
So, how about shellshock?


JanJoh


Given how little is actually known about how the remote feature works in HomeCenter, I have today added ACLs in my firewall to drop any traffic between my HC2 units and the internet.

Because I will assume that HC2 has bash.


Very good point.

Another thing: they should try not to copy Apple, just like dodgy upgrades that don't work for everyone.


I've set up my router to block all external traffic to and from the box, as I don't have a world of trust in Fibaro's security settings... The only issue is the lack of weather forecast, and it is an irritating function anyway as I can't choose the weather provider.


Fibaro indeed uses bash.

I hope they don't think we are posting our HC2 back to Poland for an update.


Fibaro indeed uses bash.

I hope they don't think we are posting our HC2 back to Poland for an update.

I've seen a guy in a white van with Polish plates roaming around our neighborhood at night lately... I wonder if that is their delivery guy, trying to figure out which houses have a Fibaro system...


If the bash vulnerability "Shellshock" is now suddenly a reason to keep your HC2 off the internet, then you're probably lost already.

As mentioned above, the "Remote access" feature is poorly documented, but when you just think about how it works... you should not want it:

  - You enable "Remote access" on your HC2.
  - Your HC2 connects to an unknown remote system with unknown levels of security.
  - You use your portable device app to connect to this unknown remote system.
  - Your connection to the unknown remote system proxies you into your own HC2...
  - The only way that can work is when there is a permanent tunnel between your HC2 and the unknown remote system.

You think that was ever safe? You have absolutely no idea what else goes over that tunnel. Given that your HC2 is basically a Linux box, someone on the other end who has control over the unknown remote system could be running all sorts of code on your internal network by abusing your HC2. You would not even notice it...


I haven't blocked my HC2 based on Shellshock; I blocked it as one of the first things when I got it, as I have no idea how the remote access works... Looking at how the app worked, I could only imagine that it would be extremely simple for even the most amateur of hackers to gain access to the system.

My awe at how simple it was to break into the box, even without connecting a monitor and keyboard, also didn't help my trust in Fibaro's security.


Today we will post a statement about Shellshock.


What I don't understand is how the HC2 is able to connect to the remote server. Does it work through a port that is enabled anyway (80, I presume?) or does it use another port? I asked this question a couple of months ago, but Fibaro didn't give an in-depth reply, just saying that disabling remote access would be sufficient.

I guess to block any unwanted access completely I would have to install a firewall?


Most routers can block access to the WAN from a specific IP or MAC address. So unless you have a box from your ISP that you can't control, you should be able to simply deny the HC access outside the confines of your LAN. Your router's user guide will most probably have a guide on how to do that.


Guest mhn
What I don't understand is how the HC2 is able to connect to the remote server. Does it work through a port that is enabled anyway (80, I presume?) or does it use another port? I asked this question a couple of months ago, but Fibaro didn't give an in-depth reply, just saying that disabling remote access would be sufficient.

I guess to block any unwanted access completely I would have to install a firewall?

Your firewall is by default open for traffic from inside to the cloud. Any program can make a "tunnel" by starting from inside.

The normal way to do it from Linux is to make an SSH connection from inside to the company server and use that connection for traffic both ways. So I guess (I don't know) that's what Fibaro does.

Regards

Morten


What I don't understand is how the HC2 is able to connect to the remote server. Does it work through a port that is enabled anyway (80, I presume?) or does it use another port? I asked this question a couple of months ago, but Fibaro didn't give an in-depth reply, just saying that disabling remote access would be sufficient.

I guess to block any unwanted access completely I would have to install a firewall?

Your firewall is by default open for traffic from inside to the cloud. Any program can make a "tunnel" by starting from inside.

The normal way to do it from Linux is to make an SSH connection from inside to the company server and use that connection for traffic both ways. So I guess (I don't know) that's what Fibaro does.

Regards

Morten

Would make sense as the box has ssh enabled.


Your firewall is by default open for traffic from inside to the cloud. Any program can make a "tunnel" by starting from inside.

You are making a very big assumption here. Anybody who takes security and firewalls seriously knows that this is THE biggest mistake you can make. When configuring a firewall, the first rule to put in place is to block all traffic regardless of source or destination. Nothing goes in or out unless explicitly allowed...

You are right though: when you take SOHO firewalls into account, the vast majority is set up to "allow all outbound" unless explicitly dropped, which is the wrong default setting.

Anyway - not really on topic. I'm curious to see what Fibaro has to say about the Bash / Shellshock vulnerability.

Martijn.

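The two posts above (deny the controller WAN access on the router; start from a deny-all rule and allow explicitly) describe one rule set. As an added example that is not code from the thread or from Fibaro, here it is as iptables commands for a Linux router: an egress chain for the controller that only passes an explicit allow-list, logs everything else, and drops it. The controller address (192.168.1.50), the WAN interface name (eth0) and the allow-list entry are assumed values for a constructed home network.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fibaro: egress rules that let
# a Linux router keep a home-automation controller off the internet in the
# "deny by default, allow explicitly" shape argued for above. The controller
# address, interface name and allow-list entry are assumed values for a
# constructed home network; adjust them before use.
HC2_IP="${HC2_IP:-192.168.1.50}"   # assumed LAN address of the controller
WAN_IF="${WAN_IF:-eth0}"           # assumed internet-facing router interface
ALLOW="${ALLOW:-}"                 # optional allow-list, e.g. "203.0.113.10:443"

# Emit the rule set as iptables commands. Nothing is applied unless APPLY=1,
# so the output can be reviewed first.
hc2_egress_rules() {
    echo "iptables -N HC2_EGRESS 2>/dev/null || true"
    echo "iptables -F HC2_EGRESS"
    # Explicit allow-list entries come first: only what is listed may leave.
    for entry in $ALLOW; do
        host=${entry%%:*}
        port=${entry##*:}
        echo "iptables -A HC2_EGRESS -d $host -p tcp --dport $port -j ACCEPT"
    done
    # Everything else the controller sends towards the WAN is logged (rate
    # limited) so blocked attempts stay visible, then dropped.
    echo "iptables -A HC2_EGRESS -m limit --limit 6/min -j LOG --log-prefix \"HC2-EGRESS-DROP \""
    echo "iptables -A HC2_EGRESS -j DROP"
    # Hook the chain into FORWARD for traffic from the controller to the WAN.
    echo "iptables -I FORWARD 1 -s $HC2_IP -o $WAN_IF -j HC2_EGRESS"
}

# The weak SOHO default criticised above is "iptables -P FORWARD ACCEPT"; the
# chain drops the controller's traffic either way, but a router configured the
# way the post recommends starts from "iptables -P FORWARD DROP" and allows
# explicitly from there.
if [ "${APPLY:-0}" = "1" ]; then
    hc2_egress_rules | sh
else
    hc2_egress_rules
fi
```

Run without arguments to print the rules for review; `ALLOW="203.0.113.10:443" APPLY=1 ./hc2-egress.sh` applies them with one TCP destination allowed. Because the chain is keyed on the controller's source address, a controller that changes IP (DHCP) escapes it: pin the address with a static lease, or match on MAC with `-m mac --mac-source` instead.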

Guest mhn

You are making a very big assumption here. Anybody who takes security and firewalls seriously knows that this is THE biggest mistake you can make. When configuring a firewall, the first rule to put in place is to block all traffic regardless of source or destination. Nothing goes in or out unless explicitly allowed...

You are right though: when you take SOHO firewalls into account, the vast majority is set up to "allow all outbound" unless explicitly dropped, which is the wrong default setting.

Martijn.

I have set up firewalls for a living for a very long time. :-) When anybody uses them, it's possible to make an SSH connection out without any problem.

But I am just guessing about Fibaro.

Now I have started writing. :-) Dalle1985: The SSH you see is the daemon. For what I am writing about, HC2 will use an SSH client.

Enough off topic from me. :-)

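The posts above distinguish the sshd daemon listening on the box from an SSH client the box would use to open a permanent tunnel outwards. Which of the two is present shows up in the socket table: a daemon session has local port 22 and a LAN peer, a tunnel has a remote peer on port 22. As an added example that is not code from the thread, the script below parses `ss -tnp` output from a Linux host and reports only the outbound kind. The snapshot it ships with is constructed, and 192.168.0.0/16 is assumed to be the home LAN.

```shell
#!/bin/sh
# Added example, not code from the thread: report established SSH sessions a
# host has opened outwards to an address outside the LAN, i.e. the always-on
# tunnel shape described above, as distinct from the local sshd serving LAN
# clients. Input is the text of `ss -tnp` on Linux; the snapshot below is
# constructed, and 192.168.0.0/16 is assumed to be the home LAN.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.50:22 192.168.1.20:51000 users:(("sshd",pid=811,fd=4))
ESTAB 0 0 192.168.1.50:41230 203.0.113.10:22 users:(("ssh",pid=1307,fd=3))
ESTAB 0 0 192.168.1.50:45012 198.51.100.7:443 users:(("curl",pid=1422,fd=5))'

# Print "local -> peer process" for every ESTAB line whose peer port is 22 and
# whose peer address is not on the LAN. The first sample line is the daemon
# side (local port 22, LAN peer) and is deliberately not reported.
find_outbound_ssh() {
    printf '%s\n' "$1" | awk '
        $1 == "ESTAB" {
            n = split($5, p, ":")          # port is the last ":"-separated part
            port = p[n]
            host = $5; sub(/:[0-9]+$/, "", host)
            if (port == "22" && host !~ /^192\.168\./)
                print $4 " -> " $5 " " $6
        }'
}

# Number of such sessions; zero is the expected state for a controller that is
# only supposed to be reached from inside the LAN.
count_outbound_ssh() {
    find_outbound_ssh "$1" | awk 'END { print NR }'
}

# Check the live socket table when LIVE=1 and ss is available, else the sample.
if [ "${LIVE:-0}" = "1" ] && command -v ss >/dev/null 2>&1; then
    find_outbound_ssh "$(ss -tnp 2>/dev/null)"
else
    find_outbound_ssh "$SAMPLE_SS"
fi
```

On the sample this prints the single `ssh` process talking to 203.0.113.10:22 and nothing for the sshd session or the HTTPS connection. Matching on port 22 is the simple heuristic the thread's own guess calls for; a tunnel carried over 443 would pass it, which is why the router-side egress block is the more robust control.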

Servers that handle our remote access connections are safe from Shellshock-type attacks. To ensure the highest possible level of security, we were carefully monitoring the situation regarding this potential soft spot in the software. I can assure you that no attempt at this kind of attack took place, and all the latest updates needed to protect our system from future ones were performed. Hence there is no need for shutting off communication ways to or from our controllers.


Does the HC2 itself use bash (I suspect it would), and if so, is there a plan to release updates that patch bash?


HC2 uses Bash indeed; however, the way our controllers connect with remote servers ensures immunity from external attacks. But to make sure every entry to the system is properly protected, we will soon issue a patch with all necessary fixes. When it comes to HCL, the security hole that was recently detected in Bash does not apply to it at all, since it uses a different shell.

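The exchange above settles that the HC2 ships bash and that a patch is promised. Whether a given bash is still affected is a local question, and the standard check from the Shellshock advisories answers it: export a variable whose value is a function definition followed by an extra command, and see whether bash runs that extra command when it starts. The script below wraps that check so it returns a status word; it is an added example, not code from the thread or from Fibaro, it only tests the copy of bash on the host it runs on, and the variable name `x` and the marker strings are constructed for the check.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fibaro: report whether the
# bash on this host still executes trailing commands appended to an exported
# function definition (the Shellshock behaviour discussed above). Tests only
# the local bash; "x" and the marker words are constructed for this check.

shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    # A patched bash imports nothing from the variable and prints only
    # "completed"; an unpatched one also runs the appended echo at startup.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo completed' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *completed*)  echo "patched";    return 0 ;;
        *)            echo "unknown";    return 2 ;;
    esac
}

shellshock_status
```

The exit code follows the word (0 patched, 1 vulnerable, 2 undetermined), so the script drops into a monitoring job as-is. For a box like the HC2 the check needs a shell on the device; without one, the vendor's patch notice is the only signal, which is another reason the egress block discussed earlier is worth keeping in place until the update lands.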
