Forbes: Vera Security Questioned

Interesting article in Forbes: Vulnerability Warning: Hackers Can Haunt Homes Hitting Horrible Honeywell Security Holes

It appears to be a cross site vulnerability problem from last year. I assume it’s been addressed.

It would be good to know for sure. Hopefully someone from Vera can respond.

Based on the article it sounds like the affected Vera was running Ui5, which has far weaker security when accessed via cp.mios.com than Ui7 accessed via home.getvera.com. However, both Ui5 and Ui7 are still vulnerable if the attacker manages to get on the same local network, unless you have ‘secure my vera’ checked, which forces login via the servers.

But it’s nowhere near as bad as Fiat/Jeep/Chrysler vehicles with UConnect. Since the local Sheriff’s dept is in the process of switching from Crown Vics to Dodge cruisers, I’m sure they are not happy with that vulnerability. “Dispatch, I lost them, they hacked my cruiser and switched off my engine!”

I’ve secured my WiFi as best as possible with decent encryption (AES) and a pretty difficult password, as well as MAC filtering: only listed MACs can connect. That doesn’t mean it’s impenetrable, it just means it takes a seasoned hacker rather than a script kid.

For the local LAN, why doesn’t Vera require a login like wireless routers do? From my understanding, one of the issues with the secure my vera is that if your internet goes out, you wouldn’t be able to log in?

Edit: I retract my question, as this has been answered.

[quote=“mrv777, post:4, topic:188193”]For the local LAN, why doesn’t Vera require a login like wireless routers do? From my understanding, one of the issues with the secure my vera is that if your internet goes out, you wouldn’t be able to log in?[/quote]

This subject has been covered many times in this forum. There are even explanations on how you can add password controlled access to your Vera’s web UI. See .htaccess.

The primary reason for it not being implemented from the factory is that while it might make the clueless feel good, it would not secure the Vera in any meaningful way, but it would break many current and desirable behaviors.

Vera’s present design is based on the UPnP standard which essentially requires unauthenticated access to the control interface. That’s part of the reason why security people recommend disabling UPnP on routers. Unauthenticated opening of firewall ports equals not so good.

Of course, Vera could, and may eventually, redesign the entire system to eliminate this access method. The Secure my Vera option is a major step in that direction. But, as you’ve realized, it breaks local access. What you probably didn’t realize is that it also breaks local access for integrating other devices. Things like the Amazon Echo integration and the HomeKit gateway that are currently being so heavily discussed on this forum won’t work if Secure my Vera is enabled.

If you’re feeling like spending some time and effort, you could manually configure your Vera’s firewall to block “everything” but permit a specific list of allowed device(s) on your LAN. Again, this might make people feel secure, and I suppose it is quite a bit more secure than wide open access, but it doesn’t defend against the “attacker” using your allowed IP address. The point being that once you start allowing exceptions for any type of local access, then the security is so weak that you may as well not bother. So far, this has been the route that Vera has chosen. Either secure or wide open.
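As an added illustration of the "block everything, allow a short list of LAN hosts" approach described in the post above (example written for this thread, not code from Vera/MiOS or from the poster), here is a POSIX shell script that generates the corresponding iptables rules for the controller's local web UI port. It assumes the controller runs Linux with iptables, that the UI listens on TCP port 80 on interface eth0, and uses a constructed allowlist of two addresses; all of those values are placeholders. The rules are emitted as text rather than executed so they can be reviewed first, and the `ui_verdict` helper spells out the caveat the post makes: any host presenting an allowed address is accepted, so this is a filter on addresses, not an authentication of devices.

```shell
#!/bin/sh
# Added example, not from the forum post or from Vera/MiOS.
# Assumptions (all placeholders): the controller runs Linux with iptables,
# its local web UI listens on TCP port 80 on interface eth0, and the two
# addresses below are constructed sample values for permitted LAN hosts.
UI_PORT=80
LAN_IF=eth0
ALLOWED_HOSTS="192.168.1.10 192.168.1.20"

# Emit the rule set for review. Order matters: listed hosts are accepted,
# everything else reaching the UI port from the LAN is dropped.
# Apply with:  build_ui_allowlist | sh   (as root, after reviewing the output)
build_ui_allowlist() {
    printf 'iptables -N ui_allow 2>/dev/null\n'   # create chain if missing
    printf 'iptables -F ui_allow\n'               # start from an empty chain
    for h in $ALLOWED_HOSTS; do
        printf 'iptables -A ui_allow -s %s -j ACCEPT\n' "$h"
    done
    printf 'iptables -A ui_allow -j DROP\n'       # default for the UI port
    # Hook the chain in front of INPUT for traffic to the UI port only.
    printf 'iptables -I INPUT -i %s -p tcp --dport %s -j ui_allow\n' \
        "$LAN_IF" "$UI_PORT"
}

# Number of ACCEPT rules generated (one per allowed host).
count_allow_rules() {
    build_ui_allowlist | grep -c -- '-j ACCEPT'
}

# What the chain above would do for a packet claiming the given source
# address. This makes the post's caveat explicit: an attacker who uses an
# allowed address (e.g. by spoofing or reusing it) gets ACCEPT like anyone else.
ui_verdict() {
    for h in $ALLOWED_HOSTS; do
        if [ "$1" = "$h" ]; then
            echo ACCEPT
            return 0
        fi
    done
    echo DROP
}

# Stand-alone run: print the rules and a couple of sample verdicts.
if [ "${1:-}" = "--show" ]; then
    build_ui_allowlist
    printf '%s -> %s\n' 192.168.1.10 "$(ui_verdict 192.168.1.10)"
    printf '%s -> %s\n' 192.168.1.99 "$(ui_verdict 192.168.1.99)"
fi
```

Run with `sh allowlist.sh --show` to see the generated rules; nothing is applied unless the output is piped to a root shell. Note that, as the post says, enabling this does not replace Secure my Vera, and any integration device on the LAN must be in ALLOWED_HOSTS or it will lose access to the UI port.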