Vera - Smarter Home Control Forum

Advanced => Security => Topic started by: jtlns on February 18, 2015, 04:04:43 am

Title: This can't be true ... no local security on UI7/Vera Edge???
Post by: jtlns on February 18, 2015, 04:04:43 am
Hi everyone,

I just got a Vera Edge and some Z-Wave devices. Configuration of these devices, scenes etc. went smoothly! :)

I was really amazed by the fact that if you browse to the device using its local IP address, you end up directly on its web user interface (without providing a username/password). And I can't seem to find an option to add some security locally. The only option I could find is "Secure your Vera" which appears to disable local access to the Edge completely (so you have to go via home.getvera.com). BUT this only works if there is internet connectivity ...

Please tell me there is another way you can secure the Vera Edge locally ...

Thanks!
Jan
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: garrettwp on February 18, 2015, 09:26:34 am
This has been discussed many times on the forum. The answer is no, you cannot. I suggest you have a look over the forum for previous discussions on this topic. Google will be a better search utility than the built-in search.

- Garrett

Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: andreyklinger on February 19, 2015, 04:19:40 am
Actually there is something you can do, but it depends on your use case.
I didn't try it, but I guess you can just put an .htaccess file that will require username/password.
However, if you use any local device that needs to report status (via http) to your Vera, it won't work.
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: RichardTSchaefer on February 19, 2015, 10:36:02 am
That would break all remote apps (mobile).

Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: BOFH on February 19, 2015, 12:33:26 pm
Only for local access. Remote access (even if you are local) should still work as it goes via the GetVera servers.
But I agree on it not being a good idea to use a .htaccess file if you use apps.
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: RichardTSchaefer on February 19, 2015, 01:23:14 pm
Also, .htaccess would not restrict access to the LUAUPnP app either (only the access through /port_3480).
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: andreyklinger on February 20, 2015, 12:24:00 pm
Port 3480 can be blocked via the router. (Since apps can't work locally anyway)
I don't think it will block apps working remotely, would it?
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: AnttiK on September 14, 2015, 01:17:34 pm
I'm thinking of dumping Vera for this specific reason. Now I have been moving my "no need to be in LAN" devices to another VLAN without LAN access, but still the problem remains.
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: Fryswatter on September 09, 2016, 03:53:46 pm
I know this post is old, but if you secure your local network properly then you have nothing to worry about.
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: integlikewhoa on September 09, 2016, 05:36:36 pm
> I know this post is old, but if you secure your local network properly then you have nothing to worry about.

There are a lot of other reasons and solutions also. But for example you want to keep your teenage kids out of certain devices. Some people have roommates or share internet in vacation homes/condos. I know there are many reasons to allow people to share internet but not leave vera wide open to anyone. Sure you can Vlan and other things but why not just allow a user and password to connect to local connections vs. going through vera servers or isolating a vera on its own Vlan?
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: Fryswatter on September 10, 2016, 12:23:12 am
> > I know this post is old, but if you secure your local network properly then you have nothing to worry about.
>
> There are a lot of other reasons and solutions also. But for example you want to keep your teenage kids out of certain devices. Some people have roommates or share internet in vacation homes/condos. I know there are many reasons to allow people to share internet but not leave vera wide open to anyone. Sure you can Vlan and other things but why not just allow a user and password to connect to local connections vs. going through vera servers or isolating a vera on its own Vlan?

I couldn't agree with you more. However, in those instances described above, I would be concerned with Internet access for those types of individuals if I were allowing such a thing. Especially considering those circumstances. But I wholeheartedly agree with you as far as simplicity is concerned.
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: integlikewhoa on September 10, 2016, 12:43:43 am
> However, in those instances described above, I would be concerned with Internet access for those types of individuals if I were allowing such a thing.

I think I lost you or I don't understand what you mean.

So my teenagers/kids should not have internet access or local wifi? They are old enough and smart enough to eat up cell data if I block them from local wifi nor do I want to regularly block them from wifi or internet. My solution was a Vlan or guest network which works great for my kids and guests. I also could have enabled secure my vera, but that also has its own issues. 
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: Fryswatter on September 10, 2016, 12:52:45 am
> > However, in those instances described above, I would be concerned with Internet access for those types of individuals if I were allowing such a thing.
>
> I think I lost you or I don't understand what you mean.
>
> So my teenagers/kids should not have internet access or local wifi? They are old enough and smart enough to eat up cell data if I block them from local wifi nor do I want to regularly block them from wifi or internet. My solution was a Vlan or guest network which works great for my kids and guests. I also could have enabled secure my vera, but that also has its own issues.

Lol... no, didn't lose me. Those are perfectly good options. When I say "allow such a thing" I'm implying that good security measures are the way to go in such an instance. Lol, I never stated that one should just not allow internet access.

I haven't used UI7... and don't think I will anytime soon. Still has a lot of bugs. So do the older UIs, however I am perfectly happy with the UI5.

Aside from that, even if you password protect the UI, encrypted or not, it's still included in the query string and easily sniffed using for example Wireshark if the traffic is monitored from within your network.
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: rene.rpv on December 18, 2016, 10:09:42 am
> Aside from that, even if you password protect the UI, encrypted or not, it's still included in the query string and easily sniffed using for example Wireshark if the traffic is monitored from within your network.

That's just like saying: oh, I don't need a lock on my door since someone is still able to duplicate my key. Or not needing pin-codes since someone is able to see you typing it in.

Username/password authentication should be the first barrier. It is only secure if you have a good encrypted connection, yes.
But not having it is a huge flaw. Anyone with a connection to your network could just manage your system as if it were you.
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: Tillsy on March 24, 2018, 06:05:42 pm
Despite being horrified at how bad Vera is on many levels, for consistency reasons I have bought a second one for our holiday home. Its purpose will be to control a door lock, as well as a few things here and there.

Ready to deploy soon, but just ran into this very problem... that I've just realised if I plug in the local IP address I have full administration of the Vera with NO authentication whatsoever.

The login we do is purely for the GetVera portal which then relays access to our Vera... the Vera itself has NO security, none whatsoever?

WTF? I provide our guests with Internet access - they could simply scan for IPs, connect to the Vera, and have FULL administration access. Not only that, you can see in plain text the passcodes on the door lock... our permanent codes, their temporary codes, upcoming guest codes...

Tell me this isn't so.... what the hell?!?!? Surely this can't be true - it renders Vera completely unusable for this application?!?
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: Tillsy on March 24, 2018, 06:46:15 pm
I've just noticed the "tick" for "Secure My Vera" is GREY... I'm thinking that might mean something is not quite right, as I'm sure Vera ticks are normally GREEN.

My gut tells me clicking it will turn it off, as tick boxes are normally empty if off and ticked if on.  However, on the other hand Vera does some incredibly stupid things... so it wouldn't surprise me if a ticked tick box is not actually a ticked tick box, but rather the colour of it is what matters.

I won't touch it yet until I hear some feedback, but hopefully it might mean I have no security on at the moment and thus this is easily fixable...
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: Don Phillips on March 24, 2018, 07:49:37 pm
My router provides for a separate "guest" connection with no access to my local network including printers, servers, cameras, and Vera.
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: Tillsy on March 24, 2018, 08:13:38 pm
> My router provides for a separate "guest" connection with no access to my local network including printers, servers, cameras, and Vera.

That's true, I've got them on an isolated network, but still... not like there haven't been an immense number of flaws with WiFi over the years, I don't consider my WiFi network (at either home) to be secure.
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: Sorin on March 26, 2018, 05:45:52 am
@Tillsy

Secure My Vera box will have a green mark if checked and will disable local access to your Vera unit.

This box will be enabled by default with the upcoming firmware.
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: Tillsy on March 26, 2018, 06:20:00 am
> @Tillsy
>
> Secure My Vera box will have a green mark if checked and will disable local access to your Vera unit.
>
> This box will be enabled by default with the upcoming firmware.

Great news thanks Sorin, that explains it then. Bit confusing that an unticked option actually has a tick there, maybe can be fixed in a future release?
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: integlikewhoa on March 26, 2018, 12:41:37 pm
> Great news thanks Sorin, that explains it then. Bit confusing that an unticked option actually has a tick there, maybe can be fixed in a future release?

Not sure what part needs to be fixed? Says secure my vera....... You put a check and it locks out local use, which means it secures it with a check. It should not be backwards.

Also it should be noted that checking the secure my vera box blocks local access and requires you to sign in through vera's server to check your credentials. If your internet or vera's servers are down you are locked out since there is no longer local access and no web access. This makes your vera fully dependent on vera's servers and internet.
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: Tillsy on March 26, 2018, 04:37:08 pm
> Not sure what part needs to be fixed? Says secure my vera....... You put a check and it locks out local use, which means it secures it with a check. It should not be backwards.

Let me reword that for you :)

"Says secure my vera....... There is already a check there, but that does not mean it is checked.  You must check it again, even though it is already checked, so the check is a different colour check."

On any other operating system/GUI a grey check means it is already on but you can't change it - an empty check means it is off and a black or coloured check means it is on.

For Vera a grey check instead means it isn't even checked, even though it is, AND you CAN click it - talk about bad GUI design.  Clicking that already checked check, even though it is greyed out, then becomes a green check and that means on.
Title: Re: This can't be true ... no local security on UI7/Vera Edge???
Post by: integlikewhoa on March 26, 2018, 06:20:47 pm
> Let me reword that for you :)
>
> "Says secure my vera....... There is already a check there, but that does not mean it is checked.  You must check it again, even though it is already checked, so the check is a different colour check."

Got it. Attached an image to give Vera an idea of how it should look in that case.