Accessing your Vera is as simple as logging into your WiFi… But that’s a problem. Anyone who either has connected to your WiFi before or somehow acquires access, can remotely operate your devices.
I’ve secured my Vera through https/mios but I’m still able to unlock my door using my iPhone without a password.
The best way is to have a separate guest wireless access from your Vera and the rest of your network. There is no way to secure Vera access from third party apps on the local network.
I took a look at the manual for that router. It’s a high-end consumer model but subnetting doesn’t appear to be a feature. That’s not too surprising; subnets are normally only on the commercial stuff, or the DIY firmwares like OpenWrt.
You might be able to serve up media to the guest wireless network and the main private network simultaneously but I’m struggling to think of how. And if any of your guests gain access to an Ethernet port then they can bypass all of this security anyway.
Unless you plan to spend money and time setting up a proper firewall with specific rules to your situation, and even then you have to trust your guests’ movements within your house, you are probably stuck with the next-best form of security: ask them not to mess with Vera.
FWIW, the only reason I subnet Vera is to protect the rest of my network from it. Blackhole those pesky DHCP messages, and contain the damage if ever MCV gets hacked.
One solution I think will work is MAC address restriction for the non-guest network.
Since adding a new device is rare, this will be sure that only allowed devices can access it.
electricessence, Internet protocols just don’t work that way. The way you are supposed to solve this in the land of TCP/IP is to make a subnet and control the traffic in and out of it with firewall rules.
MAC address filtering, as well as password protection, both fall into the trap of assuming that packet sniffing is hard. Packet sniffing is dead easy, and is not a deterrent to malicious or mischievous people (or viruses).
People who “secure” their Vera with these methods and think they’ve done anything to protect their Vera are in denial. Worse, they’ll take risks like opening port 80 to the world. And then blame MCV when they’ve been hacked.
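The subnet-plus-firewall layout futzle describes above, sketched as an nftables ruleset. This is an added example, not part of the original thread or any poster's configuration. Interface names, subnets, Vera's address and the ports 80 and 3480 are assumptions to adapt, and NAT is assumed to be configured elsewhere.

```nft
#!/usr/sbin/nft -f
# Added example. Every name, address and port here is an assumption:
#   eth0      WAN uplink
#   br-lan    192.168.1.0/24   trusted private network
#   br-guest  192.168.20.0/24  guest WiFi
#   br-vera   192.168.30.0/24  Vera's own subnet, Vera at 192.168.30.10

define WAN     = "eth0"
define LAN     = "br-lan"
define GUEST   = "br-guest"
define VERA_IF = "br-vera"
define VERA_IP = 192.168.30.10

table ip vera_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were allowed to start.
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN -> Vera web UI and local API only (ports assumed).
        iifname $LAN oifname $VERA_IF ip daddr $VERA_IP tcp dport { 80, 3480 } accept

        # All three networks may reach the Internet; Vera needs it for remote access.
        iifname { $LAN, $GUEST, $VERA_IF } oifname $WAN accept

        # Nothing else matches, so policy drop covers:
        #   guest -> Vera   (guests cannot operate devices)
        #   guest -> LAN
        #   Vera  -> LAN    (contains the damage if the controller is compromised)
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        iifname $LAN accept

        # Guest and Vera subnets get DHCP and DNS from the router, nothing more.
        iifname { $GUEST, $VERA_IF } udp dport { 53, 67 } accept
        iifname { $GUEST, $VERA_IF } tcp dport 53 accept

        # WAN falls through to policy drop: no port 80 open to the world.
    }
}
```

The table is IPv4 only; if any of these networks carries IPv6, the same policy has to be mirrored in an `ip6` table. Broadcasts from the Vera subnet, DHCP included, are not routed, so they stay on `br-vera`.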
Ha. Well this is a well needed discussion. And MCV should take note.
My current setup as of last night:
Changed default wifi password so only I have access, and anyone who I may have given access to will simply need to use my guest network next time.
Futzle:
What holes do I have at the moment? Yes, packet sniffing is easy. What can I do to maximize my security profile?
@futzle’s post before last is a good high level on what’s needed to lock it down within practical limits… each of these items really is environment specific, and typically requires solid networking know-how to put it in place, and to correctly validate it afterwards (and more discipline to maintain it over time).
If you have a more advanced Router you may be able to use it to (roughly) separate inbound Vera access to your home network… which is probably a greater risk than guest level network access to Vera (why have guests on your home network if this is a concern).
Unfortunately this isn’t really something that can be taught in a forum post but there are books on it… just that I’ve not seen any for entry/home systems…
Enabling “secure my vera” allows for requiring the username and password to access the “Web interface” and not the backend/api side. The correct way, and it requires MCV to do this, is to require credentials to be sent when using the api. This will require the 3rd party apps to use your mios account to authenticate and issue every command being sent.
… and the minute you do that you’ll break all of the Control points…
… and you’ll trigger SSL, because otherwise the password can be scraped anyhow…
… and SSL will trigger custom certificates that need to be renewed ($$)
And the list goes on. Passwords, passed in clear text over the wire are not security.
teonebello wrote: “The correct solution is to add the login page also for internal access to vera.”
Securing the Vera is like a last line of defence… If someone has access to your network it is either you gave it to them or they have gained it maliciously. If the latter is the case, securing your Vera is more than likely not going to stop them… And you should be worried about more physical security aspects of your home, such as a separate alarm system, reporting breaches via alarms, SMS and potentially enabling a script to secure your premises and remove codes.
Now back to one of the original posts about someone changing your Vera, a good backup plan but if you’re worried about security to the extent of the previous remarks in this thread, this would be a real concern as it contains… Your codes.
You can put as many things in place as you desire but this will only act as a deterrent for the honest people in the world and if your guests don’t fall into that category, it might be best to find some new ones. As to giving access to media contained on an NAS, most NAS have a media server interface, look at how you can best utilize this within your environment.
I have not seen one reference in any thread or even on the Internet that a thief used a HA system to gain access to a home, that is not to say it cannot happen but it is not something that would happen on the spot and would take a very direct effort in doing so.
Worst-case scenario type thinking. Never put your mobile down or out of your sight because it contains everything they need to get access to your HA system if you use an app on it… Very limited defence can be done - only add a pin to secure your phone.
Honestly, in my world, I am not concerned and if I was really concerned I would stop using it. I think sometimes reality can sometimes get blurred and focus can be misdirected and worst-case scenarios are brought to the forefront of the conversation but what is the likelihood of that occurring should be the first question.
Maybe I can relate to an old comedy script where an apartment door had multiple locks up one side but the window was opened with a fire escape. They would go inside, lock all the locks with the various keys and then someone would use the window to climb straight in.
@Brientim (and everyone else):
I agree that there is a balance of effectiveness. At some point it’s overkill and mostly a waste of time. But I think electronic security and privacy discussions are important for the masses of people who don’t have a clue. Knowing what risks are there and how probable they are to occur presents this balance.
I think, for the majority, if you use ‘secure my vera’ feature and only sparingly give WiFi access to trustworthy friends, then you are mostly covered, and going any further than that will start to imbalance effectiveness. But any less, and you might as well put your door locks backwards and place all your light switches on the outside of the house.
For those who have the luxury of having a separate sub-net on your home network, I think that is a great idea and will provide another level of security and flexibility. You have to ask what the ease of implementation is compared to the result.
Myself, for now, I’m happy to know that access to my home is mostly mitigated by either a code at the door, or a minimum of a single password. But I do think that MCV should at a minimum provide to new users guidelines that cover this topic. Possibly, they should offer more levels of security for those who want it including forcing the use of MIOS versus WiFi.