
Advanced => Security => Topic started by: tedp on June 26, 2013, 02:45:40 pm

Title: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: tedp on June 26, 2013, 02:45:40 pm
http://it.slashdot.org/story/13/06/26/1339253/black-hat-talks-to-outline-attacks-on-home-automation-systems?utm_source=rss1.0mainlinkanon&utm_medium=feed

Should we be worried?
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: guessed on June 26, 2013, 03:07:07 pm
Should we be worried?
It depends upon what you worry about...   I'm not concerned with people turning on/off my lights, I'd be more concerned with people breaking into the MiOS servers, and getting access with that path. 

For that reason, anyone that's really worried:
a) probably isn't going to do HA; OR
b) will minimize the connected devices to their HA system; OR
c) will isolate the HA Network from their home Network (since, when hacked, MiOS will provide an effective gateway to everything on your Home Network)
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: tedp on June 26, 2013, 04:28:49 pm
Agreed.. I personally don't have any tie ins to locks and alarm systems, but it seems that many z-wave users do allow access to locks and alarm systems which could be vulnerable even if the network aspect of the gateway is isolated.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: guessed on June 26, 2013, 04:41:42 pm
Someone wanting to physically break into the house will only be marginally put off by an Alarm system, and isn't likely to have the skills to run an electronic hack before they enter (for the average house)

Breaking into the house electronically, and getting access to unprotected Shared Files/Documents on the Home-LAN, is a wholly different class of thief... one that's probably not interested in coming physically near to you, and isn't at all worried about physical perimeter protections like Alarm systems.

In the latter case, they're much more interested in account details, passwords, financial information and/or SSN's (etc) they can get...

For this type of hacker, I'd guess that identity theft, rather than physical theft, is more profitable.


I always wonder how many people are assuming they're home Networks are "safe", and so don't put in other controls to prevent one of the devices on the Home Network doing something "errant".  As we get more connected, this will become a lot larger problem (IMHO) than making the lights blink.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: guessed on June 26, 2013, 04:56:21 pm
... and to swing this back to a Vera-context, all it would take is to break into a cp.mios.com account.

Once you've done that, via say a URL-based Password cracker, you have access to the Vera unit.

From there, as has been discussed before, you can fire off a URL that'll cause Vera to open up an outbound/anonymous SSH tunnel to any machine on the Internet, and the hacker can now gain access to your whole-home Network.... poking around as much as they want.

... and that's the easiest example.


So I'd be more about asking when more security (like Account lockout, among others) will be implemented against cp.mios.com than the Z-Wave stuff.  But that's just my perspective   8)
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: Da_JoJo on June 26, 2013, 06:58:56 pm
When on the home internal network one can just trigger a URL for the ip:3480 and so steer any device without logging in.
IMHO that's one of the reasons I don't have an automatic opener on my front door and my IP cams record directly to a mail & FTP account on an online source outside of the Vera.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: guessed on June 27, 2013, 03:30:43 am
Maybe, but at least most home networks have some rudimentary, not-too-easy, security in place.... Usually requiring physical access (cable), or physical proximity (Wifi cracking).... So the process to use this to look at stuff is slow, and likely requires physical presence.

Things that open Proxy tunnels from your Network, to third party servers (without adequate access controls in place), leave them potentially exposed to someone in a barcalounger 1/2 way around the world going after PII and/or financial data.

ie. write a Bot to crack open accounts/passwords on the Internet-facing end, and you potentially open up 100's, or 1000's of home networks.... Remotely, and cheaply, with low risk.

There are even HTTP proxy servers in some countries that'll mask your identity whilst you're doing the scans (.se domain, IIRC from looking at the folks hacking the forums here)

I know what I'd target....
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: Da_JoJo on June 27, 2013, 07:51:56 pm
Most dangerous thing about it is that when the blackhat people have found a way and post the findings somewhere, some script kiddie runs away with it and starts annoying people, I guess.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: SOlivas on July 13, 2013, 01:49:15 pm
With any "new" technology that is becoming main stream, security is normally an after thought.  People are inherently curious, and for some, the thrill and challenge of being able to crack open something is an urge they can't resist. 

I wouldn't be surprised if someone hacks the home automation systems at the Z-Wave, Zigbee, etc. protocol level, using an Arduino processor and a homebrew piece of software for a proximity based attack, bypassing the controller completely.  Or worse yet, spoofing the HA controller, and setting up a rogue controller that relays things to the real controller, as a man-in-the-middle attack.

Anything is possible.  Since Z-Wave is a black box to anyone who hasn't signed an NDA, we don't know what happens at that level. 

I wonder if anyone has reverse engineered the Z-wave firmware files yet?  I bet someone has.

 
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: dparkinson on July 30, 2013, 08:23:32 am

@SOlivas -- yes, I think that's one of the topics in the talks here:

https://www.blackhat.com/us-13/briefings.html#Fouladi

@guessed , you mentioned the following:

Quote
c) will isolate the HA Network from their home Network (since, when hacked, MiOS will provide an effective gateway to everything on your Home Network)

and on that, I assume you're talking about a DMZ or separate VLAN to isolate the HA network?  And then using an access control list or something to allow management from the PCs inside the house?
 
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: RichardTSchaefer on July 30, 2013, 08:34:08 am
Do not allow port forwards except for Authenticated and Encrypted protocols like SSH and VPNs.

Do not use a DMZ.

If you buy a device to add to your LAN ... and the device, or its app, asks you to make router changes ...
DON'T! DON'T! DON'T! DON'T!

You should be a security expert, or know one, before you open the barn doors on your router.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: guessed on July 30, 2013, 10:20:08 am
@guessed , you mentioned the following:

Quote
c) will isolate the HA Network from their home Network (since, when hacked, MiOS will provide an effective gateway to everything on your Home Network)

and on that, I assume you're talking about a DMZ or separate VLAN to isolate the HA network?  And then using an access control list or something to allow management from the PCs inside the house?
 
A VLAN, and appropriate routing rules (and devices) separating the high-trust parts of your home Network from your low-trust components.

This separation isn't about a no-trust DMZ (Internet exposure).

Instead, it's about further separations within your LAN to ensure data/control cannot flow from a low-trust HA region to a high-trust region, and using these additional [LAN] separations to protect critical assets.

Other controls need to be put in place on the LAN, depending upon how serious you are about this type of stuff.

ie. what are all the points of vulnerability, what are you doing to lock those down, how much convenience do you really want.

Similar techniques are used to create [protected] low-trust guest (Wifi) Networks in homes, where the high-trust LAN zone can talk to the Guest Network, but not the other way around (but all contained within the LAN, with no WAN exposure)
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: capjay on July 30, 2013, 10:54:18 am
Do not allow port forwards except for Authenticated and Encrypted protocols like SSH and VPNs.

Do not use a DMZ.

If you buy a device to add to your LAN ... and the device, or its app, asks you to make router changes ...
DON'T! DON'T! DON'T! DON'T!

You should be a security expert, or know one, before you open the barn doors on your router.

and disable UPnP "feature" in your router. You really do not want the router opening ports on its own!!
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: Crismaison on July 30, 2013, 11:06:22 am
Disabled UPnP, but I have 2 cameras which I want to access remotely, is there another way then opening a port?
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: dparkinson on July 30, 2013, 01:51:01 pm
I guess my Linksys won't cut it then ;)
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: RichardTSchaefer on July 30, 2013, 11:05:15 pm
@Screamhouse

Learn how to set up an SSH tunnel ... or do not be surprised if the boys on the West coast do not start manipulating devices in your home remotely as well.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: Pestus on August 01, 2013, 10:10:00 pm
Now that the cat's out of the bag, what do we all do about this?

In the PDF that outlines all the quite shocking vulnerabilities, the author states;

"As the vendor has refused to fix or even acknowledge these
vulnerabilities, the authors consider it highly likely that this product has additional undiscovered
vulnerabilities."

If this is the case, we need to get Micasaverde's attention!

I'm going to bet that in the next few days, someone makes a play at cp.mios.com... 
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: Brientim on August 01, 2013, 10:14:42 pm
There is a corresponding thread running in parallel see:
http://forum.micasaverde.com/index.php/topic,15892.msg121185.html#msg121185
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: Intrepid on August 02, 2013, 09:38:30 pm
So this got me to try out VPN on a DD-WRT router tonight.  My current setup is everything through an AirPort Extreme, Vera doing its thing, a Windows PC running Blue Iris DVR with a static forward, my DSC alarm with an EyezOn, Sonos, a Synology NAS, and many other devices. 

My Comcast business smcd3 has 4 ports.  The airport is using one.  I also have a dlink upnp on port 2 used only for Xbox live.

I set up vpn in the ddwrt and connected with my iPhone on wifi.  It seemed to work.

If I add the DD-WRT router to port 3 of the SMCD3, connect the Vera, Blue Iris PC, and DSC, they'll all be on a different subnet isolated from my normal home stuff.  I can VPN to access these devices which need to get outside my LAN.  I will lose the convenience of viewing my cameras and Vera locally.  I will have to VPN or hit them through MiOS or the Internet.

Is this a good idea?  Am I missing anything?
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: guessed on August 02, 2013, 10:31:17 pm
It's a little hard to tell from the description, but it sounds more like you protected your Vera from your Home network, than your Home Network from Vera.

...it depends on which router/gateways products are running in which modes. 

eg. What is NAT, what is Bridged

For a more acid test, plug a PC into your WRT box and see if you can connect to your home network.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: Intrepid on August 03, 2013, 09:23:07 pm
It's a little hard to tell from the description, but it sounds more like you protected your Vera from your Home network, than your Home Network from Vera.

...it depends on which router/gateways products are running in which modes. 

eg. What is NAT, what is Bridged

For a more acid test, plug a PC into your WRT box and see if you can connect to your home network.

Two isolated subnets.  One for camera DVR server, Vera, DSC (Vera communication with the DSC is critical).  One for everyday use.  And actually a third for Xbox Live.   :)

I wish I were better at networking because I know I'll want to have my Vera control my sonos, but I like my sonos on my 'everyday' network.  But I now have the risky stuff isolated so I feel better until I can understand all this better.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: guessed on August 04, 2013, 12:05:23 am
Two isolated subnets.  One for camera DVR server, Vera, DSC (Vera communication with the DSC is critical).  One for everyday use.  And actually a third for Xbox Live.   :)

I wish I were better at networking because I know I'll want to have my Vera control my sonos, but I like my sonos on my 'everyday' network.  But I now have the risky stuff isolated so I feel better until I can understand all this better.
Fair enough.  If both are NAT'd, then a slightly more "connected", but slightly less secure, model might be to daisy-chain the NAT'd routers.

You currently have [NAT'd] Networks "A" (Vera, DSC et-al) and "B" (Home/Everyday Network) as peers, so traffic cannot go between them.

If you sling "B" below "A", and retain the NAT on both, then "B" stuff can see the "A" machines without any magic, but not the other way around.  It would depend upon whether you have components sensitive to Double-NAT, and whether you needed some sort of [VPN] access into "B" (and the resulting double-forward to the VPN entity).

Not a panacea, by any means...
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: SOlivas on August 04, 2013, 01:22:35 am
Disabled UPnP, but I have 2 cameras which I want to access remotely, is there another way then opening a port?

Building on what is already being said in this topic, if you really want to have remote access to your stuff without having your network open to the world, there are a few things you can do:

-Invest in a business grade firewall.  If you look around, you can find hardware from the big name players that are on sale or, if you scan through eBay, you can find older stuff that is still good, just EOL -- just make sure you have a copy of the latest released supported firmware/IOS and re-flash the devices you buy.  Block the Vera from making its call home.  Set it up to act as an end point for VPN access into your network.  Then you can remotely access your system after you have passed this gatekeeper. 

-Get a firewall like above, but instead of having it handle VPN, learn how to set up an OpenVPN server (dedicated box that is all it does), and then use that to access your network and items remotely.  There are clients for Android and, if you jailbreak your iPhone/iPad, there is one for that as well.

-If you really are serious about network security, and don't mind doing some work, then take a look at this:  http://www.sans.org/critical-security-controls/  It is meant for organizations to implement to help get a better handle on networks, and by implementing the top 5, you can realize an increase in security.  Anyways, read this and learn what is being done here, then learn how to adapt this to your home network.  (You could implement this on your home network, just be prepared to manage your home like a corporate network and have your "users" upset that they can't do anything.)




Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: lolodomo on August 04, 2013, 04:53:43 am
You currently have [NAT'd] Networks "A" (Vera, DSC et-al) and "B" (Home/Everyday Network) as peers, so traffic cannot go between them.

If you sling "B" below "A", and retain the NAT on both, then "B" stuff can see the "A" machines without any magic, but not the other way around.  It would depend upon whether you have components sensitive to Double-NAT, and whether you needed some sort of [VPN] access into "B" (and the resulting double-forward to the VPN entity).

Not a panacea, by any means...

It is what I tried yesterday, meaning Sonos and Vera in different subnets. Vera can control the Sonos but Sonos feedback is probably blocked by the intermediary router, meaning Vera cannot update data coming from the Sonos units.
I suppose it is possible to add a rule in the router to allow traffic coming from specific IPs (Sonos IPs) ?
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: futzle on August 04, 2013, 05:09:02 am
I suppose it is possible to add a rule in the router to allow traffic coming from specific IPs (Sonos IPs) ?

Of course. This is called punching holes in the firewall. Try to make the hole as specific as possible. Give the from-address, to-address, protocol and (if appropriate) port.

For the Belkin WeMo, which uses UPnP, the firewall holes are UDP port 1900 and TCP ports 49152-49167.  Sonos will be something similar. You can use a tool like Wireshark to get the protocols and ports that a given appliance uses.
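A rule set for the two-zone LAN guessed describes, with pinholes of the kind futzle recommends, as an added example that is not from this thread, from MiOS or from any vendor: it assumes the interface names, subnets and addresses in the variables, Vera on the low-trust HA VLAN, and Sonos units on the home VLAN reached on TCP 1400 as mentioned above.

```shell
#!/bin/sh
# Added example (not from the forum thread or from MiOS/Vera): iptables FORWARD
# rules for a two-zone LAN. The high-trust home VLAN may initiate connections
# into the low-trust HA VLAN; the HA VLAN may not initiate connections back,
# except through explicitly punched holes that name the from-address,
# to-address, protocol and port (here: Vera -> each Sonos unit on TCP 1400).
# Interface names, subnets and addresses below are assumptions for the example.
#
# Usage: sh ha_vlan_rules.sh          prints the rules (dry run, the default)
#        APPLY=1 sh ha_vlan_rules.sh  executes them with iptables as root

HOME_IF="${HOME_IF:-eth0.10}"            # high-trust VLAN interface (assumed)
HA_IF="${HA_IF:-eth0.20}"                # low-trust HA VLAN interface (assumed)
HOME_NET="${HOME_NET:-192.168.10.0/24}"  # assumed
HA_NET="${HA_NET:-192.168.20.0/24}"      # assumed
VERA_IP="${VERA_IP:-192.168.20.5}"       # Vera on the HA VLAN (assumed)
SONOS_IPS="${SONOS_IPS:-192.168.10.41 192.168.10.42}"  # Sonos on the home VLAN (assumed)
SONOS_PORT=1400                          # Sonos control port, from the thread

# Emit one iptables argument list per line. Printing and applying share this
# list, so what you review in a dry run is exactly what gets loaded.
ha_vlan_rules() {
    # Default-deny between zones; only the rules below open anything.
    printf '%s\n' "-P FORWARD DROP"
    # Replies to connections that were allowed to start may flow either way.
    printf '%s\n' "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # High-trust -> low-trust: the home VLAN may manage anything on the HA VLAN.
    printf '%s\n' "-A FORWARD -i $HOME_IF -o $HA_IF -s $HOME_NET -d $HA_NET -j ACCEPT"
    # Punched holes, low-trust -> high-trust, as specific as possible.
    # Multicast discovery does not cross VLANs, so Vera is assumed to be
    # configured with the Sonos addresses directly.
    for sonos in $SONOS_IPS; do
        printf '%s\n' "-A FORWARD -i $HA_IF -o $HOME_IF -s $VERA_IP -d $sonos -p tcp --dport $SONOS_PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else the HA VLAN tries to start toward the home VLAN is logged
    # (rate-limited) and dropped; that log line is your detection signal.
    printf '%s\n' "-A FORWARD -i $HA_IF -o $HOME_IF -m limit --limit 6/min -j LOG --log-prefix \"HA->HOME blocked: \""
    printf '%s\n' "-A FORWARD -i $HA_IF -o $HOME_IF -j DROP"
}

# Number of holes the rule set opens from the HA VLAN into the home VLAN,
# the figure you want to keep as small as possible.
count_pinholes() {
    ha_vlan_rules | grep -c -- "-i $HA_IF -o $HOME_IF .* -j ACCEPT"
}

if [ "${APPLY:-0}" = "1" ]; then
    ha_vlan_rules | while IFS= read -r rule; do
        # Word-splitting the rule into iptables arguments is intended here.
        eval "iptables $rule"
    done
else
    ha_vlan_rules
fi
```

Run it once without APPLY and read the output before loading anything; each extra device the HA VLAN must reach should add exactly one pinhole line.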
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: lolodomo on August 04, 2013, 07:05:00 am
I suppose it is possible to add a rule in the router to allow traffic coming from specific IPs (Sonos IPs) ?

Of course. This is called punching holes in the firewall. Try to make the hole as specific as possible. Give the from-address, to-address, protocol and (if appropriate) port.

For the Belkin WeMo, which uses UPnP, the firewall holes are UDP port 1900 and TCP ports 49152-49167.  Sonos will be something similar. You can use a tool like Wireshark to get the protocols and ports that a given appliance uses.

Finally, the Sonos plugin is working well (except album art, I have to investigate why) while in "normal" mode, meaning using calls on port 1400.
As soon as I switch to your UPnP event plugin (event notification), I have no more feedback; I assume events are no longer reaching your plugin?
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: Intrepid on August 04, 2013, 08:41:05 am
Thanks guessed, futzle, solivas, and everyone else. 

What firewall/switch would be a good home/business choice to give me some additional control and flexibility?  The ZyXEL ZyWALL USG50 is around $225 and looks interesting.

Does anyone have a setup they could share?  specific brands, models, topology?



Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: SOlivas on August 04, 2013, 01:02:06 pm
Thanks guessed, futzle, solivas, and everyone else. 

What firewall/switch would be a good home/business choice to give me some additional control and flexibility?  The ZyXEL ZyWALL USG50 is around $225 and looks interesting.

Does anyone have a setup they could share?  specific brands, models, topology?

The firewall you use all depends on what you want out of such a device.  Just remember, no matter what you get, the two biggest factors to consider are time and learning curve for setting up and maintaining it. 

That unit comes with a standard license of 10 users. 

Also realize that an IDS will need to be tuned to be effective, and no matter what, you will still get false positives.  Plus, if you do go the route with an integrated IDS, you will need to make it a habit to watch the logs and know what they are telling you.  Not all IDS systems are created equal.

If you are looking for an IDS, there are open source solutions.  Two that come to mind are Snort and Suricata.

http://www.snort.org/

http://suricata-ids.org/

For spam filters, I use Postfix with its Postscreen feature to filter out the spammers/spambots and use a few freely available black/block lists.  As an additional measure, once the sender gets through the Postscreen layer, I have e-mail subjected to greylisting using Postgrey.  This eliminates about 98% of all spam that I get on my system.

I personally use a Cisco firewall on my network.

If you are going to buy a business grade firewall, don't let price alone be the determining factor.  Do quite a bit of research and see what others are saying about the device you are looking at.  Find the online support forums and mailing lists that are out there, and look through them to see what sorts of problems and quirks people encounter.

And if you do settle on a unit, make sure that you understand how to set it up. Unlike the consumer grade firewalls that are normally found integrated into routers, etc.  These are typically not plug and play devices that you can add into your system and forget about.

And realize that firewalls are not the magic bullet to all network security problems you will face.  Security in depth for your network, just like in the physical world, is the best way to protect yourself.  A firewall will only give you a means to help control access to and from your network, and give you insight into what is really going on.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: micasaverde on August 04, 2013, 01:07:18 pm
In the interview with Crowley, he says that allowing local access over the LAN to control the Vera is a security risk because then if someone gets a virus or other malicious software on your computer, then they can remotely control your home.  True, BUT, (a) the hacker will also be able to log your keystrokes and get all your passwords and logins for everything, including online banking, and can do bill pay or payment transfers to take the money out of your bank account, and he'll have access to all your files, NAS devices, etc.  (b) there's nothing we can do about this anyway because if someone has a virus installed on your computer giving them remote control, even if there were no local access, the hacker would still log your password when you logged on remotely.  The only way around this is to have hardware authentication--one of those token/fobs that generates a number each time you press the button using a special algorithm, and which number is required every time you want to log in.  This is how banks handle the problem for things like commercial wire transfers.  But this means every family member would need to carry a fob with them at all times and go through a complex login process every time he wanted to just turn on the lights.  I discussed with Crowley months ago that we HAVE gone through security audits, and we implemented it the way we did for a reason because we had to balance usability with security.  And, we do allow the power users who understand all these tech issues to lock down the system, such as installing self-signed certs and modifying the browser settings to accept them.  He never disputed any of this.  I also pointed out that we've thought many times about whether we should allow local access over the home network, since, it's impossible to secure connections over the local network since most browsers by default will reject self-signed certs for local devices.  
But in the end, we've always concluded that if someone is physically inside your home already, and plugged into your home network, there's no reason why he'd want to hack into the Vera to unlock the door since he could just reach over and turn the door knob by hand anyway.  And allowing direct access to Vera over the home network has a lot of benefits; it's faster with less latency, it works even when the internet is down or in remote locations without internet, it allows the security-conscious homeowner to be disconnected from our servers, and it means we don't need to charge a monthly fee since we don't need to provide server infrastructure to facilitate everyone's day-to-day usage of the system.  So, none of the points TrustWave brought up were new; they were all things we've debated for years anyway.  And none of the "flaws" were accidental oversights, like he implied.  But, his goal is to get his name in the papers, and his story has a lot less intrigue once all the facts are revealed.  So, he took features, like upnp access, that are fully documented in our wiki anyway, and spun them as "discoveries" he made while doing his extensive research on the product.  And he took design decisions we made, and explained to him, and presented them as though these were hidden flaws we weren't aware of, which TrustWave managed to uncover, presumably because he wants the exposure and thinks he'll get companies to hire him to do security audits.  When he reached out to us several months ago, offering his services, and we declined, my assumption is he probably made similar offers to the other HA providers as well, since the issues are ubiquitous to every HA system, and that the others simply agreed to retain his firm and thus buy his silence, and the products he chose to bash are the ones that refused to pay up.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: Intrepid on August 04, 2013, 07:20:36 pm
I personally use a Cisco firewall on my network.

Thanks.

Does your firewall allow you to protect against (block) the SSH tunnel mios-phone-home issue that everyone is concerned about?  And Vera can't be the only device that does this port 80 SSH-thingy, is it?  What makes this device so concerning regarding mios hacks?  The fact that it's a router and can be used to tunnel to other things on the LAN?
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: SOlivas on August 04, 2013, 09:16:22 pm
Yes it does.  However, I am not currently blocking my Vera 3 from phoning home, sometime in the future I may, but for now I'm willing to accept the risk that the MiOS servers may be compromised and my HA controller becomes a springboard for something else.  I'm fairly confident that I would catch such an event happening though.


However, there looks to be an easier way than using a firewall to isolate the Vera.  Reading through the /usr/bin/cmh-ra-daemon.sh file (the file that initiates the "phone home" SSH tunnel connection to the MiOS servers), there are two settings in the /etc/cmh-ra/cmh-ra.conf file that are checked:

Code:
#user disabled MiOS remote service
if [[ "$RA_DISABLED" == "1" ]]; then log "MiOS Remote Control Service is disabled. We won't start RC tunnels..."; exit 1; fi
if [[ "$RA_DISALLOWED" == "1" ]]; then log "We don't have access to MiOS Remote Control Service..."; exit 1; fi

If either RA_DISABLED or RA_DISALLOWED is true, then the script stops and the remote tunnel should not be set up.


If you look at your file (at least on my Vera 3 with the latest firmware), you should see something similar to:

Code:
#!/bin/bash
RA_DISABLED=0
RA_DISALLOWED=0
PORT=31665

Change the 0's on either line to 1 and you should effectively kill the phone home feature.

You could also change the port to 0 as well if you really wanted to make sure that the system wouldn't connect to anything, since the script also checks for a port less than 1024, and if it finds such a value, terminates.


Hmm, I wonder how hard it would be to create a plugin that lets you toggle this behavior on and off, making it simple for the user who is afraid to poke under the hood?
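A small checker, added here and not taken from the thread or from the Vera firmware, that reads a cmh-ra.conf-style file and reports whether the tunnel script described above would proceed, applying the three stop conditions the post lists (RA_DISABLED=1, RA_DISALLOWED=1, or a PORT below 1024); the function names and the sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from MiOS/Vera firmware): report
# whether a cmh-ra.conf-style file would let the "phone home" SSH tunnel
# script proceed. It parses the file instead of sourcing it, so an unexpected
# line in the conf cannot execute anything on the machine doing the audit.

# Print the value of KEY from FILE (last assignment wins, comments ignored);
# prints nothing if the key is absent.
conf_value() {   # conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 if the tunnel would start, 1 if one of the checks would stop it.
# The reason is printed on stdout.
ra_tunnel_would_start() {   # ra_tunnel_would_start FILE
    disabled=$(conf_value "$1" RA_DISABLED)
    disallowed=$(conf_value "$1" RA_DISALLOWED)
    port=$(conf_value "$1" PORT)
    if [ "$disabled" = "1" ]; then
        echo "stopped: RA_DISABLED=1 (user disabled MiOS remote service)"; return 1
    fi
    if [ "$disallowed" = "1" ]; then
        echo "stopped: RA_DISALLOWED=1 (no access to MiOS remote service)"; return 1
    fi
    # A missing or non-numeric PORT is treated as a stop, the conservative reading.
    case "$port" in
        ''|*[!0-9]*) echo "stopped: PORT is not a number ('$port')"; return 1 ;;
    esac
    if [ "$port" -lt 1024 ]; then
        echo "stopped: PORT=$port is below 1024"; return 1
    fi
    echo "would start: remote tunnel on port $port"; return 0
}

# Constructed samples: the stock file as shown in the post, and a hardened copy
# with the remote service disabled and the port zeroed.
TMP=$(mktemp -d)
cat > "$TMP/stock.conf" <<'EOF'
#!/bin/bash
RA_DISABLED=0
RA_DISALLOWED=0
PORT=31665
EOF
cat > "$TMP/hardened.conf" <<'EOF'
#!/bin/bash
RA_DISABLED=1
RA_DISALLOWED=0
PORT=0
EOF

ra_tunnel_would_start "$TMP/stock.conf"
ra_tunnel_would_start "$TMP/hardened.conf" || echo "(hardened file keeps the tunnel down, as intended)"
rm -rf "$TMP"
```

Pointing the checker at the live /etc/cmh-ra/cmh-ra.conf after a firmware update is a quick way to confirm the setting survived the upgrade.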

 
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: guessed on August 04, 2013, 09:56:08 pm
@SOlivas,
Here's @futzle's original discussion thread showing how it's disabled:
    http://forum.micasaverde.com/index.php?topic=4782.10

We should probably keep the discussions centralized there, and any adaptations needed per-release, since it'll be easier to "pin" a single security thread for others to find.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: guessed on August 04, 2013, 11:04:17 pm
And Vera can't be the only device that does this port 80 SSH-thingy, is it?  What makes this device so concerning regarding mios hacks?  The fact that it's a router and can be used to tunnel to other things on the LAN?
Each programmable "thing" on your Network has the potential to be abused, and ultimately turned into something you didn't plan for.

For PC's (etc) we're all used to the normal "causes" for this stuff, and the typical starter-access comes from inside your own network (often, but not always)

Most devices connect your home to cloud services via some form of controlled Protocol and, barring bugs, there's a limit to what can be done over that protocol.  In the case of devices that use Operating systems at the core, and then layer open access protocols (eg. SSH), there's increased scope for something "bad" to be initiated at the "other end", and for the potential exploit to result in much greater damage.

It's been discussed before (aka using "RunLua" to launch a new Tunnel), but the potential damage isn't about loss of house access, or making your lights blink and/or garage open.  The potential in these cases is for any information you keep on your LAN to be exposed (Financial Records, PII, etc)

Of course, that would require breaking into a user's account via cp.mios.com and the fwd*.mios.com servers.

If someone wanted to do that, they'd likely write a password scanner, using the usual suspects, and then scrape usernames from the Forums.  The combination, whilst slow, would (in theory) eventually net some accounts/passwords, and then it's only a step away before they'd use the resulting SSH Tunnel to gain full access to that user's LAN.

Last time I checked, passwords on cp.mios.com were forced to be simpler than normal, and there was nothing that would lockout a user, or force secondary authentication, when they failed account access repeatedly...  If that's still the case, then it's simpler to write a bot.... that and you know there's a great concentration of people with "interesting stuff" all centralized behind those addresses, which makes it a great target if not well locked.

(broken into paragraphs for easier reading  8) )
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: SOlivas on August 04, 2013, 11:51:26 pm
@SOlivas,
Here's @futzle's original discussion thread showing how it's disabled:
    http://forum.micasaverde.com/index.php?topic=4782.10

We should probably keep the discussions centralized there, and any adaptations needed per-release, since it'll be easier to "pin" a single security thread for others to find.

Doh!

Sorry, I forgot to do a search before posting this.  Sorry. :)
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: SOlivas on August 04, 2013, 11:58:01 pm
And Vera can't be the only device that does this port 80 SSH-thingy, is it?  What makes this device so concerning regarding mios hacks?  The fact that it's a router and can be used to tunnel to other things on the LAN?
... someone wanted to do that, they'd likely write a password scanner, using the usual suspects, and then scrape usernames from the Forums.  The combination, whilst slow, would (in theory) eventually net some accounts/passwords, and then it's only a step away before they'd use the resulting SSH Tunnel to gain full access to that user's LAN.

Last time I checked, passwords on cp.mios.com were forced to be simpler than normal, and there was nothing that would lockout a user, or force secondary authentication, when they failed account access repeatedly...  If that's still the case, then it's simpler to write a bot.... that and you know there's a great concentration of people with "interesting stuff" all centralized behind those addresses, which makes it a great target if not well locked...


This brings two things to mind that every user should (or should not do):

1.  Do not have your forum username the same as your Vera login.  Also, don't try using a variation of your username either -- use something different that is unique and only you know
2.  Don't use the same password (or groups of passwords) on the sites you use (groups meaning, you have like 3 or 4 passwords that you use between all the sites you access, safer than 1 password for all, but still not as good as 1 password=1 site).  The "keys to the kingdom" threat is very real, if someone breaks one, knows some of the sites you visit, and then tries it on other sites.......



Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: Intrepid on August 05, 2013, 06:29:24 am
Each programmable "thing" on your Network has the potential to be abused, and ultimately turned into something you didn't plan for.

For PC's (etc) we're all used to the normal "causes" for this stuff, and the typically starter-access comes from inside your own network (often, but not always)

Most devices connect your home to cloud services via some form of controlled Protocol and, barring bugs, there's a limit to what can be done over that protocol.  In the case of devices that use Operating systems at the core, and then layer open access protocols (eg. SSH), there's increased scope for something "bad" to be initiated at the "other end", and for the potential exploit to result in much greater damage.

It's been discussed before (aka using "RunLua" to launch a new Tunnel), but the potential damage isn't about loss of house access, or making your lights blink and/or garage open.  The potential in these cases is for any information you keep on your LAN to be exposed (Financial Records, PII, etc)


Excellent explanation.  Thanks. 

Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: capjay on August 05, 2013, 08:39:30 am
@micasaverde

thanks for the clarification. I hope Mios servers have tightened security to prevent intrusions via that route..
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: FireBird on August 05, 2013, 11:31:58 am
I'm hoping the https://cp.mios.com page has a policy that doesn't allow more than 3-5 failed logins in a 30-60 minute time frame; this would help with any brute force attacks on the web portal.
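The lockout policy FireBird asks for, as an added example that is not part of this thread and not MiOS portal code: a sliding-window throttle that counts failed logins per account and per source address. Counting on both dimensions matters for the bot guessed sketches above, which spreads a list of usernames scraped from the forum across a few "usual suspects" passwords: no single account ever sees more than a couple of failures, so a per-account rule alone never fires, while the per-address counter does. The thresholds, the clock injection, the scanner address and the username/password lists in the simulation are all assumptions constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Policy values are assumptions for illustration. FireBird's 3-5 failures per
# 30-60 minutes maps onto the per-account limits; the per-address limits are
# looser but lock for longer, because one scanner address will spread its
# guesses across many accounts.
ACCOUNT_MAX_FAILURES = 5
ACCOUNT_WINDOW_SECS = 60 * 60
ACCOUNT_LOCK_SECS = 30 * 60
SOURCE_MAX_FAILURES = 20
SOURCE_WINDOW_SECS = 60 * 60
SOURCE_LOCK_SECS = 24 * 60 * 60


class LoginThrottle:
    """Sliding-window failed-login limiter keyed on account name and on source address.

    `clock` is injectable so the behaviour can be replayed deterministically."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lock expires

    def _recent(self, key, window, now):
        q = self._failures[key]
        while q and now - q[0] > window:   # drop failures older than the window
            q.popleft()
        return q

    def check(self, account, source_ip):
        """Return None if a login attempt may proceed, otherwise the reason it is refused."""
        now = self.clock()
        if self._locked_until.get(("ip", source_ip), 0) > now:
            return "source locked"
        if self._locked_until.get(("acct", account), 0) > now:
            return "account locked"
        return None

    def record_failure(self, account, source_ip):
        """Count one failed attempt on both dimensions and lock whichever overflows."""
        now = self.clock()
        limits = (
            (("acct", account), ACCOUNT_MAX_FAILURES, ACCOUNT_WINDOW_SECS, ACCOUNT_LOCK_SECS),
            (("ip", source_ip), SOURCE_MAX_FAILURES, SOURCE_WINDOW_SECS, SOURCE_LOCK_SECS),
        )
        for key, max_failures, window, lock_secs in limits:
            q = self._recent(key, window, now)
            q.append(now)
            if len(q) >= max_failures:
                self._locked_until[key] = now + lock_secs
                q.clear()

    def record_success(self, account):
        """A successful login clears the account's failure history; the address keeps its count."""
        self._failures.pop(("acct", account), None)

    def locked_accounts(self):
        now = self.clock()
        return sorted(k[1] for k, until in self._locked_until.items()
                      if k[0] == "acct" and until > now)


def simulate_scanner(usernames, passwords, source_ip="198.51.100.7"):
    """Replay the bot guessed describes: one address tries every username with each
    common password in turn. Every guess is assumed to fail (no real credentials).
    Returns (attempts_let_through, locked_accounts, source_is_locked)."""
    now = [1_000_000.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    let_through = 0
    for _password in passwords:
        for user in usernames:
            now[0] += 2.0  # one guess every two seconds
            if throttle.check(user, source_ip) is None:
                let_through += 1
                throttle.record_failure(user, source_ip)
    return (let_through, throttle.locked_accounts(),
            throttle.check("anyone", source_ip) == "source locked")


if __name__ == "__main__":
    # Constructed inputs: usernames as if scraped from the forum, and a short
    # list of "usual suspects" passwords.
    users = [f"forumuser{i}" for i in range(10)]
    guesses = ["password", "123456", "vera", "letmein", "qwerty"]
    print(simulate_scanner(users, guesses))  # (20, [], True)
```

Two caveats a practitioner would want. A per-account lock is something an attacker can trigger on purpose against the real owner once the username is known, which is why the short account lock and the separation of forum and portal usernames that SOlivas recommends go together. And the per-address counter only catches a scanner coming from one place; a botnet spread over many addresses defeats it, so throttling complements, rather than replaces, strong unique passwords and a second factor.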
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: oTi@ on August 05, 2013, 11:55:42 am
Thanks @micasaverde.

Now quoted with friendly white space added:
In the interview with Crowley, he says that allowing local access over the LAN to control the Vera is a security risk because then if someone gets a virus or other malicious software on your computer, then they can remotely control your home.

True, BUT, (a) the hacker will also be able to log your keystrokes and get all your passwords and logins for everything, including online banking, and can do bill pay or payment transfers to take the money out of your bank account, and he'll have access to all your files, NAS devices, etc.  (b) there's nothing we can do about this anyway because if someone has a virus installed on your computer giving them remote control, even if there were no local access, the hacker would still log your password when you logged on remotely.

The only way around this is to have hardware authentication--one of those token/fobs that generates a number each time you press the button using a special algorithm, and which number is required every time you want to log in.  This is how banks handle the problem for things like commercial wire transfers.  But this means every family member would need to carry a fob with them at all times and go through a complex login process every time he wanted to just turn on the lights.

I discussed with Crowley months ago that we HAVE gone through security audits, and we implemented it the way we did for a reason because we had to balance usability with security.  And, we do allow the power users who understand all these tech issues to lock down the system, such as installing self-signed certs and modifying the browser settings to accept them.  He never disputed any of this.

I also pointed out that we've thought many times about whether we should allow local access over the home network, since, it's impossible to secure connections over the local network since most browsers by default will reject self-signed certs for local devices.

But in the end, we've always concluded that if someone is physically inside your home already, and plugged into your home network, there's no reason why he'd want to hack into the Vera to unlock the door since he could just reach over and turn the door knob by hand anyway.

And allowing direct access to Vera over the home network has a lot of benefits; it's faster with less latency, it works even when the internet is down or in remote locations without internet, it allows the security-conscious homeowner to be disconnected from our servers, and it means we don't need to charge a monthly fee since we don't need to provide server infrastructure to facilitate everyone's day-to-day usage of the system.

So, none of the points TrustWave brought up were new; they were all things we've debated for years anyway.  And none of the "flaws" were accidental oversights, like he implied.

But, his goal is to get his name in the papers, and his story has a lot less intrigue once all the facts are revealed.  So, he took features, like upnp access, that are fully documented in our wiki anyway, and spun them as "discoveries" he made while doing his extensive research on the product.

And he took design decisions we made, and explained to him, and presented them as though these were hidden flaws we weren't aware of, which TrustWave managed to uncover, presumably because he wants the exposure and thinks he'll get companies to hire him to do security audits.

When he reached out to us several months ago, offering his services, and we declined, my assumption is he probably made similar offers to the other HA providers as well, since the issues are ubiquitous to every HA system, and that the others simply agreed to retain his firm and thus buy his silence, and the products he chose to bash are the ones that refused to pay up.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: garrettwp on August 05, 2013, 01:19:29 pm
I wanted to add that along with vlans to separate your network, I make sure I apply firewall rules on my computers and servers in my house. Especially my main server. For all of the services the box hosts (nfs, samba, squeezebox server, etc). I apply firewall rules to only allow certain computers that need access on my network to those services. Same goes for all of my virtual machines. I also run network scans to see what devices have what open and secure what I can from there. It might sound like over kill, but better safe than sorry.

So if someone were to gain access to MCV's fwd servers and try and open a rogue port into my network, they would have a hard time gaining access to my internal boxes because of the firewall restrictions. I also disable upnp at the firewall to prevent  unauthorized devices punching a hole into my firewall.

If you want to go even further my linux boxes all have a service to block any ip after so many failed attempts. There are also firewalls that allow for this as well.

- Garrett
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: micasaverde on August 05, 2013, 01:23:29 pm
Quote
I hope Mios servers have tightened security to prevent intrusions via that route..

Actually this is what we've been working on the past 9 months.  We've re-written the whole back-end server infrastructure ourselves, from scratch in C++, and will no longer be using .php.  We now have an OpenID (like facebook's) authentication mechanism, with various permission tokens.  And we have 3 different data centers now in the US, Europe and Asia, with DNS regional routing/load balancing so users will get faster access.  This new version has been in our internal beta testing for a couple months, but there are so many changes it's taking us longer than we wanted to get it out (it required re-writing all the scripts on the Vera, plus a lot of changes to the engine).  With the new servers we've changed the way everything works and data is stored to provide more security, redundancy and speed.

However, even with the current servers, to my knowledge they have never been compromised.  We have gone through 3rd party security audits already.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: garrettwp on August 05, 2013, 01:37:29 pm
Thanks Aaron for the info.

- Garrett
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: SOlivas on August 05, 2013, 11:43:50 pm
If you want to go even further my linux boxes all have a service to block any ip after so many failed attempts. There are also firewalls that allow for this as well.

I personally like sshguard for blocking anyone from trying to hit my SSH server too hard, with a really long block period and really touchy trigger.  Down side is, if I am remote and screw up, I'm toast for a while (unless I come in from somewhere else).

Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: garrettwp on August 06, 2013, 12:55:41 am
If you want to go even further my linux boxes all have a service to block any ip after so many failed attempts. There are also firewalls that allow for this as well.

I personally like sshguard for blocking anyone from trying to hit my SSH server too hard, with a really long block period and really touchy trigger.  Down side is, if I am remote and screw up, I'm toast for a while (unless I come in from somewhere else).

I use fail2ban and configure it for most of my services that require a port open on the server itself. I ban failed attempts for at least 24 hours.

- Garrett
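As an added example of the fail2ban/sshguard pattern Garrett and SOlivas describe (this is not code from either tool or from this thread), the function below applies a fail2ban-style filter to sshd log lines: it pulls the source address out of each failed-authentication line, skips addresses on a trusted list so a typo from your own remote address does not lock you out (the downside SOlivas mentions), bans an address after `MAXRETRY` failures inside `FINDTIME`, and lifts the ban after `BANTIME`. The log lines are constructed for the example; the jail values, the year (syslog timestamps carry none) and the `IGNOREIP` networks are assumptions, and the function returns the actions a jail would hand to the firewall instead of running them.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# fail2ban-style jail settings (assumptions for this example; Garrett bans for 24h,
# SOlivas prefers a "really touchy trigger").
MAXRETRY = 3
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(hours=24)

# Addresses that must never be banned: the LAN and, as an assumption, a remote
# subnet you administer from. This is what saves you from your own typos.
IGNOREIP = [ipaddress.ip_network("192.168.1.0/24"),
            ipaddress.ip_network("203.0.113.0/24")]

# Matches OpenSSH "Failed password" lines in a syslog-format auth log. Only this
# line is counted; a real filter must not also count the companion
# "Invalid user ... from ..." line or every bad attempt is counted twice.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+)"
)


def parse_failure(line, year=2013):
    """Return (timestamp, ip) for a failed-login line, or None for any other line."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def is_ignored(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNOREIP)


def run_jail(lines, year=2013):
    """Replay log lines in order; return the actions a jail would take, as
    ('ban', ip, when_banned) and ('unban', ip, when_expired) tuples."""
    failures = {}      # ip -> failure times inside FINDTIME
    banned_until = {}  # ip -> expiry of the ban
    actions = []
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        when, ip = parsed
        # Expire bans that have run out before this event.
        for banned_ip, expiry in list(banned_until.items()):
            if when >= expiry:
                actions.append(("unban", banned_ip, expiry))
                del banned_until[banned_ip]
        if is_ignored(ip) or ip in banned_until:
            continue
        recent = [t for t in failures.get(ip, []) if when - t <= FINDTIME]
        recent.append(when)
        failures[ip] = recent
        if len(recent) >= MAXRETRY:
            banned_until[ip] = when + BANTIME
            failures[ip] = []
            actions.append(("ban", ip, when))
    return actions


# Constructed sample log: one scanner address, and the owner mistyping a
# password from the trusted remote subnet.
SAMPLE_LOG = """\
Aug  6 01:00:01 home sshd[2101]: Failed password for root from 198.51.100.9 port 40122 ssh2
Aug  6 01:00:04 home sshd[2101]: Failed password for root from 198.51.100.9 port 40122 ssh2
Aug  6 01:00:05 home sshd[2103]: Failed password for garrett from 203.0.113.40 port 50201 ssh2
Aug  6 01:00:07 home sshd[2101]: Failed password for invalid user admin from 198.51.100.9 port 40130 ssh2
Aug  6 01:00:09 home sshd[2103]: Failed password for garrett from 203.0.113.40 port 50201 ssh2
Aug  6 01:00:11 home sshd[2103]: Accepted password for garrett from 203.0.113.40 port 50201 ssh2
Aug  6 01:00:12 home sshd[2103]: Failed password for garrett from 203.0.113.40 port 50201 ssh2
Aug  6 01:30:00 home sshd[2150]: Failed password for root from 198.51.100.9 port 40300 ssh2
Aug  7 01:00:08 home sshd[3001]: Failed password for root from 198.51.100.9 port 41000 ssh2
"""


def jail_actions_for_sample():
    return run_jail(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for action in jail_actions_for_sample():
        print(*action)
```

On the sample, 198.51.100.9 is banned at its third failure and unbanned 24 hours later, while 203.0.113.40 accumulates three failures and is never banned because it is inside `IGNOREIP`; the attempt during the ban is not counted, so the ban is not extended by traffic that the firewall is already dropping. In a real deployment the `ban` action becomes a firewall rule (fail2ban's default is an iptables DROP for the address), and the exact sshd line formats vary between OpenSSH versions, so check the regex against your own log before trusting it.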
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: dcrowley on August 06, 2013, 02:35:43 pm
Hi, this is Mr. Crowley, the researcher who discovered and presented on vulnerabilities in the VeraLite. I wanted to respond to the post from MiCasaVerde to present my side and to clarify the vulnerabilities discovered a bit, so here it is with comments in-line marked with >>>

"""
In the interview with Crowley, he says that allowing local access over the LAN to control the Vera is a security risk because then if someone gets a virus or other malicious software on your computer, then they can remotely control your home.

True, BUT, (a) the hacker will also be able to log your keystrokes and get all your passwords and logins for everything, including online banking, and can do bill pay or payment transfers to take the money out of your bank account, and he'll have access to all your files, NAS devices, etc.  (b) there's nothing we can do about this anyway because if someone has a virus installed on your computer giving them remote control, even if there were no local access, the hacker would still log your password when you logged on remotely.

>>> While having malware on your computer is bad, having malware on your computer which can open your door or disable your alarm system is REALLY bad. There's no need for MiCasaVerde to ignore the additional risk. Additionally, if you have an open wireless router, weak passphrase, or weak wireless security (WEP) an attacker could access and exploit the VeraLite. More than that, since UPnP allows cross-protocol exploitation, a malicious web site could instruct your browser to set up a backdoor on the VeraLite to allow remote control without exploiting any flaw in your browser or requiring any user interaction.

The only way around this is to have hardware authentication--one of those token/fobs that generates a number each time you press the button using a special algorithm, and which number is required every time you want to log in.  This is how banks handle the problem for things like commercial wire transfers.  But this means every family member would need to carry a fob with them at all times and go through a complex login process every time he wanted to just turn on the lights.

>>> The way around this is to require a username and password to control the VeraLite, even from the LAN, even on the UPnP interface.

I discussed with Crowley months ago that we HAVE gone through security audits, and we implemented it the way we did for a reason because we had to balance usability with security.  And, we do allow the power users who understand all these tech issues to lock down the system, such as installing self-signed certs and modifying the browser settings to accept them.  He never disputed any of this.

>>> MiCasaVerde did not have a conversation with me directly, but with the advisories team at Trustwave. I do not dispute that it's possible to close all the holes in the VeraLite if you have the skills and time and tools to perform a comprehensive security audit and patch all the security flaws. I disagree with the decision to ship it in a condition that allows only highly technical users to have a system which isn't easy to attack.

I also pointed out that we've thought many times about whether we should allow local access over the home network, since, it's impossible to secure connections over the local network since most browsers by default will reject self-signed certs for local devices.

>>> If you use a CA signed cert, this should be no issue.

But in the end, we've always concluded that if someone is physically inside your home already, and plugged into your home network, there's no reason why he'd want to hack into the Vera to unlock the door since he could just reach over and turn the door knob by hand anyway.

>>> WiFi networking, malware, and cross-protocol exploitation make it unnecessary to be physically inside a target home.

And allowing direct access to Vera over the home network has a lot of benefits; it's faster with less latency, it works even when the internet is down or in remote locations without internet, it allows the security-conscious homeowner to be disconnected from our servers, and it means we don't need to charge a monthly fee since we don't need to provide server infrastructure to facilitate everyone's day-to-day usage of the system.

So, none of the points TrustWave brought up were new; they were all things we've debated for years anyway.  And none of the "flaws" were accidental oversights, like he implied.

>>> The flaws allow an attacker to bypass authentication and separation of privileges implemented by MiCasaVerde. It's a very odd feature that I can get root code execution with one UPnP request, as it directly conflicts with the security features available on the VeraLite.

But, his goal is to get his name in the papers, and his story has a lot less intrigue once all the facts are revealed.  So, he took features, like upnp access, that are fully documented in our wiki anyway, and spun them as "discoveries" he made while doing his extensive research on the product.

>>> I do not deny that media attention benefits both myself and my company. While media attention was part of the motivation behind this research, improving the security of devices which control our homes was a large part of it as well.

And he took design decisions we made, and explained to him, and presented them as though these were hidden flaws we weren't aware of, which TrustWave managed to uncover, presumably because he wants the exposure and thinks he'll get companies to hire him to do security audits.

>>> My only communication with MiCasaVerde about the VeraLite was after the research. MiCasaVerde responded by saying that the vulnerabilities discovered (several of which allow for root level compromise of the VeraLite unit, some without any prior information or credentials) were all features and the explanation of these features went no further than saying that these were considered features.

When he reached out to us several months ago, offering his services, and we declined, my assumption is he probably made similar offers to the other HA providers as well, since the issues are ubiquitous to every HA system, and that the others simply agreed to retain his firm and thus buy his silence, and the products he chose to bash are the ones that refused to pay up.

>>> Neither myself nor Trustwave offered services to you, we offered to discuss the vulnerabilities and help you design and deploy fixes at no cost, as it is irresponsible for us to disclose vulnerabilities without attempting to coordinate a patch with the vendor selling the vulnerable product. In our communication with you, you asked which of your competitors paid us to do this, and if we were asking for hush money. Trustwave told you that we are researching this on our own dime, that we would publish the report regardless of any action by MiCasaVerde, and that we were not interested in money. My research suggests that you're right about home automation gear being vulnerable in general. This doesn't make it any better to have a vulnerable product. If people continue to buy and deploy home automation gear and connect their door locks, security cameras and alarm systems to this gear, it should undergo security review.
"""

I'd also like to state that after all the media attention, MiCasaVerde has reached out to me asking to discuss the vulnerabilities. Despite this post stating that Trustwave is in the business of extortion and email communications from MiCasaVerde stating that they would be looking closely for any slander or libel, I will be working with MiCasaVerde to try to get these issues patched up and improve the security of MiCasaVerde's products at no cost.

For those who want technical details of the vulnerabilities so they can decide for themselves what the severity of the issues are, look here: https://www.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt (https://www.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt)

EDIT: Clarified details on how VeraLite can be compromised from afar
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: garrettwp on August 06, 2013, 02:46:58 pm
Mr. Crowley,

Thank you for posting a response and providing the details.

- Garrett
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: oTi@ on August 06, 2013, 03:52:10 pm
Thanks @dcrowley.

Quote from: @micasaverde
In the interview with Crowley, he says that allowing local access over the LAN to control the Vera is a security risk because then if someone gets a virus or other malicious software on your computer, then they can remotely control your home.

True, BUT, (a) the hacker will also be able to log your keystrokes and get all your passwords and logins for everything, including online banking, and can do bill pay or payment transfers to take the money out of your bank account, and he'll have access to all your files, NAS devices, etc.  (b) there's nothing we can do about this anyway because if someone has a virus installed on your computer giving them remote control, even if there were no local access, the hacker would still log your password when you logged on remotely.
>>> While having malware on your computer is bad, having malware on your computer which can open your door or disable your alarm system is REALLY bad. There's no need for MiCasaVerde to ignore the additional risk. Additionally, if you have an open wireless router, weak passphrase, or weak wireless security (WEP) an attacker could access and exploit the VeraLite. More than that, since UPnP allows cross-protocol exploitation, a malicious web site could instruct your browser to set up a backdoor on the VeraLite to allow remote control without exploiting any flaw in your browser or requiring any user interaction.

Quote from: @micasaverde
The only way around this is to have hardware authentication--one of those token/fobs that generates a number each time you press the button using a special algorithm, and which number is required every time you want to log in.  This is how banks handle the problem for things like commercial wire transfers.  But this means every family member would need to carry a fob with them at all times and go through a complex login process every time he wanted to just turn on the lights.
>>> The way around this is to require a username and password to control the VeraLite, even from the LAN, even on the UPnP interface.

Quote from: @micasaverde
I discussed with Crowley months ago that we HAVE gone through security audits, and we implemented it the way we did for a reason because we had to balance usability with security.  And, we do allow the power users who understand all these tech issues to lock down the system, such as installing self-signed certs and modifying the browser settings to accept them.  He never disputed any of this.
>>> MiCasaVerde did not have a conversation with me directly, but with the advisories team at Trustwave. I do not dispute that it's possible to close all the holes in the VeraLite if you have the skills and time and tools to perform a comprehensive security audit and patch all the security flaws. I disagree with the decision to ship it in a condition that allows only highly technical users to have a system which isn't easy to attack.

Quote from: @micasaverde
I also pointed out that we've thought many times about whether we should allow local access over the home network, since, it's impossible to secure connections over the local network since most browsers by default will reject self-signed certs for local devices.
>>> If you use a CA signed cert, this should be no issue.

Quote from: @micasaverde
But in the end, we've always concluded that if someone is physically inside your home already, and plugged into your home network, there's no reason why he'd want to hack into the Vera to unlock the door since he could just reach over and turn the door knob by hand anyway.
>>> WiFi networking, malware, and cross-protocol exploitation make it unnecessary to be physically inside a target home.

Quote from: @micasaverde
And allowing direct access to Vera over the home network has a lot of benefits; it's faster with less latency, it works even when the internet is down or in remote locations without internet, it allows the security-conscious homeowner to be disconnected from our servers, and it means we don't need to charge a monthly fee since we don't need to provide server infrastructure to facilitate everyone's day-to-day usage of the system.

So, none of the points TrustWave brought up were new; they were all things we've debated for years anyway.  And none of the "flaws" were accidental oversights, like he implied.
>>> The flaws allow an attacker to bypass authentication and separation of privileges implemented by MiCasaVerde. It's a very odd feature that I can get root code execution with one UPnP request, as it directly conflicts with the security features available on the VeraLite.

Quote from: @micasaverde
But, his goal is to get his name in the papers, and his story has a lot less intrigue once all the facts are revealed.  So, he took features, like upnp access, that are fully documented in our wiki anyway, and spun them as "discoveries" he made while doing his extensive research on the product.
>>> I do not deny that media attention benefits both myself and my company. While media attention was part of the motivation behind this research, improving the security of devices which control our homes was a large part of it as well.

Quote from: @micasaverde
And he took design decisions we made, and explained to him, and presented them as though these were hidden flaws we weren't aware of, which TrustWave managed to uncover, presumably because he wants the exposure and thinks he'll get companies to hire him to do security audits.
>>> My only communication with MiCasaVerde about the VeraLite was after the research. MiCasaVerde responded by saying that the vulnerabilities discovered (several of which allow for root level compromise of the VeraLite unit, some without any prior information or credentials) were all features and the explanation of these features went no further than saying that these were considered features.

Quote from: @micasaverde
When he reached out to us several months ago, offering his services, and we declined, my assumption is he probably made similar offers to the other HA providers as well, since the issues are ubiquitous to every HA system, and that the others simply agreed to retain his firm and thus buy his silence, and the products he chose to bash are the ones that refused to pay up.
>>> Neither myself nor Trustwave offered services to you, we offered to discuss the vulnerabilities and help you design and deploy fixes at no cost, as it is irresponsible for us to disclose vulnerabilities without attempting to coordinate a patch with the vendor selling the vulnerable product. In our communication with you, you asked which of your competitors paid us to do this, and if we were asking for hush money. Trustwave told you that we are researching this on our own dime, that we would publish the report regardless of any action by MiCasaVerde, and that we were not interested in money. My research suggests that you're right about home automation gear being vulnerable in general. This doesn't make it any better to have a vulnerable product. If people continue to buy and deploy home automation gear and connect their door locks, security cameras and alarm systems to this gear, it should undergo security review.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: micasaverde on August 19, 2013, 02:18:15 pm
Crowley,

First, there are some technical inaccuracies in your claim, but most significantly is the gross way you misrepresent the product.  For example, in this interview: http://edition.cnn.com/video/?/video/us/2013/08/14/pkg-laurie-segall-hack-your-house.cnn&iref=obnetwork

They say that you, as a hacker, are able to lock and unlock the door.  What they don't say is that you are doing it using the software and tools that we provide in the user's manual, and that ANYBODY, even with no technical skills, could do what you're doing because the whole point of the system is to allow someone to remotely control the system.  It's like saying "A hacker identified a serious security flaw in Ford automobiles.  If the hacker is inside the car, he can actually unlock the doors and open the trunk by using these hidden buttons (door unlock and trunk open).  Worse yet, if the hacker has the keys to the car, he can actually unlock the car from the OUTSIDE!  This is a major security flaw."

>>> The way around this is to require a username and password to control the VeraLite, even from the LAN, even on the UPnP interface.

I'm not sure whether you're technically unfamiliar with network protocols or deliberately being naive.  However you understand that HTTP authentication is NOT encrypted.  When a device on the local network prompts for a username/password, like a wifi router, that password is broadcast UNENCRYPTED over the network, so any hacker that has access to the network will have access to the password.  So, we deliberately, therefore, do not ask the user to enter his password over the local network because then we would be exposing his password to anybody on his network, and there's a likelihood that could be the same password he uses for email, banking, etc.  The passwords on local network devices if anything give a false sense of confidence because people think that means it's secure, when in fact it's not, and the password is broadcast for anyone to see.

The fact that you would suggest that we introduce such a glaring security flaw as a "fix" is shocking.

Regarding a password over UPNP, well, then it would no longer be standard UPNP now would it.  You make it sound like having UPNP control is a "flaw" that we somehow overlooked, when it's the opposite, it's a feature we advertise which we spent countless hours implementing.  The whole point is to have an open platform so that more advanced users can control the system using a plethora of commonly available UPNP clients.  We have users controlling the system with picture frame viewers, TV apps, etc.  If we put a password on UPNP, none of those clients would work.

>>>  I do not dispute that it's possible to close all the holes in the VeraLite if you have the skills and time and tools to perform a comprehensive security audit and patch all the security flaws.

We HAVE gone through comprehensive, third party security audits.  Understand that our software engine is licensed by utility companies, telephone companies, cable TV operators, and our clients have collectively hundreds of millions of clients.  And these licensors, many of which are huge companies with tens of thousands of employees and security teams, have hired third party security companies to do a full audit of the system.  They obviously have not, and would not, hire you, because anybody who suggests you fix the vulnerability by broadcasting the users password unencrypted would never be trusted by those kinds of clients.

>>> If you use a CA signed cert, this should be no issue.

Again, I'm not sure if you're clueless about the technology or what.  But you should lookup how SSL works.  When a CA signs an SSL certificate, that certificate is bound to a static IP and a domain name.  So, like I said already, to use https on the local network the user would have to have a static IP, a resolvable domain with DNS, and pay money to a third party SSL signer to issue a cert.  Or configure his browser to accept self-signed certs.  Either way, it's beyond the skill set of anyone but an IT developer and, although Vera is the "techy" version of our product, we're trying to simplify setup and telling users to get a commercial T1 and buy an SSL cert to use the system is a big step in the other direction.

I'll give you the benefit of the doubt and assume that your proposed "fixes", which in fact would only introduce security flaws, are due to ignorance of the technology rather than deliberate misinformation.  However, what is inexcusable is that I explained all these issues to TrustWave months ago, and you just chose to ignore them (unless they're just too technical and went over your head), and run silly pieces like that one on CNN where you take a Vera, follow the instructions in the user's manual, and demonstrate that the product works as advertised (namely that you can control the door over the network), and preface it by saying "a hacker demonstrates how you can unlock a door".

Lastly, we have for years offered an alternative solution, which is what the service providers use, which turns off all local access (UPNP and otherwise), and only allows the user to access his system through our servers over https.  This is a secure system that has never been compromised.  But, naturally, it requires an ongoing service commitment since we provide server infrastructure that is used every time a user wants to turn off a light.  So, there's always a monthly fee.  And, it doesn't allow third party upnp clients to control the system.  The VeraLite is marketed as an alternative with no monthly-fee, that does NOT require the use of our servers, and does NOT even require internet access so it can be used in remote locations, and which is open for power users to do what they want with.  And we put right in the docs that because of this it's imperative the user secures his wi-fi network because everyone on the local network is assumed to be a trusted user.  You take what is a marketable feature and claim it's some security flaw even after we explained it to you.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: micasaverde on August 19, 2013, 02:27:29 pm
Crowley,

Regarding your statement: "Trustwave told you that we are researching this on our own dime, that we would publish the report regardless of any action by MiCasaVerde, and that we were not interested in money"

That's a flat-out lie.  Please, post here publicly on the forum a copy/paste of whatever communication you claim TrustWave sent us that says anything remotely to this effect.  I never saw it.  The only communication I got from Trustwave was from Robert Foggia, who appears to be in your sales side, and was offering services to us.  Here is a direct quote of his email:

"Our organization performs network and application penetration services for clients who hire us to identify weaknesses in their own business environments. The main goal in these engagements is to assess the security of the network by allowing the "good guys" to attempt to break-in to a business network before the "bad guys" have the opportunity to do so."

Unless you can provide any communication that you were "not interested in money", I stand by my assessment that you engaged in some kind of shakedown, threatening to spread laughable claims about our product, unless we paid you money.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: micasaverde on August 22, 2013, 11:50:29 am
Crowley,

All our communication with trust wave was over email, so if you really did tell us 'you were not interested in money' you would have accepted my challenge to copy/paste this.  The fact is, as I said before, it's a total lie.  Trust wave has the exact same business model as a patent troll.  You contribute absolutely nothing, you produce nothing, and are parasites that make a living trying to figure out how to get people to give you money.

The fact is that, as I copied/pasted, your sales person contacted us explaining that you were going to do a security review of VeraLite.  At the same time he offered us your services to be the "good guys" and play on our team.   Since we've already gone through several 3rd party security reviews, I declined.  Then he says they've uncovered some 'defects' and wants to work with us to get them resolved.  So I asked for the defects, and he sends me 6 items--all of which were features documented in our user's manual, like the fact that we allow control over UPnP, and that users are exposed if they don't secure their wi-fi.  I refused to pay trust wave for an 'audit' that consists of just reading to us what is already in our user's manual, including the warnings that we ourselves already published.  And I asked if trust wave had any proposed solutions, in other words, if trust wave could actually contribute anything of value at all or if it was purely a shakedown.  But you were unable to propose any solutions.  So, then trust wave tells us that you're going to publicly report this "research".  And then you go on CNN and anybody else who will listen to you, and you say "I'm a hacker, look how I can unlock this door lock.", not telling everybody that you are unlocking YOUR OWN door lock with YOUR OWN Vera using the tools we provide and the APIs we document in the user's manual.  In other words, all you do is demonstrate that the product works as advertised, and it's immaterial whether you're a hacker or a nurse.  But because these claims are prefaced with the "I'm a hacker" claim, you know that viewers will wrongly assume that you were able to control someone else's door lock.

You operate exactly the same way as patent trolls, like Pangea Intellectual Properties, who claimed they patented the very concept of e-commerce, and then went threatening small companies with lawsuits if they didn't pay up, and their rationale was always that it would cost less to pay them off than to fight a lawsuit.  Similarly, trust wave, like PanIP, offered absolutely nothing of value, and made it clear that it would cost us less to pay you guys off than to deal with the fallout from your lies and slander.  But, since, according to Boston University, you trolls cost the economy an estimated $29 billion, we figured it would be unethical to pay you parasites because you would just use the money to go after other innocent companies and keep perpetuating the problem that puts a drag on the economy.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: dcrowley on August 28, 2013, 01:49:09 am
@micasaverde: I don't have time to argue this endlessly and as such this will be my last post on the matter.

If you want to claim that my company and I are engaged in extortion, please post the entire email thread so that people can make their own determinations about what happened. On a related note, Robert Foggia is on our advisories team. When an employee of Trustwave discovers a vulnerability, it is the job of the advisories team to try to work with the vendor to communicate the details and help figure out a strategy for producing and distributing a fix, then inform the public once the vendor confirms (either through communication or refusal to communicate) that no fix is forthcoming or that a fix has been distributed. This is known as "responsible disclosure". http://en.wikipedia.org/wiki/Responsible_disclosure

The vulnerabilities in the VeraLite allow, among other things, for any person who can directly contact it on the network (or trick someone on the same network to visit an attacker-controlled webpage) to instruct the VeraLite to run arbitrary code under the highest privilege level account on the system. This may have been by design, but if this were a part of any operating system or piece of software, it would be considered a glaring security hole. It is, in fact, a glaring security hole in the VeraLite, despite its potential usefulness to your customers. If I build a product that allows anyone full control without verifying that they should have it, that is a vulnerable product. Period.

The technical report on the flaws is available at https://www.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt (https://www.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt) and those interested can draw their own conclusions on whether your product as-is poses a risk to its users.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: RexBeckett on August 28, 2013, 07:19:59 am
@micasaverde,

I'm a VeraLite owner with a vested interest in potential security vulnerabilities. Regardless of the rights and wrongs of the process, details of these have now been published. Are you able to tell me what steps MCV are taking to reduce the potential for unauthorized access to my system?
 
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: micasaverde on August 28, 2013, 11:03:00 am
@dcrowley, nobody is asking you to "argue endlessly".  There is one simple, glaring, obvious, black & white issue which you keep avoiding.  I will even word it as a simple 'yes' or 'no' question, so all you need to do is post a simple reply with 'yes' or 'no'.

Now you have had time to verify my claims that (a) we cannot use https (secure) with a device on the local network because browsers by default will only accept certs that are verifiable by a 3rd party CA and bound to a specific domain/IP, and (b) if we put a password on a local network device using standard HTTP authentication, as you recommended, that password is transmitted across the network unencrypted, so that a hacker who has access to the network will be able to see the password and thus will STILL have access just as he does now, but will ALSO now know the user's password, which might be shared with other sites, like email and online banking.

So the simple question is: Do you acknowledge that the claims made above are correct?

YES OR NO.  All you need to do is say YES or NO.

The reason why you keep running from this simple issue is that if you answer 'No' and deny those claims, then anybody with rudimentary networking knowledge will realize that you have no clue what you are talking about, since the claims are basic knowledge that, if you were a legitimate security consultant and not some troll, you would have known.  If you answer 'Yes', then you have admitted that the "fix" which you have proposed would not only fix nothing, it would actually introduce a much, much bigger glaring security problem.

I dare you to answer that question.  But I can safely predict that you will run from that challenge, just like you ran from my challenge to copy/paste the email you claimed to have sent saying that TrustWave wasn't trying to get money from us.  Since I'm not looking for a debate, just a simple 'yes' or 'no', do you seriously think anybody can't see through the fact that you're just a pathetic troll trying to extort money without actually contributing anything of value?

Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: micasaverde on August 28, 2013, 11:14:06 am
@RexBeckett, we are still discussing how to address the issues TrustWave has brought up.

We are debating about putting a 'security' tab in the UI that gives the user the following options:

1.  Leave local network access open.  The advantage is you can use the system even if your internet is down.  But the drawback is that you must ensure your wi-fi is secure because anyone on the local network will have access to the device.

2.  Accept the recommendations that TrustWave has proposed of using HTTP authentication with a local password.  TrustWave has gone on many major media outlets recommending this.  However we do not recommend this since any hacker on your local network will be able to see the password anyway and thus will not only have access to the system, but will also know your password.  We have hired a credible, neutral third-party security agency to review TrustWave's recommendations, and their conclusion about TrustWave is __HERE__.

3.  Install a self-signed certificate.  This requires configuration changes to your browser, but it is secure.  Instructions are __HERE__.

4.  Turn off local network access completely, and require you to only access the system through our servers.  This is secure, however it means you cannot use the system if you do not have internet access, other devices on the network will not be able to control the system, and there is a monthly fee associated.  To sign up, click __HERE__

@RexBeckett, if the UI presents you with those 4 options, would that satisfy you?  Or can you think of another 5th option that you would prefer?  Given the choices, which option would you choose?
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: RichardTSchaefer on August 28, 2013, 11:53:38 am
While you are at it you should consider also requiring a password on:
   /sta1.mios.com/locator_json.php
When it is NOT on the LAN.
This will affect 3rd party Apps that try to locate the proper connection server when on the internet.

When not on a LAN with Vera try:
http://sta1.mios.com/locator_json.php?username=Richard
http://sta1.mios.com/locator_json.php?username=John

I find it a problem that you can guess some names and find they have a Vera ... Then presumably try a password cracker to gain access through your servers.

They should only get valid information with a Proper Username and Password.
Otherwise they should get the same result as NO Vera found on LAN.


Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: micasaverde on August 28, 2013, 12:19:07 pm
@RichardTSchaefer, we have a new back-end server system, MMS, which uses OpenID authentication and a standard, secure RESTful API, and it has gone through an external security audit.  We have already modified our mobile apps to use the new backend and are working with 3rd parties as well to get the apps updated.  We're hoping to push this new firmware to our Beta Testers next month.

That will address the issue that information like the firmware version and serial number is exposed, although those are not particularly useful to a hacker anyway.  However the concern you bring up in your post seems to be that this URL allows a hacker to determine if a username is valid or not.  I can see why a hacker would want to know if a username was in use before spending the time trying to crack the password.  But I don't see any way around this.  Even though MMS doesn't have the locator service, any hacker could simply choose 'register an account' and try to create an account with the username he wants to target.  If the username exists and is valid, the system will tell the user to pick another username, since it has to be unique.  I've not seen any system that is able to keep whether or not a username is valid a secret.  Even with Google, Facebook, Yahoo, Amazon, banking sites, etc. they are all exposed the same way--it's very easy to determine if a username is already in use.

Have you ever seen a system where they are able to keep it a secret whether a username already exists or not?  If so, how did they accomplish it?  Since a username is universally considered to be unique, how do they keep from notifying you if a username is already in use if you try to register it?
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: RexBeckett on August 28, 2013, 12:25:44 pm
@micasaverde,

Many thanks for your detailed response to my question. I like the idea of giving users the option as to how they would like local access to be secured. I have not been able to follow your references, though. None of the __HERE__ links contain any url.

I would want to maintain local access both with and without internet availability. I am attracted by the use of a self-signed certificate - subject to my better understanding of the process.
 
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: OtisPresley on August 28, 2013, 12:32:24 pm
You can also use hashed passwords over HTTP for local access, but it will require JavaScript to hash it on the client side before the form is submitted and this could potentially cause some problems for app developers.

A self-signed cert over HTTPS is certainly the better way to go for local access, and you could even create a script that downloads onto the Vera that creates and installs the cert for you when you click __HERE__, maybe using information from an account on the MCV servers, that requires the user to log in after clicking __HERE__, for the cert.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: garrettwp on August 28, 2013, 12:58:36 pm
@RichardTSchaefer, we have a new back-end server system, MMS, which uses OpenID authentication and a standard, secure RESTful API, and it has gone through an external security audit.  We have already modified our mobile apps to use the new backend and are working with 3rd parties as well to get the apps updated.  We're hoping to push this new firmware to our Beta Testers next month.

That will address the issue that information like the firmware version and serial number is exposed, although those are not particularly useful to a hacker anyway.  However the concern you bring up in your post seems to be that this URL allows a hacker to determine if a username is valid or not.  I can see why a hacker would want to know if a username was in use before spending the time trying to crack the password.  But I don't see any way around this.  Even though MMS doesn't have the locator service, any hacker could simply choose 'register an account' and try to create an account with the username he wants to target.  If the username exists and is valid, the system will tell the user to pick another username, since it has to be unique.  I've not seen any system that is able to keep whether or not a username is valid a secret.  Even with Google, Facebook, Yahoo, Amazon, banking sites, etc. they are all exposed the same way--it's very easy to determine if a username is already in use.

Have you ever seen a system where they are able to keep it a secret whether a username already exists or not?  If so, how did they accomplish it?  Since a username is universally considered to be unique, how do they keep from notifying you if a username is already in use if you try to register it?

I have not been contacted by anyone at MCV regarding these new changes that are needed for my app. I am sure that others like RichardTSchaefer, Automator.app, intveltr and others would like to be contacted as they also have apps that are used by a large user base for vera. So please have someone from MCV contact each of us and discuss the needed changes to support the new system.

- Garrett
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: micasaverde on August 28, 2013, 01:38:34 pm
@OtisPresley, the problem is that a hashed password doesn't help with the security issue.  Even if the password is transmitted as, say, an SHA1 hash, it's still transmitted unencrypted so a hacker can still see it and re-use it to have access to the system.  The only way around this that I know of is to use salt (a random number added to the password before encryption), but this (a) becomes non-standard http, and (b) requires a 2 stage process to access the site (get the salt, then submit the password), and (c) unless the salt is good for ONE and only ONE request, it still allows the hacker to use the same hash for access, until the time when the salt becomes invalidated.

We've discussed this at length over the past year with real security auditors, and the conclusion has always been that there's no way to secure access on the local network using accepted protocols, so we're left with either turning local access off, or using something that is not widely accepted, like self-signed certs.  If there was, then other network devices would use it.  But the fact is that every device with a local web ui (your router, nas device, etc.) has the same vulnerability and nobody has solved this, other than to turn off local access.

Further, an underlying philosophy is that if a hacker gains access to a homeowner's network, the hacker can do all kinds of damage that is more severe than just sending Z-Wave commands through his Vera.  All devices I've seen which have a web UI that is accessible directly on the local network (like NAS, routers, etc.) either have no password, or use http authentication where the password is transmitted unencrypted.  So if a hacker is on your network, he will be able to access your router and set up whatever port forwards he wants, he can view your ip cameras (none of the commonly available commercial ones use encryption), he can control most any device on your network, like your Nest thermostat, or your Philips Hue lighting system, and he might be able to use vulnerabilities in Microsoft Windows to take over your PC and do keystroke logging, so that he can get even your secure passwords for online banking, etc.

In most of the interviews I've seen with Crowley, all he did was demonstrate that a user could control his own Vera to unlock his own door from his own network, and he never mentioned that there was no way for a remote hacker to do this so that his demo was simply that the product worked as advertised.  The only time I saw him address how this would benefit a remote hacker was when he said that _IF_ a hacker was able to install malicious code on your computer to give him remote access to your network, THEN he would be able to remotely control the Vera system.  And that is true.  But if he has malicious code on your computer, he'll also be logging all your keystrokes and passwords, and he'll be able to do things like banking bill pays and transfers, he'll have access to all the files on your computer and your email, and all your personal data, and he can take your money and do identity theft remotely.  So, why would a hacker who had that access want to expose himself by coming to your home in person and unlocking your door to physically rob you, when he can anonymously, from a remote country, take your money and identity anyway?  Besides, what Crowley didn't mention anyway, is that once the hacker has control over your computer, even IF we turned off local access and only allowed access through a secure web portal, the hacker will still capture that password anyway.  In other words, when a hacker takes over your computer you have a lot more to worry about than your home automation system, and there's nothing we can really do to stop him from accessing your home automation system unless we use external authentication, like the keyfobs that banks give commercial customers to initiate wire transfers.  But, this means that when you want to turn on a light using your iPhone, the app will prompt you to hit the button on your fob and enter the unique 6 digit code that appears.  And then the system would be so cumbersome that nobody would use it.

So, we're going to try to offer customers solutions besides "secure your home network" because of the FUD that TrustWave has caused because we refused to pay them off.  But, no matter what we do, if you don't secure your network and a hacker is able to run malicious code on your computer, or get on your local network, you're in serious trouble and getting access to Vera is minor compared to the other problems that creates.
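The post above argues that a client-side hash of the password is just as replayable as the password itself unless the "salt" is good for one request only. The following is an added example (not code from MiOS, Vera or Trustwave) that makes that difference concrete: a fixed hash is accepted every time it is re-sent, while a single-use random nonce, consumed by the server on first presentation, rejects the same captured bytes the second time. The user name, pass phrase and the `NonceServer` class are constructed for the illustration; the server is assumed to store only a password-derived verifier.

```python
import hashlib
import hmac
import os
import time

# Constructed credential store (not the Vera's real one): username -> verifier.
# Assumption: the device keeps only a hash of the password, not the password.
def derive_verifier(username: str, password: str) -> bytes:
    return hashlib.sha256(f"{username}:{password}".encode()).digest()

USERS = {"vera_admin": derive_verifier("vera_admin", "constructed-passphrase")}


def static_hash_login(username: str, submitted_hash: bytes) -> bool:
    """Scheme from the post above: the client sends a fixed hash of the
    password.  The bytes on the wire never change, so anyone who captured
    them once can submit them again indefinitely."""
    return hmac.compare_digest(USERS.get(username, b""), submitted_hash)


class NonceServer:
    """Hypothetical server side of a single-use challenge-response login.
    Every attempt gets a fresh random nonce that is deleted on first use."""

    def __init__(self, ttl_seconds: float = 30.0):
        self.ttl = ttl_seconds
        self._nonces: dict = {}  # nonce -> expiry on the monotonic clock

    def challenge(self) -> str:
        nonce = os.urandom(16).hex()
        self._nonces[nonce] = time.monotonic() + self.ttl
        return nonce

    def verify(self, username: str, nonce: str, response: bytes) -> bool:
        # pop() consumes the nonce: presenting it a second time always fails
        expiry = self._nonces.pop(nonce, None)
        if expiry is None or time.monotonic() > expiry:
            return False
        verifier = USERS.get(username)
        if verifier is None:
            return False
        expected = hmac.new(verifier, nonce.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(username: str, password: str, nonce: str) -> bytes:
    """Client side: prove knowledge of the password for this nonce only."""
    verifier = derive_verifier(username, password)
    return hmac.new(verifier, nonce.encode(), hashlib.sha256).digest()


def demo() -> tuple:
    """Run both schemes once with genuine credentials, then re-send the
    captured bytes.  Returns (first, replay, static_first, static_replay)."""
    server = NonceServer()
    nonce = server.challenge()
    resp = client_response("vera_admin", "constructed-passphrase", nonce)
    first = server.verify("vera_admin", nonce, resp)    # genuine login
    replay = server.verify("vera_admin", nonce, resp)   # captured bytes re-sent

    fixed = derive_verifier("vera_admin", "constructed-passphrase")
    static_first = static_hash_login("vera_admin", fixed)
    static_replay = static_hash_login("vera_admin", fixed)
    return first, replay, static_first, static_replay


if __name__ == "__main__":
    print(demo())  # (True, False, True, True)
```

HTTP Digest authentication (RFC 7616) is the standardized form of this nonce challenge-response, which is why it resists replay where Basic authentication does not. Two caveats hold for any such scheme: the stored verifier is password-equivalent, so it must be protected like the password itself, and the exchange gives no confidentiality at all, so the commands themselves remain readable to anyone on the segment. Only transport encryption (the self-signed certificate option discussed in this thread) addresses that second point.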
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: RichardTSchaefer on August 28, 2013, 01:39:10 pm
Since you need the Serial# - UserName  - and Password to access the Server.
The Serial# and UserName should be the key for access.
An attacker would have to launch a separate attack for each Vera.

I.e.  User Marc with Serial #123  should be different than User Marc with Serial #234
You can still group devices, So that users of #123 are in the same scope as #124

I look forward to more details about changes with OpenID.
I have two APPS that access Vera Remotely - Vera Alerts and HAL.  I would like to know what is required to support this. I do not see how this addresses any of the security access from the LAN.

You Should allow an option for Vera to "Import" and require certificates for access.  You should have an option to require certificates for LAN access. I personally would like to secure all Remote access for Vera to certificates.  Including Access from MCV Support, and Users via MCV.

If I enable MCV remote access ... then it should only accept connections on my behalf that were locally imported by my Vera.

I know this can cause problems if people lose their certificate ... but you can still allow SSH with PASSWORD from LAN without a certificate. And of course you can have the option (probably defaulted to enabled) to import the MCV Support Certificate to allow MCV support to remote login.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: dcrowley on August 28, 2013, 01:47:27 pm
@dcrowley, nobody is asking you to "argue endlessly".  There is one simple, glaring, obvious, black & white issue which you keep avoiding.  I will even word it as a simple 'yes' or 'no' question, so all you need to do is post a simple reply with 'yes' or' no'.

Now you have had time to verify my claims that (a) we cannot use https (secure) with a device on the local network because browsers by default will only accept certs that are verifiable by a 3rd party CA and bound to a specific domain/IP, and (b) if we put a password on a local network device using standard HTTP authentication, as you recommended, that password is transmitted across the network unencrypted, so that a hacker who access to the network will be able to see the password and thus will STILL have access just as he does now, but will ALSO now know the user's password, which might be shared with other sites, like email and online banking.

So the simple question is: Do you acknowledge that the claims made above are correct?

YES OR NO.  All you need to do is say YES or NO.

No. The claims made above are incorrect because you have misrepresented my suggestions.

I agree that an SSL certificate would cause a browser warning due to the mismatch between any domain name you might use and the IP address of the local VeraLite unit. This is a limitation of SSL, and unfortunately there is no "good" solution here. Much has been written about the limitations of SSL and the need for a different solution. I recommend reading Moxie Marlinspike's work on the topic. However, there are different warnings for domain mismatch and self-signed certificates. This is enough to enable users to determine when a man in the middle attack is occurring, and is enough to thwart passive eavesdropping attacks.

I did not recommend using Basic HTTP Authentication. I recommended using SSL. You're already using Digest authentication if someone enables authentication on the web interface of the VeraLite unit.

Quote
The reason why you keep running from this simple issue is that if you answer 'No' and deny those claims, then anybody with rudimentary networking knowledge will realize that you have no clue what you are talking about, since the claims are basic knowledge that, if you were a legitimate security consultant and not some troll, you would have known.  If you answer 'Yes', then you have admitted that the "fix" which you have proposed would not only fix nothing, it would actually introduce a much, much bigger glaring security problem.

If you were to implement the change you claim I suggested, it would not fix anything. However, the ability to run arbitrary code as root on the Veralite by getting someone to click a link in an email is a much bigger security problem than one that requires an attacker to have local network access and the ability to eavesdrop on traffic. But as I said, I did not suggest that "fix".

Quote
I dare you to answer that question.  But I can safely predict that you will run from that challenge, just like you ran from my challenge to copy/paste the email you claimed to have sent saying that TrustWave wasn't trying to get money from us.  Since I'm not looking for a debate, just a simple 'yes' or 'no', do you seriously think anybody can't see through the fact that you're just a pathetic troll trying to extort money without actually contributing anything of value?

As I said in the past, you did not communicate with me. By your own admission, you communicated with one of the people on our advisories team. Why would I have access to his email? You are the one who claims I am a troll and an extortionist, so why should I be the one to prove myself innocent? If you want to prove that I am a troll and an extortionist, you have access to the email thread. You can post the emails and let people see for themselves what happened.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: SOlivas on August 28, 2013, 11:49:15 pm
@RichardTSchaefer, we have a new back-end server system, MMS, which uses OpenID authentication and a standard, secure RESTful API, and it has gone through an external security audit.  We have already modified our mobile apps to use the new backend and are working with 3rd parties as well to get the apps updated.  We're hoping to push this new firmware to our Beta Testers next month.

So, now the question is.  For those of us who have invested some time and effort into the Vera platform and have an interest, how do we become a Beta Tester?  Not only to see the newest features, but also to give some feedback.  (I'm fairly confident I can backup my system before applying a firmware that may cause unwanted/undocumented features to manifest themselves.)

Have you ever seen a system where they are able to keep it a secret whether a username already exists or not?  If so, how did they accomplish it?  Since a username is universally considered to be unique, how do they keep from notifying you if a username is already in use if you try to register it?

While you can't keep the username secret, you can use generic messages that state username or password don't match when a user is authenticating.  Don't be too specific, since errors that specifically tell you something is wrong make it easier for a brute force attack.

I do have one suggestion.  Why not add in API hooks so that third party authentication modules can be made for the Vera?  Then, if someone implements, say Google's two factor authentication, you refer them to the one who created the plugin for support. 
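The point made above, that a login should answer "invalid username or password" whether the account exists or not, is easy to undo by accident: the natural code path returns early for an unknown user and so leaks the difference through its message and through how long it takes. The following is an added example (not MCV's MMS code or any Vera firmware) contrasting a leaky login with one that returns the same message and does the same password-hashing work in both cases. The user store, passwords and the `PBKDF2_ROUNDS` setting are constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000          # constructed setting; tune for the target CPU
GENERIC_ERROR = "Invalid username or password"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user store (not the real one): username -> (salt, digest)
USERS = {"richard": hash_password("constructed-password-1")}

# A throwaway record verified whenever the username is unknown, so a miss
# costs the same hashing work as a hit and timing does not reveal valid names.
_DUMMY_RECORD = hash_password(os.urandom(16).hex())


def login_leaky(username: str, password: str) -> Tuple[bool, Optional[str]]:
    """What not to do: the message (and the early return) tell the caller
    whether the username exists before a single password has been tried."""
    if username not in USERS:
        return False, "No such user"
    salt, stored = USERS[username]
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, stored):
        return False, "Wrong password"
    return True, None


def login(username: str, password: str) -> Tuple[bool, Optional[str]]:
    """Same message and the same amount of work whether or not the username
    exists.  compare_digest keeps the digest comparison constant-time."""
    known = username in USERS
    salt, stored = USERS[username] if known else _DUMMY_RECORD
    _, candidate = hash_password(password, salt)
    matched = hmac.compare_digest(candidate, stored)
    if known and matched:
        return True, None
    return False, GENERIC_ERROR


if __name__ == "__main__":
    print(login_leaky("nobody", "x"))     # (False, 'No such user')
    print(login("nobody", "x"))           # (False, 'Invalid username or password')
    print(login("richard", "x"))          # (False, 'Invalid username or password')
```

This closes the login path only. As micasaverde notes above, registration and similar flows still have to say whether a name is taken, so the usual complement is to make knowing a valid username worth little: per-account and per-source attempt limits with lockout or back-off, and logging of repeated failures so that a guessing campaign against the server is visible.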
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: garrettwp on August 29, 2013, 12:44:43 am
@RichardTSchaefer, we have a new back-end server system, MMS, which uses OpenID authentication and a standard, secure RESTful API, and it has gone through an external security audit.  We have already modified our mobile apps to use the new backend and are working with 3rd parties as well to get the apps updated.  We're hoping to push this new firmware to our Beta Testers next month.

So, now the question is.  For those of us who have invested some time and effort into the Vera platform and have an interest, how do we become a Beta Tester?  Not only to see the newest features, but also to give some feedback.  (I'm fairly confident I can backup my system before applying a firmware that may cause unwanted/undocumented features to manifest themselves.)

To get added to the beta testing group, the beta testers would have to vote. There are a few factors that we take into consideration.

1. How long you have been active on the forum.
2. Your contributions to the forum.
3. Technical knowledge.
4. ...

Have you ever seen a system where they are able to keep it a secret whether a username already exists or not?  If so, how did they accomplish it?  Since a username is universally considered to be unique, how do they keep from notifying you if a username is already in use if you try to register it?

While you can't keep the username secret, you can use generic messages that state username or password don't match when a user is authenticating.  Don't be too specific, since errors that specifically tell you something is wrong make it easier for a brute force attack.

I do have one suggestion.  Why not add in API hooks so that third party authentication modules can be made for the Vera?  Then, if someone implements, say Google's two factor authentication, you refer them to the one who created the plugin for support.

Not a bad idea, but then it would get very complicated for third party developers to support all of the authentication methods in their apps. I would rather see one good secure method to support, than to support multiple methods.

- Garrett
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: SOlivas on August 29, 2013, 01:18:29 am
Have you ever seen a system where they are able to keep it a secret whether a username already exists or not?  If so, how did they accomplish it?  Since a username is universally considered to be unique, how do they keep from notifying you if a username is already in use if you try to register it?

While you can't keep the username secret, you can use generic messages that state username or password don't match when a user is authenticating.  Don't be too specific, since errors that specifically tell you something is wrong make it easier for a brute force attack.

I do have one suggestion.  Why not add in API hooks so that third party authentication modules can be made for the Vera?  Then, if someone implements, say Google's two factor authentication, you refer them to the one who created the plugin for support.

Not a bad idea, but then it would get very complicated for third party developers to support all of the authentication methods in their apps. I would rather see one good secure method to support, than to support multiple methods.

- Garrett

True, it could be a pain to support multiple authentication methods.  A happy middle ground would need to be reached.  You could do that in one of two ways:

1.  MCV controls the access to the API and granting who can write an authentication layer. 
2.  Some sort of community controlled system is put into place that would decide.

If an API did exist, there would have to be more than just the hooks to make the modules available to make it feasible.  A standard would have to be implemented (homegrown or adapted from elsewhere) that would make it easier to manage this for application developers (think similar/along the lines of PAM, but without the limitations it has).

Personally, I would like to see a two factor authentication scheme implemented for the Vera -- something that would be optional and one of the choices MCV gives in that list we saw earlier.  While not a cure-all, it would go a long way to making the Vera a lot harder to break into.

Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: micasaverde on August 29, 2013, 09:03:50 pm
@dcrowley,

You previously wrote:

"Trustwave told you that we are researching this on our own dime, that we would publish the report regardless of any action by MiCasaVerde, and that we were not interested in money."

When I said that's a lie and challenged you to paste whatever correspondence you sent to this effect, you reply:

"As I said in the past, you did not communicate with me. By your own admission, you communicated with one of the people on our advisories team. Why would I have access to his email?"

So, in other words, you're now saying that you were lying when you made the first claim, since you really had no evidence that TrustWave was not interested in money and were just making it up.  You then say: "You are the one who claims I am a troll and an extortionist, so why should I be the one to prove myself innocent?... You can post the emails and let people see for themselves what happened."  FACT: I did already post the email proving that Trustwave WAS hitting us up for money to be "good guys".

Lastly, your latest post is backpedaling.  When I first challenged you to post your recommended fix you said: "The way around this is to require a username and password to control the VeraLite".  I pointed out that an http password is not encrypted, and therefore makes a bigger security hole, and only SSL certs work, but there's no practical way to deploy them on Vera since browsers by default won't accept them.  Now, you claim to have taken my position all along and say "I did not recommend using Basic HTTP Authentication. I recommended using SSL."  Again, I challenge you to copy/paste anything that you said on the forum or to the media or in your vulnerability reports that recommended using SSL certs, before I pointed out to you that an SSL cert was required to protect the password.  From my vantage point, you only started "recommending using SSL" certs AFTER I already told you that was necessary.  And then you never acknowledged that SSL certs aren't practical and that "This is a limitation of SSL, and unfortunately there is no "good" solution here. Much has been written about the limitations of SSL and the need for a different solution."  So, finally, you've come around 180 degrees and are actually taking the position I have taken all along, which is that the "vulnerabilities" you pointed out are NOT specific to Vera, but they are general problems with current networking technology and that there is no good solution until the network technology allows for some secure http communication over a local network.

Like I said all along, the "vulnerabilities" you've pointed out are nothing we haven't been aware of for years, they're not specific to Vera, and we've tried using both self-signed and CA-signed certs on Vera but many browsers won't accept them, so there is no user-friendly solution other than to turn off local access altogether, which is actually a main selling point of Vera.  So, like I said in the beginning, there is no good solution.

Now you finally admit the exact same thing...  "there is no good solution" to this issue.  So then why were you going on CNN and every news outlet reporting that you found some glaring hole in our product and that they were "easy to fix" but we were negligent, when the fact is the vulnerability has nothing to do with our product, it's common to all networking devices, and "there is no good solution".  This just proves that you were deliberately misleading people, trying to peddle fear, uncertainty and doubt amongst customers.

I also want to point out that you don't dispute that when you got on CNN and said "I am a hacker, I am controlling this door lock", that the fact is you were controlling YOUR door lock with YOUR Vera using the API and tools we provided and documented in our user's manual.  In other words, all you did was demonstrate the product worked as advertised, you did NOT hack into anybody else's system, but you deliberately misled viewers into thinking you did.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: micasaverde on August 29, 2013, 11:44:04 pm
@dcrowley

If you were a legit security company performing a public service, you would have been warning people that ALL devices on their home network (NAS, router, VeraLite, etc.) have the exact same vulnerability.  All routers and access points from all major networking vendors do, like Vera, treat all devices on the local network as 'trusted', allowing you to set up port forwards using both unencrypted HTTP POSTs, as well as UPnP calls.  Just like Vera.  So the cross-site exploit you reference could just as easily be used by a hacker to set up port forwards on a router, and thus give him access to all the devices on your network.

We've never disputed that this is a vulnerability of Vera AND every other network device.  LEGITIMATE security advisers, like Moxie Marlinspike, DO perform a public service and warn people that the https/SSL technology developed over 20 years ago to validate servers only should be updated to allow secure communication over the local area network too since there are so many devices on the home LAN these days.

But, note that Moxie doesn't do what you do.  He doesn't pick one company out, like say, Cisco, to sensationalize and go on CNN with a self-promoting rant saying "This is a horrible security flaw in Cisco routers that would be easy to fix but Cisco is negligent and refuses to do a security audit."  If he did, it would be dishonest, and an unjustified attack on Cisco.  And probably a good indication he either had a bone to grind with Cisco or was trying to extort money out of them.  Rather, Moxie performs a legitimate public service providing an HONEST discussion of a fundamental, ubiquitous weakness in home networking technology.  There is no comparison between his serious work, and the activity of a troll like TrustWave.  If you were actually doing a public service, why did you deliberately mislead viewers on CNN, attacking us with some smoke and mirrors demonstration after we refused to pay you off?
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: dcrowley on August 30, 2013, 01:01:30 am
@micasaverde I will let the users of your products decide whether the flaws disclosed by Trustwave are legitimate. What you think of me does not matter to your customers. What matters to your customers is whether or not an action as simple as clicking a link in an email could put them at risk. I have shown that it can. You could change this and you refuse to, saying that you have decided your products should be this way.

Your customers can view our report at https://www.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt and decide for themselves whether or not your product poses a risk to them.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: micasaverde on August 30, 2013, 11:23:17 am
Now you've flip-flopped again.  In your original claims you said we could fix this by simply putting a password on it, but that we negligently failed to do so.  Then, after I pointed out that your "fix" solved nothing and created a much bigger security problem, you back-pedaled and said that by 'password' what you really meant to say was an SSL cert.  Then, after I pointed out that this won't work on devices on the local area network, you finally conceded it was a fundamental networking issue and that "there is no good solution".  Finally we were in agreement.  But then you apparently realized that this confession simply proves that everything you've done has been a deceitful con because these vulnerabilities are ubiquitous to ALL devices in the home that allow web/upnp access over the home network, and your advisory report tricks users into thinking this is some flaw with Vera.

So, now you flip-flop again and say "You could change this and you refuse to...".  But you've refused to ever state what this "change" is to fix the issue.  Why can't you specifically state if you are recommending:

1. HTTP authentication, which is what you initially recommended until I explained the technical issues that this solved nothing and just opened a much more serious security hole.

2. CA-signed certs.  After I pointed out your flaw with #1, you wrote: "If you use a CA signed cert, this should be no issue."  However, I then pointed out this requires a commercial internet connection, a domain, reverse DNS, and the user has to go through a costly identity verification process with a 3rd party CA signer.  After I pointed out this, yet again, you simply failed to understand the technology, then, as far as I can tell, you edited your previous post and removed this comment, since it obviously showed how little you know about security.

3. Self-signed certs.  I explained this to you in the very beginning, but explained it's not a user-friendly solution since many browsers by default will reject the cert.

4. Turning off all local access.  This is secure, but means the user has to do everything through our server, which requires a monthly fee, and he can't use his system without internet access.

So be specific.  Which of those 4 "fixes" are you actually proposing?  You keep waffling and flip-flopping.

Lastly, if there was a good solution to this issue, then why is it that nobody else uses it?  You haven't disputed that this vulnerability exists with every access point and router from all the major companies, like Cisco, Netgear, D-Link, all the network storage devices, and every other device on the home network with a local UI.  Yet, your advisory singles out our product and claims that we're to blame for this vulnerability that affects every network device.  How can you possibly claim your advisory is anything other than a vindictive hatchet job as revenge for us not giving in to your extortion scheme?  If you genuinely were providing some public service, why do you single out our product instead of reporting that this is a fundamental issue with the way networking works?  And why get on CNN and do a deliberately deceitful piece where you simply unlock your door with your Vera, using the user interface we provide and document, which shows nothing but that the product works, but preface it with the misleading claim that you're a hacker to trick viewers?
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: dcrowley on August 30, 2013, 12:17:38 pm
@micasaverde: If you're interested in improving the security of your product, I can discuss recommendations with your Director of Product Development, Colin, who has already reached out to me to get more information. I am STILL willing to work with you AT NO COST to improve the security of your product.

My paper is available at https://media.blackhat.com/us-13/US-13-Crowley-Home-Invasion-2-0-WP.pdf. If you read it, you will see that your product was not the sole focus of my research; it simply was the most interesting to the media as compromising the VeraLite potentially means physical access to a building or covert surveillance. In fact, the flaws I found in a "smart" toilet were more interesting to the media than unlocking doors. Go figure. My research set out to prove what you yourself alluded to: "smart home" technologies as they exist today are full of security flaws.

I have also discussed the UPnP protocol by itself in a separate presentation you can view at http://www.slideshare.net/BaronZor/why-upnp-is-awesome-and-terrifying . In your words as quoted below, this means I am genuinely providing a public service:

Quote
You haven't disputed that this vulnerability exists with every access point and router from all the major companies, like Cisco, Netgear, D-Link, all the network storage devices, and every other device on the home network with a local UI.  Yet, your advisory singles out our product and claims that we're to blame for this vulnerability that affects every network device.  How can you possibly claim your advisory is anything other than a vindictive hatchet job as revenge for us not giving in to your extortion scheme?  If you genuinely were providing some public service, why do you single out our product instead of reporting that this is a fundamental issue with the way networking works?
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: micasaverde on August 30, 2013, 12:54:17 pm
>> I can discuss recommendations with ... Colin

Fine.  Since our company culture is focused on being transparent and honest with our users and not withholding anything, I, of course, prefer that any discussions about recommended solutions be done publicly, in the forum, for everyone to read and comment.  I still feel the reason why you're refusing to discuss your "solution" publicly is simply that "there is no good solution", which is something you conceded at one point, and now have backed away from and edited your prior posts discussing a solution.

Regarding the public service, I will leave it up to the viewer.  The interview is below.  The viewer can decide if you were honestly discussing a vulnerability in the networking protocol which we discuss openly in our docs and that effects every device in the home, and if your demonstration was honest and let viewers know that you were simply unlocking your own door lock from within your own network using the user interface that we provide and document.  My opinion is still that you deceived users by suggesting this was a vulnerability specific to our product and that you tricked users into thinking you were demonstrating hacking someone else's door lock.  If the viewer concurs with my analysis that it was all a scam, then the obvious question is to ask what your motivation was for going on tv and deliberately deceiving users about our product.  There had to be a reason, be it 1) trying to get your 15 minutes of fame at someone else's expense, 2) trying to capitalize on our success to promote TrustWave, and 3) as payback for us not giving into your shakedown for money.  I've explained in detail why I believe the answer is all 3.  Once the viewer decides if the interview was honest, then they can decide if they buy your explanation that your motive was an altruistic desire to perform a public service.

http://edition.cnn.com/video/?/video/us/2013/08/14/pkg-laurie-segall-hack-your-house.cnn&iref=obnetwork
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: dcrowley on August 30, 2013, 07:47:00 pm
@micasaverde: Actually, that's a good idea. I'll start a new thread to discuss the flaws and potential fixes.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: micasaverde on August 30, 2013, 08:21:02 pm
@dcrowley, I certainly would welcome a new thread that discussed fixes and solutions.  Everybody who understands networking technology understands the flaws in the technology and the vulnerabilities.  The challenge is finding a solution that is actually secure, but is also feasible for novice users who won't be able to do things like change browser settings to support self-signed certs, or buy CA-signed certs.  And, since the main selling point of Vera vs. our other managed solutions (which are secure) is that the Vera does not require the user to use our servers, have internet access, or pay a monthly fee, it must still allow local access.  Further, to please the techie users, it needs to include a standard, ubiquitous control protocol that is supported by standard devices like TVs, DVRs, music players, etc.

As I explained to TrustWave months ago, we do not know of a solution that fits all the criteria--and we HAVE hired professional security consultants to work with us.  Therefore, like I already said, in our next rev UI, we are planning on putting a security tab which gives the user 4 options:

We are debating about putting a 'security' tab in the UI that gives the user the following options:

1.  Leave local network access open like it is now.  The advantage is you can use the system even if your internet is down.  But the drawback is that you must ensure your wi-fi is secure because anyone on the local network will have access to the device.

2.  Add HTTP authentication with a local password.  It's universally accepted by all browsers, but it's not secure and the password will be exposed.  So it wouldn't thwart hackers.

3.  Install a self-signed certificate.  This requires configuration changes to your browser, but it is secure. 

4.  Turn off local network access completely, and require you to only access the system through our servers.  This is secure, however it means you cannot use the system if you do not have internet access, other devices on the network will not be able to control the system, and there is a monthly fee associated.

Additionally, we would add a check-box to enable UPnP or turn it off.  Adding the option of secure UPnP is at this point useless since no clients support it, so you might as well just turn it off.

If you have some other idea beyond those 4 choices that is commercially viable, I would love to hear of it.  And, since you don't dispute that the vulnerabilities you attribute to Vera affect EVERY network device in the home with a local web UI, there are no doubt hundreds of other companies that would love to hear what fix you have for the problem.

Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: dcrowley on August 30, 2013, 10:09:31 pm
MCV, let's put this discussion in the other thread.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: dcrowley on August 31, 2013, 11:13:02 am
@MCV: In response to your comment about the misrepresentation from the media in the technical thread:

I said that lack of authentication and encryption are basic security problems that should be addressed in any product, especially when people can control door locks and alarm systems from that system. I never said MCV was incompetent. The VeraLite is a wonderful product and I like it a lot. I said in multiple interviews: "I love the VeraLite, it's an awesome product, but I'm heartbroken that it has these vulnerabilities." Unfortunately, many media outlets misquoted me to make it more generic. Misrepresentation is something media outlets are prone to do.

You see, the media is interested in producing a compelling story so that their ratings go up and they can charge more for advertising. This is exactly why we've seen so much coverage of Miley Cyrus and not Syria. If you want to blame someone for misleading stories, blame the media. I interviewed with CNN for over an hour, and the piece you linked to is less than five minutes long. The part of it devoted to discussion from myself and my co-researchers was less than one minute long in total. Additionally, most of CNN's viewers are non-technical. Even if the media weren't financially motivated to care more about showmanship than accuracy, CNN must still try to condense over an hour of very technical material into a few minutes of non-technical, compelling material. That's a difficult task and even major media outlets do it wrong.

If people are looking for technical accuracy, though, they can read my paper or watch my talk (it will be available to the public once DEF CON uploads it) and get the real story. I still maintain that an attacker can use the SSRF flaw and the RunLua UPnP action in conjunction with each other to trick a user into giving control of their VeraLite to the attacker. In my DEF CON talk, I show the audience the UPnP request used to open the lock and note the lack of any authenticating information. I also showed this to the media outlets with which I interviewed, but they neglected to include the footage because it was too technical.

As far as demonstrating control over someone else's home, it is illegal under the Computer Fraud and Abuse Act for me to do that without getting permission from another user. I don't know any VeraLite users nearby, but if you'd like I would be willing to demonstrate for a willing party within driving distance of me.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: Da_JoJo on September 03, 2013, 11:54:37 pm
seriously... this is like 2 people trying to convince they are right and it doesn't really add to the point where it all comes down to.. how to more secure the vera in a way that novice users can understand also.. pointing to use ssl ? this has been compromised already and only TLS1.2 is not yet. only internet explorer is supporting this so this is not a solution.. http password protection ? no go as it puts it encrypted or not over the network easy to man-in-the-middle attack and read by for example wireshark. using a website to make a user click on a link with http://vera-ip:3480 in it ? lol ok...
for the best interest of us , the users, it would be nice to have a php or C++ authentication or something , but this would be necessary to implement in the various remote apps and thus the code is required to be in the open.
i think micasaverde does a very good job in making the vera stuff as easy and secure as it is. even willing to add additional features for us users to use to secure it more.. personally i think the direct access to port 3480 should be passworded too but it on the other hand renders the upnp features less usable for other devices that cannot be changed to have this functionality.
no please stop biatch-slapping each other with useless stuff for us common users of the system and get us some real security options which are userfriendly and usable. like aaron pointed out the only higher level security would be having a dongle which does not address the vulnerability in the z-wave protocol , so in my eyes its pointless to us users of the system. and like crowley pointed out demonstrating control over someone's lan is illegal and would be prosecuted by law. so in short there is no solution to the problem. if anyone happens to have one please do share it so we can feel more secure. at least until someone comes by and throws a rock to the window and jumps in and steals ur flatscreen xD .
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: Da_JoJo on September 04, 2013, 12:11:47 am
SSRF ... where would you do that ? on the ssh connection vera makes to their servers lol?
upnp request ? like aaron pointed out that is part of the vera and gives it its nice feature to be able to control it from a upnp device which indeed does not use a login.. its on purpose
if you can do that you might as well use the http command on port 3480 to open a port to the outside world and control it from there..
it needs local access and if you have this , a bank account would be nicer to gain than turning on a light. its like saying your car should not have a lock coz any idiot can use a screwdriver and a wrench to open it.
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: dcrowley on September 06, 2013, 12:48:31 pm
SSRF ... where would you do that ? on the ssh connection vera makes to their servers lol?

The SSRF flaw can be used in conjunction with social engineering (sending a user a link via email, for instance) to trigger the RunLua UPnP action and execute code as root on the VeraLite from anywhere in the world. It can also be used to load Javascript content from any location and have it run within the domain context of the VeraLite. This violates cross domain policy and allows for control of a user's VeraLite remotely through a user's browser.

Quote
upnp request ? like aaron pointed out that is part of the vera and gives it its nice feature to be able to control it from a upnp device which indeed does not use a login.. its on purpose
if you can do that you might as well use the http command on port 3480 to open a port to the outside world and control it from there..

Whether I leave my door unlocked on purpose or by accident, someone can still enter.

Quote
it needs local access and if you have this , a bank account would be nicer to gain than turning on a light. its like saying your car should not have a lock coz any idiot can use a screwdriver and a wrench to open it.

It does not need local access as I have already shown. Also, lights are not the only device the VeraLite can control. Door locks? Garage doors? Alarm systems?

The car analogy is flawed, firstly because I'm not suggesting we don't fix these things, and secondly because high security locks are designed to withstand enough torque that someone with a screwdriver and wrench would not be able to apply enough pressure to pry the lock open.

If you're interested in fixing these vulnerabilities and have something to contribute, I recommend posting in the thread I started for that.
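Both sides above describe the same request path: a page or link in the user's browser makes the browser send a request to the device's local HTTP interface (the thread names http://vera-ip:3480), and the device, trusting everything on the LAN, performs the action. This added example (not Vera/MiOS or Trustwave code; the host names, port and header name are constructed or assumed) shows the check a device's state-changing endpoints can apply without TLS: a browser will not let a web page forge the Origin or Referer headers, and a cross-origin page cannot add a custom header without a CORS preflight the device never approves, so a request with no same-origin evidence is refused.

```python
"""
Origin check for a LAN device's state-changing HTTP endpoints.

Added example, not the device's own code. DEVICE_HOSTS, the port 3480
(the local port named in the thread) and CUSTOM_HEADER are constructed
or hypothetical values.

A request may change state only if:
  * the Host header names the device itself (rejects requests that
    reached the device under some other name, e.g. via DNS tricks), and
  * Origin (or, failing that, Referer) points back at the device, which
    a browser only does for the device's own UI, or
  * no Origin/Referer is present and a custom header is set, which a
    non-browser client (a UPnP controller, a phone app) can do but a
    cross-origin web page cannot without a CORS preflight.
Everything else, including a bare link click from an e-mail, is refused.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Names under which the device serves its own UI (constructed).
DEVICE_HOSTS = {"vera-ip:3480", "192.168.1.10:3480"}
# Header a non-browser local client sets to identify itself (hypothetical).
CUSTOM_HEADER = "x-local-client"


def _source_host(url: str) -> Optional[str]:
    """Return the lower-cased 'host[:port]' of an Origin/Referer URL.

    'null' (opaque origin) and non-HTTP schemes yield None, so they are
    treated as 'no evidence', never as a match.
    """
    if not url or url.strip().lower() == "null":
        return None
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return parts.netloc.lower()


def allow_action(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a request may perform a state-changing action.

    HTTP header names are case-insensitive, so normalise them first.
    Returns (allowed, reason); the reason is suitable for a local log line.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "").strip().lower()
    if host not in DEVICE_HOSTS:
        return False, "Host header does not name this device"

    source = _source_host(h.get("origin", "")) or _source_host(h.get("referer", ""))
    if source is not None:
        if source == host:
            return True, "same-origin request from the device UI"
        return False, f"cross-site request from {source}"

    # No browser-supplied origin evidence at all.
    if CUSTOM_HEADER in h:
        return True, "non-browser client with custom header"
    return False, "no origin evidence; refusing state change"


if __name__ == "__main__":
    # Constructed sample requests, as a device would see them.
    samples = {
        "device UI":        {"Host": "vera-ip:3480", "Origin": "http://vera-ip:3480"},
        "link in e-mail":   {"Host": "vera-ip:3480"},
        "lure page":        {"Host": "vera-ip:3480", "Referer": "http://lure.example/page.html"},
        "opaque origin":    {"Host": "vera-ip:3480", "Origin": "null"},
        "local controller": {"Host": "192.168.1.10:3480", "X-Local-Client": "1"},
        "odd Host":         {"Host": "other.example", "Origin": "http://other.example"},
    }
    for name, hdrs in samples.items():
        ok, why = allow_action(hdrs)
        print(f"{name:16s} -> {'ALLOW' if ok else 'DENY ':5s} ({why})")
```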
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: Da_JoJo on September 07, 2013, 09:31:46 pm
...
it still doesn't solve the problem
Title: Re: Black Hat Talks To Outline Attacks On Home Automation Systems
Post by: tomhung on February 03, 2014, 01:16:15 pm
Here is the DefCon 21 video about VeraLite.

https://www.youtube.com/watch?v=d0O-oq_4e0o#t=1793