Security: No access restriction?

[gerd94706]

Hi,

I read through all the support information I could find, as well as posted this question to the support link micasaverde.com/contact-support.php with no luck so far,
so I'm trying this forum in the hope that someone can help (I am using a Vera3 / UI5):

Security Concern:
  As it stands, anyone with local network access, and anyone registered for the device (even Guest accounts), can change any settings to their likings:
  There isn't any protection for the settings available in menu "Setup"; only the Z-wave/home-automation specific settings appear to be protected.
  A malicuous user could very easily change IP host addresses, WiFi settings, or any other settings by means of "Backup" + "vi etc/passwd" + "Restore", followed by a login to the box.

  The web-site at wiki.micasaverde.com/index.php/Security_Concerns says that I should enable "Require a username and password to access Vera from within my home network."
  However, I could not find that option anywhere.
  Did it move in UI5 to some other place, did it disappear, or am I missing something else?

  How can I restrict access in such a way that only Administrators can change those settings?

[aschwalb]

Hi,

Security Concern:
  As it stands, anyone with local network access, and anyone registered for the device (even Guest accounts), can change any settings to their likings:
 

Before I answer just want to make sure I understand.  The security concern is that if someone has access to your local lan (i.e. has the appropriate credentials to be on the lan) AND has been given a user name and password for your Vera you need additional controls?  For example a guest account is allowed which you need to give a username and password to, can only control devices and cannot make configuration changes...

Access level:
Administrator: Let this user control and configure my Vera
Guest: This user can control my Vera system, but can't save any configuration changes
Notification only: This user can receive notifications, like security breaches, temperature extremes, etc., but cannot control or configure the system

[gerd94706]

Hi aschwalb,

Thank you for your fast response.

No, the concern is that anyone, even without any account can take over the box.

I'd like to distinguish between  2 cases:

#1 - Local network access without any account
#2 - Remote access with any type of account (even Guest / Unprivileged)

Both options are of concern to me w.r.t. the "Setup" Menu:

The "Backup" as well as the "Network" settings are particularily concerning.
Backup + Restore gives access to everything (since the backup can be manipulated and then restored).

Is there a way to only let the "Administrator" perform "Backup" as well as other "Setup" changes (e.g. change IP address, DHCP server, etc.)?

[gerd94706]

aschwalb, you said that

For example a guest account is allowed which you need to give a username and password to, can only control devices and cannot make configuration changes

That I can not confirm when it comes to "Setup". It appears to be wide open on my system; no account (not even a guest account) is necessary to perform these changes.

Could this be a release issue (I am using UI5, firmware version 1.5.254)?

[futzle]

Even if you enable user/pass authentication locally, and there are hacks on the forum that help you to do that, you are not being any deterrent to malicious or even mischievous users on your LAN. Vera's security model just doesn't have LAN security built into it. This has been talked about extensively on the forum. Do a search and see the history.

Better to prevent malicious users from getting onto your LAN. If you can't, then you should rethink using Vera at all.

[gerd94706]

Allow me to cite from the http://wiki.micasaverde.com/index.php/Security_Concerns web-page:
"If this is a concern, there are a couple preventive measures you can take besides only allowing access through the FindVera service. "

None of the suggestions listed on this web-site appears to work anymore.
The promise of being able to run this system securely was one of my purchasing decisions.

Anyone who has kids that bring friends with laptops over, probably knows what I'm talking about.
Installing a separate guest-SSID comes with its own challenges (not all APs support that, and even if they do, devices are in a separate broadcast domain, which limits functionality: e.g. mDNS / UPnP).

The same web-page mentioned above goes on to say:
"So, if somebody hacked into your home network and was able to monitor your network traffic while you logged into Vera, someone who knew about network protocols could get your user username and password to Vera. "

I'm not sure why anyone would want to go through the trouble of sniffing a username/password, if you can configure / take-over the device without a username/password.

I also don't quite understand the purpose of the Admin/Guest distinction, if no password is necessary to configure more fundamental / basic functions of the system (i.e. add / remove / change any user-account you want).

[futzle]

The wiki page you cite is out of date at best, wrong at worst. Vera has NO LAN security, so you have to provide your own. Those measures can be technical (as I have done on my network) or social (kid, if your friends hack Vera, you're grounded).

If this entitles you to a refund under your relevant consumer protection laws, go for it.

[gerd94706]

Vera has NO LAN security

Thank you for being this frank & clear; it helps me stop wasting my time on something that has little chance of success.

I only wish that micasaverde.com would've been this clear, so customers could make an informed decision.

For what it's worth: Micasaverde is in good company with other manufacturers that consider "LAN security" strictly optional.

Denon is another fine example. I leave it up to the readers to decide which is worse.

Denon.com?
a) Having mischievous kids destroy a few thousand $ worth of audio equipment
b) The same kids manage to crank up the volume to a point the neighbours call the police

Or Micasaverde.com?
Well, I guess it depends on what's connected to those appliance modules:
a) Turn your house into a finnish dry sauna
b) Turn your house into a refrigerator
c) Destroy a bunch of CF-lightbulbs (by frequent on-off cycles)
d) Turn off grandma's heart-lung machine

Cheers & Thanks

[aschwalb]

Vera has NO LAN security

Thank you for being this frank & clear; it helps me stop wasting my time on something that has little chance of success.

I only wish that micasaverde.com would've been this clear, so customers could make an informed decision.

For what it's worth: Micasaverde is in good company with other manufacturers that consider "LAN security" strictly optional.

Denon is another fine example. I leave it up to the readers to decide which is worse.

Denon.com?
a) Having mischievous kids destroy a few thousand $ worth of audio equipment
b) The same kids manage to crank up the volume to a point the neighbours call the police

Or Micasaverde.com?
Well, I guess it depends on what's connected to those appliance modules:
a) Turn your house into a finnish dry sauna
b) Turn your house into a refrigerator
c) Destroy a bunch of CF-lightbulbs (by frequent on-off cycles)
d) Turn off grandma's heart-lung machine

Cheers & Thanks

I think I understand now.  Your concern was that assuming someone had guest access to your LAN (I was thinking you meant guest access to your Vera), then they would be able to do something to it.  Yes if you do not secure your network and have a flat topology for your network then yes people can get to things on your network.  I suppose that is a good debate whether MCV should provide access control on a local LAN or leave the security up to you...

[gerd94706]

Your concern was that assuming someone had guest access to your LAN (I was thinking you meant guest access to your Vera)

They both enable you to take over a Vera device and do with it whatever you want.
Backup + Restore is all that's needed.

Yes if you do not secure your network and have a flat topology

Why do you say "do not secure your network"?

As I see it there's many levels of trust here.

And no, I do not have a flat toplogy, but I do distinguish between wired and wireless devices (for security reasons).

But I do not distinguish between a guest WLAN and a non-guest WLAN (just to allow Vera + Denon to continue to not have any password-restrictions).

Also, with the ubiquity of plug&play protocols such as UPnP and Bonjour, having separate subnets becomes increasingly more inconvenient.

Many of these devices do not offer a configuration option, in case auto-discovery does not work.

Is it really asking that much to have devices attached to a network password protected?

Cheers,

  Gerd

[Ap15e]

Is it really asking that much

Yes, it is.

Vera is an UPnP-to-Z-Wave bridge, and the UPnP protocol, as default, does not implement any authentication; so in addition, you are asking for support for the UPnP Device Security Service and/or UPnP-UP.

[boingolover]

There is no UI way to do this, but you can pretty easily enable digest auth by editing the /etc/lighttpd.users file  (search for that file in the forums for some info), and the passwords are not stored nor transmitted cleartext.  You can also enable SSL security within lighttpd.conf .  You can also disable the tunnels pretty easily, which breaks cp.mios.com but for me personally this lets me sleep at night.  Again, none of this is doable from the GUI, but if you're sufficiently paranoid and sufficiently motivated, there are options for securing the vera.  Hopefully the developers will recognize the value in providing a GUI interface, and I'm guessing they do, but it probably hasn't bubbled up to the top of their "to-do" list yet.

[m34z]

Is it really asking that much

Yes, it is.

Vera is an UPnP-to-Z-Wave bridge, and the UPnP protocol, as default, does not implement any authentication; so in addition, you are asking for support for the UPnP Device Security Service and/or UPnP-UP.

No, no it isn't.  Separate the two functions of this device.  1) This is a device that is assigned an IP address on my local network - ostensibly for the gui-based administration and connectivity to the Mi Casa Verde website.  2) it acts as a z-wave bridge on a separate wireless network.

For the first function, I actually don't see why this device isn't secured with a username/password for the administration console and does not use https by default.  These concepts and implementations have been trivial for a long time now.  I've been using OS firmware (now dd-wrt) on my wireless access point for almost 10 years and of course it's using https and is password protected.  I don't see why the Vera is different.

As another poster mentioned, you can futz around with lighthttpd settings.  For a $40 Buffalo WAP, sure.  But for a $300 device, I shoudn't have to.

You can continue to think that your user base is unreasonable and take a hostile attitude towards them, or you can understand that it's a reasonable security concern and needs to be addressed.  Mi Casa Verde has lost me as a customer and I'm returing the device until these basic security issues have been addressed.

[aschwalb]

Is it really asking that much

Yes, it is.

Vera is an UPnP-to-Z-Wave bridge, and the UPnP protocol, as default, does not implement any authentication; so in addition, you are asking for support for the UPnP Device Security Service and/or UPnP-UP.

No, no it isn't.  Separate the two functions of this device.  1) This is a device that is assigned an IP address on my local network - ostensibly for the gui-based administration and connectivity to the Mi Casa Verde website.  2) it acts as a z-wave bridge on a separate wireless network.

For the first function, I actually don't see why this device isn't secured with a username/password for the administration console and does not use https by default.  These concepts and implementations have been trivial for a long time now.  I've been using OS firmware (now dd-wrt) on my wireless access point for almost 10 years and of course it's using https and is password protected.  I don't see why the Vera is different.

As another poster mentioned, you can futz around with lighthttpd settings.  For a $40 Buffalo WAP, sure.  But for a $300 device, I shoudn't have to.

You can continue to think that your user base is unreasonable and take a hostile attitude towards them, or you can understand that it's a reasonable security concern and needs to be addressed.  Mi Casa Verde has lost me as a customer and I'm returing the device until these basic security issues have been addressed.

It seems this is mis-directed...  I have a network security policy/design that has open wireless access for the kids but no access to internal devices.  I have many devices connected to the network from an x-box to Vera to my Yamaha receiver to DirecTV.  I ensure that no can get to devices that don't have explicit need to get to them.  I look at vera as a black box, just like my yamaha AV gear.  I don't log into my yamaha or my DirecTV device. 

[Matirx]

I agree with the other posts.  It is a failed system that opens up everthing in the house to a guest inside the network or someone that can hack in.  With all do respects xbox, yamaha or DirecTV access can be bad but not at the level of accessing the assets of the whole house.  I already have read a few ways this problem can be corrected and that is the issue.  One should not have to determine the best approach for security with the possiblity of having a false sense of security.  This should be inherent in the system.  What if bank sites said we don't need https:// because there are a number of encryption choices we are allowing you to make.  How long would it take for people to stop using web access to banks?  As Zwave continues to move into the home it must improve security or it will lose the trust of the customer.