Using Public or Free WiFi for Vera Lite

I’m new to Vera but I spent a good bit of time researching a solution for our Myrtle Beach rental condo to control the door lock and thermostat. I’ll try to get right to the point. I wanted a solution that could make use of the multiple free or public wifi signals that are available on the resort property. We DO NOT have our own personal internet service in our condo so by default we don’t have a router to plug in a Vera Lite unit.

First, let me say that the marketing/advertising/specifications for Vera Lite is pretty poor when it comes to being clear about the unit’s wireless capabilities. The unit DOES require it to be plugged directly into your router all the time. The way it’s written it sounds like you might be able to configure it plugged in and then unplug it and move it. This is not true. It must be hard wired with an ethernet cable all the time.

Here’s my solution and I would appreciate some feedback to point out any flaws since I’m new and security is top of mind. Again, there is FREE/PUBLIC wifi available and the signal is strong. I bought a NETGEAR N300 WiFi Range Extender.

There are other similar range extenders but this one has the necessary ethernet port that you will need to plug in your Vera Lite. And it was only about $50.

The first thing to do was configure the wifi range extender. This was so easy and Netgear did a real good job of creating an interface that runs from your computer that allows you to configure it quickly and easily. So this essentially creates your own PRIVATE network piggybacking off the PUBLIC signal. As a side note, I like that I can now use the public wifi at the resort and it be secure going through the extender. Be sure to set up the security options when you go through the Netgear setup. Now you have a private and password protected network of your own.

Next, I plugged in the Vera Lite to the range extender and within a minute or so, the unit’s lights were all on and ready to go. I won’t go into all the configuration steps since that info is clear in the product’s documentation and widely available on this forum.

Here’s my list of parts that I’m pretty pleased with so far:

  • Mi Casa Verde VeraLite Home Controller, White and Green
  • NetGear N300 Wifi Range Extender
  • Kwikset SmartCode 914 Electronic Deadbolt with Z-wave Technology (Satin Nickel)
  • Honeywell YTH8320ZW1007/U Z-Wave Enabled Programmable Thermostat

The last step was to find a location to put it to keep people from screwing around with it. Unfortunately, our owner’s closet does not have a power outlet. That would have been the ideal location. I hid it on top of the kitchen cabinets and then cut some small holes in the top and bottom of the cabinet to run the power cord down and plug it in behind the fridge. Not 100% secure but someone would have to scale the cabinets or move the fridge to get to it. I feel pretty good about it.

Appreciate some feedback, pointing out my flaws and ways I can improve it.

Tubalcain

One thing to watch out for is that many public wifi systems have an initial web “landing page” where you have to accept terms of use or provide some other information to activate the connection. You didn’t mention this, so I assume your current connection does not require that, but that may change down the road. It would be difficult to have your range extender renew that landing page whenever your existing connection expired.
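The landing-page problem described in the post above can be detected from any machine sitting behind the extender. The following is an added example, not part of the original thread: it sends one plain-HTTP probe without following redirects and reports whether a captive portal is intercepting traffic. The probe URL and the function names `classify` and `probe` are assumptions chosen for illustration.

```python
import http.client
from urllib.parse import urlsplit

# Assumption: a plain-HTTP "generate_204" style endpoint that returns
# 204 No Content with an empty body when nothing intercepts the request.
PROBE_URL = "http://connectivitycheck.gstatic.com/generate_204"
REDIRECTS = (301, 302, 303, 307, 308)


def classify(status, location, body):
    """Map one un-followed probe response to (state, detail)."""
    if status == 204 and not body:
        return ("online", "")
    if status in REDIRECTS:
        # The portal bounces every HTTP request to its terms-of-use page.
        return ("portal", location or "")
    if status == 200 and body:
        # Some portals answer in place with their own HTML instead.
        return ("portal", "injected page")
    return ("unknown", "HTTP %d" % status)


def probe(url=PROBE_URL, timeout=5.0):
    """Send one GET without following redirects and classify the reply."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                      timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        body = resp.read(4096)
        return classify(resp.status, resp.getheader("Location"), body)
    except (OSError, http.client.HTTPException) as exc:
        return ("offline", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    state, detail = probe()
    print(state, detail)
```

A "portal" result means the public network is waiting for someone to accept its terms again, which a wired device like the Vera cannot do on its own.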

Do NOT do this. Vera’s Internet security relies on all of the points of presence between your hardware and the Vera servers being trusted. Free public Wi-Fi (even if protected by a password) does not satisfy this requirement.

Here’s an example of what an eavesdropper could do with your scenario:

  • join the same free public Wi-Fi.
  • listen to the SSH tunnel that your Vera makes to talk to the server. This tunnel uses a known private key (it’s the same on all Veras) so is easy to decrypt.
  • access all of your Z-Wave devices just like you can from the web interface, without needing any password.
  • install a backdoor program on your Vera to attack other machines on your LAN.

You cannot work around this by adding hardware. The moment that the data stream leaves your control and enters the free public Wi-Fi it can be decrypted.

Edit: this doesn’t apply just to Vera. If you are connecting to your range extender with a laptop, all HTTP traffic that your laptop sends to the world is visible to anyone on the public Wi-Fi. Only traffic that is end-to-end encrypted (like HTTPS) would be safe from eavesdropping. But you’d have that anyway without your range extender.

Get someone else at the resort who hasn’t got the password to your range extender to join the free public Wi-Fi and run Wireshark on their computer. They should be able to see all your HTTP traffic.

Seconded. Someone could stand near your condo with a laptop, tablet or phone and hack into your Vera with relative ease. Gaining full access to your lock and thermostat and whatever else you have hooked up to it. Even with Ui7 and its improved security I would advise against this route.

Unless it’s a really nice condo. In which case please do it that way and post the address in these forums. :)

@BOFH
With a router between the Public Wifi and Vera … it is not that easy to access the Vera.

@futzle is right … that a determined hacker could decode the SSH stream that is NAT’ed by the router. But they would have to capture the entire stream … they can not listen in on the middle of the conversation … they would not have/see the session key.
It would be easier to just break a window to get in.
They would have to know you have a Vera … and be knowledgeable about Vera to hack this …
About the same level of security as providing your entire key ring at Valet parking.

A Netgear N300 range extender mentioned is unfortunately far more vulnerable than most people realize.
Unless this has been fixed and the unit has that fixed firmware…

  • N300 DGN2200 1.0.0.36-7.0.37
    NETGEAR N300 DGN2200 contains a flaw in the UPnP Interface as HTTP requests to /Public_UPNP_C3 do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to manipulate the device’s settings.

More details at Security focus: http://www.securityfocus.com/bid/65530/discuss

It’s also listed as one of the routers that appears to have a backdoor via port 32764 (http://www.ghacks.net/2014/01/06/find-router-listening-backdoor-port-32764/)

For the pros only. Make sure your browser is secure…
http://1337day.com/exploits/21885

Granted, a bit more work than throwing a brick through the window but also far less suspicious and attention getting than said brick. :)

I completely agree with the cautions listed here. I certainly didn’t mean to endorse the method chosen by the original poster–just a warning about why it may fail. It certainly is nothing I would do personally!

Thanks for all the input. I’m new to Vera so I’ll take your points into account and continue to improve my set up. I think the best point made and it applies only to my particular situation is that if someone wants in it’s just a matter of coming in a window or kicking the door in. I installed Vera for two reasons. I got sick of mailing keys to renters and they get lost in the mail. And being able to turn up/down my thermostat in the off-season. Maybe a third point is being able to let in contractors/maids with an expiring code. It’s not Fort Knox and I seriously doubt the odds are against me keeping someone out if they really want in. So, it’s a pros and cons gamble where the pros win for adding convenience to me and my renters. It’s a gated resort with on-site security cameras and guards as well so I trust they’ll spot someone leaving with all my furniture. If nothing else, I have a homeowner’s policy to recoup my losses.