Revision as of 21:07, 17 April 2010

If, when setting up Vera, on the FindVera tab, after creating a username and password for the FindVera service, you check the boxes "Only allow access through the secure FindVera service" and "Disable terminal login", then Vera will be a secure device that you can access only using our secure FindVera.com service, similar to some competing Z-Wave bridges and gateways that mandate you use their remote access service. In that case, the rest of this document may not interest you.

However, we believe that since you already paid for Vera, you own it, and you should have the freedom to choose if you want to use our service or not. Therefore we recommend you read this document to understand your choices and the implications.

There are 2 aspects to the security of your Z-Wave network. The first is the security of the Z-Wave network itself, and the second is the security of the internet connection Vera uses to allow remote control.

Z-Wave Security

Mi Casa Verde did not have any role in implementing the Z-Wave security. This was done by Zensys and the Z-Wave alliance, who assert the system is robust and secure, and who certify secure devices. Z-Wave security is designed to prevent unauthorized Z-Wave devices from communicating with secure Z-Wave devices.

Internet Security

If you turn off Vera's Wi-Fi, and don't connect Vera to your home network or to the internet, then internet security will not be an issue. However, you likely do want to connect Vera to the network so you can access Vera from your web browsers, cell phones, and such.

One solution to internet security would be to mandate that you must only access Vera through our secure service. This is the approach that some competing Z-Wave gateways or bridges have taken. The drawback with this approach is that you cannot use the product, which you already paid for, unless you continually pay the manufacturer for use of their secure server. If you stop paying them, or if they stop providing the service, your Z-Wave gateway becomes useless. Also, if the internet connection goes down in your home, such as a cable/DSL outage, you lose any access to your Z-Wave gateway as well.

Note: We give you the option of only allowing access to Vera using our secure service, just like our competitors' product. However, being an open company and basing our products on open standards and a spirit of transparency, we feel that should be an option, not a mandate. You have the freedom to choose our secure services if you want to, but the functionality of Vera is not crippled if you choose otherwise. Vera functions without any internet connection at all. And, if you choose to disable the firewall, you can expose Vera to the internet and remotely access Vera over the internet and cell phone with limited security.

Therefore, take a moment to read about the security issues so you can make an informed decision what security measures you would like to take.

Find Vera service

The FindVera service is designed to allow you to access your system remotely when you are away from home, by using our secure server as a gateway. With this service, Vera makes a secure, encrypted connection to the FindVera server, and you can remotely connect to the FindVera server over the internet or with your mobile phone. The FindVera server uses the same type of security as online banking, known as SSL.

Naturally even secure servers can be compromised, and even major banks and credit card companies have had their servers hacked into and their databases stolen. Therefore, we believe the best protection is for us to be honest and direct in explaining the security measures that we have implemented so that technical users and security experts can provide peer review and uncensored, open critique. One important thing to note is that at no time during the sign up or setup of your system are you asked for your address. Even if you purchase Vera from our online shop, that is handled by a separate, unrelated online shopping system and your credit card and address verification are handled by third parties, like Google and Paypal. Therefore, even if the FindVera service were compromised, the hacker would not know your address. To learn more about the measures we have implemented to safeguard this service, see FindVera Security Measures. We also have an uncensored forum at http://forum.micasaverde.com dedicated to security concerns.

On the FindVera tab, after you activate the FindVera service, you can check the box "Only allow access through the secure FindVera service", and "Disable terminal login". By doing this, Vera then has comparable security to our competitors' products, and you can only access Vera when your home network is up and you connect securely through https://findvera.com. Unlike our competitor's products, though, if you later change your mind and don't want to use our service, you can do a factory reset of Vera and go back to using Vera without our service (requires firmware version 530 or later).

Wi-Fi security

If you check the box "Only allow access through the secure FindVera service", that means that even if your Wi-Fi network is compromised, the intruder will not have access to Vera.

Vera includes a built-in Wi-Fi access point, which is manufactured by a third party, and the Wi-Fi security is the same as any other access point. The original Wi-Fi security, WEP, was shown to have vulnerabilities and has been hacked. The newer Wi-Fi security, WPA2, which is what Vera uses by default, is considered to be more secure. However, Mi Casa Verde makes no guarantees about the security of Wi-Fi, and, if you are concerned about the possibility of hackers, you can go to 'Advanced', 'Net & Wi-Fi' on Vera's 'Setup' page, and click 'Wi-Fi' Off. Note that if you do that, and then you add another Wi-Fi access point to your home network, or leave Wi-Fi on in your computer, you may be exposing your home network to the same security risk.

Local web access over your home network

Again, if you check the box "Only allow access through the secure FindVera service", this is not an issue, and you may skip this topic.

By default, Vera comes with no security on your home's local network. That means that any other computers within your home, on your local network, or connected to your home network with Wi-Fi, can access and control Vera. So, if someone comes into your home and connects to your home network, or if they hack into your Wi-Fi network, or if you have another router acting as a firewall and it becomes compromised, users can control Vera.

If this is a concern, there are a couple preventive measures you can take besides only allowing access through the FindVera service.

On the Users tab, you can create user names and passwords and check the box "Require a username and password to access Vera from within my home network." This means that even for people within the home, a username and password will be required. This makes Vera as secure as most any other IP device on your home network that requires a username or password. But that is not truly secure. Unlike the FindVera service which uses special encryption like online banking (SSL), you don't have any special encryption on your home network. So, if somebody hacked into your home network and was able to monitor your network traffic while you logged into Vera, someone who knew about network protocols could get your user username and password to Vera.

Local terminal login

If you check the box "Disable terminal login" on the FindVera tab, you don't need to worry about this. If you're not a technical person, you can just check this box. You don't have to sign up for the FindVera service to check this option.

For the technical users out there, in addition to allowing you to connect to Vera from a web browser, Vera allows you to connect directly using what's called ssh or telnet. Vera is, after all, an open system, running the Linux operating system. By default, Vera allows anybody on your local home network to login without any password at all. If you want to set a password, go to 'Advanced', 'Net & Wi-Fi', and click 'Advanced Configuration'. You can then set a password. At that point, you can no longer log in with telnet, which is insecure, but must thereafter login with SSH, which is secure. Or just check the "Disable terminal login" box and all login is blocked. You can uncheck it later if you change your mind.