Mi Case Verde / Vera Hacked, who's next?

Automate

Active Member
Xipiter has started a new series of articles on hacking embedded / IoT devices.  Their first article was just an introduction http://www.xipiter.com/musings/the-insecurity-of-things-part-one
 
The follow up articles will cover their victims:
 


  • A "smart" smoke alarm
  • A used ATM
  • A "standalone" webcam (A webcam not requiring a computer).
  • A "smart home" hub
  • Another "smart home" hub
  • A "smart" thermostat
  • Another "smart" thermostat
  • A home router/access point
  • A home Networked Area Storage (NAS)
  • A "smart" networked wall outlet
  • A "game console"
  • A Point of Sale System
  • and an Android tablet
Their first victim is the Mi Case Verde / Vera.  http://www.xipiter.com/musings/the-insecurity-of-things-part-two
 
Both articles published so far are very well written.  I look forward to following the whole series as it is released.
 
Any (read as ALL) internet-facing devices are subject to being hacked in some way or another. The only thing that will completely remove the risk is to physically disconnect them.
 
Similarly, I see that a NAS is also listed above, which is not all that unlike "cloud" storage. Any data that you store in the "cloud" is also subject to being "hacked". If you don't want someone to have the information, don't store it where someone else can get it.
 
drvnbysound said:
Any (read as ALL) internet-facing devices are subject to being hacked in some way or another. The only thing that will completely remove the risk is to physically disconnect them.
 
True, but a complete air-gap separation of your home network/automation from the Internet severely limits its functionality.  I'm not willing to completely give up an internet connection since some of my automation algorithms are dependent upon it (example, the current weather forecast).  While nothing is 100% safe, it's all a matter of being aware and managing the security risk.
 
This Vera vulnerability certainly reminds us of the security issues with "cloud" services.  I would rather keep security under my own control with things like VPN but this is not an option for all users.
 
I read the news release about Vera vulnerabilities a while ago. However, the first thing I did when I got the box years ago was to disable all communication to their servers. Further, I never store alarm codes on Vera or any app that accesses it.
 
It's hard to keep devices isolated, while still allowing necessary communication between them.
Still, I created an IoT VLAN to help out. The first device in it was my Ooma VoIP box which creates a tunnel to their servers - obviously this one can't be disabled ;)
 
Personally I am selfish and want to take but not give anything back.  It's just getting harder these days.  BUT it still can be done.
 
Automate said:
True, but a complete air-gap separation of your home network/automation from the Internet severely limits its functionality.  I'm not willing to completely give up an internet connection since some of my automation algorithms are dependent upon it (example, the current weather forecast).  While nothing is 100% safe, it's all a matter of being aware and managing the security risk.
 
This Vera vulnerability certainly reminds us of the security issues with "cloud" services.  I would rather keep security under my own control with things like VPN but this is not an option for all users.
 
Absolutely. I'm not at all saying that I don't have internet facing devices - I do as well.
 
The vulnerabilities described in the MiCasaVerde security research paper were quite basic. The HTTP_DotDot vulnerability could easily be found using one of many security scanners (e.g., Nessus).  The "interns" probably didn't spend too much time finding the described vulnerabilities. Until network security is taken seriously, the manage-your-life-from-the-"cloud" value proposition will be difficult to embrace.
 
VPN and privilege isolation (VLANs) are one way to minimize the fallout from IoT appliances' insecurity. But because these services (Weather, Video, Energy Consumption, ...) all want to play together nicely without regard to boundaries, each device must at least have some level of "good enough" security embedded within.
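To make the "HTTP_DotDot" point above concrete, here is an added example (not code from the Xipiter write-up, the Vera firmware, or anyone in this thread) showing the classic dot-dot bug in a tiny file handler, the hardened version of the same handler, and the kind of log check a scanner's probes would trip. The web root, file names and access-log lines are constructed for the example; the server is a generic stand-in, not Vera's actual HTTP daemon.

```python
"""Directory traversal ("dot-dot") in a toy file server: the bug beside the fix,
plus a log check for the probes a scanner would send.

Added example only; the web root, files and log lines below are constructed and
the server is a generic stand-in, not any real device's firmware.
"""
import os
import re
import tempfile
from urllib.parse import unquote


def make_webroot():
    """Build a throwaway web root with one public file and a 'secret' file one
    level above it (constructed stand-in for a device filesystem)."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>hub</h1>")
    with open(os.path.join(base, "secret.conf"), "w") as f:
        f.write("alarm_code=1234")
    return root


def serve_vulnerable(root, url_path):
    """The bug: percent-decode the URL and glue it onto the root.
    '..' segments (encoded or not) walk straight out of the web root."""
    rel = unquote(url_path).lstrip("/")
    with open(os.path.join(root, rel), "rb") as f:
        return f.read()


def serve_hardened(root, url_path):
    """The fix: decode exactly once, refuse anything still encoded (double
    encoding) or containing NUL, resolve symlinks, then check that the
    *resolved* target is inside the *resolved* root rather than string-matching
    on the request."""
    rel = unquote(url_path)
    if "%" in rel or "\x00" in rel:
        raise PermissionError("rejected encoded or NUL-bearing path")
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, rel.lstrip("/")))
    if os.path.commonpath([root_real, target]) != root_real:
        raise PermissionError("path escapes web root")
    if not os.path.isfile(target):
        raise FileNotFoundError(url_path)
    with open(target, "rb") as f:
        return f.read()


def hardened_blocks(root, url_path):
    """True when the hardened handler refuses the request as a traversal."""
    try:
        serve_hardened(root, url_path)
    except PermissionError:
        return True
    return False


def looks_like_traversal(path):
    """Decode twice (single and double percent-encoding), treat backslash as a
    separator, and flag only a whole '..' segment, so 'logo..png' is not a hit."""
    decoded = path
    for _ in range(2):
        decoded = unquote(decoded)
    return ".." in decoded.replace("\\", "/").split("/")


LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)')


def traversal_hits(log_lines):
    """Return (client, raw request path) for each access-log line that looks
    like a dot-dot probe."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and looks_like_traversal(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed access-log sample: one normal client and one probing client.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 12',
    '192.0.2.55 - - [12/Mar/2014:10:01:09 +0000] "GET /../secret.conf HTTP/1.1" 200 15',
    '192.0.2.55 - - [12/Mar/2014:10:01:10 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 900',
    '192.0.2.55 - - [12/Mar/2014:10:01:11 +0000] "GET /%252e%252e/etc/shadow HTTP/1.1" 403 0',
    '192.0.2.10 - - [12/Mar/2014:10:02:00 +0000] "GET /images/logo..png HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    root = make_webroot()
    print(serve_vulnerable(root, "/%2e%2e/secret.conf"))   # leaks the secret
    print(hardened_blocks(root, "/%2e%2e/secret.conf"))    # True
    for client, path in traversal_hits(SAMPLE_LOG):
        print("probe from", client, path)
```

The check that matters is the one on the resolved path (`realpath` plus `commonpath`), not a blacklist of `..` strings: blacklists miss encoding variants, while a canonical-path comparison does not care how the request was spelled. The log check is the opposite kind of tool, deliberately permissive about encodings so that a scanner's probes are visible even when the server happened to reject them.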
 