Author Topic: PSA: Disable Remote Access, Use a VPN Instead!  (Read 5019 times)

Offline algetnkjba

  • Newbie
  • *
  • Posts: 1
  • Karma: +3/-0
PSA: Disable Remote Access, Use a VPN Instead!
« on: May 23, 2015, 01:00:31 am »
My Vera system has been great in a lot of ways, but something has been bothering me...

For someone unfamiliar with network security, Vera may appear relatively secure. Take this for example:

http://support.getvera.com/customer/portal/articles/1719039-q-how-secure-is-my-vera-system-?b_id=712

The answer focuses only on the security of Z-Wave, and while Z-Wave itself may be secure (though I suspect there are numerous undiscovered/undisclosed vulnerabilities), the Vera system is only as secure as its weakest link.

That weakest link is without a doubt the network connection. Let me explain:

Some people are surprised/worried about the lack of local security (http://forum.micasaverde.com/index.php/topic,30828.0.html), but this doesn't really bother me. Most people use Vera behind a private, protected WiFi network, so unless they're handing out their WiFi credentials to random/untrusted people, the local security thing isn't too much of an issue.

The real problem is that Vera is set up to enable remote access by default, and nowhere is it obvious how to turn that off.

Why is remote access bad, you ask? Obviously, remote access is something people want. Part of the beauty of home automation is the ability to do things remotely. But the way it's implemented by Vera is bad. It's bad because even though we'd like to think that our password makes it only accessible to ourselves, that's not true. The truth is, anyone at Vera - and by extension anyone who happens to hack Vera's servers or set up a secret agreement with Vera (i.e., the NSA) - has full access to your home.

Call me a tinfoil hat if you'd like, but in a post-Snowden world, we know this isn't the stuff of fiction anymore - it's happening right at this very moment, and it's pretty scary stuff. If you've got any substantial home automation hardware in your home, the stakes are much higher. We're talking about 24/7 access to webcams and microphones, the ability to lock/unlock doors at any time, even the ability to control your home's HVAC system with the potential to literally burn your house down and/or kill you.

Even without that kind of home automation hardware, the remote access to your Vera device is set up in such a way that it allows full, unrestricted remote access to your entire home network. So if you've got anything critical or sensitive anywhere on your home network / personal computer, that's also at risk.

Again, call me crazy, but how/why/when would anyone give that level of power to someone they don't trust 100%. By definition, we can't trust Vera 100% because we aren't Vera. I don't care if they have periodic security audits, SSL certificates, or whatever-bit encryption. So did Target and Home Depot (and they got hacked). So do Microsoft, Google, Yahoo, and Facebook (but we know the NSA is collecting their data from back doors).

So just "unassociate" your Vera device with your online account, you say? The trouble is, if it's ever been associated, your device will keep trying to "phone home" either way. Even if you change your password, Vera's relay servers will still have access to your device and home network.

It's not about setting a local password on your Vera, or Vera's servers getting access to your device; that's not how it works. Your device has SSH keys for Vera's servers, and as long as it has an internet connection at all, it will try all day long to connect to them and set up a reverse tunnel (a path for them to connect to your local device / local network). Again, that tunnel does not use your password for authentication; it uses Vera's keys, so anyone with access to Vera's servers has full access to your device/network without the need for a password.

To make matters worse, the "Secure your Vera" setting in UI7 sounds like it's adding extra security to your Vera. In reality, it makes your Vera only accessible via Vera's relay servers. It's causing users to depend on that third-party relay 100%, where that's the weakest link in the whole chain.


What should be done? Well, if you ask me, Vera should at the very least:

  • Provide an option in the UI to disable remote access
  • Be more clear and upfront about how remote access works and the security implications
  • Implement, or at least clearly document alternatives for remote access (such as VPN)

Obviously, for the truly paranoid there's no way around it - if you have your device connected to the internet in any way, you're opening yourself to a certain level of risk. But for a practically-minded, security-conscious person wanting the convenience of remote access, the best solution would be to (1) disable remote access via Vera's servers and (2) use your own private VPN server within your home network to connect when you need remote access.

Vera could implement this in an easy-to-use, secure way by doing the following:

  • Provide a VPN server built in to the Vera firmware, along with links to popular VPN clients and client configurations to make configuration easy.
  • Allow (or better, force) VPN keys to be generated somewhere outside of Vera's control
  • Publish the firmware source code so that it can be externally audited, especially with respect to the possibility for leaking keys.



In the meantime, I recommend doing the following:

  • Set up your own VPN server on your home network, and configure your phone/laptop to connect to it whenever you need remote access
  • Disable Vera's remote access

Unfortunately, I had to dig a little to find out how to disable remote access in UI7. Apparently in earlier versions (http://forum.micasaverde.com/index.php/topic,4782.0.html), you needed to set RA_DISABLED to 1 in /etc/cmh-ra/cmh-ra.conf. In UI7, I noticed that it was already set to 1, yet the SSH connection was still being made, even on a reboot. In fact, it doesn't look like that value is even read anymore by the daemon, so who knows why they left it there.

Currently (version 1.7.583 for me), the daemon's init script looks at the "Permissions_Relay" setting in /etc/cmh/services.conf. Change the value of that line from 1 to 0, and then either reboot or run (as root) "/etc/init.d/cmh-ra restart". Then double-check that the daemon doesn't start.

As an extra precaution, you should probably (as others have suggested) also block TCP port 232 outbound from the IP address in your router. Or block all outbound traffic, though that may have other side effects.

Offline blindman75

  • Sr. Newbie
  • *
  • Posts: 20
  • Karma: +1/-2
Re: PSA: Disable Remote Access, Use a VPN Instead!
« Reply #1 on: June 21, 2015, 04:57:08 pm »
I am a newbie with Vera and SSH. I have  Vera Edge UI7 version is 1.7.1181 I logged in using "remote" and temporary password and found my "root" password but could not log in with root password after disabling Remote Access. So I logged back in under "remote" and entered  /etc/cmh/services.conf and received "Permission denied."

I just want to disable remote access but with my lack of knowledge of SSH I could use some help. Can someone give me a walk through of the steps to edit whatever needs changing to disable. Thanks in advance for your help.

Offline xtremeIX

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
Re: PSA: Disable Remote Access, Use a VPN Instead!
« Reply #2 on: February 01, 2016, 11:39:19 am »
I would also like to see an option in the UI to disable remote access - I'm using a VPN connection.

Offline andrewgarfield

  • Full Member
  • ***
  • Posts: 103
  • Karma: +9/-1
Re: PSA: Disable Remote Access, Use a VPN Instead!
« Reply #3 on: February 01, 2016, 02:04:09 pm »
Definitely +1 to OP's thoughts on this.

One of the first things I did after getting my Vera is to disable remote access into my system through a firewall rule. I have been using a VPN (originally PPTP, now OpenVPN) for all my connections since then.  I even have the VPN setup on my iPhone to automatically connect to my home VPN when I launch one of my vera apps when i'm on the cellular network.  So, in this case there's very little user experience difference between VPN vs using MIOS servers from a usability point of view (minus that I usually have to disable the VPN when i'm done.  This doesn't happen automatically).

The only issue I have with the OP is on the trust issue because that gets into a huge slippery slope.  Just by having a vera (or any other device be it a Mac, iPhone, router, Windows computer, linux computer) on your network you are automatically trusting the entities that provide them for you.  Technically speaking even if you firewall the thing from remote connections, the box itself could be running malware that seeks out the rest of your network for attack from within your network.   My point is that you MUST trust vera by putting the box on your network at all. 

The real issue here is not a trust issue, it's a risk issue.  There's a lot of inherent risks in giving a closed, untested and unpublished protocol remote access into your network.  Remote access is VERY hard to do right, so even if Vera had the best intentions they would still probably make mistakes putting your home at risk.

Most major VPN systems have a proven track record using the latest crypto libraries and best practices to help ensure the most secure remote access possible.  This reduces the risks associated with remote access, regardless of the trust element.

That being said, I *DEFINITELY* agree that there should be a UI element to disable remote access into the system.  I don't mind doing it with a firewall rule, but not everyone wants to do that.

Offline simonclark

  • Full Member
  • ***
  • Posts: 147
  • Karma: +6/-9
Re: PSA: Disable Remote Access, Use a VPN Instead!
« Reply #4 on: February 11, 2016, 06:26:39 am »
I have just set up my own vpn and  interested how you make your ios apps start vpn? I have to turn on and off manually.
Thanks

Offline sdrider

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
Re: PSA: Disable Remote Access, Use a VPN Instead!
« Reply #5 on: February 11, 2016, 11:03:13 pm »
Thanks for this PSA. I noticed my Vera scanning port 80 on my local network and I found this thread while I was looking for what might be going on.

I've followed the suggestion here and setup OpenVPN so that I can control automation from my Android remotely without requiring the MCV remote server access. I've shut down all outgoing internet connectivity for the Vera at my router, so it can no longer connect outbound. All works well with this setup and I don't have to worry about my Vera's weakest link being the MCV servers or my password at them. Good advice in this thread.

Offline andrewgarfield

  • Full Member
  • ***
  • Posts: 103
  • Karma: +9/-1
Re: PSA: Disable Remote Access, Use a VPN Instead!
« Reply #6 on: February 12, 2016, 09:59:29 am »
I have just set up my own vpn and  interested how you make your ios apps start vpn? I have to turn on and off manually.
Thanks

It has been a few months since I did this, so I don't remember every resource I used to make it work.  However, I definitely remember using this particular one as my main tutorial.

http://simonguest.com/2013/03/22/on-demand-vpn-using-openvpn-for-ios/

My setup was a bit different because in addition to what this person used, I also used per device keys (so it's easy to revoke a specific device's key if it were compromised).  So I had to find a way to make that work with this.

Putting this together was not easy even with the tutorial.  The two best pieces of advice I can give are as follows: First, definitely make sure you have a working VPN setup on your phone before trying to implement this.  This way you can take that part out of the equation when this configuration doesn't work the first time.  Second, make sure to keep an eye on your server side logs to get some clue as to what's going on when things fail.

Lastly, for me using an IP address didn't work to starting the connection.  I had to use a domain.  So I just set up my home network's domain to "home.local" and set it so that whenever my iPhone hits that domain to start the VPN. 

In my opinion, this whole set up works wonderfully.  I'd love for it to auto shutoff the VPN after it's done, but I can live without this.

Offline mcalistair

  • Full Member
  • ***
  • Posts: 178
  • Karma: +6/-3
  • "Luctor et Emergo"
Re: PSA: Disable Remote Access, Use a VPN Instead!
« Reply #7 on: February 14, 2016, 06:23:30 am »
Unfortunately, I had to dig a little to find out how to disable remote access in UI7. Apparently in earlier versions (http://forum.micasaverde.com/index.php/topic,4782.0.html), you needed to set RA_DISABLED to 1 in /etc/cmh-ra/cmh-ra.conf. In UI7, I noticed that it was already set to 1, yet the SSH connection was still being made, even on a reboot. In fact, it doesn't look like that value is even read anymore by the daemon, so who knows why they left it there.

Currently (version 1.7.583 for me), the daemon's init script looks at the "Permissions_Relay" setting in /etc/cmh/services.conf. Change the value of that line from 1 to 0, and then either reboot or run (as root) "/etc/init.d/cmh-ra restart". Then double-check that the daemon doesn't start.

Just wanna say that setting the "Permissions_Relay" setting in /etc/cmh/services.conf to 0 doesn't "survive" a reboot.
It will get reset back to 1. I don't understand why  ???

For now I created a temporary workaround that does survive a reboot (must be rechecked after a FW update):
1. Go to:  /etc/init.d/
2. vi cmh-ra
3. Go to: the function "start()"
4. Comment (add a # in front) of this line:
Code: [Select]
if [ "${Permissions_Relay:-0}" == 0 ]; thenso it becomes:
Code: [Select]
#   if [ "${Permissions_Relay:-0}" == 0 ]; then4. Below that line add a new line:
Code: [Select]
if [ 0 == 0 ]; then5. save changes (esc wq)
6. reboot
7. check to see that the 2 processes for RA are gone (ps -ef)

PS the above is on OS UI7 (for me its an VeraEdge)
« Last Edit: February 14, 2016, 01:06:28 pm by mcalistair »
1x Vera3@UI5 = PROD (1x Edge@UI7 = SandBox ), 15x ZWAVE Devices, 8x 'legacy' X10 devices controlled via Visonic PowerMax Alarm Panel Plugin, 5x Philips HUE devices, 1x iTach IP2CC, 1x Netatmo Weather Station, AltUI

Offline sortadan

  • Jr. Member
  • **
  • Posts: 53
  • Karma: +3/-0
Re: PSA: Disable Remote Access, Use a VPN Instead!
« Reply #8 on: March 16, 2016, 03:12:16 am »
Thanks for this wonderful thread!

ssh root instructions:
http://wiki.micasaverde.com/index.php/Logon_Vera_SSH

verified edits to services.conf are lost on reboot as reported by mcalistair.
Did an equivalent edit to /etc/init.d/cmh-ra to bypass cmh-ra-daemon.sh initialization and am happy with that for now.

Thanks much fellow security-minded home automaters  ;D

Offline yurahuns

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
Re: PSA: Disable Remote Access, Use a VPN Instead!
« Reply #9 on: March 22, 2016, 12:27:36 am »
So, count me in as one of those people that was blown away by the fact that it has ZERO local security.  While I have a remote VPN setup, I'm still overly protective of my network, especially considering that this device can unlock my doors, control HVAC, flip on lights and potentially set off or disable my alarm.

Is local security on the roadmap?  If I used OpenHAB or Home Assistant as the "brains" and the VeraPlus/VeraEdge as the "dumb controller", could I lock it down using the .htaccess methods discussed or perhaps using one of the replacement GUIs?  I've thought about creating a separate VLAN for it, but it would still need to be accessible via some devices on my network, thus giving it/someone a way to just wreak havoc on my household.

Does anyone from Vera monitor these forums and perhaps they could offer some insight?  I really want to like this, but this major, major oversight may just be the final deal breaker to wait on something else.

Offline futzle

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3226
  • Karma: +180/-8
Re: PSA: Disable Remote Access, Use a VPN Instead!
« Reply #10 on: March 24, 2016, 01:15:18 am »
Is local security on the roadmap?  If I used OpenHAB or Home Assistant as the "brains" and the VeraPlus/VeraEdge as the "dumb controller", could I lock it down using the .htaccess methods discussed or perhaps using one of the replacement GUIs?

No, "local security" as you probably mean it will not be on the roadmap. There are good reasons for that. No really, hear me out.

Password authentication over port 80, MAC address filtering, port knocking and other "security-by-obscurity" mechanisms are all vulnerable to packet sniffing and replay attacks.  Bots installed by nefarious people on your PC will absolutely do packet sniffing.  Your "secret" password will be visible to anyone on your LAN. It will be in a database of a hacker in Elbonia in no time.

So you need crypto.  Installing a signed rooted TLS certificate on a Vera is beyond most end users.  Self-signed certificates are hell to work with in most browsers, and they're incidentally beyond most users too.   This is still an unsolved problem with appliances that you stick on your LAN, among which I count Vera.  There are posts in this forum describing how you can put your own certificate on Vera and secure traffic to port 80 (well, port 443).  Once you've secured communication you can think about password authentication again. This level of security comforts some users; it may comfort you too.

TLS still doesn't close the UPnP server listening on port 3480.  UPnP is unencrypted and there's no TLS layer you can wrap around it. The best you can do is firewall it off so that only trusted hosts (or localhost) can access it.  I believe that the "secure your Vera" checkbox may even do this now, but that prevents all local access, which means you now rely on the cloud.  At least you have local security!

Pretty much everything in this subforum is still relevant, so I won't repeat what it says again. Read it. I will finish with by declaring that I've pinned my colours to the VLAN solution: I don't prevent LAN access to Vera, but I prevent Vera access to my LAN.

Offline rumline

  • Newbie
  • *
  • Posts: 2
  • Karma: +0/-0
Re: PSA: Disable Remote Access, Use a VPN Instead!
« Reply #11 on: August 11, 2016, 05:58:43 pm »
The only issue I have with the OP is on the trust issue because that gets into a huge slippery slope.  Just by having a vera (or any other device be it a Mac, iPhone, router, Windows computer, linux computer) on your network you are automatically trusting the entities that provide them for you.  Technically speaking even if you firewall the thing from remote connections, the box itself could be running malware that seeks out the rest of your network for attack from within your network.   My point is that you MUST trust vera by putting the box on your network at all. 
VLAN FTW.  If you can't do VLANs, you could get a 2nd router/firewall and daisy-chain it behind your current one.  Make that where you connect your computers / devices that you care about, and connect your other junk (Chromecast, Nest, Vera, whatever) to the other one. 

Either way, have one WiFi SSID for your devices and another for your laptop/phone etc.  You can always switch to the "devices" SSID anytime you need to interact with / manage them. 

Offline kigmatzomat

  • Sr. Member
  • ****
  • Posts: 255
  • Karma: +8/-0
Re: PSA: Disable Remote Access, Use a VPN Instead!
« Reply #12 on: August 14, 2016, 10:29:41 pm »
This. 

If you have a router with vlans, separate your HA/IoT from your home network.

Otherwise you really need 3 routers for security.
1) gateway to internet that the others connect to
2) PC network
3) HA network - set up with a vpn server so even local connections require a password.

You need 3 because if you have 1&2, the HA devices can hijack DHCP requests to declare themselves the gateway for man-in-the-middle attacks. If you have 1&3, the HA/IoT devices can tracert to get the IP address for 1 and just walk up and down the IP space to attack your pcs.