The Vera Community forums have moved!

Advanced => Security => Topic started by: anthonyris on October 17, 2017, 11:38:25 pm

Title: Vera vulnerable to Wi-Fi Krack exploit?
Post by: anthonyris on October 17, 2017, 11:38:25 pm
I must assume the MCV folks are aware of the Wi-Fi issue. Any news on a patch?
Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: BOFH on October 18, 2017, 08:39:15 am
The issue is not so much with Vera as it is with the WPA/WPA2 encryption protocol. Which is part of the underlaying OpenWRT OS that MIOS runs on.
Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: akbooer on October 18, 2017, 09:00:54 am
TBH, this is really the least of your worries with Vera, because of the very sloppy approach to secure handling of data and the inherent vulnerabilities of UPnP.
Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: RichardTSchaefer on October 18, 2017, 11:04:08 am
The fix is for clients that attach to a WIFI hotspot ...
If you connect your Vera via WIFI you are vulnerable ... Use a wired connection!
There are LOTS of wifi devices in my house ... that I doubt I can get software updates for.
The software in Vera is VERY OLD ...
It's based on the OpenWRT Barrier Breaker release from the end of 2014.



Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: futzle on October 18, 2017, 05:19:10 pm
The latest OpenWrt (15.05.1) is also vulnerable to KRACK. You would need to move to the fork of OpenWrt, LEDE, release 17.01.4, to have the version of hostapd/wpad/wpa-supplicant that is patched against KRACK.

I don?t see Vera doing this TBH.
Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: BOFH on October 18, 2017, 05:43:55 pm
I have WiFi switched off on my Vera's as I have an existing WiFi setup already. Running DD-WRT so I'm keeping an eye out for a patched version of that.  It has a whitelisted MAC table, which although not foolproof (MAC spoof anyone) will make it a bit more time-consuming. Hopefully giving my IDS enough time to catch on and have it tell the gateway to drop the LAN port for the WiFi network and send me an alert.
Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: Alex Waverley on October 18, 2017, 11:04:24 pm
I wouldn't stress out too much. How valuable is the information that is being sent to and from Vera via wifi? Valuable enough for someone to take the trouble of sitting within range of your wifi connection to monitor and intercept it? I hope not. VERA and products like it are toys and should never be used for anything beyond the trivial.

I don't send any information that is worth a plug nickel to anyone via wifi .  I have a few devices that can initiate scenes, but that's about it. S.P.E.C.T.R.E. or T.H.R.U.S.H. would be profoundly disappointed in the extortion opportunities provided by gaining control of my kitchen light. In other words,  the best security system is not being a valuable target in the first place.
Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: BOFH on October 19, 2017, 09:09:22 am
I'm not really worried. As I said Vera's WiFi is off. As for my WiFi network, I'm hoping for a patch for DD-WRT soon so I can plug the hole but I'm not sweating it. If someone sits on the street in front of my house in a car, my K9 security system will detect that and alert. Since I have a camera on them, I'm pretty sure I will notice their behaviour. I also have a camera aimed down my drive so I would be able to see Mr. or Mrs.B. Hat and catch them in the act. :-) Easy enough to SSH into my home server and drop the WiFi LAN port to stop their game.
Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: akbooer on October 19, 2017, 09:46:17 am
Quote
How valuable is the information that is being sent to and from Vera via wifi? Valuable enough for someone to take the trouble of sitting within range of your wifi connection to monitor and intercept it? I hope not.

Probably more than enough to tell whether you're in or out...
Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: aa6vh on October 19, 2017, 10:45:20 am
Probably more than enough to tell whether you're in or out...

Or they could just knock on the door....  (and yes, that has happened to me.)

All of the local bad guys that I am aware of do not have the smarts to perform computer hacking.
Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: BOFH on October 19, 2017, 12:38:33 pm
Like I said, I have a K9 security system which is quite capable of handling physical break-ins.  8)
Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: Sorin on October 19, 2017, 02:39:54 pm
Hello guys, wanted to ping in, and tell that, this is looked for as I speak.

Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: RichardTSchaefer on October 19, 2017, 05:00:39 pm
@BOFH ...
Have your trained your K9s for cyber security ?
Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: BOFH on October 19, 2017, 06:41:59 pm
@Richard: Now there's an idea... For now they just handle the physical side. I wonder if Alexa understands dog so they could bark at her to get stuff done. :)
Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: Alex Waverley on October 20, 2017, 05:50:15 pm
Quote
How valuable is the information that is being sent to and from Vera via wifi? Valuable enough for someone to take the trouble of sitting within range of your wifi connection to monitor and intercept it? I hope not.

Probably more than enough to tell whether you're in or out...

It shouldn't be. I keep my security system and automation devices separated. Same with my cameras. Vera can close my garage door but the trigger runs through a reed switch so it it physically isolated if the door is closed. My cameras are hard-wired on an isolated subnet and I use a physical contact closure to activate panic lighting via the alarm. Vera and products like it are not security or life safety devices and should not be relied upon for critical functions.

Just my two cents. Which I intend to keep safe.
Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: Alex Waverley on October 20, 2017, 05:55:05 pm
@BOFH ...
Have your trained your K9s for cyber security ?

Does your dog byte?
Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: Alex Waverley on October 20, 2017, 06:08:00 pm
Probably more than enough to tell whether you're in or out...

Or they could just knock on the door....  (and yes, that has happened to me.)

All of the local bad guys that I am aware of do not have the smarts to perform computer hacking.

Nor the desire to deal with a dog. Thieves are opportunists who look for low-hanging fruit. My greyhounds are great watchdogs. They'll watch someone come in; Watch them take my stuff; And watch them leave...probably. Then again maybe not. That's enough to make my house less attractive than the neighbors. Like the old joke says "I don't have to out run the bear, I just have to out run you".
Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: Alex Waverley on October 20, 2017, 06:10:57 pm
Like I said, I have a K9 security system which is quite capable of handling physical break-ins.  8)

Even a small dog is a great security system. A barking dog attracts a lot of attention.
Title: Re: Vera vulnerable to Wi-Fi Krack exploit?
Post by: Alex Waverley on October 20, 2017, 06:27:15 pm
I'm not really worried. As I said Vera's WiFi is off. As for my WiFi network, I'm hoping for a patch for DD-WRT soon so I can plug the hole but I'm not sweating it. If someone sits on the street in front of my house in a car, my K9 security system will detect that and alert. Since I have a camera on them, I'm pretty sure I will notice their behavior. I also have a camera aimed down my drive so I would be able to see Mr. or Mrs.B. Hat and catch them in the act. :-) Easy enough to SSH into my home server and drop the WiFi LAN port to stop their game.

Agreed. I have two Veras, neither of which have WiFi activated. I have wall mounted tablets with ImperiHome that use WiFi but so what. I never use them of anything but initiating  scenes. What folks should do is use HTTPS Everywhere and/or VPN's when transmitting private information, and encrypt all critical information until and unless it is being used.

I like my Vera units a lot but, as I've said before, trusting them with any critical function is like racing a motorcycle while wearing a $10 helmet.