
Author Topic: CP.MIOS.COM logs me into the wrong VERA2 (user/pass is correct)  (Read 7369 times)

Offline markiper

  • Full Member
  • ***
  • Posts: 106
  • Karma: +0/-0
I have been using VERA (V1 and V2) for over 2 years now.  Today, June 22, 2011, I tried connecting remotely using CP.MIOS.COM and to my surprise I am logged into someone else's VERA2 unit.  The serial number is showing the correct serial number on my VERA2 unit (I guess serial numbers are not unique), so there must be something very wrong with MICASAVERDE.

This is a very big security concern, so I thought to post a ticket and ask anyone else on the forum who accesses their VERA remotely to check; you might not want to leave your house and find that someone else UNLOCKED the doors for you while you were gone.

I already tried contacting MICASAVERDE support, but no answer.  While I wait, I wanted to advise the community just in case someone else is experiencing the same problem.

Offline MCV.Eugen

  • Newbie
  • *
  • Posts: 17
  • Karma: +0/-0
Re: CP.MIOS.COM logs me into the wrong VERA2 (user/pass is correct)
« Reply #1 on: June 22, 2011, 09:28:48 am »
Mark, your ticket was issued 42 minutes ago. The tech guys spent the last 40 minutes looking into this. You will be contacted as soon as we figure out if there is something wrong.

And by the way, serial numbers ARE unique.

Offline Intrepid

  • Hero Member
  • *****
  • Posts: 536
  • Karma: +4/-0
Re: CP.MIOS.COM logs me into the wrong VERA2 (user/pass is correct)
« Reply #2 on: June 22, 2011, 10:30:09 am »
Yeah, something happened within the past hour.  I cannot login remotely.  On the web/dashboard, I can't connect.  On automatorapp, I get cannot connect.  On SQ remote, I get wrong password.


Offline cj

  • Hero Member
  • *****
  • Posts: 1252
  • Karma: +1/-0
Re: CP.MIOS.COM logs me into the wrong VERA2 (user/pass is correct)
« Reply #3 on: June 22, 2011, 10:36:15 am »
We've identified your issue and solved it.
Due to the current hardware upgrade some of the customers may notice some remote control issues during the transition.
We're working hard to set everything in place asap.

Thanks for your understanding,
MiOS IT Team

Offline hightop32

  • Jr. Member
  • **
  • Posts: 91
  • Karma: +0/-0
Re: CP.MIOS.COM logs me into the wrong VERA2 (user/pass is correct)
« Reply #4 on: June 22, 2011, 11:35:44 am »
Quote from: cj
Thanks for your understanding,
MiOS IT Team

consider me jaded, but im not so/as understanding.  

this is exactly why you should allow the OPTION for users who dont want to rely on your internal security/central infrastructure the ability to disable the entire mios.com crap.  

anything security related with regard to the vera is a joke.

first requiring this connection/login with UI4 (along side all of the improvements/bugfixes/zwave fw update, gee thanks)
2nd the hokey jokey password limitations
3rd no ssl support

i dont even care to go on.

grumble rabble rabble hiss.
« Last Edit: June 22, 2011, 11:37:37 am by hightop32 »

Offline Minnies

  • Full Member
  • ***
  • Posts: 220
  • Karma: +0/-0
Re: CP.MIOS.COM logs me into the wrong VERA2 (user/pass is correct)
« Reply #5 on: June 22, 2011, 11:41:15 am »
I logged in earlier today through about 9:00 eastern. Trying now I am unable to. Is this related?

Started working again. Hmm.
« Last Edit: June 22, 2011, 12:00:44 pm by Minnies »

Offline Intrepid

  • Hero Member
  • *****
  • Posts: 536
  • Karma: +4/-0
Re: CP.MIOS.COM logs me into the wrong VERA2 (user/pass is correct)
« Reply #6 on: June 22, 2011, 01:19:22 pm »
working for me now also.

Offline Henk

  • Hero Member
  • *****
  • Posts: 820
  • Karma: +3/-0
Re: CP.MIOS.COM logs me into the wrong VERA2 (user/pass is correct)
« Reply #7 on: June 22, 2011, 01:38:05 pm »
Showing sympathy on this post.... (i have made a few remarks on the security side of things, but never any response from MCV if it was on their roadmap AT all....)

No hissing and rattling here, but i DO agree

Quote from: hightop32
Quote from: cj
Thanks for your understanding,
MiOS IT Team

consider me jaded, but im not so/as understanding.  

this is exactly why you should allow the OPTION for users who dont want to rely on your internal security/central infrastructure the ability to disable the entire mios.com crap.  

anything security related with regard to the vera is a joke.

first requiring this connection/login with UI4 (along side all of the improvements/bugfixes/zwave fw update, gee thanks)
2nd the hokey jokey password limitations
3rd no ssl support

i dont even care to go on.

grumble rabble rabble hiss.
| Vera2 @ UI4 1.1.1350 / 3.20 | Vera Lite @ UI5 | Vera 3 @ UI5 | 2x Merten  504519 | 1x Duewi  064374 | 1x Everspring SM103 doorbell mod |1 Y-cam IP cam | various LUUP plugins |

Offline cj

  • Hero Member
  • *****
  • Posts: 1252
  • Karma: +1/-0
Re: CP.MIOS.COM logs me into the wrong VERA2 (user/pass is correct)
« Reply #8 on: June 22, 2011, 02:03:00 pm »
hightop32, I'm sorry to read that you're so disappointed in our Vera unit; it seems that in all your posts you make this remark.

Quote from: hightop32
this is exactly why you should allow the OPTION for users who dont want to rely on your internal security/central infrastructure the ability to disable the entire mios.com crap.

By default when you buy a Vera unit, this unit is not tied to our servers and you can't control it remotely if you don't add it to any cp.mios.com accounts.

Quote from: hightop32
anything security related with regard to the vera is a joke.

If you'll be more specific on this, maybe we could debate your concerns; there is a specific forum section for security concerns.

Quote from: hightop32
first requiring this connection/login with UI4 (along side all of the improvements/bugfixes/zwave fw update, gee thanks)

You can use all Vera features, except remote control, email/sms notifications and energy monitoring, if you don't pair your unit with a cp.mios.com user.

Quote from: hightop32
2nd the hokey jokey password limitations

We don't have a low limit on the number of characters that a password can contain, so you could create a strong password from only alphanumeric characters.

Quote from: hightop32
3rd no ssl support

The SSL support exists in the Vera unit and was working on some firmware versions. I had to remove it because connecting from certain mobile phones to your Vera over SSL made the unit use high CPU. It was something related to the self-signed certificate and lighttpd, to which I didn't manage to find a solution at that time. It is planned to fix this and have it working in future releases.

Quote from: hightop32
i dont even care to go on.

We're open to any remarks and suggestions that our users make, and we're working each day to make our software better.

The issue that started this thread was caused by a human error:
The Linux System Administrator, when making the migration to the new server, overlapped some of the tech support ports with the ones of the mios remote service.
Each service (tech support, mios remote) uses a specified unique range of ports which don't overlap. These are used to connect remotely to the units through cp.mios.com or the tech support portal.

Some of the units remained with tech support active on the wrong port. markiper's unit didn't update its DNS record and its mios tunnels were still being made on the old server, but from his browser he went correctly to the new cp.mios.com servers and ended up connecting to a unit that had wrong tech support ports allocated.
We've fixed the overlapping port allocation and closed all wrong tech support connections.

Until the new DNS records are fully propagated, some users could still notice issues controlling their units remotely.
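
The overlap described in the post above can be caught before a cut-over by auditing the port plan and the live tunnels against it. This is an added example, not part of the original post and not MiOS code; the service labels, port numbers and unit names are constructed, since the thread does not give the real ranges.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortRange:
    service: str  # "mios-remote" or "tech-support" (labels assumed for this example)
    start: int
    end: int      # inclusive

def find_overlaps(ranges):
    """Return (service_a, service_b, first_port, last_port) for each pair of
    ranges that belong to different services but share ports."""
    ordered = sorted(ranges, key=lambda r: (r.start, r.end))
    overlaps = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start > a.end:   # sorted by start, so nothing later can touch a
                break
            if a.service != b.service:
                overlaps.append((a.service, b.service, b.start, min(a.end, b.end)))
    return overlaps

def misplaced_tunnels(ranges, tunnels):
    """Flag live tunnels (port, service, unit_serial) whose port is not owned
    by exactly the service that opened them."""
    flagged = []
    for port, service, serial in tunnels:
        owners = sorted({r.service for r in ranges if r.start <= port <= r.end})
        if owners != [service]:
            flagged.append((port, service, serial, owners))
    return flagged

# Constructed sample data: the thread does not state the real port numbers.
INTENDED = [PortRange("mios-remote", 20000, 29999),
            PortRange("tech-support", 30000, 30999)]
MIGRATED = [PortRange("mios-remote", 20000, 29999),
            PortRange("tech-support", 29500, 30499)]  # the overlapping plan
TUNNELS = [(21000, "mios-remote", "UNIT-A"),
           (29750, "tech-support", "UNIT-B"),   # sits inside the remote range
           (30100, "tech-support", "UNIT-C")]

if __name__ == "__main__":
    print("plan overlaps:", find_overlaps(MIGRATED))
    print("tunnels to close:", misplaced_tunnels(INTENDED, TUNNELS))
```

Running the first check on the plan before migration and the second on the live tunnel table afterwards covers both halves of the fix described: correcting the allocation and closing connections left on the wrong ports.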


Offline Henk

  • Hero Member
  • *****
  • Posts: 820
  • Karma: +3/-0
Re: CP.MIOS.COM logs me into the wrong VERA2 (user/pass is correct)
« Reply #9 on: June 22, 2011, 02:16:10 pm »
@CJ

Some positive words on MCV support.

I must really hand it to you guys (and girls) that responses get more and more frequent and more importantly, meaningful.
As a user community we run into the issues of Vera's pros and cons every day and sometimes ppl get upset.

IMHO no excuse, but i understand the emotions, especially on the privacy related stuff in a world that seems to become progressively interconnected. Us early adopters always want/need hands on control and many of us are averse to "big brother".

As i said this post should be a positive note.
It's good to see the broken down, to the point responses i think we are all looking for.
At least that gives all of us the general idea MCV is listening (and hopefully trying to act on/roadmap on some of the issues we discuss like embedded SSL support).

As for human errors, alas... that happens... i'm not sure if that's a good excuse, but at least it's fair and open communications.

i would say apologies accepted and we all hope lessons were learned to prevent future mishaps.

One last remark from my side on this quote:
Quote
Quote from: hightop32 on Today at 05:35:44 pm
2nd the hokey jokey password limitations
We don't have low limit of the character numbers that a password can contain, so you could create a strong password only from alpha numeric characters.

I'm not really considering numeric and alphanumeric characters as a particularly strong basis for passwords.
Of course this is my personal opinion, but support for special characters like @, underscores, exclamations etc etc would dramatically improve security when facing bruteforce/dictionary attacks.

From my end, keep informing us the way you ppl do the last few weeks and we will stay loyal and motivated!

Best,

Henk

| Vera2 @ UI4 1.1.1350 / 3.20 | Vera Lite @ UI5 | Vera 3 @ UI5 | 2x Merten  504519 | 1x Duewi  064374 | 1x Everspring SM103 doorbell mod |1 Y-cam IP cam | various LUUP plugins |

Offline mdconnelly

  • Jr. Member
  • **
  • Posts: 96
  • Karma: +0/-0
Re: CP.MIOS.COM logs me into the wrong VERA2 (user/pass is correct)
« Reply #10 on: June 22, 2011, 02:46:13 pm »
Having worked in IT for more years than I care to think about, I must commend MCV & CJ for the in depth response and explanation.  Hey, sh*t happens, people get pissed, negative emotions abound.  This is not unique to MCV and Vera and is just the state of the world in which we live.  

The measure of value is how well it is Received, Acknowledged, Rectified and Explained.  Yeah, I know that stands for RARE but is a measure of distinction by the best companies.  In this case, kudos to MCV and CJ!

Offline markiper

  • Full Member
  • ***
  • Posts: 106
  • Karma: +0/-0
Re: CP.MIOS.COM logs me into the wrong VERA2 (user/pass is correct)
« Reply #11 on: June 22, 2011, 03:12:38 pm »
I must say, MCV really showed their support and commitment on this issue.  I got an email from MCV that the issue was solved (haven't tried yet), and based on their quick actions I will definitely keep on using Vera.

Thanks a lot to MCV for the quick action on resolving this issue; I must say, problems can always appear when dealing with technology, what is important is how quickly a company reacts and fixes the issue.  Once again, thanks MCV, you really showed your commitment and high level of support when dealing with high priority (security) issues.

Offline hightop32

  • Jr. Member
  • **
  • Posts: 91
  • Karma: +0/-0
Re: CP.MIOS.COM logs me into the wrong VERA2 (user/pass is correct)
« Reply #12 on: June 22, 2011, 05:01:09 pm »
Quote from: cj
hightop32 I'm sorry to read that you're so disappointed in our Vera unit, it seems that in all your posts you make this remark.

I just want to post to state that I wholeheartedly appreciate your response.  Finally!

Honestly, the only reason i created a forum account and kept pushing the same issue (UI4's features and firmware improvements -without- the use of findvera.com/mios) was because of the lack of direct response addressing these same concerns some users have been posting about for years now (yes, at some point i read through EVERY post available on the forums, well before i purchased or posted).  

I've been nothing but optimistic and supportive of this product and its potential, even selling friends on the idea/value of a low cost, 'open'/extensible/community driven and supported z-wave gateway.

I understand business models change and sometimes as a developer the direction of the product is out of your control, but please don't forget about users who have these needs/requests when you are designing future implementations.

For example, you state you can operate the Vera (minus remote access) without creating a user account.  I find this to be incorrect or at the best, misleading.  In UI4 without creating an account, you really can't do much of anything at all.

Even if you chose to use UI2 where you can choose to not create an account, the state of the Vera code and support at that point in time is far, far behind the current support and developments made in 1.1.1245 and firmware 3.2.  In order to utilize these features (some of which, like specific device support and/or improvements to the core zwave implementation are required) i MUST upgrade to a version that DOES require an account and central management.  

You mention what you cannot do when you do not create an account, but you havent stated why those limitations are excluded, or limited from a user perspective.... Why cant we select our own SMS gateway/NTP/Mail IMAP/POP/DDNS/Tunnel configurations (as advanced options)?

Even the threads created to show how to disable the tunnel -or- have the unit running without an internet connection, users are seeing that the box relies heavily on web based content and causes issues when running in these configurations.  Its not that its not possible to hack to do what you want, its that its not created with these things in mind, instead assuming all users will WANT to use your so called 'optional' services.

Just want you to know that many existing users, and even not-yet-customers share my exact concerns and it is putting us in very weird positions where we have two choices; putting full trust into your system and ignoring established best practices, or dealing with a hacked up, non-supportable, half-working product.  I literally have BINS of zwave gear sitting around ready to outfit an entire home, yet stuck dealing with what firmware version to use to support the modules i have (CA9000 PIR seems to be causing some pain right now, along with the monster/leviton scene controllers) yet give me the flexibility and appease my concerns with the cloud security model that is basically mandated for what i would consider basic functionality (secure remote access).

It REALLY is hard to sell fellow geeks on the idea of a total home control/automation gateway that basically pokes a hole to some remote servers run who knows where, accessible (legitimately or otherwise) by who knows who, and sustainable/supportable for who knows how long; all with no direct control over any of it.  How does one answer 'Soooo, they can basically see screenshots/video of all of my IP cameras and everything about my homes configuration and frequency of activity derived from my scheduled scenes?', ive found that usually, 'Oh, trust me (read: them), its fine and secure, dont worry about it', doesnt cut the mustard.  Can one find ANY one out there who is OK with the answer to this question?  Current/happy users... do you really have that much trust and lack of concern for someone with eyes inside your house?  Im creating a new topic in security forum to hear some replies.

Link to topic:  http://forum.micasaverde.com/index.php?topic=6900.0

AGAIN, while my post reads ranty, ive been following this project for years, and am not ready to abandon my efforts in finding a solution using the Vera, yet.  Ive invested way too much time and money reading, comparing and buying what i need to have some basic home automation features.  However, admittedly, Ive stopped telling my friends about Vera, and instead just planting the seed for general advantages/benefits of home automation and z-wave.  Ive looked/glanced at other solutions, including full on PC-based control, and while more expensive and perhaps even more proprietary (when talking about standalone products), this route is starting to seem more viable every day.

« Last Edit: June 22, 2011, 05:14:53 pm by hightop32 »

Offline Intrepid

  • Hero Member
  • *****
  • Posts: 536
  • Karma: +4/-0
Re: CP.MIOS.COM logs me into the wrong VERA2 (user/pass is correct)
« Reply #13 on: June 22, 2011, 05:09:31 pm »
Quote from: hightop32
Current/happy users... do you really have that much trust and lack of concern for someone with eyes inside your house?

I'm a privacy/security nut (per my friends), and the issues you raised do not concern me. 


Offline hightop32

  • Jr. Member
  • **
  • Posts: 91
  • Karma: +0/-0
Re: CP.MIOS.COM logs me into the wrong VERA2 (user/pass is correct)
« Reply #14 on: June 22, 2011, 05:23:13 pm »
Quote from: Intrepid
I'm a privacy/security nut (per my friends), and the issues you raised do not concern me.

please reply to my poll.  i appreciate your view/feedback as ive read and agree with most of your posts.