Complex questions, security, voice control, scenes and many more...newbie!

[quote=“Igroup, post:20, topic:190809”]Net Wifi Configuration was reset again to defaults.

I have the following:

AutoDetect Devices -on
Fail safe tunnels - on

Connection - Manually Config

Net Connection - DHCP ( my router gives it a static IP in subnet)
Firewall - active (only allow LAN connections)
LAN DHCP server - off
Wifi - on, custom WPA2 password, no signal broadcast.

After a while, gets back to defaults. Even now, if applied (save and restart), I am able to access Vera from outside the network from home.myvera website and from both apps, Vera and VeraMate.
Any suggestions?[/quote]

None of the settings above stop you from accessing vera from their secure servers. Are you trying to remove vera from the internet and why?

I just realized that. I don’t feel comfortable having my house automation out on the web, so the only way to eliminate that is to keep it in the LAN only. Then, I understood that if it’s not connected on the Internet, I lose some functions, like notifications and app access. Maybe others too.
I will keep it that way, and hope the servers will do a good job by protecting me. I will check the logs for IP login and times.
Would be nice if Vera login, by LAN, WAN and app would implement a MAC address as a secure login devices. Just like a bank or other sites, only certain devices will allow access.

Thank you again!

[quote=“Igroup, post:22, topic:190809”]I just realized that. I don’t feel comfortable having my house automation out on the web, so the only way to eliminate that is to keep it in the LAN only. Then, I understood that if it’s not connected on the Internet, I lose some functions, like notifications and app access. Maybe others too.
I will keep it that way, and hope the servers will do a good job by protecting me. I will check the logs for IP login and times.
Would be nice if Vera login, by LAN, WAN and app would implement a MAC address as a secure login devices. Just like a bank or other sites, only certain devices will allow access.

Thank you again![/quote]

Sure, you’re safe if your vera never touches the internet, but then you lose a lot of functions which for most would make vera not worth having. I’m not doubting that it has ever happened but I don’t think I have ever seen a post where someone broke into a house via a vera security hole. Also I would think that since vera on a local network by default doesn’t require any password or username, if your wifi or local network got hacked they could gain access freely to your vera. Say if your computer at home was compromised, they could gain access to your vera without needing vera servers, vera password, or vera user.

But I’m not trying to scare you… it’s just you’re never 100% safe and if you live your life in fear and try to hide in a box you’re not doing yourself any good. Home invasions happen every minute of the day and no matter if you don’t even have internet in your house, it’s still vulnerable in some other fashion. How many home invasions have you seen due to internet hacks of smart-home systems?

I recommend just going with the normal flow of the obvious options and make sure your home wifi and vera passwords are good, change them regularly and don’t over complicate yourself.

Thank you again! Now, I just did what you told me, and that’s connecting to Vera from inside the network, not using Vera servers. And, for my surprise, you were right - does NOT ask for authentication! This is a BIG SECURITY hole, in my eyes. I never realized that, I thought that Vera servers do tunneling and connect to the Device using credentials to login into the Device (not servers!). God, was I wrong!

What can I do to secure this device?

Best I can, is to send it to a virtual private network, to still keep it on the internet, or take it out from the internet and … that’s pretty much.

I will start, if it’s ok, a new thread about this - I wish I knew this sooner. If Vera won’t release a new firmware that offers the minimum security to the device, it’s time for me to move on to a new controller. And yes, I am scared to find out this, and anyone should - the internal network can be penetrated or compromised easy, especially when you have servers, NAS, cameras and so that are not up to date and have ports open, including Trojans on everyday used devices.
For myself, knowing that anyone with some good network / security understanding could gain easy access to Vera is a disappointment. It controls my house, in most part.

Thank you for all help - I will write this up as a ticket, to Vera support, and wait for response. Maybe I will start a new thread about it, in case that anyone can come up with a better solution.

[quote=“Igroup, post:24, topic:190809”]Thank you again! Now, I just did what you told me, and that’s connecting to Vera from inside the network, not using Vera servers. And, for my surprise, you were right - does NOT ask for authentication! This is a BIG SECURITY hole, in my eyes. I never realized that, I thought that Vera servers do tunneling and connect to the Device using credentials to login into the Device (not servers!). God, was I wrong!

What can I do to secure this device?

Best I can, is to send it to a virtual private network, to still keep it on the internet, or take it out from the internet and … that’s pretty much.

I will start, if it’s ok, a new thread about this - I wish I knew this sooner. If Vera won’t release a new firmware that offers the minimum security to the device, it’s time for me to move on to a new controller. And yes, I am scared to find out this, and anyone should - the internal network can be penetrated or compromised easy, especially when you have servers, NAS, cameras and so that are not up to date and have ports open, including Trojans on everyday used devices.
For myself, knowing that anyone with some good network / security understanding could gain easy access to Vera is a disappointment. It controls my house, in most part.

Thank you for all help - I will write this up as a ticket, to Vera support, and wait for response. Maybe I will start a new thread about it, in case that anyone can come up with a better solution.[/quote]

Well that’s not what I intended to do and your local network should already be secured, unless you let random people connect.

Before you flip out and run to vera crying about local connection is insecure, Vera already has a check box called “Secure My Vera” and if checked you’ll be required to login through their servers at all times even local connections. Now before you go get all happy and check it, realize that first this is the opposite of what your first post wanted to do (ahahaha) and if the internet is down or vera servers are ever down you will not even be able to connect to your vera locally.

So now that you seem to be totally confused about what you want (is it vera servers or is it your own local security) you might want to take a step back and think about it more logically. I personally trust vera’s servers to be secure enough for me. And I also find myself to protect my local network enough to allow local access. Can I lock them both down better? Sure… Is it necessary? Well I don’t wear tin foil on my head, but that doesn’t mean others don’t.

Personally I think your posts are way too paranoid to own a vera. You’re one of thousands that own a vera and you’re not the first. Go with the flow or just unplug your vera from the internet and lock it in a safe.

EDIT:
Before you say you can’t find that check box, it’s under “Users & Account Info” then “Unit Settings” then toward the bottom under “Secure Vera” . You’ll find you need to be logged into vera servers in order to get to this area to change this… It’s part of their built in security… ;D

I’m not paranoid, but I know what I want, and what everyone should ask for, and that’s security. My options:

-No internet access, I will lose lots of functions, will only connect directly to Vera - if wired, security is as good till physical contact is done with the Device.

–Secure Servers - Maybe the best option, but, as you said, if servers or internet down, there is no access to Vera, period. Security is fine, but reliability is not.

—Leave defaults, with internet on, and hope that none of the household members or any other that will get for a reason or other access to the local network, not isolated, will not be smart enough to scan the network and get into Vera with Administrator rights.

This is my second device that I’ve seen in my life not to require credentials for login (first is cable modems / mostly Surfboards XXXX). Any other network device will require a username and password. Even a dumb printer.

I am not trying to run away from Vera, but to find the right thing to do. Can I do that without any help from Vera support - yes, as I said before, I can do restricted subnets, and mess around with the firewall. This takes work and the right equipment - both acceptable / available in my case but not everyone might have.

I will finish saying that Vera could simply integrate a local login - that would give a lot more peace of mind to anyone owning one, I believe. And, if you or me or anyone else has security flaws on any devices running on LAN (old software, open ports …and so) that can be compromised, I could register my computer on LAN over WAN and gain easy access. And now I just figured out with why my Http would be taken that easy - and I was under the impression that since I’m logged in, no credentials required.

I love Vera, and as I mentioned in the beginning, this was a project that was supposed to happen long time ago. I am not here to change that easy to another system, but to learn and get it right. And, I do like to have my “vehicle doors closed when I open the gate to a stranger or anyone else - it just feels secure”.

Please note:

"Local web access over your home network

Again, if you check the box “Only allow access through the secure FindVera service”, this is not an issue, and you may skip this topic.

By default, Vera comes with no security on your home’s local network. That means that any other computers within your home, on your local network, or connected to your home network with Wi-Fi, can access and control Vera. So, if someone comes into your home and connects to your home network, or if they hack into your Wi-Fi network, or if you have another router acting as a firewall and it becomes compromised, users can control Vera.

If this is a concern, there are a couple preventive measures you can take besides only allowing access through the FindVera service.

On the Users tab, you can create user names and passwords and check the box “Require a username and password to access Vera from within my home network.” This means that even for people within the home, a username and password will be required. This makes Vera as secure as most any other IP device on your home network that requires a username or password. But that is not truly secure. Unlike the FindVera service which uses special encryption like online banking (SSL), you don’t have any special encryption on your home network. So, if somebody hacked into your home network and was able to monitor your network traffic while you logged into Vera, someone who knew about network protocols could get your user username and password to Vera. "

Back to topic - UI7 misses this. Not that is very secured, as mentioned, so most likely sniffing the network will read in plain text, but is better than nothing - my point, like other devices, Vera is or was supposed to be “secure”, but seems like UI7 is new and buggy - there is nowhere to find the option mentioned above.

[quote=“Igroup, post:27, topic:190809”]Please note:

"Local web access over your home network

Again, if you check the box “Only allow access through the secure FindVera service”, this is not an issue, and you may skip this topic.

By default, Vera comes with no security on your home’s local network. That means that any other computers within your home, on your local network, or connected to your home network with Wi-Fi, can access and control Vera. So, if someone comes into your home and connects to your home network, or if they hack into your Wi-Fi network, or if you have another router acting as a firewall and it becomes compromised, users can control Vera.

If this is a concern, there are a couple preventive measures you can take besides only allowing access through the FindVera service.

On the Users tab, you can create user names and passwords and check the box “Require a username and password to access Vera from within my home network.” This means that even for people within the home, a username and password will be required. This makes Vera as secure as most any other IP device on your home network that requires a username or password. But that is not truly secure. Unlike the FindVera service which uses special encryption like online banking (SSL), you don’t have any special encryption on your home network. So, if somebody hacked into your home network and was able to monitor your network traffic while you logged into Vera, someone who knew about network protocols could get your user username and password to Vera. "

Back to topic - UI7 misses this. Not that is very secured, as mentioned, so most likely sniffing the network will read in plain text, but is better than nothing - my point, like other devices, Vera is or was supposed to be “secure”, but seems like UI7 is new and buggy - there is nowhere to find the option mentioned above.[/quote]

You have completely lost me. First you say things like

[quote]If this is a concern, there are a couple preventive measures you can take besides only allowing access through the FindVera service.[/quote]

Then you seem to say the opposite… like the above doesn’t exist

[quote]there is nowhere to find the option mentioned above.[/quote]

Which is it?

As far as I know local access if allowed has no password (you don’t like that, since your local network isn’t secure). Only way to force any user to require a password for local connection is to turn on “secure my vera” which makes every user login first to validate who is who. If you don’t know who is who (have a login process) how can you say this user has to login and this user doesn’t?

[quote]On the Users tab, you can create user names and passwords and check the box "Require a username and password to access Vera from within my home network."[/quote]
This is what I'm talking about. How can you have only certain users require a login? How does it know if it's you or a guest/family member on a local computer?

For what you need I would say you should turn on “Secure My Vera”. This will require a secure login for anyone trying to access your vera local or not, thus making your vera “Secure”. This seems like a logical fit for your needs as far as I can see.

Also, so you know, ui7 (new and buggy as you put it) was introduced with a totally different security system and servers to beef up the security. ui5 servers had much more lenient security put in place which was great for app makers as remote connection setup was much easier.

If you browse that section when ui7 came out it proved to be difficult and created a lot of hate words as security tokens and access permissions were beefed up which makes some tasks like sending http commands from one vera to another like we used to be able to do. So my point is if you still think security is bad on ui7 you should have been around for ui5. Still wasn’t VERA hackers but security was much more relaxed.

This is the Wiki micasaverde link:

http://wiki.micasaverde.com/index.php/UI_Notes

This says:

"Local web access over your home network

Again, if you check the box “Only allow access through the secure FindVera service”, this is not an issue, and you may skip this topic.

By default, Vera comes with no security on your home’s local network. That means that any other computers within your home, on your local network, or connected to your home network with Wi-Fi, can access and control Vera. So, if someone comes into your home and connects to your home network, or if they hack into your Wi-Fi network, or if you have another router acting as a firewall and it becomes compromised, users can control Vera.

If this is a concern, there are a couple preventive measures you can take besides only allowing access through the FindVera service.

On the Users tab, you can create user names and passwords and check the box “Require a username and password to access Vera from within my home network.” This means that even for people within the home, a username and password will be required. This makes Vera as secure as most any other IP device on your home network that requires a username or password. But that is not truly secure. Unlike the FindVera service which uses special encryption like online banking (SSL), you don’t have any special encryption on your home network. So, if somebody hacked into your home network and was able to monitor your network traffic while you logged into Vera, someone who knew about network protocols could get your user username and password to Vera. "

Well, there is not much but this forum help on UI7. These options don’t exist on UI7, and that’s what I was going for.

Sorry for the confusion, I should be more specific, but I lost track at one point.
I do appreciate the help. “Buggy UI7” stands for actions that I’ve seen and apply and failed (see my network reset to default), and by looking on all firmware upgrades (Critical / Improvements). And once again, the system controls your house, your lights - doors, appliances and so on. It’s not your home computer that has something significant to hide, is the gateway access to your home.
About my network security, I’m pretty sure that I’m fine, but it looks that you do not understand the risk that Vera gets exposed to. That’s not only internal, but also external, through any other devices connected to the same network.
I can’t find more info on the new UI7 about this, so this could be something that changed.

[quote=“Igroup, post:30, topic:190809”]This is the Wiki micasaverde link:

http://wiki.micasaverde.com/index.php/UI_Notes

This says:

"Local web access over your home network

Again, if you check the box “Only allow access through the secure FindVera service”, this is not an issue, and you may skip this topic.

By default, Vera comes with no security on your home’s local network. That means that any other computers within your home, on your local network, or connected to your home network with Wi-Fi, can access and control Vera. So, if someone comes into your home and connects to your home network, or if they hack into your Wi-Fi network, or if you have another router acting as a firewall and it becomes compromised, users can control Vera.

If this is a concern, there are a couple preventive measures you can take besides only allowing access through the FindVera service.

On the Users tab, you can create user names and passwords and check the box “Require a username and password to access Vera from within my home network.” This means that even for people within the home, a username and password will be required. This makes Vera as secure as most any other IP device on your home network that requires a username or password. But that is not truly secure. Unlike the FindVera service which uses special encryption like online banking (SSL), you don’t have any special encryption on your home network. So, if somebody hacked into your home network and was able to monitor your network traffic while you logged into Vera, someone who knew about network protocols could get your user username and password to Vera. "

Well, there is not much but this forum help on UI7. These options don’t exist on UI7, and that’s what I was going for.

Sorry for the confusion, I should be more specific, but I lost track at one point.
I do appreciate the help. “Buggy UI7” stands for actions that I’ve seen and apply and failed (see my network reset to default), and by looking on all firmware upgrades (Critical / Improvements). And once again, the system controls your house, your lights - doors, appliances and so on. It’s not your home computer that has something significant to hide, is the gateway access to your home.
About my network security, I’m pretty sure that I’m fine, but it looks that you do not understand the risk that Vera gets exposed to. That’s not only internal, but also external, through any other devices connected to the same network.
I can’t find more info on the new UI7 about this, so this could be something that changed.[/quote]

The link you posted does reference everything to mios.com which is old ui5 stuff, so that could be one problem… But I searched for several keywords you copied and pasted and I don’t see that information anywhere on the link/page above. Maybe it’s on a different page than what you linked. Is UI_notes the right section?

I started with ui5 and have experience with it, but it has been a year since I last ran it so things may be foggy. I don’t remember that in UI5 either.

I’m still a little confused (maybe you’re not) on how vera will know who’s using a local computer (or device) and know when to ask for a user and password or not ask for a user and password based on the check mark under their account like you say? How does vera know if I’m using my computer (laptop or desktop on local network), my kid is using it or a hacker has infiltrated my computer? The only option I see is to always request a login (user and password)… Which is an option already.

[quote]That's not only internal, but also external, through any other devices connected to the same network.[/quote]
It connects loosely to other things on your network, which you allow in and have control of..... Security I mean. If you have a device you don't trust on your local network then you have an insecure network and that should be dealt with. Basically, as long as you make sure all your devices on your network have a secure connection going out of the house all you have to do is watch the perimeter. You shouldn't need to close and lock all interior doors of the house when you leave. Just lock and secure all the exterior doors and windows.

This is why vera allows for either free local access (inside your house) or you can secure it making you check in through a user portal. Your choice.

Sorry, got the wrong link. Here is the one I was talking about:

http://wiki.micasaverde.com/index.php/Security_Concerns

The easiest thing to implement in Vera is a simple login, that will give rights to the user - what I mean is, it is useless to create 10 users with different rights on a server when, once one logs in on LAN, one gets admin privileges. So, the credentials / security should stay on the Vera Device itself, so it will know on Login who can do what, and NOT on the server - well, it can be on both (on server can be cloud login with local login if no internet available).

I did solve roughly the problem on my end, so Vera is user / password protected now. Not the cleanest way, but will do for now. I will play more later.
About insecure network, we all have it, like it or not. If you don’t believe me, read security bulletins, check Metasploit and so on. There are many devices, let’s say your printer, that have lots of vulnerabilities that have never been patched - why? Because nobody really cares. But this is a back door inside your network. And many other examples…

If Vera support will consider a user / password protection on LAN later on, that’s fine. I solved my problem for now, so I’m jumping to learn more about Vera. I think that is time to give Pleg a try now.

Thank you!

Igroup,

For your outdoor stuff 50 feet from the house if it has to go through a wall may be a bit far. I have 4 Aeon labs 4 in 1 Motion sensors and Home Depot siren (re-badged Everspring), both of which are battery powered. I am putting them in a newly built 8x8 storage shed in my backyard, (all wood). The corner of my shed is about eight feet from the corner of the house where a Z-Wave outlet is installed on the other side of the wall, (I can’t say what is inside the wall, I assume wood and insulation), The siding on my house is wood.

In the initial tests I have done with the motion detector and siren I place the motion detector on a ledge at the front of the shed and the siren on a ladder in the middle of the shed. I have had trouble maintaining connectivity with both devices, but especially the motion detector. Also, the motion detector was expending so much juice to try and contact the network that the batteries died within a couple of days, compared to the others that I have in the house (same model) and they have been up and running for several months and the battery is still at 62% as of this moment.

I pulled both devices out and haven’t had time to do more testing and analysis to see what nodes it’s trying to use etc to maintain contact with the network. Hopefully soon I will be able to do so.

I’ve seen advertisements for repeaters/range extenders, but I have no idea if they are really viable or if they are snake oil. It may be something I’ll need to look into for my shed to see if they offer any real benefit.

Gordon

[quote=“Igroup, post:27, topic:190809”]Please note:

On the Users tab, you can create user names and passwords and check the box “Require a username and password to access Vera from within my home network.” This means that even for people within the home, a username and password will be required. This makes Vera as secure as most any other IP device on your home network that requires a username or password. But that is not truly secure. Unlike the FindVera service which uses special encryption like online banking (SSL), you don’t have any special encryption on your home network. So, if somebody hacked into your home network and was able to monitor your network traffic while you logged into Vera, someone who knew about network protocols could get your user username and password to Vera. "[/quote]

Well, not quite… it doesn’t force authentication or HTTP requests, so anyone on the network can get your outputXML, and delete/modify devices.

is there a “Require a username and password to access Vera from within my home network” somewhere in UI7? I can’t seem to find it as an option on the account settings on the latest 7.0.13 firmware. I too have OpenVPN set up, and would like to kill remote access to the Vera from home.getvera.com and only have a local network access with password protection but can’t find any way of accomplishing this currently that will survive a firmware update…

Local network access with a password doesn’t exist without using VERA servers.

[quote]"Require a username and password to access Vera from within my home network"[/quote]
This is found in the UI under users & Account Information/Unit settings/Secure Vera/Check box "Secure Your Vera"

This will now require even local access to login through the secure VERA portal and be forced to enter a valid user and password to login to your vera.

There is no way to turn off the Vera servers and still have that above.

[quote]This is found in the UI under users & Account Information/Unit settings/Secure Vera/Check box "Secure Your Vera"

This will now require even local access to login through the secure VERA portal and be forced to enter a valid user and password to login to your vera.

There is no way to turn off the Vera servers and still have that above.[/quote]

this is the exact opposite of what I want sadly. a company that leaves their https homepage ( https://www.getvera.com ) as the default un-configured hosting provider dummy page (for more than a year now), is not a company i trust to keep their infrastructure fully patched and secured.

have others had success with ssh-ing in to vera as root and killing the phone-home services / configs? it’s definitely technically possible, just a pain to do after every firmware update i imagine. or has anyone found the firewall blocking rule to apply for remote access they feel is a good solution?

[quote=“sortadan, post:37, topic:190809”]

This is found in the UI under users & Account Information/Unit settings/Secure Vera/Check box “Secure Your Vera”

This will now require even local access to login through the secure VERA portal and be forced to enter a valid user and password to login to your vera.

There is no way to turn off the Vera servers and still have that above.

this is the exact opposite of what I want sadly. a company that leaves their https homepage ( https://www.getvera.com ) as the default un-configured hosting provider dummy page (for more than a year now), is not a company i trust to keep their infrastructure fully patched and secured.

have others had success with ssh-ing in to vera as root and killing the phone-home services / configs? it’s definitely technically possible, just a pain to do after every firmware update i imagine. or has anyone found the firewall blocking rule to apply for remote access they feel is a good solution?[/quote]

There are firewall ways of blocking vera server access but then you have a local unprotected login, which is also not what you wanted right?

Do you have any knowledge of vera’s servers or login system compromised? Do you know of any hacked veras due to their servers?

To owensct:
Thank you, I think I could push the signal out, just got to find the right way. I’ll post as soon as get to it. Thank you for the info.

Security issue:
A couple of nights ago, when I realized that LAN control does not require a User / Password, I had Vera moved from the main LAN to a separate one thru a router that requires a user / password for any traffic - I used this router normally to deploy guest networks. Well, then, the second day, I realized that I’m blocking Vera servers, so that was not good.

The best I can do right now, is this:

Create a VLAN that allows only certain devices to connect to it local. Only by Wi-Fi. That’s easy, since you can limit the DHCP range to whatever devices you’ll want to be able to access and enable MAC filtering, and static IP / manual assign IP to those devices. I just did that, so it works fine, but I do have appliances (firewalls / switches and router) handy. Vera still can be accessed by Vera Servers, and communicate with those, but nobody else but specified computers / laptops / phone / tablets can access the VLAN.

Personally, I won’t care much about LAN insecurity, but my work is in IT, and I might deploy new “Vera’s” to businesses. If the right balance between security / efficiency / redundancy is not found, my company will be responsible. I know it’s soon to talk about this now, but so was with every product that I deployed before - I’m sure that in less than a year I will master enough Vera to be able to know what works, what doesn’t and how.

PRICE ALERT: For those who are interested in GoControl kit, (1 motion, 2 window/door sensors = $ 50.00) and (1 motion, 3 window / door and 1 siren = $ 100.00), I was able to find them randomly at HOMEDEPOT for 1/2 price, respectively $ 25 and $ 50. My reports on this (I bought all the stock they had, at 3 stores, twice, but I’m sure I’ll find more) is this:

-Window / Door Sensors - not bad, really no complaints there. None failed on me, a little big but can be nicely hidden if the frame door / window is cut into.
-Siren - not bad, can choose between strobe / light or siren only - this will work as a repeater, but I believe ONLY if Plugged in with an adapter that is not provided.
-Motion - Good luck with that - It works, but not great, and when it works, it takes about 3 min. to reset. Test jumpers don’t work. Pet … I don’t know. Settings can be changed to a limit. It says it can be used for Scenes, but can’t be reliable. Why: Let’s assume, you have lights on motion, lights off no motion with 1 minute delay. For me, lights ON works and don’t. And when they work, I have about 5 seconds delay. I also had false “motion” due to PIR temperature sensor - there is no motion, just temp change sensor, of course. Lights off, if you don’t have delay and after resetting the sensor from motion to active and no movement at that second, even if in the room, will shut down lights. If you do delay, will do the same, but if in the room it may not reset the sensor. It works a bit better with delay.

Price is great, anyway.

Thank all for input. Just ordered a bunch of z-wave outlets. I’m running out of products here. I’m still looking for a zwave panel to work as a security panel, I found Lynx 7000 and others, but looks like you’ll have to register your sensors with Lynx, meaning they are not anymore on Vera. I will call Honeywell tomorrow and find out more.

Thank you again!
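
The segmentation described under “Security issue” in the post above, sketched as an nftables ruleset for a Linux router; this is an added example, not configuration posted in the thread, and it is a variant in which the allow-listed clients stay on the main LAN and are admitted through the router instead of joining the VLAN. IP and MAC addresses can be set by the device that holds them, so the allow list narrows who can reach the unauthenticated local UI but does not authenticate anyone. Interface names, addresses, MAC addresses and the UI port are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Everything named here is an assumption:
#   wan0  - uplink to the Internet
#   lan0  - main home LAN (192.168.1.0/24)
#   vera0 - VLAN interface that holds only the Vera controller
# Address translation and the router's own input rules are left to the
# existing configuration; this table only filters forwarded traffic.

define VERA_IP  = 192.168.20.10   # controller's static address (constructed)
define UI_PORTS = { 80 }          # port(s) the local UI answers on (assumed)

# Create-then-delete makes reloading this file idempotent
table inet vera_segment
delete table inet vera_segment

table inet vera_segment {
    # Client devices allowed to reach the controller, pinned as IP + MAC
    # pairs so a static DHCP lease and the hardware address must both match.
    # Both entries are constructed sample values.
    set vera_clients {
        type ipv4_addr . ether_addr
        elements = {
            192.168.1.21 . 02:00:00:00:00:21,
            192.168.1.22 . 02:00:00:00:00:22
        }
    }

    chain forward {
        # Default deny: anything not matched below is not forwarded.
        # This includes IPv6 and new connections from the controller
        # towards the main LAN.
        type filter hook forward priority 0; policy drop;

        # Replies belonging to connections that were allowed when opened
        ct state established,related accept
        ct state invalid drop

        # Allow-listed clients on the main LAN may open the local UI
        iifname "lan0" oifname "vera0" ip saddr . ether saddr @vera_clients ip daddr $VERA_IP tcp dport $UI_PORTS ct state new accept

        # The controller may reach the Internet, so notifications, the
        # apps and access through the Vera servers keep working
        iifname "vera0" oifname "wan0" accept

        # The main LAN keeps its normal Internet access
        iifname "lan0" oifname "wan0" accept

        # Every other attempt to reach the controller's segment is counted
        # and logged, giving a record of which LAN hosts are probing it
        iifname "lan0" oifname "vera0" counter log prefix "vera-denied: " drop
    }
}
```

`nft -c -f <file>` parses the ruleset without applying it, and `nft -f <file>` loads it.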