Author Topic: Password protection for local login  (Read 19552 times)

Offline Insomnia

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
Password protection for local login
« on: May 01, 2011, 03:49:34 pm »
Just as any router or access point, the Vera2 should have a username and password associated with it.  Regardless of whether a user chooses to make Vera transparent on his / her network, any breach of wireless security could bring easy access to Vera.  Considering the fact that Vera is the guardian of all things Z wave including exterior door locks, this is a mandatory condition rather than a request.  The omission of a username and password to access Vera is an oversight of disastrous proportions and a giant crater of a security hole at the most basic level.  This must be addressed immediately.

Offline iflyM3

  • Full Member
  • ***
  • Posts: 144
  • Karma: +0/-0
Re: Password protection for local login
« Reply #1 on: May 01, 2011, 03:58:34 pm »
Vera's main purpose is to handle Z Wave Home Automation Control.  Vera's main functionality is not to be a router, notice you are not able to open any ports and can't manage any IP mappings in the UI.  I suppose it wouldn't matter so much for a single client however Vera's processor isn't really designed to handle a lot of IP oriented traffic as this will eat up processes on the CPU and slow Vera down doing what she does best... Z Wave Home Automation Control.  Place your Vera behind Router/Firewall and slap Vera in switch mode.  If you choose to go wireless with Vera and use Vera as a wireless router you can always enable WEP, WPA, WPA2, WPA + WPA2 (PSK) encryption similar to other wireless routers (you can even use a radius server if you have one).  You can also choose within Vera not to broadcast your SSID (Advanced Icon, Net & WiFi).  

If you log onto your Mios account at http://www.mios.com/, you can also enable local http authentication to be required when you click the "settings" link near your IP Address of your Vera.  This will assist you in enabling authentication locally with a username/password.
« Last Edit: May 01, 2011, 04:25:00 pm by iflyM3 »
Vera 2 UI5 (1.5.622)... and too many Z-Wave/Ethernet/Wi-Fi devices to list.

Offline Insomnia

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
Re: Password protection for local login
« Reply #2 on: May 02, 2011, 01:46:55 pm »
" Vera's main functionality is not to be a router, notice you are not able to open any ports and can't manage any IP mappings in the UI"

I'm not sure exactly how you got that impression from my post, however, allow me to make this clarification.  Regardless of how one uses Vera, any breach of the wireless network provides full access to all devices within its control.  This is not to single out the Vera itself as the point of access.  Any breach of any device on the network could bring full access to Vera.  In most cases, a breach of the network could provide the attacker access to files or free internet at worst.  The problem here is that Vera comes with a bonus to an attacker in the form of physical access to a property via any door locks that might be part of the Z wave network.  To put this simply.  If one were to connect Vera to their wireless router (the way mine is).  Provide it with an IP address (necessary for it to function).  Anyone with access to the network Vera is connected to may gain full control of Vera.  This is not an issue of how Vera is used.  Vera is obviously not a router, and security of the wireless network, whether it be through the wifi capabilities of Vera itself or another component in the network, both provide an attacker with equal access to Vera.  Vera MUST be protected within itself and should not rely on the integrity of the network it is on for such protection.  Furthermore, to suggest one put Vera in switch mode and essentially turn off all wireless functionality is not a solution to the issue at hand.  Users beware, this is a major security flaw and the responder to my original post is either unfamiliar with the workings of wireless networks, or has chosen to take my post out of context in order to minimize its urgency.

Offline oTi@

  • Beta Testers
  • Master Member
  • *****
  • Posts: 4041
  • Karma: +32/-6
  • UI what ?!
Re: Password protection for local login
« Reply #3 on: May 02, 2011, 02:23:50 pm »
@Insomnia:
Did you read that @iflyM3 stated what you are looking for is already there?

If you log onto your Mios account at http://www.mios.com/, you can also enable local http authentication to be required when you click the "settings" link near your IP Address of your Vera.  This will assist you in enabling authentication locally with a username/password.
« Last Edit: May 02, 2011, 02:30:45 pm by oTi@ »
Dezwaved at the moment...

Offline Insomnia

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
Re: Password protection for local login
« Reply #4 on: May 02, 2011, 10:56:05 pm »
@oTi,

Thank you for that clarification, I suppose I was so consumed with the misunderstanding of the router issue I failed to notice that last bit of information.  It's an odd setup that http authentication for the local browser would require login to an external account for modification.  I appreciate the fact that the functionality is there, but still express some concern with regard to how it is implemented.  I'm an IT professional and I missed it.  I believe that any internet connected device possessing the ability to open and close doors and regulate security systems should be secured both inside and out by default.  If the user chooses to disable that security, so be it, however as I see it, the security should be considered to be a necessity by default rather than an option after the fact.

Offline iflyM3

  • Full Member
  • ***
  • Posts: 144
  • Karma: +0/-0
Re: Password protection for local login
« Reply #5 on: May 02, 2011, 11:21:37 pm »
I am a network engineer by trade.  I can tell you that Vera is pretty secure, there are certain protocols that I wish MicasaVerde had put into place, however that's neither here nor there.  You also have to bear in mind the cost factor of Vera and the intentions of bringing this product to a wide customer base at a reasonable price.  This isn't Crestron nor Crestron prices we are talking about.

I can agree with the fact that it is kind of mind boggling why MCV didn't put into place a standard local username/password for local access to the device itself.  Vera does use https authentication with mios and vera for communication and you can enable local authentication from the mios servers, now it is true that this is not 100% secure... I mean you paid what for Vera, between 230 to 260 dollars?  My point is, you are not going to get a 1024MB double encrypted signal shot through a multiplexer with an encryption key loaded crossing the world wide web at a cost of 230 to 260 dollars and get away without paying some substantial monthly fee.  For what Vera is and for what we all paid for our Veras, Vera isn't half bad.  :)
« Last Edit: May 04, 2011, 12:09:46 am by iflyM3 »
Vera 2 UI5 (1.5.622)... and too many Z-Wave/Ethernet/Wi-Fi devices to list.

Offline futzle

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3258
  • Karma: +191/-9
Re: Password protection for local login
« Reply #6 on: May 03, 2011, 05:50:19 pm »
@Insomnia:
Did you read that @iflyM3 stated what you are looking for is already there?

Except that @Insomnia is right... I've talked about this before.  Vera's local authentication is not security in any useful sense of the word.  The moment your LAN is compromised (wireless or not) anyone with off-the-shelf tools can listen to network traffic and extract your "secret" username and password from the HTTP packet in plaintext.

Anyone who wants more information about how to conduct an experiment on their own network to prove this, please ask.
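To make concrete what @futzle describes, here is an added example (not code from this thread or from MiCasaVerde) that does the credential extraction a LAN sniffer such as Wireshark or dsniff performs on a captured HTTP request. The thread does not say which authentication scheme Vera's local login uses, so the script assumes HTTP Basic authentication and, for completeness, a form-encoded POST login; the host address, paths and credentials in the sample requests are constructed for the example.

```python
"""Recover credentials from unencrypted HTTP requests captured on a LAN.

Added example, not from the forum thread or from MiCasaVerde.  Handles the
two common plaintext forms: an `Authorization: Basic` header (RFC 7617) and a
form-encoded POST body.  Sample requests below are constructed; the address,
paths and credentials are made up.
"""
import base64
from typing import Iterator, List, NamedTuple
from urllib.parse import parse_qs


class Credential(NamedTuple):
    scheme: str      # "http-basic" or "http-form"
    username: str
    password: str


# Substrings that typically identify username / password fields in a login form.
USER_FIELDS = ("user", "login", "uid", "email")
PASS_FIELDS = ("pass", "pwd", "secret")


def split_request(payload: bytes):
    """Split a raw HTTP request into (request line, lower-cased headers, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1", "replace")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return request_line, headers, body


def extract_credentials(payload: bytes) -> Iterator[Credential]:
    """Yield every plaintext credential found in one HTTP request."""
    request_line, headers, body = split_request(payload)

    # Basic auth: base64("user:password") is sent with every request, so one
    # captured packet is enough to recover both values.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:].strip(), validate=True).decode("latin-1")
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = ""
        if ":" in decoded:
            user, _, password = decoded.partition(":")
            yield Credential("http-basic", user, password)

    # Login forms POSTed without TLS: field names vary, so match on likely names.
    content_type = headers.get("content-type", "")
    if request_line.startswith("POST ") and "application/x-www-form-urlencoded" in content_type:
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        user = next((v[0] for k, v in fields.items()
                     if any(s in k.lower() for s in USER_FIELDS)), None)
        password = next((v[0] for k, v in fields.items()
                         if any(s in k.lower() for s in PASS_FIELDS)), None)
        if user is not None and password is not None:
            yield Credential("http-form", user, password)


def sniff(payloads) -> List[Credential]:
    """Run the extractor over a sequence of captured TCP payloads."""
    found: List[Credential] = []
    for payload in payloads:
        found.extend(extract_credentials(payload))
    return found


# Constructed samples standing in for what a sniffer on the same LAN would see.
SAMPLE_PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: 192.168.1.20\r\nAuthorization: Basic "
    + base64.b64encode(b"vera:opensesame") + b"\r\n\r\n",
    b"GET /status HTTP/1.1\r\nHost: 192.168.1.20\r\n\r\n",  # no credentials
    b"POST /login HTTP/1.1\r\nHost: 192.168.1.20\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
    b"username=admin&password=letmein",
]

if __name__ == "__main__":
    for cred in sniff(SAMPLE_PAYLOADS):
        print(f"{cred.scheme}: {cred.username} / {cred.password}")
```

The point of the exercise is that nothing here is cryptanalysis: Basic authentication is reversible encoding, and a form POST is literal text, so anyone positioned on the LAN (or on the Vera's own Wi-Fi) reads the credential straight off the wire. Only transport encryption (HTTPS) or a tunnel (the VPN/SSH approach mentioned later in the thread) changes that.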

Offline plarkin

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
Re: Password protection for local login
« Reply #7 on: May 03, 2011, 06:21:02 pm »
I am a network engineer by trade and also a Federal Government Employee who used to work with the Department of Defense... my speciality is network security.  I can tell you that Vera is pretty secure, there are certain protocols that I wish MicasaVerde had put into place, however that's neither here nor there.  You also have to bear in mind the cost factor of Vera and the intentions of bringing this product to a wide customer base at a reasonable price.  This isn't Crestron nor Crestron prices we are talking about.

I'm an Information Security Specialist currently working for the Department of Defense and my specialty is absolutely information and systems security.

And I agree with you in regards to price/performance.   I do find it odd that general users would need to do this through mios and not locally on the Vera itself.  Between the lack of built-in authentication locally, shared SSH keys across all devices, and lack of HTTPS I wouldn't really call it "secure".

Personally,  I use an ACL on the interface Vera connects to on my switch and only allow specific MAC addresses through, and for remote use I primarily use a VPN back to my home from my iPhone and then run mobile apps like SQ Remote and Automator over the VPN connection.

I'd be interested in running some UNIX SRRs on the Vera locally in SSH and seeing how well it fares.


Offline Henk

  • Beta Testers
  • Hero Member
  • *****
  • Posts: 820
  • Karma: +3/-0
Re: Password protection for local login
« Reply #8 on: May 08, 2011, 09:15:47 am »
I'd like your thoughts on the fact that WHEN (local) login is enforced for the Vera 2 system, one is only allowed alphabetical and numerical characters to build the username and password.

This seems a method prone to brute-force dictionary attacks.

Any suggestions on how to improve this?

Regards,

Henk
| Vera2 @ UI4 1.1.1350 / 3.20 | Vera Lite @ UI5 | Vera 3 @ UI5 | 2x Merten  504519 | 1x Duewi  064374 | 1x Everspring SM103 doorbell mod |1 Y-cam IP cam | various LUUP plugins |

Offline plarkin

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
Re: Password protection for local login
« Reply #9 on: May 09, 2011, 08:01:40 am »
Using alphanumeric character sets isn't all that bad provided you use a long enough password.  14 character mixed case with numbers using NON-dictionary words would not be prone to compromise based on dictionary attack, only brute force.

The longer the password, the longer it would take to brute force.  When you get into the 14 character range it makes the likelihood of compromise from brute force attack nearly impossible.  That being said, one thing I should take a look at to verify this is the number of honored characters in the password.  On some systems, it doesn't matter HOW long you make the password as only the first 8 characters are actually used.

Regularly changing your password every 2-3 months also helps as the amount of time required to brute force your password hash, should it be obtained, is longer than your password change cycle.

Offline gardner

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-1
Re: Password protection for local login
« Reply #10 on: June 27, 2011, 11:11:02 pm »
Is it possible to establish HTTP security on a Vera 2 without using www.mios.com?  I am not very interested in using or connecting to mios.com.

I am in the midst of contriving that my Vera has network settings that do not allow it outbound routing of any kind.   Is anyone working with a Vera 2 where it is denied the ability to connect outbound?  Are there any surprises to look out for?

Offline oTi@

  • Beta Testers
  • Master Member
  • *****
  • Posts: 4041
  • Karma: +32/-6
  • UI what ?!
Re: Password protection for local login
« Reply #11 on: June 28, 2011, 12:16:25 am »
[...]Are there any surprises to look out for?
For one, Vera would like to synchronize the time of day through the internet. To get around that, folks have successfully set Vera up to connect with a local NTP server.

Also, there are 2 ongoing threads about disabling remote access and not having a MiOS account at all that may interest you.

Personally, I use VPN/SSH to get to Vera remotely.
« Last Edit: June 28, 2011, 12:26:56 am by oTi@ »
Dezwaved at the moment...

Offline gardner

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-1
Re: Password protection for local login
« Reply #12 on: June 28, 2011, 10:09:29 pm »
Thanks, yeah, I'd read those, so that's good info.  NTP is no problem for me since I run a reliable NTP network in house.

The 'not having MiOS account' thread doesn't seem to come to any clear conclusion about whether this is a supported configuration or what exactly ought to work how.

I guess my best bet is to sign up for MiOS, set local security that way, and then reconfigure my network to cut off my Vera 2 from further access outside my firewall.  It seems a bit involved.

Offline futzle

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3258
  • Karma: +191/-9
Re: Password protection for local login
« Reply #13 on: August 21, 2011, 07:54:36 pm »
Using alphanumeric character sets isn't all that bad provided you use a long enough password.

Obligatory reference to xkcd 936.
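To put numbers on the two exchanges above (@plarkin's estimate that a 14-character alphanumeric password is out of brute-force reach, his caveat that some systems honour only the first 8 characters, and @futzle's pointer to xkcd 936), here is an added example that is not code from any poster or from MiCasaVerde. The alphabet sizes are standard character-class counts; the 2048-word dictionary, the 44-bit four-word passphrase and the 1,000-guesses-per-second rate are the comic's own figures; the 10^9 guesses-per-second offline rate is an assumption chosen for illustration.

```python
"""Brute-force cost of alphanumeric passwords versus a word-list passphrase.

Added example for the thread, not code from any poster or from MiCasaVerde.
Alphabet sizes are standard character-class counts; the xkcd 936 figures
(2048-word list, 1000 guesses/s) come from the comic; the 1e9 guesses/s
offline rate is an assumed illustration value.
"""
import math
from typing import Optional

ALPHANUMERIC = 62          # a-z, A-Z, 0-9: the restriction Henk describes
ALPHANUMERIC_NOCASE = 36   # if the login compares case-insensitively
PRINTABLE_ASCII = 95       # what an unrestricted password field allows
XKCD_WORDLIST = 2048       # xkcd 936: 11 bits per common word

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ONLINE_RATE = 1_000.0      # xkcd's assumption for guessing against a web login
OFFLINE_RATE = 1e9         # assumed rate against a stolen hash (illustration)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of passwords of exactly `length` symbols."""
    return length * math.log2(alphabet_size)


def effective_bits(alphabet_size: int, length: int,
                   honoured_chars: Optional[int] = None) -> float:
    """Bits that actually count when the system truncates the password
    (plarkin's caveat: extra characters past the limit add nothing)."""
    if honoured_chars is not None:
        length = min(length, honoured_chars)
    return keyspace_bits(alphabet_size, length)


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Entropy of `words` chosen uniformly at random from a word list."""
    return words * math.log2(dictionary_size)


def worst_case_crack_years(bits: float, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace (the figure xkcd 936 quotes)."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Average time: a random target is found after half the keyspace."""
    return worst_case_crack_years(bits, guesses_per_second) / 2


def rotation_beats_cracking(bits: float, guesses_per_second: float,
                            rotation_days: float) -> bool:
    """Does a password change cycle outrun an attack on a stolen hash?"""
    return expected_crack_years(bits, guesses_per_second) * 365.25 > rotation_days


def report() -> dict:
    """Summarise the cases discussed in the thread as (bits, expected years)."""
    cases = {
        "14 alnum, all honoured":   effective_bits(ALPHANUMERIC, 14),
        "14 alnum, only 8 honoured": effective_bits(ALPHANUMERIC, 14, honoured_chars=8),
        "14 alnum, case-insensitive": effective_bits(ALPHANUMERIC_NOCASE, 14),
        "14 printable ASCII":       effective_bits(PRINTABLE_ASCII, 14),
        "xkcd: 4 random words":     passphrase_bits(4, XKCD_WORDLIST),
    }
    return {name: (bits, expected_crack_years(bits, OFFLINE_RATE))
            for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in report().items():
        print(f"{name:28s} {bits:6.1f} bits  ~{years:.3g} years at {OFFLINE_RATE:.0e}/s")
```

Two things fall out of the numbers. Restricting the alphabet to 62 symbols costs well under a bit per character (about 6.0 versus 6.6 bits), so a 14-character alphanumeric password still sits above 80 bits and is comfortably beyond brute force; but if only the first 8 characters are honoured the same password drops to about 48 bits, which an offline attacker at 10^9 guesses/s exhausts in about a day, and no 90-day rotation cycle helps. The xkcd passphrase is the same lesson from the other side: four random common words give 44 bits, which survive years of online guessing at 1000/s, while character mangling of one word adds far less than its inconvenience suggests.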