
Author Topic: Couple of questions pre purchase  (Read 2784 times)

Offline Abscam

Couple of questions pre purchase
« on: September 10, 2011, 11:31:43 pm »
OK. I've been all over the wiki and this site and ready to pull the trigger but looking for some input. Thanks for your considered responses.

1.  Are you satisfied with Mi Casa Verde and Vera2?  I've seen a lot of frustration on the site and a lot of bugs listed and delayed response from the MCV team. Would you buy again or use homeward or another alternative?  MCV doing enough business to stick around?

2.  Can one manage the lock codes remotely on the Kwikset or Schlage locks?  I'd like to log in remotely, input a code for renters and then delete when they've left. It's not clear this can be done over the Internet.

3.  Are there other costs after the initial purchase?  If I want SMS alerts vs. Email, do I need to pay more?  I don't see where additional service fees are listed anywhere.

4.  Has any security review been done on the management website?  Do the MCV guys know secure coding?  I've seen so many instances of coders that have no clue and leave big gaping holes due to ignorance or a willingness to bear risk and not taking time to audit their security and allow XSS, SQL injection, etc.  I don't want someone hacking my house locks due to insecurely managed cool solutions.   The claims of "bank level security" SSL in the literature and videos mean little if the rest of the code sucks. Is there a risk of a renter hacking the Vera2 while they are visiting?

That said, I look forward to a better solution than what I have today and am intrigued by what MCV has done with Vera2. Thanks in advance.

Offline garrettwp

Re: Couple of questions pre purchase
« Reply #1 on: September 11, 2011, 12:35:17 am »
Quote
OK. I've been all over the wiki and this site and ready to pull the trigger but looking for some input. Thanks for your considered responses.

1.  Are you satisfied with Mi Casa Verde and Vera2?  I've seen a lot of frustration on the site and a lot of bugs listed and delayed response from the MCV team. Would you buy again or use homeward or another alternative?  MCV doing enough business to stick around?

I have had my Vera for over a year now and for the most part she has been running strong. Anywhere you go for a product you will most likely see more of people having issues or getting frustrated. So do not let the negative posts scare you. Most people on here are either asking questions or needing help. Vera is a great product. Once you get to know how to work it and its limitations, the product should work great and give you no problems. I chose MCV and Vera as it was affordable, it has 3rd party API support and I was not attached to any stupid monthly fee. MCV is more of an OEM as they do a lot of work for other companies. I do not think MCV will go anywhere any time soon.

Quote
2.  Can one manage the lock codes remotely on the Kwikset or Schlage locks?  I'd like to log in remotely, input a code for renters and then delete when they've left. It's not clear this can be done over the Internet.

Yes, you can log into Vera via either MCV's control panel at cp.mios.com or you can use other forms of remote access (SSH, VPN, etc.) to gain access to Vera's web interface and issue new PINs to the locks.

Quote
3.  Are there other costs after the initial purchase?  If I want SMS alerts vs. Email, do I need to pay more?  I don't see where additional service fees are listed anywhere.

There are no additional costs to use Vera. MCV has provided remote access for free. I do believe there is a limit to how many SMS texts can be sent per day. But all in all there are no monthly fees.

Quote
4.  Has any security review been done on the management website?  Do the MCV guys know secure coding?  I've seen so many instances of coders that have no clue and leave big gaping holes due to ignorance or a willingness to bear risk and not taking time to audit their security and allow XSS, SQL injection, etc.  I don't want someone hacking my house locks due to insecurely managed cool solutions.   The claims of "bank level security" SSL in the literature and videos mean little if the rest of the code sucks. Is there a risk of a renter hacking the Vera2 while they are visiting?

The way MCV provides security for Vera via remote access is pretty straightforward and secure. As a rule of thumb, always use strong passwords and when choosing a username for cp.mios.com, use something other than your name, or things that can be related to you from the web. For using this product in a rental, I would strongly suggest that you keep the Vera unit locked up somewhere. If you provide any sort of internet access for your renters, I would also suggest having a separate network (guest network) that cannot have access to the network that Vera resides on.

- Garrett
« Last Edit: September 11, 2011, 01:49:59 am by garrettwp »

Offline futzle

Re: Couple of questions pre purchase
« Reply #2 on: September 11, 2011, 07:55:42 am »
Quote
4.  Has any security review been done on the management website?  Do the MCV guys know secure coding?  I've seen so many instances of coders that have no clue and leave big gaping holes due to ignorance or a willingness to bear risk and not taking time to audit their security and allow XSS, SQL injection, etc.  I don't want someone hacking my house locks due to insecurely managed cool solutions.   The claims of "bank level security" SSL in the literature and videos mean little if the rest of the code sucks. Is there a risk of a renter hacking the Vera2 while they are visiting?

In short, I don't trust MCV.  That probably says more about me than it does about them.

Leaving aside the issue of LAN security (there is none), I'm just not in the habit of running SSH tunnels from inside my LAN out to a third party I haven't personally been able to audit.  Especially when that SSH tunnel key is the same on every single Vera MCV has sold.

If you're worried about specific attacks on the MCV gateway, I haven't been able to imagine any, and I'm pretty imaginative.  I think the architecture is sound, but I can't speak for the implementation.  It would probably be rude for me to do a little Bobby Tables attack uninvited.  Though I do find it interesting that your MiOS password has to be alphanumeric.  To me, that always smacks of It Was Too Hard To Deal With Escaping Special Characters, So We Forbade Them.

Whether MCV support staff is open to social engineering, well, everyone is to some extent.

MCV staff are on record as suggesting that Vera customers are too insignificant to hack.  That's all well and good when you're a niche player, but it's not good to see that attitude in a company that has ambitions of being a major home automation provider.

That said, I still use their product.  I just take precautions.

Offline Abscam

Re: Couple of questions pre purchase
« Reply #3 on: September 11, 2011, 11:24:00 am »
Thanks for the comments folks.

Offline HouseBot

Re: Couple of questions pre purchase
« Reply #4 on: September 12, 2011, 04:12:54 am »
Quote
1.  Are you satisfied with Mi Casa Verde and Vera2?  I've seen a lot of frustration on the site and a lot of bugs listed and delayed response from the MCV team. Would you buy again or use homeward or another alternative?  MCV doing enough business to stick around?
I'm satisfied. I have only had Vera2 for a few months. It's not only point and click all the time, but as you see the forum members are really helpful and the support also answers promptly if needed. Vera does all that I can think of and even more. There are 500 z-way devices on the market to be controlled. I have not been affected by any of the bugs mentioned so far.

Quote
3.  Are there other costs after the initial purchase?  If I want SMS alerts vs. Email, do I need to pay more?  I don't see where additional service fees are listed anywhere.
No, you can receive one free SMS and 20 emails per day.

Quote
4.  Has any security review been done on the management website?  Do the MCV guys know secure coding?  I've seen so many instances of coders that have no clue and leave big gaping holes due to ignorance or a willingness to bear risk and not taking time to audit their security and allow XSS, SQL injection, etc.  I don't want someone hacking my house locks due to insecurely managed cool solutions.   The claims of "bank level security" SSL in the literature and videos mean little if the rest of the code sucks. Is there a risk of a renter hacking the Vera2 while they are visiting?
The service was under a Denial of Service attack and they managed to solve that issue after some time, and after that I have not seen any more issues, and I think MCV learned to be more communicative after this issue.