Author Topic: Too much security delegation to a remote server  (Read 10511 times)

Offline atlantis94fr

  • Sr. Newbie
  • *
  • Posts: 23
  • Karma: +0/-0
Too much security delegation to a remote server
« on: October 03, 2010, 05:27:59 pm »

I am afraid that UI4 increases the level of security delegation to micasaverde servers without asking or advising the Vera customers!!!

Now,

- How can I control access to my Vera locally with local accounts, and not, as today, with remote accounts that may be cracked!!!

- How can I upload pictures registered by my cams to a dedicated space THAT I CONTROL outside MiOS!!!

- Sorry guys, but I don't want to grant micasaverde people access to my personal files or house organization!!!

- How can I control data flow between your servers and my Vera with my firewall? There is no documentation about outgoing network flows from Vera to the servers.

- Will you deliver a version of IOS with a local SSL-protected HTTP interface on Vera in order not to use your MiOS gateway servers?

- Last point: how can I access root level of the system? As far as I remember, I have not defined any password for it.

Offline Ap15e

  • Beta Testers
  • Hero Member
  • *****
  • Posts: 1998
  • Karma: +11/-0
Re: Too much security delegation to a remote server
« Reply #1 on: October 04, 2010, 05:00:22 am »
Quote
How can I control access to my Vera locally with local accounts, and not, as today, with remote accounts that may be cracked!!!

AFAIK, local accounts are not available anymore with UI4.

Quote
How can I upload pictures registered by my cams to a dedicated space THAT I CONTROL outside MiOS!!!

Use a Lua script (wget/luup.inet.wget, ftpput, ...). Yes, this functionality should be available from the GUI ...

Quote
Sorry guys, but I don't want to grant micasaverde people access to my personal files or house organization!!!

According to http://wiki.micasaverde.com/index.php/Security_Concerns:
"Vera functions without any internet connection at all."

IIRC, Vera V1 is dependent on (external) ntp servers, because Vera V1 has no battery-buffered clock ...
I do not know whether the same holds true for Vera V2.

More information about ntp servers and Vera is at: http://forum.micasaverde.com/index.php?topic=494.0

Yes, the ntp server(s) should be settable from Vera's GUI ...

Quote
How can I control data flow between your servers and my Vera with my firewall? There is no documentation about outgoing network flows from Vera to the servers.

Some - partially outdated and scattered ... - information might be available at http://wiki.micasaverde.com

According to the disclaimer that comes with UI4, MCV's policy regarding security-related questions seems to be: "Ask your specific security related question and we will provide an answer within reasonable time."

Several times I asked MCV for an overview about the security concept behind Vera/MiOS, never got an answer - maybe my question was too unspecific ...

Quote
Last point: how can I access root level of the system? As far as I remember, I have not defined any password for it.

IIRC, telnet to your box and use the data from the sticker on your box to login.
« Last Edit: October 04, 2010, 05:27:27 am by Ap15e »

Offline atlantis94fr

  • Sr. Newbie
  • *
  • Posts: 23
  • Karma: +0/-0
Re: Too much security delegation to a remote server
« Reply #2 on: October 04, 2010, 08:28:54 am »
Thank you for those first answers.

What I understand is that, with this level of information concerning internal security choices in Vera, it's mandatory to act as if it is a "maybe" backdoor inside my network until more informed.

So yesterday I set up my Vera2 in a physical DMZ managed on my firewall in order to control access to LAN and WLAN, and locked incoming flow from the internet to Vera, but I can control neither access to physical devices inside my home nor data flow and usage inside the outgoing flow.

It remains a major security issue, as access is not granted from Vera but from MiOS servers...

Regards

Offline zmistro

  • Hero Member
  • *****
  • Posts: 966
  • Karma: +1/-0
Re: Too much security delegation to a remote server
« Reply #3 on: October 04, 2010, 04:02:47 pm »
You don't need the MiOS server to delegate user and password to Vera. In the MiOS control panel you can set a user and require simple local authentication.

Offline atlantis94fr

  • Sr. Newbie
  • *
  • Posts: 23
  • Karma: +0/-0
Re: Too much security delegation to a remote server
« Reply #4 on: October 04, 2010, 04:20:25 pm »
Ok,

I do not explain things very well in English... sorry. What I am trying to say is that the only access and rights management is at the MiOS server level. If something or someone breaks this level of security, nothing will protect my Vera from unchosen access...

It is for that reason that I think that local accounts and local rights management remain mandatory for a security device such as the Vera.

The related point is that access to Vera from the internet is indeed an interesting feature, which might, to respect those security principles, be built around an SSL/HTTPS user interface supported by a local web server on the Vera.

..

Offline Dano87

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
Re: Too much security delegation to a remote server
« Reply #5 on: January 08, 2011, 12:02:42 pm »
Am I understanding this correctly, that Vera UI4 does not allow me to have local control management (without using the MiOS server)?  I want to be in control of the security of my system and don't want to need a proprietary server controlling and storing my personal data/video.  Please tell me I have a way to put Vera in local control, even if this means needing to develop my own app or HTTPS interface.  I love the idea of using MiOS as a library depository where the community can share luup, scripts, plugins, applications.  However, requiring a MiOS server to operate my Vera should be left up to the user.

Offline atlantis94fr

  • Sr. Newbie
  • *
  • Posts: 23
  • Karma: +0/-0
Re: Too much security delegation to a remote server
« Reply #6 on: January 09, 2011, 06:00:58 am »
Hello

Unfortunately, that's exactly the case... No remote access without using the Vera server, except by using an infrastructure VPN, if you have a hardware firewall which can implement such a function... and deactivating the embedded Vera-specific link to the Vera servers!!

The second problem is that when you use cameras, Vera cannot send pictures to a personal vault; you must host the pictures on Vera servers...

I still do not understand these principles!!!

Regards


Offline Dano87

  • Newbie
  • *
  • Posts: 5
  • Karma: +0/-0
Re: Too much security delegation to a remote server
« Reply #7 on: January 09, 2011, 10:34:47 am »
MCV, say it's not so.  Are you really planning on restricting a true open architecture of this great product?

Offline BrianAz

  • Jr. Member
  • **
  • Posts: 50
  • Karma: +0/-0
Re: Too much security delegation to a remote server
« Reply #8 on: January 21, 2011, 08:21:57 pm »
From what I've been able to piece together, each Vera 2 seems to create a tunnel to "The Mothership" (aka fwd*.mios.com). I believe then that when you're out on the town using iVera (or whatever method) to connect, it sends the command to the fwd servers @ mios which then forwards it on to the vera on your lan. Vera then sends whatever response back through the tunnel to mios.com and then on to your device.

Code:
root@MiOS_13899:~# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    100 192.168.1.121:22        192.168.1.119:51331     ESTABLISHED
tcp        0      0 192.168.1.121:2623      fwd1.mios.com:232       ESTABLISHED

You can break this tunnel (documented elsewhere on this forum), but it then breaks your remote access unless you have a VPN server configured on your router (DD-WRT in my case).

While there may be other devices out there doing similar things w/o people being aware (who knows what the xbox or my network enabled receiver are doing when I leave them on all night), the huge difference here in my mind is that this product and tunnel are also intended to be linked to my cameras and home locks.

Who knows what kind of controls are in place at mios/MCV to prevent any random engineer or potential mios.com hacker from connecting via the tunnel and unlocking my door or watching my house?

This should all be spelled out more clearly to people and the option of disconnecting the remote capabilities should be right up front. In the meantime I'm passing on the doorlocks and using a different iPhone app to view my cameras. Will kill the tunnel and re-evaluate once iVera works via VPN for me...

-  Brian
« Last Edit: January 21, 2011, 08:23:37 pm by BrianAz »
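
The tunnel check from the post above, as an added example that is not part of BrianAz's post: a shell filter that reads netstat output and lists established TCP connections whose peer is outside the private address ranges. The sample listing is constructed from the one quoted above, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: list ESTABLISHED TCP peers that are outside the private LAN ranges.
# Reads `netstat` or `netstat -n` output on stdin; prints "local -> peer" per hit.
external_peers() {
    awk '
    function is_private(h) {
        # A resolved name cannot be classified by range, so it is reported.
        if (h !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
        split(h, o, /\./)
        return (o[1] == 10 || o[1] == 127 ||
                (o[1] == 192 && o[2] == 168) ||
                (o[1] == 172 && o[2] >= 16 && o[2] <= 31))
    }
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        peer = $5
        sub(/:[^:]*$/, "", peer)          # strip the :port suffix
        if (!is_private(peer)) print $4 " -> " $5
    }'
}

# Constructed sample, modelled on the listing in the post above.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    100 192.168.1.121:22        192.168.1.119:51331     ESTABLISHED
tcp        0      0 192.168.1.121:2623      fwd1.mios.com:232       ESTABLISHED
tcp        0      0 192.168.1.121:80        192.168.1.50:40112      TIME_WAIT
EOF
}

sample_netstat | external_peers
```

On the device itself the input would be `netstat -n | external_peers`, run before and after disabling the tunnel to confirm the connection is gone.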

Offline MikesTooLz

  • Sr. Newbie
  • *
  • Posts: 23
  • Karma: +0/-0
Re: Too much security delegation to a remote server
« Reply #9 on: January 30, 2011, 11:00:57 pm »
This is a pretty big security issue.

The Vera2 grants full access to anyone connected to the local network. Who is to say no company will start scanning for Vera2 devices? You install a new printer, xbox, whatever.... the device could do a quick scan for Vera devices, get all info about the local home/building including camera snapshots and forward it back to its creator.

Same goes for viruses. Someone could easily make a virus that does a quick scan for Vera2 devices. When it finds one, all info gets forwarded to the creator. What could the virus creator then do with this info? Know all info about your home, look at cameras to see if anyone is at the home, get the general location of the home via reverse IP lookup, send a request to unlock the front door to let themselves in.

This is all possible because there are no local credential checks when accessing via local network.


Also everyone knows that not all people secure their wireless internet like they should. If that's the case and they have a Vera2, they just gave a robber the keys to their front door.


I just purchased a Vera2, did I just potentially open myself up to be robbed?

Offline newstargazer

  • Newbie
  • *
  • Posts: 16
  • Karma: +0/-0
Re: Too much security delegation to a remote server
« Reply #10 on: January 31, 2011, 01:28:58 am »
I am new to home automation and my Vera2 is on its way from Amazon.  Reading these security concerns is making me think twice about my decision to go with Vera. 

For members who have been using Vera for a while and are more familiar with its software/hardware architecture, is it a technical issue or a prioritization issue from the creators of Vera to implement credentials based (whether local or remote) access to the Vera box?

Offline futzle

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3250
  • Karma: +189/-9
Re: Too much security delegation to a remote server
« Reply #11 on: January 31, 2011, 06:10:39 am »
Quote
This is all possible because there are no local credential checks when accessing via local network.

I'd buy that statement if the credentials weren't sent over unencrypted HTTP.

Anyone with a packet sniffer can extract the username and password from a so-called authenticated request sent over HTTP.  The entire query is sent as unencrypted bytes.  Packet sniffing is easy; search the net for Wireshark howtos.  I've used Wireshark in my day job as a software engineer.  It's not a specialist tool.

Vera listens on HTTPS too, which would protect it from other devices listening on the LAN, except that its certificate is self-signed.  That's a technical limitation that's not really possible to get around unless you run your own domain, have your own DNS, and can generate your own certificates countersigned by a CA that most browsers know about.  This excludes most users, who will just get a browser warning about an untrusted connection and accept it without a second thought.  (How many readers here know when it's safe to accept an untrusted certificate and can be certain that they are not the victim of a man-in-the-middle SSL attack?)

In short, local authentication doesn't give protection against malice, and if you've got malice on your LAN then you have more serious worries than what might happen to your Vera.

If you want protection against stupidity or accidents on the LAN, yes, I'll buy that: a password will remind local users that you don't want them fiddling with Vera without your consent.  But don't mistake this for security.

If you truly want to lock down Vera from the black hats on your LAN, you've really got only one option: subnet and firewall.  Block all packets going to Vera from the rest of your LAN, except those from permitted hosts.  Even then, be aware of IP spoofing and other low-level attacks.  Better, have Vera connect via SSL to one always-on host on your LAN, and set up a web gateway on that host, with HTTPS login, forwarding requests to the Vera's web interface over the SSL link.  Observant readers might notice a similarity between this solution and the mios.com remote access service.

Offline Ambrotos

  • Sr. Newbie
  • *
  • Posts: 30
  • Karma: +0/-0
Re: Too much security delegation to a remote server
« Reply #12 on: February 24, 2011, 12:41:50 pm »
I too strongly dislike the fact that Vera connects to and is completely controllable by remote servers, in a way that I don't completely understand. Especially since Vera has control over my front door's deadbolt now. Initially, I had planned to just block this by means of an egress firewall rule blocking all traffic from Vera's IP. This caused 2 problems though:

1. navigating to Vera's dashboard from the local network caused a long (~30s) delay while it tried to contact the servers, finally prompting you to reconfigure your internet
2. Vera can't determine the time of day, so time-based scenes are useless.

I've broken the RA tunnel by modifying the cmh-ra.conf file, but that doesn't affect the dashboard delay. Also, I added a firewall rule to allow NTP from Vera (UDP port 123), but that didn't work for some reason. Does Vera/WRT do anything special protocol-wise I would need to account for in my firewall?

In the absence of a "proper" solution, I'd REALLY like MCV to provide us with:
1. A means to disable the timeout when navigating to Vera's dashboard if the servers aren't accessible.
2. A way (in the GUI!) to manually specify NTP server. My firewall provides NTP, there's no reason Vera shouldn't be able to use it.

I'd also like to point out that this is necessary for reasons other than security concerns. For example, I'd like to set up a Vera at my cottage, but there's no internet access there. I'm certainly not going to get internet there just so Vera can tell the time.

Andrew
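
One way to write the allow-list futzle describes together with the egress block and NTP exception from the post above (added example, not code from any poster or from MCV). It assumes Vera sits on its own subnet behind a Linux router, so its traffic crosses the FORWARD chain; the chain name VERA, the function names and all addresses are constructed.

```shell
#!/bin/sh
# Added example: print iptables rules that isolate one device on a Linux router.
# Usage: vera_rules VERA_IP PERMITTED_HOST [PERMITTED_HOST ...]
# Nothing is applied here; review the output, then pipe it to sh on the router.
is_ipv4() {
    # Dotted-quad shape check, so no shell metacharacters reach the output.
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

vera_rules() {
    [ "$#" -ge 2 ] || { echo "need VERA_IP and at least one permitted host" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
    done
    vera=$1; shift
    echo "iptables -N VERA"
    # Replies belonging to connections that one of the rules below admitted.
    echo "iptables -A VERA -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only the permitted hosts may reach the device's web interface.
    for host in "$@"; do
        echo "iptables -A VERA -s $host -d $vera -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    # NTP egress, the exception tried in the post above.
    echo "iptables -A VERA -s $vera -p udp --dport 123 -j ACCEPT"
    # Everything else to or from the device, including new outbound tunnels.
    echo "iptables -A VERA -j DROP"
    echo "iptables -I FORWARD -s $vera -j VERA"
    echo "iptables -I FORWARD -d $vera -j VERA"
}

# Constructed addresses: device 192.168.50.2, one admin workstation.
vera_rules 192.168.50.2 192.168.1.10
```

A tunnel that is already open keeps matching the ESTABLISHED rule after the rules are loaded, so restart the device once they are in place. Hosts on the same layer-2 segment as the device bypass the router and are not filtered by these rules.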

Offline Ap15e

  • Beta Testers
  • Hero Member
  • *****
  • Posts: 1998
  • Karma: +11/-0
Re: Too much security delegation to a remote server
« Reply #13 on: February 24, 2011, 03:59:06 pm »

Offline Ambrotos

  • Sr. Newbie
  • *
  • Posts: 30
  • Karma: +0/-0
Re: Too much security delegation to a remote server
« Reply #14 on: February 25, 2011, 12:11:36 pm »
Ahh, that explains a lot. Thanks.

Any thoughts on avoiding that dashboard delay?

Andrew