Just saw this article today on CNN Money. A Vera Lite unit was used as the demonstration. Just thought I would share it. As a new guy in home automation, any advice/suggestions?
http://money.cnn.com/interactive/technology/hackable-house/?iid=Lead
This was the video I meant to provide: Business News - Latest Headlines on CNN Business | CNN Business
Most of the video is accusing the Belkin WeMo of vulnerabilities. There is no mention at all of Vera, although there is a Vera Lite on the desk.
The hipster “hacker”/security expert with earrings, ironic graphic tee shirt, glasses, while also having gaudy sunglasses on top of his head, is quite amusing to me.
Vera does have a security weakness. The weakness is that it has no local authentication, at least not by default. This means that anyone on the local area network(LAN) can have complete access to Vera and everything that Vera controls. This makes it especially important for you to have secured WiFi. Without secure WiFi, anyone can walk up to your door, connect to your Vera via WiFi and unlock your Z-Wave door lock.
If’ your LAN is secure, your Vera is probably secure enough. There are several threads on the forum debating Vera’s security or lack there of.
I found that funny too. I know about securing the local network, particularly the wireless. But int he video, I got the impression that “if” someone got into my network, they could install a backdoor that would then grant them access to the unit later on. Is that possible and would I know. Since I have no code on my unit, seems like I should be able to tell.
I don’t know how you got that from the video.
But, IF someone got into your network, they COULD possibly install a backdoor on ANY machine in your network including the PC you’re posting from and, if they are any good, you would NEVER know about it.
Secure your network. Vera does not increase your risk if the network is secured.
Actually the Vera does increase the risk on your LAN: it’s really trivial to get full/root access to the Vera when on the same LAN. A simple script can automate this step and made publicly available.
Getting root/administrator access to Windows/Mac/Linux computers may or may not be easy (depending if security updates are properly performed)… OK, except for NSA & co guys I guess.
The risk also increases due to the tunnel with MCV servers. Anyone with access to MCV infrastructure also have full/root access to your Vera (and full access to your own LAN).
My own solution to mitigate this is to isolate the Vera in it’s own dedicated VLAN without access to the Internet (except to a couple of web services that I’m using form the Vera) and without access to the home LAN + only allow a couple of well identified LAN devices to connect to it. Not really realistic for average Joe…
A “secure by default” Vera installation would certainly help.
BTW, the same applies to any connected consumer device (TV, bluray, music streaming…), all of them being potentially easily hackable – Vera is just so easy to get into that it can’t be worse (and by nature, it manages sensitive data).