The Vera Community forums have moved!

Advanced => Security => Topic started by: therealabdo on February 12, 2014, 03:32:29 am

Title: Summerizing Security Issues
Post by: therealabdo on February 12, 2014, 03:32:29 am
Hello guys

As there are MANY and MANY threads talking about the same matter, SECURITY!! So I would like (try) to gather most of the information in one post and after that in one article.
(Please add/correct so we can put all info in one paper)

First of all lets discuss why someone would be hacked.
The first reason being that if you have a z-wave door lock or maybe a garage switch the attacker can unlock, open your garage or even disarm the sensors and break into your house easily
The second reason is to have access to your Local Network, and this give his/her an access to every LAN connected device as vera is a gateway.

Ways to hack the HA system:
- Locally: by cracking your wifi passward or by pluging in an Ethernet cable into a router or something (the late one is unlikely to happen). This way will give him/her direct access to your local netwrok and then to vera (since vera doesn't ask for username and password locally)
- Attacking vera servers, this needs a huge effort I guess but as well they can for example unlock all door locks and try to break yours.
- Attacking vera account using a password cracking URL.
- Attacking z-wave using Z-force. this is the worse maybe as all the above mentioned points are common in most systems. So breaking the z-wave security will give the attacker a full control of you house

Advises:
- Don't use port forwarding (for IP Cameras) so it would make you easier to be attacked
- Use SSH or VPN for remote access cameras or any other devices.
- Isolate networks, so the HA has a different LAN than you Home Network LAN
- Use long wifi passwords and ofcourse WPA2 encryption

That is for now

Please correct and add as I am kinda newbie
Title: Re: Summerizing Security Issues
Post by: aPL on February 12, 2014, 04:57:56 am
My setup is like this:

(router1) Main router  connected to:
- normal network
- small router with openwrt (vlan0) - vera

Router2 has:
 - different wifi network using radius
 - vpn services - pptp and openvpn

(dis)advantages:
- separate lan from the usual networks
- wifi key for vera is very long and changes from time to time automatically
- can't controll vera directly, you have to use a vpn client from lan or from the internet

About the z-wave what worries me is the automation part. If you have triggers that unlock doors based on sensors, those sensors need to be as secure as the door itself. For instance if you have a trigger based on a motion sensor to unlock/open a door and somebody fools the motion sensor to trigger, it does not matter if the vera itself is secure.

To secure your own network what i recommend is buying an openwrt router and create 2 wifi networks. One for normal use with a strong password and one for mobile phones/guests, which is not bridged to the ethernet network and can access only dns and nat on the router (and also isolate wifi clients).
- create wifi1 for normal use, with a strong wifi password
- bridge wifi1 to lan
- create wifi2 with a simpler password
- block from firewall any connection router - wifi2
- allow port 53 for dns from wifi2 to router
- enable packet routering for wifi2


Title: Re: Summerizing Security Issues
Post by: garrettwp on February 12, 2014, 05:20:11 am
- Attacking vera servers, this needs a huge effort I guess but as well they can for example unlock all door locks and try to break yours.
- Attacking vera account using a password cracking URL.

With UI6 and newer this will be even harder to do. The new MMS service which is a new authentication system is similar to how oAtuh works.

1. You authenticate with the MMS auth server.
    The MMS auth server returns auth token data to be used in your request to obtain a session token for the service you want to use.
2. You request a session token from the service you want to use which includes the auth token data returned from the auth server.
3. You than use this session token for every request on the service (server) you are using.

You will need to request a session token for each service (server). Auth tokens are only good for 24 hours and will require to re-authenticate. Same goes for the session tokens, they are only good for 24 hours.

This new system is more complicated than how current UI5 and older authentications work. It requires more work to implement and more steps.

- Garrett
Title: Re: Summerizing Security Issues
Post by: Armedmetallica on March 09, 2014, 07:28:55 pm
- Attacking vera servers, this needs a huge effort I guess but as well they can for example unlock all door locks and try to break yours.
- Attacking vera account using a password cracking URL.

With UI6 and newer this will be even harder to do. The new MMS service which is a new authentication system is similar to how oAtuh works.

1. You authenticate with the MMS auth server.
    The MMS auth server returns auth token data to be used in your request to obtain a session token for the service you want to use.
2. You request a session token from the service you want to use which includes the auth token data returned from the auth server.
3. You than use this session token for every request on the service (server) you are using.

You will need to request a session token for each service (server). Auth tokens are only good for 24 hours and will require to re-authenticate. Same goes for the session tokens, they are only good for 24 hours.

This new system is more complicated than how current UI5 and older authentications work. It requires more work to implement and more steps.

- Garrett

so I if I disable all internet access to this device from my router/firewall, would I still have issues? somewhere i thought I read that you don't need to connect Vera to anything. If that's true, wouldn't blocking all internet access emulate that kinda setup?