in findvera.com/mobile. I thought it was great since all I had to do was bookmark the home page AFTER logging in. I would then no longer have to enter my login credentials and could immediately jump on Vera. It worked perfectly.

Be careful what you wish for. If I'm not mistaken, this means that anyone can sniff out the accessed web pages and connect to your Vera with full access - without knowing your username and password. I believe standard web monitoring tools like Websense in corporate networks would record the required URL.

Please tell me I'm wrong.

Offline mikeholczer

  • Sr. Member
  • ****
  • Posts: 413
  • Karma: +0/-0
Re: findvera.com login insecure?
« Reply #1 on: March 27, 2010, 12:18:10 pm »
When using the HTTPS protocol, which find vera does, the entire request is encrypted, even the URL.

Offline Gerenb

  • Sr. Newbie
  • *
  • Posts: 30
  • Karma: +0/-0
Re: findvera.com login insecure?
« Reply #2 on: March 27, 2010, 12:25:04 pm »
Thanks for the fast response. That makes me feel MUCH better. I knew the https traffic was encypted but didn't realize even the URL was encrypted.

Offline mikeholczer

  • Sr. Member
  • ****
  • Posts: 413
  • Karma: +0/-0
Re: findvera.com login insecure?
« Reply #3 on: March 27, 2010, 12:26:33 pm »
Before people start taking about SSL termination within a corporate network and what not, I will restate and say that having the username and password in the URL is no less secure then providing it through another means. As far as data on the wire goes, it is as safe as logging in to your bank's website.

Offline umtauscher

  • Full Member
  • ***
  • Posts: 223
  • Karma: +0/-0
Re: findvera.com login insecure?
« Reply #4 on: March 28, 2010, 03:34:20 am »
I have never seen a bank where you could log in by simply clicking a saved link.
Sorry, but this another point where I feel using findvera is a major security risk.
Glad that I don't use it.

Offline javier

  • Full Member
  • ***
  • Posts: 172
  • Karma: +0/-0
Re: findvera.com login insecure?
« Reply #5 on: March 28, 2010, 05:55:47 am »
I have never seen a bank where you could log in by simply clicking a saved link.

banks worry a lot (as they should!) on phishing possibilities.  Having a 'no password asked' URL means that it's possible to some scammer to forge an email telling an accountowner to link somewhere and do something.

As with all phishing exploits, ultimately it all depends on the user's gullibility.

Sorry, but this another point where I feel using findvera is a major security risk.
Glad that I don't use it.

The only attack vector this would make possible (apart from phishing scams) is if you have some malware in your mobile that gets the URL and forwards to somebody else.

Note that (as mikeholczer noted) it's not enough to watch the TCP stream, since it's SSL encrypted; such malware would have to reside in your mobile and it must be able to read all the browser's history.

Frankly, if you have any kind of malware in any machine you use to control your house, i think it's game over already.  Nothing done on the server would be able to help in that situation.

I think that storing user credentials on the URL is not worse than letting the browser remember it on a 'keychain' or similar functionality.  Of course, there are valid objections to that too; but it's still a very popular feature, and very few people turn it off.

Of course, as with all security related issues, if you think a different attack scenario please share with us.
--
Javier

Offline umtauscher

  • Full Member
  • ***
  • Posts: 223
  • Karma: +0/-0
Re: findvera.com login insecure?
« Reply #6 on: March 28, 2010, 07:12:22 am »
Thanks Javier, for your response,

You are right, about that and I think I understand that from your perspective.
For me, I won't use the findvera service and that would be ok for me, if Vera wouldn't rely on findevera.com in one or the other circumstance.

I really am very thankful  for you keeping up the dialogue. I really feel that MCV does very little here in the forum to help people solve their problems and you really are an exception in that field.
Thanks again

Umtauscher

Offline Hal

  • Newbie
  • *
  • Posts: 8
  • Karma: +0/-0
Re: findvera.com login insecure? [websense]
« Reply #7 on: June 19, 2010, 01:45:34 pm »
Absolutely, GET parameters are included with the URLs used in websense.  From some rather embarrassing personal experience fortunately a long time ago, this can lead to rather challenging analytics if the GET parameters are not parsed out before being passed to the main engine [since you generally want to know the per-site statistics not generate analytics separately for each user of the site].

Passwords should never be passed in the URLs themselves [encoded or not] as GET parameters.  POST parameters exist for a variety of reasons, and should be used.

While relatively unlikely and generally not of interest to most nefarious types, url's can also be retrieved via browser history either from the browser itself or, in some operating systems, from other applications running on the desktop that have this exposed to them via integration APIs.

As a note, IIRC the normal practice for caching logins for this type of exercise would be with a cookie vs the GET parameters.  Obviously, the cookie can still be potentially acquired at the file level from the machine but I wouldn't be putting the home control system toward the top of the wish list for people doing this.  Generally bank accounts come first :)

In short, cookies are better than usernames/passwords in URLs.

--hal

Offline mikeholczer

  • Sr. Member
  • ****
  • Posts: 413
  • Karma: +0/-0
Re: findvera.com login insecure?
« Reply #8 on: June 19, 2010, 03:03:19 pm »
If someone has enough access to view your web history you have already been breached.

Offline micasaverde

  • Administrator
  • Hero Member
  • *****
  • Posts: 1667
  • Karma: +15/-1
Re: findvera.com login insecure?
« Reply #9 on: July 06, 2010, 01:56:16 am »
I know it'll offend some people, but, frankly, I think this concern about usernames/passwords is kind of silly.  Remember, we're talking about mobile phones here, so typing on the 2=abc, or even the iphone style on screen keyboard is a royal PITA.  The whole idea behind the home automation control of the phone is to be fast and convenient.  Quickly turn off the lights as you're rushing to the car kind of thing.  So having the username/password stored in the bookmark, which, as everyone has pointed out, is secure, but also *SO* much more convenient.  You can stick a bookmark to the page on your phone's desktop, so it's one click to bring up the page, 1 click to turn the light off.  Not too bad and you can do it one handed.  Now, imagine if to turn a light off you have to enter on a phone's tiny keyboard a full username and password....  Who would use it?  Honestly, at that point, the security becomes so intrusive it's impractical.

True, banks don't let you store usernames and passwords in the bookmark.  But, with a bank, you log in only occasionally and when you do, you have the ability to transfer all of your money out of the account and give it to a stranger, such as by clicking bill pay and having a check issued or doing a wire transfer.  I can understand why most consumers would rather enter the full username/password each time before accessing online banking, since it's something you do infrequently and very high risk.  But, as a user, I would never go through that kind of hassle just to turn on the a/c.

It's true that with door locks and security the phone can do grant access to the home...  But, again, as has been pointed out, if someone has installed malware on your phone to capture the URL's, they've got your online banking usernames and passwords and would probably be a lot more interested in transferring the $20,000 out of your savings account than in unlocking a Schlage door *somewhere* in the city.  Remember, we don't store the address anywhere in the system for that very reason if someone finds the phone.  So, the person who found the phone would have to hack into AT&T's databases to find the home address that corresponds to your phone, go to your address, hoping that by the time they got there you hadn't discovered the phone was missing and change the password, and hoping that you don't have another security system like an alarm panel, and hoping that you're not home, so they can unlock the door and burglarize your home.  And remember, if the person who found your phone really wanted to burglarize your home, they could also just throw a rock through the side window and wouldn't need the phone to unlock the front door.

Anyway, the bottom line is that if you're not comfortable with it, you don't have to use it, or you could one of the dedicated phone apps, like iVera or SQ Remote.  But, I have a feeling that for 99+% of users, the convenience of turning on a light without entering a username/password far outweighs the really minor risk, and most users would agree that if someone got access to your usernames/passwords, they'd be too busy transferring all the money out of your bank accounts to take the time to play around with your home automation system.