Vera security

Hi
Quick question -
I’ve noticed when logging into Vera (home.getvera.com), that it’s not on a secured (encrypted) connection. Furthermore, if I open the web interface to the Vera device by navigating to its IP address on my local network, it loads right up - no password prompt or anything.

Am I doing something wrong? It worries me that there’s 0 security on the local device, and limited (unencrypted) security on the Vera site.

Remote access via their website is encrypted via https. Local access is not encrypted nor is it secured via a username or password.

  • Garrett

Am I doing something wrong then? When I go to home.getvera.com and log in, there is no security on the site, the password is passed in plaintext. Then I connect to the local interface and it’s got no security on it at all.
That’s pretty scary, having a device that has the ability to turn on and off virtually any device in my house, unlock doors, etc. with no security? That may be a deal breaker for me long term. Has anyone else had this concern?

Try going to https://home.getvera.com

As @garrettwp pointed out, there is no local security between Vera and a computer on the same LAN. NONE! No HTTPS. No userID/password.

Also understand that if someone has local access to your network that you do not want, I would be more worried about that than local authentication.

  • Garrett

True, but to a point - this Vera unit is sitting on the same LAN as my house network - with my wife’s iPad, my computers, a wifi network, etc. It’s not uncommon for us to have guests over and give them the wifi password so they can get online. Other devices on the local network at my house (servers, NAS, IP cameras, etc.) are secured, but the Vera is wide open (!!).

I may have to create a separate VLAN for Vera only…
Can’t believe no one seems to have a problem with it 😛

Is it a good design? No. But most modern residential wifi access points already come with a guest VLAN that keeps non-household members away from your network yet still gives them internet access. My Asus wifi/router comes with up to 4 VLANs.

You can find a lot more discussion about local authentication, SSL, protecting Vera from your LAN and protecting your LAN from Vera on the Security subforum.

It’s my contention that your network was insecure before you bought your Vera. Those other “secured” devices that you have on your LAN: the NAS, the IP cameras. They may have password authentication but almost certainly don’t encrypt the login connection over HTTPS. If you are comforted by this kind of authentication (which is vulnerable to replay attacks) then you can obtain something similar with Vera. See this post by Garrett. But remember: this isn’t “security”. It’s at best “security theatre”.

Go read that other forum I posted the link to; all this has been addressed before, better than I’m doing this time.

Surely you’re not comparing a device that requires a password to access its interface to a device that has 0 security prompt before giving full access to its interface…

That’s like saying a car that has no door locks and a key superglued into the ignition is no more insecure than a car that requires a key to unlock the doors and start the engine… c’mon - I mean I understand the need (?) to defend a product you’re using, but at least acknowledge a serious design flaw. I don’t care if a device requires a 4 digit numerical password to access it, it’s still better than having nothing.

Also replay attacks aren’t generally associated with unsecured protocols - if you’re logging into an interface that’s not secured, then ‘replay attacks’ are the least of your worries - the fact the data is being sent in plaintext is the issue.

Bottom line is it’s worrying to me that a device that has the potential to not just turn a light on or off, but completely disarm a security system, unlock a door, etc. has NO security. My IP cameras? If someone compromises one, they can… view the camera. Most other devices on my network are either secure, or not secure by my choice, because I could care less if someone can access the interface of my environment monitor for my server closet… The device that can unlock my front door and open my garage? (The Vera, if you aren’t following) That’s another story altogether…

Boggles my mind that there’s someone trying to defend a device that has no security built into it, by saying the network it’s on “was insecure before you bought your Vera”. hah.

Thanks for the advice - I think putting the Vera on a separate VLAN with no access to any other internal network is the best solution.

Hi Mysticalice,

Not sure if that’s part of what you’re looking for, but there is an option in UI5 (SETUP -> Unit Settings) that says “Do you want to secure this Vera?”
If you set it to YES, Vera will ask you for a password even when you connect locally.

Claude

Fouclo62 -
Thanks, but it looks like I’m on UI6, so I don’t see that option =(

This will only protect the web interface and not the Vera API / UPnP side.

  • Garrett

garrettwp wrote: “Also understand that if someone has local access to your network that you do not want, I would be more worried about that than local authentication.”

One word: Kids.