My Vera system has been great in a lot of ways, but something has been bothering me...
For someone unfamiliar with network security, Vera may appear relatively secure. Take this for example: http://support.getvera.com/customer/portal/articles/1719039-q-how-secure-is-my-vera-system-?b_id=712
The answer focuses only on the security of Z-Wave, and while Z-Wave itself may be secure (though I suspect there are numerous undiscovered/undisclosed vulnerabilities), the Vera system is only as secure as its weakest link.
That weakest link is without a doubt the network connection. Let me explain:
Some people are surprised/worried about the lack of local security (http://forum.micasaverde.com/index.php/topic,30828.0.html), but this doesn't really bother me. Most people use Vera behind a private, protected WiFi network, so unless they're handing out their WiFi credentials to random/untrusted people, the local security thing isn't too much of an issue.
The real problem is that Vera is set up to enable remote access by default, and nowhere is it obvious how to turn that off.
Why is remote access bad, you ask? Obviously, remote access is something people want. Part of the beauty of home automation is the ability to do things remotely. But the way it's implemented by Vera is bad. It's bad because even though we'd like to think that our password makes it only accessible to ourselves, that's not true. The truth is, anyone at Vera - and by extension anyone who happens to hack Vera's servers or set up a secret agreement with Vera (i.e., the NSA) - has full access to your home.
Call me a tinfoil hat if you'd like, but in a post-Snowden world, we know this isn't the stuff of fiction anymore - it's happening right at this very moment, and it's pretty scary stuff. If you've got any substantial home automation hardware in your home, the stakes are much higher. We're talking about 24/7 access to webcams and microphones, the ability to lock/unlock doors at any time, even the ability to control your home's HVAC system with the potential to literally burn your house down and/or kill you.
Even without that kind of home automation hardware, the remote access to your Vera device is set up in such a way that it allows full, unrestricted remote access to your entire home network. So if you've got anything critical or sensitive anywhere on your home network / personal computer, that's also at risk.
Again, call me crazy, but how/why/when would anyone give that level of power to someone they don't trust 100%? By definition, we can't trust Vera 100% because we aren't Vera. I don't care if they have periodic security audits, SSL certificates, or whatever-bit encryption. So did Target and Home Depot (and they got hacked). So do Microsoft, Google, Yahoo, and Facebook (but we know the NSA is collecting their data from back doors).
So just "unassociate" your Vera device with your online account, you say? The trouble is, if it's ever been associated, your device will keep trying to "phone home" either way. Even if you change your password, Vera's relay servers will still have access to your device and home network.
It's not about setting a local password on your Vera, or Vera's servers getting access to your device; that's not how it works. Your device has SSH keys for Vera's servers, and as long as it has an internet connection at all, it will try all day long to connect to them and set up a reverse tunnel (a path for them to connect to your local device / local network). Again, that tunnel does not use a password for authentication; it uses Vera's keys, so anyone with access to Vera's servers has full access to your device/network without the need for a password.
To make matters worse, the "Secure your Vera" setting in UI7 sounds like it's adding extra security to your Vera. In reality, it makes your Vera only accessible via Vera's relay servers. It's causing users to depend on that third-party relay 100%, where that's the weakest link in the whole chain.
So what can be done? Well, if you ask me, Vera should at the very least:
- Provide an option in the UI to disable remote access
- Be more clear and upfront about how remote access works and the security implications
- Implement, or at least clearly document alternatives for remote access (such as VPN)
Obviously, for the truly paranoid there's no way around it - if you have your device connected to the internet in any way, you're opening yourself to a certain level of risk. But for a practically-minded, security-conscious person wanting the convenience of remote access, the best solution would be to (1) disable remote access via Vera's servers and (2) use your own private VPN server within your home network to connect when you need remote access.
Vera could implement this in an easy-to-use, secure way by doing the following:
- Provide a VPN server built in to the Vera firmware, along with links to popular VPN clients and client configurations to make configuration easy.
- Allow (or better, force) VPN keys to be generated somewhere outside of Vera's control
- Publish the firmware source code so that it can be externally audited, especially with respect to the possibility for leaking keys.
In the meantime, I recommend doing the following:
- Set up your own VPN server on your home network, and configure your phone/laptop to connect to it whenever you need remote access
- Disable Vera's remote access
Unfortunately, I had to dig a little to find out how to disable remote access in UI7. Apparently in earlier versions (http://forum.micasaverde.com/index.php/topic,4782.0.html), you needed to set RA_DISABLED to 1 in /etc/cmh-ra/cmh-ra.conf. In UI7, I noticed that it was already set to 1, yet the SSH connection was still being made, even on a reboot. In fact, it doesn't look like that value is even read anymore by the daemon, so who knows why they left it there.
Currently (version 1.7.583 for me), the daemon's init script looks at the "Permissions_Relay" setting in /etc/cmh/services.conf. Change the value of that line from 1 to 0, and then either reboot or run (as root) "/etc/init.d/cmh-ra restart". Then double-check that the daemon doesn't start.
As an extra precaution, you should probably (as others have suggested) also block TCP port 232 outbound from the IP address in your router. Or block all outbound traffic, though that may have other side effects.
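As an added example (these are not the post's own commands and not Vera's firmware code), the following POSIX shell functions script the steps above: flip the Permissions_Relay setting, confirm the relay daemon is not running, and emit the router rule that blocks the Vera's outbound TCP/232 connections. Everything beyond what the post states is an assumption and is marked as such in the comments: that services.conf carries the setting on a single line of the form `Permissions_Relay=1`, that the relay shows up in `ps` as `cmh-ra` or as an `ssh` process with a reverse tunnel (`-R`), and that the router is Linux/iptables based. The process listing used for the check is read from stdin, so a constructed sample can be tested without touching a real device.

```shell
#!/bin/sh
# Added example, not code from the original post or from Vera/MiCasaVerde.
# ASSUMPTION: /etc/cmh/services.conf holds the setting as "Permissions_Relay=1"
# (optionally with spaces around "="); adjust the regexes if yours differs.

# set_permissions_relay CONF VALUE
# Rewrite the Permissions_Relay line in CONF to VALUE (0 disables the relay).
# Keeps a backup as CONF.bak and writes via a temp file so a failed sed
# never truncates the live config. Returns non-zero if the line is absent.
set_permissions_relay() {
  conf="$1"; value="$2"
  grep -q '^Permissions_Relay[[:space:]]*=' "$conf" \
    || { echo "no Permissions_Relay line in $conf" >&2; return 1; }
  cp "$conf" "$conf.bak" || return 1
  sed "s/^\(Permissions_Relay[[:space:]]*=[[:space:]]*\)[01][[:space:]]*$/\1$value/" \
    "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# get_permissions_relay CONF: print the current value (empty if the line is missing).
get_permissions_relay() {
  sed -n 's/^Permissions_Relay[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1"
}

# relay_processes: read a `ps` listing on stdin and print the lines that look
# like the relay daemon or its reverse ssh tunnel. Exit status 1 means none found.
# ASSUMPTION: the daemon is named cmh-ra and the tunnel is "ssh ... -R ...".
relay_processes() {
  grep -E 'cmh-ra|ssh .*-R' | grep -v grep
}

# block_relay_rule VERA_IP
# Router-side rule (ASSUMPTION: Linux/iptables router) rejecting the Vera's
# outbound TCP/232 connections. With DRY_RUN=1 the rule is only printed;
# otherwise it is applied, which needs root on the router.
block_relay_rule() {
  rule="iptables -I FORWARD -s $1 -p tcp --dport 232 -j REJECT"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$rule"
  else
    $rule
  fi
}

# The post's procedure, to be run on the Vera as root (left commented so the
# file can be sourced safely on any machine):
#   set_permissions_relay /etc/cmh/services.conf 0
#   /etc/init.d/cmh-ra restart
#   if ps w | relay_processes; then echo "relay STILL running"; else echo "relay not running"; fi
# and on the router, once, substituting the Vera's LAN address:
#   block_relay_rule 192.0.2.10
```

Note that the backup file is the simplest way back if the setting turns out to be needed again; copying it over services.conf and running the same restart reverses the change.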