Author Topic: Security Concerns  (Read 3737 times)

Offline John M.

  • Administrator
  • Sr. Member
  • *****
  • Posts: 430
  • Karma: +27/-3
    • getvera.com
Re: Security Concerns
« Reply #30 on: July 12, 2017, 01:59:14 pm »
@niharmehta & others.


I really thank you for the effort you've put into this detailed report. This is certainly something I need to pass on to our networking team for clarifications.


To be clear, I'm not trying to deny that there might be flaws, or to convince you that the perfect wheel is in fact square; if it's something to report and fix, I surely will.
If I am anything to this forum, I am an advocate for all of you who contribute some form of constructive information. While I'm not the guy with the toolbox, I'm surely the guy sounding the horn to the appropriate people, to make sure your voice is heard inside the company.
 8)
« Last Edit: July 12, 2017, 02:17:20 pm by John M. »
John.M. ▾ Senior Customer Care Advocate
Vera Control, Ltd. ▾ Smarter Home Control  ▾ support@getvera.com ▾www.getvera.com ▾ +1 (866) 966-2272

HOURS OF OPERATION (Pacific Time Zone, UTC-8)
Monday - Friday   12:00 am – 06:00 pm
Saturday - Sunday   04:00 am – 06:00 pm

Offline Z-Waver

  • Master Member
  • *******
  • Posts: 4426
  • Karma: +245/-120
Re: Security Concerns
« Reply #31 on: July 12, 2017, 02:44:28 pm »
Using FTP protocol isn't such a big deal. It's still quite common for this use case.

Publicly disclosed FTP credentials are a total non-issue. You can ONLY upload files to it. You cannot list, even your own files on it. You cannot download anything from it. The only reason it needs a password at all is to mitigate against a denial of service "Attack" where every internet nitwit uploads massive files and runs the server out of disk space. This would be a problem for Vera Ltd, not for Vera users.

Unencrypted log files full of sensitive information is an issue. An issue easily solved, Vera Ltd., by encrypting the file when it gets gzipped.

The only way for anyone to see the unencrypted log file is to intercept your traffic between your Vera and the Vera servers. The risk is real, but pretty small. Your Vera isn't connected to a public coffee shop WiFi, is it?

The easy way for the user to mitigate this issue is to log locally to USB and, most importantly, uncheck "Archive old logs on server (Recommended)" on the log configuration panel.

Offline niharmehta

  • Sr. Member
  • ****
  • Posts: 318
  • Karma: +14/-0
Re: Security Concerns
« Reply #32 on: July 12, 2017, 03:34:15 pm »
Z-Waver,
Security comes in layers. I have known about how this logging was archived for a couple of years, but did not make a huge deal out of it, as the actual risk was less than others. I was far more concerned when I found they had screwed up their configuration and left the server in a state where every log from every Vera was neatly organized for anyone to download. Mistakes will occur again.

There is a concern that MCV developers thought that everything is in fact encrypted when it is not. You should know what your software does. As they move into security offerings, this is concerning, as this is just the easy one to find. I am more concerned about the difficult ones.

I agree that file encryption would be a good first step. The next should include validation that the server you are uploading to is actually the one you think it should be. FTP does not do this. I am not concerned about the coffee shop example, but DNS attacks I am. I am also sure that some Vera users may live in multi-tenant buildings with shared internet.

Although I agree that the disclosed credentials are a non-issue, I did not say they are, just that they exist. I do take issue with your statement that FTP is not a big deal. Outside of a private network, I challenge you to find a security pro that says that FTP on its own is a preferred or adequate protocol to use to transfer ANYTHING private (even if file encrypted) over the internet. As we have just seen here, its reliance led to probably unattended risks, as plugin developers are dropping sensitive information in the logs.

The right answer is a combination of file and transfer protocol encryption. However, first MCV has to accept that this is an issue.



2x VeraLite; 2xTrane Tstats; 45 x Switches/Dimmers/Appliance Modules; 4x Everspring Water Sensors; DSC Integration; 2 x Zwave Door Locks; 1x Ted5K; 1x Rainforest Eagle; Onkyo AVR; 6x Squeezebox;
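The two mitigations discussed in the posts above, scrubbing or protecting sensitive content before the log is archived, and checking the identity of the server before anything is sent to it, can be shown in a few dozen lines. The following is an added example, not code from this thread, from Vera or from MCV; Vera's actual log format and upload mechanism are not documented here, so the log lines are constructed, the plugin names and secrets are made up, and explicit FTPS via `ftplib.FTP_TLS` is used as a stand-in for whatever transport the device really uses.

```python
import gzip
import io
import re
import ssl
from ftplib import FTP_TLS

# Constructed sample in the style of a Luup log. The plugin names, host, and
# credentials are invented for this example and do not come from the thread.
SAMPLE_LOG = """\
01 07/12/17 12:00:01.001 luup_log:12: MyCameraPlugin: connecting to 192.168.1.50
01 07/12/17 12:00:01.002 luup_log:12: MyCameraPlugin: login user=admin password=hunter2
01 07/12/17 12:00:01.003 luup_log:14: WeatherPlugin: GET /data?api_key=abcd1234efgh
01 07/12/17 12:00:01.004 luup_log:14: WeatherPlugin: Authorization: Bearer eyJhbGci.payload.sig
"""

# Patterns for the kind of material plugin developers tend to drop into logs.
# Groups 1 and 2 keep the key and separator so the line stays readable; only the
# value is replaced.
SENSITIVE_PATTERNS = [
    (re.compile(r"(?i)\b(password|passwd|pwd)(\s*[=:]\s*)\S+"), r"\1\2<redacted>"),
    (re.compile(r"(?i)\b(api[_-]?key|token|secret)(\s*[=:]\s*)\S+"), r"\1\2<redacted>"),
    (re.compile(r"(?i)\b(Authorization:\s*\w+\s+)\S+"), r"\1<redacted>"),
]


def redact_line(line):
    """Apply every redaction pattern to one log line."""
    for pattern, replacement in SENSITIVE_PATTERNS:
        line = pattern.sub(replacement, line)
    return line


def scan_and_redact(log_text):
    """Redact a whole log. Returns (redacted_text, number_of_lines_changed).

    The count is useful on its own: a non-zero value tells you a plugin is
    logging secrets, which is worth fixing at the source.
    """
    out = []
    hits = 0
    for line in log_text.splitlines():
        cleaned = redact_line(line)
        if cleaned != line:
            hits += 1
        out.append(cleaned)
    return "\n".join(out) + "\n", hits


def build_archive(log_text):
    """Redact first, then gzip, so the secret never reaches the archive."""
    redacted, _ = scan_and_redact(log_text)
    return gzip.compress(redacted.encode("utf-8"))


def verified_tls_context(ca_file=None):
    """TLS context that refuses a server whose certificate does not match.

    This is the identity check that plain FTP cannot provide: with
    check_hostname and CERT_REQUIRED, a DNS answer pointing at the wrong
    host fails the handshake instead of receiving the upload.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def upload_archive(host, user, password, remote_name, payload, ca_file=None):
    """Upload over explicit FTPS. Hypothetical host and credentials; not run here."""
    ctx = verified_tls_context(ca_file)
    with FTP_TLS(context=ctx) as ftp:
        ftp.connect(host, 21)
        ftp.auth()        # upgrade the control channel to TLS, verifying the certificate
        ftp.login(user, password)
        ftp.prot_p()      # protect the data channel as well, not just the login
        ftp.storbinary("STOR " + remote_name, io.BytesIO(payload))


if __name__ == "__main__":
    redacted, hits = scan_and_redact(SAMPLE_LOG)
    print(f"{hits} line(s) contained sensitive values")
    print(redacted)
    print(f"archive size: {len(build_archive(SAMPLE_LOG))} bytes")
```

Redaction is done before compression on purpose: Z-Waver's "encrypt the file when it gets gzipped" protects the archive in transit and at rest, but a secret that never enters the archive cannot leak through a misconfigured server either. `upload_archive` is only there to show where the verified context is plugged in; the demo does not open a network connection.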

Offline niharmehta

  • Sr. Member
  • ****
  • Posts: 318
  • Karma: +14/-0
Re: Security Concerns
« Reply #33 on: July 12, 2017, 03:44:28 pm »
John, thanks again for chiming in. Having you be a voice back to MCV is extremely helpful and I know this indicates an investment in their user base. Please let us know what the network team says. I think I provided enough evidence that at least something different needs to be done. At least you may want to check this against your privacy policy (https://www.vera.com/privacy-policy/) that states:
"Vera's servers are located in the USA. If you are a non-US resident, this will mean that your personal information will be transferred to the US."
...
...
... 
"We also encrypt all communications between the Vera client and our web services. If you have any questions about security on our Web site, you can contact us at compliance@vera.com"
« Last Edit: July 12, 2017, 05:38:01 pm by niharmehta »

Offline John M.

  • Administrator
  • Sr. Member
  • *****
  • Posts: 430
  • Karma: +27/-3
    • getvera.com
Re: Security Concerns
« Reply #34 on: July 12, 2017, 05:27:45 pm »
No problem niharmehta,


It's a good feeling when things are going the right way and I've been a part of it. I'm doing everything in my hands to make it so.




I have to add one thing though. We don't own the Vera.com domain.


Our legal page is here: http://getvera.com/legal/
« Last Edit: July 12, 2017, 05:30:53 pm by John M. »

Offline niharmehta

  • Sr. Member
  • ****
  • Posts: 318
  • Karma: +14/-0
Re: Security Concerns
« Reply #35 on: July 12, 2017, 05:37:21 pm »
Doh.. that's what I get for doing the research from my phone. I stand corrected on the previous statement.

Offline Alex Waverley

  • Jr. Member
  • **
  • Posts: 53
  • Karma: +3/-0
Re: Security Concerns
« Reply #36 on: July 12, 2017, 11:18:12 pm »
Interesting thread. I applaud the effort put into analyzing the security of communications when logs are transmitted. That being said, I think it is important to recognize that we are talking about a toy. Vera and devices like it are not serious security systems. They are certainly not adequate life safety systems, and will not pass code as such anywhere in the US or Canada as far as I know. I have two Vera devices: a Vera Lite/UI5 that is rock solid and is used to turn off water flow to outside spigots when the temperature drops below 40 degrees Fahrenheit and to turn off the main water valve in the event of a leak; and a Vera Edge/UI7 that is, well, let's say fun to use but interesting to own ("could not write" errors and the occasional freeze). I'm considering having the Lite toggle power to the Edge once a week. How funny is that? This is not a bust on Vera; none of this type of device is mature or sophisticated enough to be trusted with anything above the level of trivial. I have sump pumps and a backup generator. If Vera fails, so be it. I'll just have to turn on the lights and the stereo the old-fashioned way.

As one who has been involved in residential systems integration since the 1980s, I can tell you that "home automation" has been touted as being the "next big thing" for about 40 years, and we are no closer to widespread adoption now than we were in 1985. There is the high end, where I made a living with Lutron, Crestron, AMX and the like (that market is expanding), and there is the hobbyist market where Vera resides, which is making small inroads but whose aspirations may be unrealistic (if you drive past 100 homes on your way to work, chances are none of them include any automation and never will). What I'm getting at is that our automated "hobbyist" homes are ridiculously small targets with no upside for the effort it would take to breach them. FWIW, trusting your cameras, security, and safety systems to Vera or anything like it is like racing a motorcycle while wearing a $10 helmet.
« Last Edit: July 13, 2017, 07:23:05 pm by Alex Waverley »
Please hold your applause until I have concluded my remarks.

Offline integlikewhoa

  • Master Member
  • *******
  • Posts: 5527
  • Karma: +149/-348
Re: Security Concerns
« Reply #37 on: July 12, 2017, 11:57:17 pm »
Quote from: Alex Waverley on July 12, 2017, 11:18:12 pm
Interesting thread. I applaud the effort put into analyzing the security of communications when logs are transmitted. That being said, I think it is important to recognize that we are talking about a toy. Vera and devices like it are not serious security systems. They are certainly not adequate life safety systems, and will not pass code as such anywhere in the US or Canada as far as I know. I have two Vera devices: a Vera Lite/UI5 that is rock solid and is used to turn off water flow to outside spigots when the temperature drops below 40 degrees Fahrenheit and to turn off the main water valve in the event of a leak; and a Vera Edge/UI7 that is, well, let's say fun to use but interesting to own ("could not write" errors and the occasional freeze). I'm considering having the Lite toggle power to the Edge once a week. How funny is that? This is not a bust on Vera; none of this type of device is mature or sophisticated enough to be trusted with anything above the level of trivial. I have sump pumps and a backup generator. If Vera fails, so be it. I'll just have to turn on the lights and the stereo the old-fashioned way.

As one who has been involved in residential systems integration since the 1980s, I can tell you that "home automation" has been touted as being the "next big thing" for about 40 years, and we are no closer to widespread adoption now than we were in 1985. There is the high end, where I made a living with Lutron, Crestron, AMX and the like (that market is expanding), and there is the hobbyist market where Vera resides, which is making small inroads but whose aspirations may be unrealistic (if you drive past 100 homes on your way to work, chances are none of them include any automation and never will). What I'm getting at is that our automated "hobbyist" homes are ridiculously small targets with no upside for the effort it would take to breach them. FWIW, trusting your cameras, security, and safety systems to Vera or anything like it is like racing a motorcycle wearing a $10 helmet.

Well said. +1

Offline John M.

  • Administrator
  • Sr. Member
  • *****
  • Posts: 430
  • Karma: +27/-3
    • getvera.com
Re: Security Concerns
« Reply #38 on: July 15, 2017, 09:52:20 am »
Wanted to keep you guys posted.


A task for technical analysis has been created and it will be part of our current roadmap (7.23 15366 Security Concerns - logs upload - Technical Analysis) of server-side revamps, which are also imminent.


Thank you all, for the constructive feedback and time put into this report.

Offline mvader

  • Sr. Member
  • ****
  • Posts: 367
  • Karma: +29/-74
Re: Security Concerns
« Reply #39 on: July 15, 2017, 01:18:16 pm »
Quote from: John M. on July 15, 2017, 09:52:20 am
Wanted to keep you guys posted.

A task for technical analysis has been created and it will be part of our current roadmap (7.23 15366 Security Concerns - logs upload - Technical Analysis) of server-side revamps, which are also imminent.

Thank you all, for the constructive feedback and time put into this report.

Thank you, John. As a community this is the type of communication we value and appreciate.

Offline BOFH

  • Sr. Hero Member
  • ******
  • Posts: 2371
  • Karma: +110/-137
Re: Security Concerns
« Reply #40 on: July 15, 2017, 01:27:57 pm »
Happily seconded. And FTR, at the monthly fee I am paying ($0.00) I'm OK with being somewhat of a 'beta' tester. On the whole my Veras are running pretty stable for me, with the exception of my Vera 3 UI7 one. I think that may be from repeated firmware update failures causing factory resets and restore-from-backup procedures. No big deal, as I've started migrating its devices to my VeraPlus (which was the plan all along).

Thank you John M for the update...
Vera3 UI5 UI7 Edge Plus
Trane TZEMT400AB32 | Schlage BE369 FE599 | GE 45601 45602 45603 45604 45606 45609 45631 | Intermatic HA01C HA03C HA05C HA07C CA600 CA3000 | Aeon DSC06106 | Telguard GDC1 | Foscam FI8910W FI8905W FI9821W | D-Link 930L | Wanscam JW0011 | ZModo ZPIBH13W

Offline Priest

  • Jr. Member
  • **
  • Posts: 99
  • Karma: +4/-0
Re: Security Concerns
« Reply #41 on: July 17, 2017, 10:01:58 am »
Quote from: BOFH on July 15, 2017, 01:27:57 pm
Happily seconded. And FTR, at the monthly fee I am paying ($0.00) I'm OK with being somewhat of a 'beta' tester. On the whole my Veras are running pretty stable for me, with the exception of my Vera 3 UI7 one. I think that may be from repeated firmware update failures causing factory resets and restore-from-backup procedures. No big deal, as I've started migrating its devices to my VeraPlus (which was the plan all along).

Thank you John M for the update...

To follow this up: my Vera3 has been rock solid ever since it lost its mind a few times back in 2014. I've had one other time it took a break this year, but that was for about 10 minutes. I am not on the most recent firmware, but on the previous. I did however stay on UI5 until Jan 2016, updated to the current UI7 at that time and did not upgrade again until a couple of months ago.

No one was ever able to explain the freakouts in 2014... it just stopped working for days on end and then would begin working at 00:00 midnight and do all the functions it had been asked to do for several days all at once. After three of these events it never happened again.

Offline hax0rmort

  • Full Member
  • ***
  • Posts: 110
  • Karma: +9/-5
Re: Security Concerns
« Reply #42 on: July 17, 2017, 10:12:38 am »
Agreed, this is good to see!

Quote from: mvader on July 15, 2017, 01:18:16 pm
  Quote from: John M. on July 15, 2017, 09:52:20 am
  Wanted to keep you guys posted.

  A task for technical analysis has been created and it will be part of our current roadmap (7.23 15366 Security Concerns - logs upload - Technical Analysis) of server-side revamps, which are also imminent.

  Thank you all, for the constructive feedback and time put into this report.

Thank you, John. As a community this is the type of communication we value and appreciate.

Offline niharmehta

  • Sr. Member
  • ****
  • Posts: 318
  • Karma: +14/-0
Re: Security Concerns
« Reply #43 on: July 19, 2017, 02:24:23 am »
Quote from: John M. on July 15, 2017, 09:52:20 am
Wanted to keep you guys posted.

A task for technical analysis has been created and it will be part of our current roadmap (7.23 15366 Security Concerns - logs upload - Technical Analysis) of server-side revamps, which are also imminent.

Thank you all, for the constructive feedback and time put into this report.

John, thank you for sharing this update with us. Looking forward to the results of the analysis.