Author Topic: No Login ID/Password required for LAN access  (Read 1458 times)

Offline z-wav

No Login ID/Password required for LAN access
« on: April 01, 2016, 10:15:04 am »
How does one set up a VeraPlus to require Login ID & Password when accessed even from LAN?

Being able to access and modify VeraPlus settings, along with controlling things like Thermostats, Garage Door openers, and Door Locks without first being required to authenticate - is a big big security hole.

Offline Brientim

Re: No Login ID/Password required for LAN access
« Reply #1 on: April 01, 2016, 05:06:39 pm »
That is your opinion... But that implies you have open access across your network for "is a big big security hole." This is designed and not an omission of security.🔓

There has been an extreme outpouring of opinions on this and if you ever want to research it, the forum contains reason, logic and other information relevant to the subject. 😉

The other option is User & Accounts > Unit Setting > Secure my Vera... 🔐

However, this is not what you asked for as it will do basically what it states and disable a number of functions which I state are by design🍺 as it does not include Full Access control.

You may wish to investigate the two options and determine the appropriate risk and suitability for you.

Offline z-wav

Re: No Login ID/Password required for LAN access
« Reply #2 on: April 01, 2016, 06:39:28 pm »
Quote
that implies you have open access across your network for "is a big big security hole."

You are quite wrong.  I have NO open access.

Issue is leaving a device wide Open on even a closed network.  Should a Hacker find a way in closed network (which happens all too often - thanks to mistakes in hardware, software, & firmware), you don't want a device that is wide open for further hacking.  Especially one that involves Door Locks, Opening Garage Doors, and possibly doing harm via extreme thermostat settings.


Offline z-wav

Re: No Login ID/Password required for LAN access
« Reply #3 on: April 01, 2016, 06:53:00 pm »
Quote
There has been an extreme outpouring of opinions on this and if you ever want to research it, the forum contains reason, logic and other information relevant to the subject. 😉

Let me understand this.  People are against a Check Box that enables the Option to require a Login-ID / Password for LAN access, but have no problems with a Check Box that disables LAN access and forces access only through a Relay (remote)?

Offline Brientim

Re: No Login ID/Password required for LAN access
« Reply #4 on: April 01, 2016, 07:16:47 pm »
The arguments have gone both ways...  I think if you did a survey, most won't secure Vera due to loss of functionality; however, they would be advocates for role-based access control than currently exists or more access control especially over individual devices.

http://forum.micasaverde.com/index.php?topic=15425.0

Have a look at the above thread.   


Offline futzle

Re: No Login ID/Password required for LAN access
« Reply #5 on: April 02, 2016, 05:50:22 am »
Quote
Let me understand this.

Yes, let's.

Quote
People are against a Check Box that enables the Option to require a Login-ID / Password for LAN access, but have no problems with a Check Box that disables LAN access and forces access only through a Relay (remote)

The remote relay uses HTTPS (i.e., TLS) so it is immune to packet sniffing on the LAN.  A direct connection on the LAN would probably* be over HTTP, so any proposed username/password would be transmitted in plaintext and visible to any other device on the LAN that is able to capture packets.  You've stated, correctly, that a threat is a malicious program or virus or worm that finds its way onto your LAN.  Such malicious programs can and will do packet sniffing.  A username/password over unencrypted HTTP will be noticed, captured, and then used by the malicious program or its owners for their own ends.

Precis: Without end-to-end encryption, a password does not reduce the risk of exploitation by malicious agents that can eavesdrop on traffic.

I imagine that the engineers at Vera Control have performed this exact same risk analysis and come to the same conclusion.  A password for LAN access would provide comfort to users without any actual benefit.

* If you can solve the usability problem of self-signed certificates, and make HTTPS the default protocol for Vera out of the box without affecting user experience, this problem goes away.  You will also be a very wealthy person.

Offline RichardTSchaefer

Re: No Login ID/Password required for LAN access
« Reply #6 on: April 02, 2016, 10:39:43 am »
In today's world almost any device that attaches to the network (Computers, Tablets, Game Systems, TVs, Vera, Cable Boxes, DVD players, Stereo Tuners, Media Players, Cameras, Printers, .... ) all can be used as a base for an exploit on your LAN.

The pragmatic way to deal with security is to:
   1) Secure your Network ...  NO incoming connections except maybe a VPN
   2) Trust the devices you install on the network.

By design/conformance to industry standards (UPNP)  Vera can NOT secure all of its protocols.  So anyone that has LAN access has access to the Devices connected to Vera ... even if you secure the Browser Connection.
If that does not work for you I suggest a different (Non Vera) solution.

Also any device you can download programs (Like Vera downloading Plugins) also opens up a potential source of malware. Most of the GOOD software on Vera comes from 3rd party developers ... any one of us could use Vera to exploit your LAN.

The question is who, what, and how much do you Trust?

Offline z-wav

Re: No Login ID/Password required for LAN access
« Reply #7 on: April 02, 2016, 11:27:17 am »
Quote
You've stated, correctly, that a threat is a malicious program or virus or worm that finds its way onto your LAN.  Such malicious programs can and will do packet sniffing.

I was thinking more along lines of yet another found flaw (or backdoor) in some Firewall, Router, WiFi hardware, software, firmware.  Whereby, ScriptKiddies gain access to LAN.  From there any wide open device takes no further hacking skills.  A case of Point-n-Click to Unlock home or wreak havoc on home by turning on AC during winter or Heat during Summer.

Until now, only open device on my Closed LAN was a printer.  Even printer requires Admin Login/Password to make changes.


Offline z-wav

Re: No Login ID/Password required for LAN access
« Reply #8 on: April 02, 2016, 11:32:43 am »
Quote
The pragmatic way to deal with security is to:
   1) Secure your Network ...  NO incoming connections except maybe a VPN
   2) Trust the devices you install on the network.

I think that is really an OR situation.    :D

I am going with already Secure (closed & no incoming connections) Network.
AND
Not trusting devices installed on network that lack even basic security.

Being the answer to my Original Post Question is - You can't (and it ain't going to happen)...
I have chosen to pull-plug on VeraPlus.