I have a Mi Casa Verde VeraLite Home Controller with the latest version, and I’m constantly receiving messages warning me that there are unauthorized logins to the controller.
I’ve had a ticket open with Vera support since June 21st and so far there’s been almost no response. They only respond about once a week with a standard response that’s only vaguely related to the issue or simply summarizes what the issue is with no further help. It seems like they don’t want to acknowledge the issue, they don’t know what to do, or maybe they are in the process of going out of business? Is this the same support that they’ve always had? Should we be transitioning to another, more secure product?
Hi Pete,
I can assure you we are very much in business and we are here to help. After further analysis of your case we found that the alerts you’re seeing are nothing but normal alerts generated when you are logging in on the gateway.
The only issue there is that the IP addresses that are being shown are matching our relay servers, instead of your own external IP address and we are currently working on addressing this.
It seems GetVera leases space from linode.com and is also on Amazon’s AWS cloud. It looks like your DNS server has some issues resolving to the right names. I’m wondering if that’s part of your issue.
There is NO uniqueness requirement in the internet for a REVERSE IP lookup.
The key thing is that a DNS address maps to the correct address.
This is validated via an HTTPS connection … because the encryption certificate for the server is verified with the DNS name.
Found this topic by searching for the IP address my Vera connects… I’m fine that Vera connects to the “centralized management”. I’m fine that these servers are at Linode or Amazon AWS. But Vera connects over TCP/23… Unencrypted TELNET port. And transmits something over the Internet IN CLEAR TEXT.
I see that it was mentioned in an earlier post.
Is this legit?
I have NO cameras on my Vera, but it’s transferred almost 400 MB in the last 3 days.
This feels on the high side…
Anyone have any thoughts on that address?
If they are using telnet, that’s a big deal. Any technology body in existence today will tell you that it is a bad and unnecessary practice.
I’m going to look for someone from Vera to provide a statement here. If they are still using telnet and cannot say that you will be transitioning away from it ASAP, I’m done as a customer. I don’t care what they are transmitting over telnet; the fact that it is even on their list of available protocols at all would be enough to tell me that my data is not in the hands of someone with appropriate security controls to be trusted with it.
Buy a Raspberry Pi Zero or Zero W ($10 or so) and a micro USB to cat5 adapter ($8) and install Raspbian Jessie. Then install Pi-Hole (https://pi-hole.net/). Easiest solution ever (just a few simple questions) and it even keeps ads away in your phone apps, as well as preventing Vizio TVs from spying on you.
The built-in webserver shows you exactly which devices are trying to go where. A simple click and access is blacklisted or whitelisted. I’ve had this running on a Pi 3 for several months but since arrow.com is giving me a free Pi Zero W, I’m going to use that one and free the Pi # up for something else.
Do realize, if you have plug-ins installed, it may be those that are accessing certain sites and not Vera itself.
If you have a hub (not a switch, a hub) you can put it between the Vera and your router, plug a PC into the hub and use a packet capture tool like Wireshark to watch the data and open up those unencrypted packets.
[quote=“BOFH, post:11, topic:188153”]Buy a Raspberry Pi Zero or Zero W ($10 or so) and a micro USB to cat5 adapter ($8) and install Raspbian Jessie. Then install Pi-Hole (https://pi-hole.net/). Easiest solution ever (just a few simple questions) and it even keeps ads away in your phone apps, as well as preventing Vizio TVs from spying on you.
The built-in webserver shows you exactly which devices are trying to go where. A simple click and access is blacklisted or whitelisted. I’ve had this running on a Pi 3 for several months but since arrow.com is giving me a free Pi Zero W, I’m going to use that one and free the Pi # up for something else.
Do realize, if you have plug-ins installed, it may be those that are accessing certain sites and not Vera itself.[/quote]
Unfortunately this doesn’t work with the Vera. The device hardcodes Google DNS 8.8.8.8 and 8.8.4.4, so you won’t see DNS requests show up in Pi-hole. I had to add firewall rules that redirect DNS going to Google and have it go to Pi-hole. Vera customer support’s response wasn’t satisfactory on why they ignore DNS given out via DHCP.
[quote=“mvader, post:8, topic:188153”]I’m seeing a lot of traffic to/from my Vera
173.255.250.75 ? li260-75.members.linode.com
I see that it was mentioned in an earlier post.
Is this legit?
I have NO cameras on my Vera, but it’s transferred almost 400 MB in the last 3 days.
This feels on the high side…
Anyone have any thoughts on that address?[/quote]
This looks legit. The Vera relay servers are at Linode and the hard-coded DNS names in /etc/cmh/servers.conf resolve to those IP addresses.
Vera uses a bunch of different servers for various parts of their infrastructure. Most are hosted at Hurricane Electric, a couple (the relay servers) use Linode, QuadraNet is used for provisioning, and logs seem to go to a Romanian server.
The logs can (and do) contain PIN info for security systems in the clear, as well as other sensitive info, so that is my greatest concern. Especially since, in the past at least, it was using standard FTP to transfer over the internet rather than their TLS / SSH tunnel.
You can see the server assignments in the /etc/cmh/servers.conf file. I have posted in the past how to redirect the logs locally by spoofing the DNS resolution locally for the logs servers.
Although I could probably do a better job tracking every outbound connection from my Vera, from what I have seen, there has been no use of Telnet from my home Vera. Maybe a specific plugin vs. the core services?
Also, just because something is using TCP/23 does not mean that it is actually unencrypted TELNET protocol. It just means that this port is being used, and other services could be listening on the port instead of TELNET. The best way to verify is to use a sniffer inline or by spanning the switch port and actually look at the traffic to see if it is clear or obfuscated/secured in some way.
If I get a chance this coming weekend I’ll drop a dumb hub in line between Vera and my cable modem so the traffic is promiscuous, then run Wireshark against Vera’s WAN-side IP to see what’s talking and how.
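One way to do the check described above (judge the bytes on the wire rather than trust the port number), as an added Python example that is not from this thread or from Vera: it labels a captured TCP payload by TLS record header, telnet IAC option negotiation, printable-ASCII ratio and Shannon entropy. The sample payloads are constructed, not captured from a real device, and the 0.9 / 6.5 thresholds are assumed heuristics.

```python
import math
from collections import Counter

# Constructed sample payloads (not captured from a real Vera); for illustration only.
TELNET_NEGOTIATION = b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"   # IAC DO TERMINAL-TYPE, ...
CLEARTEXT_LOGIN = b"login: admin\r\npassword: 1234\r\n"                    # what a telnet login looks like
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01]) + bytes(range(200))  # TLS record header + body
OPAQUE_BLOB = bytes(range(256))                                            # every byte value once: entropy 8.0

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # ASCII text plus tab, LF, CR

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed data, typically 4 to 5 for plain ASCII text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (or tab/CR/LF)."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0

def looks_like_tls_record(data: bytes) -> bool:
    """TLS record header: content type 0x14..0x17, then version 0x03 0x00..0x04."""
    return len(data) >= 5 and 0x14 <= data[0] <= 0x17 and data[1] == 0x03 and data[2] <= 0x04

def has_telnet_iac(data: bytes) -> bool:
    """Telnet option negotiation: IAC (0xFF) followed by WILL/WONT/DO/DONT (0xFB..0xFE)."""
    return any(data[i] == 0xFF and 0xFB <= data[i + 1] <= 0xFE for i in range(len(data) - 1))

def classify_payload(data: bytes) -> str:
    """Label one TCP payload; the 0.9 printable and 6.5-bit thresholds are assumed heuristics."""
    if not data:
        return "empty"
    if looks_like_tls_record(data):
        return "tls"
    if has_telnet_iac(data):
        return "telnet-negotiation"
    if printable_ratio(data) >= 0.9:
        return "cleartext"
    if shannon_entropy(data) >= 6.5:
        return "opaque-or-encrypted"
    return "binary-unknown"

def summarize(payloads) -> dict:
    """Count labels over all payloads of a capture, e.g. everything seen on TCP/23."""
    return dict(Counter(classify_payload(p) for p in payloads))
```

Feed it the TCP payloads exported from a Wireshark capture of the TCP/23 stream; a stream that is all "tls" or "opaque-or-encrypted" is not cleartext telnet, whatever the port.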
This is interesting, as I do see entries in the pi-hole log for my Veras. All of mine are set up in the net & wifi section of the settings for DHCP, and there is an option there to set the DNS, which is pointed to ‘my leetle friend’ pi-hole. If I am reading you right, not all of Vera’s traffic uses that setting but instead uses a hard-coded Google DNS? Thank you, time to update my firewall.
Attached is what my VeraPlus is doing currently as captured by Pi-Hole. (I’ve masked the IP address for privacy)
[quote=“mike4kz, post:7, topic:188153”]Found this topic by searching for the IP address my Vera connects… I’m fine that Vera connects to the “centralized management”. I’m fine that these servers are at Linode or Amazon AWS. But Vera connects over TCP/23… Unencrypted TELNET port. And transmits something over the Internet IN CLEAR TEXT.[/quote]
This is false, ALL inbound and outbound data is encrypted. No sensitive information is sent in clear text.
Ports do not have vulnerabilities. The services listening on the ports do. Which is not the case here.
Information in the servers.conf file is dynamic and constantly changes based on certain factors like geographic location and the load of a certain server.
The bulk of our development team is located in Iasi - Romania, hence the location of the logs servers. Alongside a handful of other servers around the world, for redundancy and geographic reliability.
Our customers’ privacy and data security is paramount to us, and our security team is constantly improving and updating the security layer, based on the latest threats.
If you might have something to report or found a vulnerability don’t hesitate to contact us. But posting publicly all these assumptions does nothing more than creating an unnecessary fear factor.
[quote=“John M., post:18, topic:188153”]Hi there,
This is false, ALL inbound and outbound data is encrypted. No sensitive information is sent in clear text.
Ports do not have vulnerabilities. The services listening on the ports do. Which is not the case here.
Information in the servers.conf file is dynamic and constantly changes based on certain factors like geographic location and the load of a certain server.
The bulk of our development team is located in Iasi - Romania, hence the location of the logs servers. Alongside a handful of other servers around the world, for redundancy and geographic reliability.
Our customers’ privacy and data security is paramount to us, and our security team is constantly improving and updating the security layer, based on the latest threats.
If you might have something to report or found a vulnerability don’t hesitate to contact us. But posting publicly all these assumptions does nothing more than creating an unnecessary fear factor.[/quote]
Great to hear that you are geographically distributing the services. This makes it more resilient than some of the other common HA systems that have less robust designs with a single cloud provider within a single AZ or region. Within that file there is a static section. The static section seems self-explanatory and the host names do not have any country designator.
For the ‘dynamic’ section, is that created based on the region the Vera is installed in? Thus, do UK-based Veras use a UK-based host entry?
The most important question, however, is the logs. In the past these were using regular FTP to the logs server. These were sent out on the public side without any file or network encryption. Is this still the case? I have noticed in the past that these logs do contain PIN codes and other sensitive information.
I don’t personally have some of the answers as I need to consult with our networking team. But I will update as soon as I have the info.
PIN codes and everything Z-Wave related is encapsulated with hardware encryption; however, some of the user Luup code and third-party plugin data might still store clear data in logs. These strings should not contain sensitive data.