We have moved at community.getvera.com

Author Topic: Vera Lite scanning localnet port 80  (Read 2021 times)

Offline sdrider

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Vera Lite scanning localnet port 80
« on: February 11, 2016, 03:50:15 pm »
I just noticed my Vera scanning port 80 on my local network.

Checking firewall logs, I can see this has happened twice in the 30 days, so this is not often or frequent, and I can't associate either of the two events with any trigger that would cause this.. ie. nothing special was happening either on the vera or on the home network.

I don't actually know how broad the scan was. Since I just noticed this and the two events are 3 weeks apart, I haven't gone the extra step of putting a full traffic capture in between the Vera and my network. If it happens again, I certainly will consider doing that.

What I do have is a beaglebone on my home network that acts network tripwire: I drop all known host:protocol:port packets that I don't care about (netbios, plex scans, etc) and log everything else. Upon reviewing these logs, I noticed Vera hitting port 80 on my beaglebone. Vera has no reason to know or talk to this host, so this is an unsolicited port scan. It was only port 80 that was scanned, and since I don't currently have a 2nd tripwire on the localnet, I can't verify it scanned every single IP or just targeted my BeagleBone for some reason.

Suffice to say, it's alarming to see a black box device on my home network start probing other devices for no reason. I'd love to know why it's doing this, what triggered it, and what I can do to turn off whatever is causing this.

Has anyone seen this behavior from their Vera before and have any idea of the cause? My searching of these forums and of google turned up nothing. One thing I did find was this link https://media.blackhat.com/us-13/US-13-Crowley-Home-Invasion-2-0-WP.pdf describing a number of security issues with the VeraLite and the author commenting there was a general lack of interest by Vera to acknowledge or fix these issues (section 3.2). This only heightened my concern that these port scans may actually be malicious activity by a remote attacker who has exploited any number of these vulnerabilities.

Here's a pastebin of the firewall logs of the Vera (1.50) hitting my Beagle (1.3) on the two different dates: http://pastebin.com/a4X0jLBi

Offline Brientim

  • Sr. Hero Member
  • ******
  • Posts: 2497
  • Karma: +78/-7
Re: Vera Lite scanning localnet port 80
« Reply #1 on: February 12, 2016, 02:07:40 am »

Offline mcvflorin

  • Administrator
  • Hero Member
  • *****
  • Posts: 1755
  • Karma: +11/-3
Re: Vera Lite scanning localnet port 80
« Reply #2 on: February 12, 2016, 02:17:34 am »
Vera listens to DHCP requests on the network, so whenever a new device appears, it will try to identify it by making various requests to it, and comparing the received responses with the ones in a list. If any response matches one in the list, the device is added on Vera. Currently only IP cameras are identified this way. All these requests are on port 80, so maybe that is what you saw. Vera does not do any active scanning on the network, unless you have "Scan for UPnP devices" checked, but that is not actually a scan, it's a broadcast on the UPnP port.

Offline sdrider

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Re: Vera Lite scanning localnet port 80
« Reply #3 on: February 12, 2016, 12:05:23 pm »
The beagle in this case has been on the network for years, and nothing was run or nothing new was installed that would cause it to tickle Vera to initiate a probe. This was an unsolicited scan from the VeraLite. Are you suggesting *any* change on the network will cause Vera to do a full scan of the entire local network?

I will setup a second tripwire device on my local net to see if Vera is just hitting one host or if it's scanning all of them.

I had no idea VeraLite was listening to DHCP and probing new devices. Interesting news. I can see how this would be helpful for non-techies in that Vera can magically auto-discover new devices. Me, personally, I don't like black box devices I don't control probing and scanning devices on my network. It might be time to setup a VLAN to isolate Vera.

I've shutdown outbound 232 from Vera so MCV remote access servers (and my own user/pass) are no longer a possible attack vector on it. I tried shutting down all outbound Vera traffic, but that renders the web console useless - it apparently needs to reach out over HTTP to the internet to render the Web UI (bizarre). Also I have a few email alerts that would be blocked by shutting down all outbound, so for now I'm back to just shutting down 232.

Thanks for the info. Tinfoil hat mode has been triggered so I'll keep a close eye on Vera over the next few months to understand this behavior better, but the info given here in this thread has already been helpful. Thank you.