Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-26 Thread gordonb3


Regarding VLANs, just think of it as a postal system:

1: you write a letter to someone in Moscow - this is your data
2: you put the letter in an envelope - this is your Ethernet packet
3: you send the letter, which is then transported to the sorting center -
this is the wire between your computer and the switch
4: in the sorting center the letter is put in a bag that is labeled
Moscow - this is your VLAN tag
5: the bag is transported to the airport, together with bags to other
destinations - this is the wire to the next switch
6: at the airport the bags are placed on the correct planes - you
shouldn't need that many switches, but this is for story consistency
7: in Moscow the bag is opened - this is the removal of the VLAN tag
8: the letter is transported to the final destination - this is the wire
between the switch and the receiver
9: the receiver opens the envelope, reads the letter and writes a letter
back.


As for masquerading, this is a special case of NAT where the router
replaces the origin of the packet with its own address (SNAT - Source
Network Address Translation). Yes, if you cascade consumer-type routers
this will cause this NAT process to occur just as many times as you have
routers stacked, but because every next router cannot see that the
packet has already been masqueraded this will not cause any
issue. The main issue that you can have with NAT is usually related to
destination rewriting (DNAT) where the target machine is configured to
use a different router to send the reply (which in this type of NAT is
the original sender IP). This is something like you asking Bob, who is
not wearing his hearing aid, what time it is and Adam shouting from the
other room that it is 10PM, which is probably not related because it is
broad daylight, and annoyingly Bob is not responding so you still don't
know what time it is.



gordonb3's Profile: http://forums.slimdevices.com/member.php?userid=71050
View this thread: http://forums.slimdevices.com/showthread.php?t=115017

___
discuss mailing list
discuss@lists.slimdevices.com
http://lists.slimdevices.com/mailman/listinfo/discuss


Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-26 Thread Jaca


gordonb3 wrote: 
> So to answer the main question whether you need VLANs:
> 
> No. The same can be accomplished by simply adding more hardware. For
> instance to separate your internal network from SB devices you can
> simply place a masquerading router in between. The same for less trusted
> IoT devices, just branch it off by adding secondary routers directly
> behind the ISP router. That's not a bad idea either way because many
> ISPs install back doors in their supplied routers, officially to be able
> to perform maintenance but who knows what else they do?

Could you please expand on "masquerading router"?

Wouldn't that introduce a double NAT problem?

Also, are VLANs subject to double NAT?
All examples of VLAN use seem to introduce a VLAN subnet and DHCP so
I would assume that double NAT also applies.. However I believe VLAN is
on a different layer so maybe not.. I clearly don't quite get it yet..

BTW looking at my gear it should be possible to set up VLANs..

A guest network VLAN seems straightforward as no other devices should be
visible to guests and double NAT should not be a concern.


However for the squeezebox VLAN I would somehow need to make the NAS a
member of the SB VLAN and the main VLAN (or non-VLAN traffic)

Ideally only the LMS docker container would be part of both (for extra
security) - perhaps this can be done with macvlan.

BTW I have found someone's hack for a NAS becoming a member of a few VLANs,
however it apparently does not work with the vswitch which I'm using for
vDSM

There is still the topic of getting the mesh network to work with VLANs
that I'm not sure about (maybe no big deal if it's just bridged to a
tagged LAN port)

Anyway, the more I learn the more complicated it all is.



3x Squeezebox Touch, 4x Squeezebox Radio, Squeezelite (RPi 3B with
HiFiBerry DAC+Pro on OSMC), Material Skin Apk, Squeeze Commander,
Logitech Media Server Version: 8.2.0 with Material Skin (Docker in
DS218+)

Jaca's Profile: http://forums.slimdevices.com/member.php?userid=58187


Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-25 Thread gordonb3


So to answer the main question whether you need VLANs:

No. The same can be accomplished by simply adding more hardware. For
instance to separate your internal network from SB devices you can
simply place a masquerading router in between. The same for less trusted
IoT devices, just branch it off by adding secondary routers directly
behind the ISP router. That's not a bad idea either way because many
ISPs install back doors in their supplied routers, officially to be able
to perform maintenance but who knows what else they do?



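Added example, not from the thread: a toy model of the "masquerading router in between" suggested above, cascaded behind an ISP router the way gordonb3 describes in his later masquerading/SNAT explanation, and of the double NAT situation Jaca asks about. It goes a step beyond the posts by also showing what an inbound port forward (DNAT) needs in that setup. Every address, port (including 9000 as the LMS web port) and the simplified state table keyed on port alone are constructed for the demo; a real conntrack entry also matches the remote address and protocol.

```python
"""Two masquerading (SNAT) routers in cascade: outbound traffic is
rewritten twice and replies find their way back, unsolicited inbound
traffic is dropped, and a port forward must exist on every router."""
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


class MasqRouter:
    """One consumer router: masquerades everything leaving its WAN side."""

    def __init__(self, name, wan_ip):
        self.name = name
        self.wan_ip = wan_ip
        self.snat = {}    # (inside ip, inside port) -> WAN port
        self.rev = {}     # WAN port -> (inside ip, inside port)
        self.dnat = {}    # WAN port -> (inside ip, inside port), port forwards
        self._ports = count(40000)   # simplified: allocate masquerade ports sequentially

    def outbound(self, pkt):
        """LAN -> WAN: rewrite the source so the outside only ever sees us."""
        key = (pkt.src, pkt.sport)
        if key not in self.snat:
            port = next(self._ports)
            self.snat[key] = port
            self.rev[port] = key
        return replace(pkt, src=self.wan_ip, sport=self.snat[key])

    def inbound(self, pkt):
        """WAN -> LAN: replies to known flows are mapped back; anything
        else needs an explicit DNAT rule or is dropped."""
        if pkt.dst != self.wan_ip:
            return None                      # not addressed to this router
        target = self.rev.get(pkt.dport) or self.dnat.get(pkt.dport)
        if target is None:
            return None                      # no state and no rule: dropped
        inside_ip, inside_port = target
        return replace(pkt, dst=inside_ip, dport=inside_port)


def send_out(chain, pkt):
    """Push a packet from the innermost LAN through every router (inside -> outside)."""
    for router in chain:
        pkt = router.outbound(pkt)
    return pkt


def send_in(chain, pkt):
    """Deliver a packet from the internet inwards; None if any hop drops it."""
    for router in reversed(chain):
        pkt = router.inbound(pkt)
        if pkt is None:
            return None
    return pkt


def demo():
    """Constructed scenario: SB LAN behind sb_router, house LAN behind isp_router."""
    sb_router = MasqRouter("sb-router", wan_ip="192.168.1.2")
    isp_router = MasqRouter("isp-router", wan_ip="198.51.100.7")
    chain = [sb_router, isp_router]          # inside -> outside order

    # 1. A Squeezebox fetches an internet radio stream: masqueraded twice,
    #    and the reply is un-masqueraded twice on the way back.
    request = Packet("192.168.2.10", 5000, "203.0.113.5", 80, "GET /stream")
    on_wire = send_out(chain, request)
    reply = Packet(on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport, "200 OK")
    delivered = send_in(chain, reply)

    # 2. A scanner on the internet probes the LMS web port: no state, no rule.
    probe = Packet("192.0.2.99", 4444, "198.51.100.7", 9000, "GET /")
    dropped = send_in(chain, probe)

    # 3. Port forward only on the ISP router: the inner router still drops it.
    isp_router.dnat[9000] = ("192.168.1.2", 9000)
    half_forwarded = send_in(chain, probe)

    # 4. Port forward on both routers: the probe reaches the LMS host.
    sb_router.dnat[9000] = ("192.168.2.20", 9000)
    fully_forwarded = send_in(chain, probe)

    return {"on_wire": on_wire, "delivered": delivered, "dropped": dropped,
            "half_forwarded": half_forwarded, "fully_forwarded": fully_forwarded}


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

Step 3 is the "double NAT problem" in practice: a forward on the outer router alone hands the packet to the inner router's WAN address, where it matches neither a flow nor a rule. Outbound traffic (step 1) never notices the second NAT, which is the point gordonb3 makes.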


Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-25 Thread gordonb3

I wonder if this deserves its own topic? At least it seems appropriate
to explain some of the definitions as this appears to confuse a lot of
people.

NETWORK TOPOLOGY (HARDWARE WIRING)
In essence there are three different ways to connect your machine to a
network: bus, ring and star. On a bus all devices branch off from a
single wire, like a battery powered string of Christmas lights. Ring is
similar, however each node has two connectors that in turn each connect
to just one neighbour. Both these methods are no longer used for
ethernet¹. Present day networks all use a star shaped topology, but like
a snowflake it may contain branches that form a new star. Nelson's
drawing is a nice example of that.


¹) Fun fact: Ethernet is named such because its very first
implementation was in fact wireless. It was developed by the University
of Hawaii to allow computer communication between the islands. The
original protocol was unmanaged and was nicknamed `Aloha` as each node
would simply start sending information regardless of whether another
node already occupied the line, garbling the signal.


STAR NETWORK COMPONENTS

- The heart of a star network is either a hub or switch. The
  difference between the two is that a hub simply repeats all data from
  one incoming line to all other lines whereas a switch will only
  forward the data to the line to which the target machine is connected.
  An exception to this are so-called broadcast and multicast messages
  which will be repeated to all lines.
- A managed switch is a special type of switch where you can configure
  individual ports to allow or disallow specific data streams or assign
  higher priority.
- A router is yet another type of switch that allows going from one IP
  address range to another. This may be static pass through, but in many
  cases it involves what is known as masquerading where the router
  rewrites the packet so that the receiver cannot see the original
  sender but only the router.
- An access point (AP) is a hub that uses wifi radio instead of
  wiring. Consumer devices usually combine this with a router function.
  

DEFINITIONS

- An SSID is the public name of a wifi network. A single AP may
  publish multiple SSIDs, each with its own policies (password,
  encryption method, etc) attached to it.
- VLAN is a method to allow sending multiple networks over a single
  wire. A poor man's solution to this is to simply use multiple IP
  address ranges, but in that case multicast messages sent by one
  network will also be seen by the other network(s). VLAN tagging allows
  network components that are able to process it to be isolated from
  other traffic (having either a different VLAN tag or no tag at all).
  Machines that cannot process VLAN tags will always drop tagged
  packets.



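Added example, not from the thread: what the "bag labelled Moscow" from gordonb3's postal analogy and the VLAN definition above look like on the wire. It builds an Ethernet frame, inserts and strips an 802.1Q tag the way a switch does on an ingress and an egress port, and models two receivers: one that understands tags and one that does not, which is the "machines that cannot process VLAN tags drop tagged packets" case. The MAC addresses, VLAN IDs and payload are constructed for the demo.

```python
"""802.1Q tag insertion/removal and the behaviour of VLAN-aware and
VLAN-unaware receivers, modelled on raw frame bytes."""
import struct

ETH_P_IP = 0x0800      # EtherType of an IPv4 payload
ETH_P_8021Q = 0x8100   # TPID that announces "a VLAN tag follows"


def mac(text):
    """'02:ab:cd:ef:12:34' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload):
    """Untagged frame: dst MAC, src MAC, EtherType, payload (the envelope)."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def add_vlan_tag(frame, vid, pcp=0, dei=0):
    """Insert the 4-byte 802.1Q tag between the source MAC and the
    EtherType, as a switch does when a frame enters an access port whose
    VLAN is `vid`. TCI = 3-bit priority, 1-bit DEI, 12-bit VID."""
    if not 1 <= vid <= 4094:          # 0 and 4095 are reserved
        raise ValueError("VID must be in 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, tci) + frame[12:]


def strip_vlan_tag(frame):
    """Remove the tag, as a switch does when the frame leaves an untagged
    port. Returns (vid, untagged_frame)."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != ETH_P_8021Q:
        raise ValueError("frame carries no 802.1Q tag")
    return tci & 0x0FFF, frame[:12] + frame[16:]


def receive(frame, vlan_aware, member_vids=()):
    """Model a receiving port or host. Returns what it accepted, or None
    when the frame is dropped."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != ETH_P_8021Q:
        # Untagged frame: every receiver accepts it.
        return {"vid": None, "ethertype": tpid, "payload": frame[14:]}
    if not vlan_aware:
        # A host without VLAN support sees an unknown EtherType 0x8100
        # and has no handler for it: the frame is dropped.
        return None
    vid, untagged = strip_vlan_tag(frame)
    if vid not in member_vids:
        # Tagged for a VLAN this port is not a member of: dropped.
        return None
    ethertype = struct.unpack("!H", untagged[12:14])[0]
    return {"vid": vid, "ethertype": ethertype, "payload": untagged[14:]}


def demo():
    """Walk one constructed frame through the postal-analogy steps."""
    letter = build_frame("02:ab:cd:ef:12:34", "02:11:22:33:44:55",
                         ETH_P_IP, b"hello-lms")              # steps 1-2
    bagged = add_vlan_tag(letter, vid=20, pcp=5)               # step 4: bag labelled "Moscow"
    return {
        "tag_bytes": bagged[12:16],                            # the 4 tag bytes themselves
        "unbagged": strip_vlan_tag(bagged),                    # step 7: bag opened
        "legacy_host": receive(bagged, vlan_aware=False),      # no VLAN support: dropped
        "trunk_member": receive(bagged, vlan_aware=True, member_vids={20}),
        "other_vlan": receive(bagged, vlan_aware=True, member_vids={10}),
        "untagged_ok": receive(letter, vlan_aware=False),      # plain frame: accepted
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tag is the only thing that changes on the wire: the same 9-byte letter is 4 bytes longer while it travels between switches and is byte-for-byte identical again once the egress port strips it. A "poor man's" split by IP range alone has no such tag, which is why the definition above notes that broadcasts and multicasts still cross between those networks.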


Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-24 Thread P Nelson

After reading this discussion, I need to improve my security of Internet
of “unsecured” Things (IoT).  If everything was wireless, I could put
them on a guest wireless network SSID(s).  However, my old DirecTV box,
Arlo camera system, and Roku are connected via ethernet.  (I could
switch the Roku to wireless on the guest network).   My understanding is
I need to create a virtual LAN (VLAN) for the IoT devices connected via
ethernet.  The ASUS router does not support VLAN.   My research mentions
adding a managed switch that supports VLAN could be a solution.  I am
not sure if a switch would be placed before or after the ASUS router.

Here is a picture of my current set-up (sorry for my awful writing):

The ASUS's WiFi appears to have sufficient power to give a good signal for
the house.  The only time I will need to turn on WiFi at the second
router is when I need to have WiFi in the backyard and the guest
cottage, which is infrequent.

Does anyone have any suggestions, that are hopefully easy, on how to
improve the security of the Arlo, Roku, and DirecTV?  

Thanks in advance!


+---+
|Filename: Network small.jpg|
|Download: http://forums.slimdevices.com/attachment.php?attachmentid=35585|
+---+


P Nelson's Profile: http://forums.slimdevices.com/member.php?userid=58158


Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-24 Thread gordonb3


I bet it has to be possible to allow specified traffic to pass from guest
to main wifi on openwrt. The main challenge here really is that you
can't have any routing between the SBs as this will block the broadcasts
(which is of course the objective), so this won't work with a fully
wireless `poor man's mesh` setup.





Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-24 Thread Jaca


gordonb3 wrote: 
> That won't matter. The VLAN info will only be on the outside connection,
> otherwise nothing in your house would be able to talk to each other. You
> can simply create new VLANs and you could even re-use VLAN IDs from the
> main router as long as you make sure that no tagged data is sent on your
> outside line. If your SBs are all wired you could set this up with your
> current hardware (don't know what you run LMS on?)
> 
> Not exactly an expert on openwrt, but from what I've seen it is
> basically Linux and it does offer guest wifi so probably all that you
> require for segmenting your network is already inside those boxes.
> Somebody may in fact have already done something similar and posted it
> on their 'user forum' (https://forum.openwrt.org/)

Thank you, that all sounds encouraging. 
I run LMS in docker on a synology NAS.
Also I have in the past managed to create guest wifi on openwrt but it is
completely separated from lan devices (including the NAS with LMS) hence my
original question about phones as controllers..

I bet you are right about openwrt...
And wonder if perhaps it's just a matter of correct firewall settings

BTW most of my squeezebox devices are wireless with the exception of 2 (1st
wired from the openwrt AP and 2nd from the managed switch)

Looks like I will have to do some testing now.
Thanks a lot for all your help [emoji106]





Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-24 Thread gordonb3


Jaca wrote: 
> Thank you for going to the trouble of this comprehensive answer..
> 
> I will try to get my head around it when I find a minute.. I mean quite a few
> hours to scratch my head.. 
> 
> I think my main problem was the fact that due to my rural location my lan is
> actually already a vlan of the next-door meraki router managed by the isp (it was
> the only way to get a fibre speed connection). So not sure if I can create
> another vlan within a vlan (like a nested vlan) without admin access to the main
> router.. I do have a switch with vlan capability and a few openwrt routers
> acting as dumb AP mesh wifi so a few possible options are there. However I
> remember worrying about double NAT as dhcp is running on the managed router
> next door. Not sure if that's relevant to vlans or not.. 
> 
> I can request some vlan config changes from the isp, but I would need to be
> actually sure I know what I'm doing [emoji23]..
That won't matter. The VLAN info will only be on the outside connection,
otherwise nothing in your house would be able to talk to each other. You
can simply create new VLANs and you could even re-use VLAN IDs from the
main router as long as you make sure that no tagged data is sent on your
outside line. If your SBs are all wired you could set this up with your
current hardware (don't know what you run LMS on?)

Not exactly an expert on openwrt, but from what I've seen it is
basically Linux and it does offer guest wifi so probably all that you
require for segmenting your network is already inside those boxes.
Somebody may in fact have already done something similar and posted it
on their 'user forum' (https://forum.openwrt.org/)





Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-23 Thread Jaca


gordonb3 wrote: 
> I have a somewhat older device, an Excito B3 (armv5, 1GHz, 2*Gb NIC +
> Wifi). I don't actually use the second NIC adapter internally though
> because this also serves as my internet router. What I did was enable
> VLAN tagging on the internal NIC and create multiple SSIDs on the wifi
> and then I bridged some of these virtual objects. Confused?
> 
> WIFI:
> The idea is the same as a guest wifi. Assuming you run Linux and your
> machine has a wifi adapter, you need to install `hostapd`. The default
> config should get you going to create a wifi AP. The next step is to
> identify your adapter name and note its MAC address but change the
> first two-digit number to become `02` (e.g. if you have
> `09:ab:cd:ef:12:34` write down `02:ab:cd:ef:12:34`). In your
> hostapd.conf add/edit the following directives:
> 
> Code:
> 
>   # adapter name (wlan0 after the udev rename described below)
>   interface=wlan0
>   # adapter MAC with the first octet changed to 02
>   bssid=02:ab:cd:ef:12:34
> 
> I use a udev rule to override the so-called predictable names to
> follow the old standard where the wifi adapter is wlan0. To create
> additional SSIDs extend the hostapd.conf with directives like the
> following:
> 
> Code:
> 
>   bss=wlan0_0
>   ssid=squeezeplay
>   
>   bss=wlan0_1
>   ssid=guest
>   
>   bss=wlan0_2
>   ssid=privileged
>   wpa_key_mgmt=WPA-PSK
>   wpa_pairwise=CCMP
>   wpa=3
>   wpa_passphrase=ExtremelySecretPassword
> 
> Note that the original wlan0 is your primary SSID, so if you add all
> of the above you will have 4 wifi networks in total. Of course all of
> these need their own static IP address and you require a DHCP server
> to distribute IP addresses to connecting machines. Despite its name,
> `dnsmasq` works excellent for this.
> 
> VLAN TAGGING
> In a nutshell this means that you wrap your network traffic in an
> additional envelope. Both peers must support it, meaning that you
> require a switch that is able to understand this protocol (802.11q).
> Since however the switch can either add or strip the additional VLAN
> tag you do not need to make changes to other devices as well, but you
> will have to mark which physical port on the switch is linked to what
> VLAN.

Thank you for going to the trouble of this comprehensive answer..

I will try to get my head around it when I find a minute.. I mean quite a few
hours to scratch my head.. 

I think my main problem was the fact that due to my rural location my lan is
actually already a vlan of the next-door meraki router managed by the isp (it was
the only way to get a fibre speed connection). So not sure if I can create
another vlan within a vlan (like a nested vlan) without admin access to the main
router.. I do have a switch with vlan capability and a few openwrt routers
acting as dumb AP mesh wifi so a few possible options are there. However I
remember worrying about double NAT as dhcp is running on the managed router
next door. Not sure if that's relevant to vlans or not.. 

I can request some vlan config changes from the isp, but I would need to be
actually sure I know what I'm doing [emoji23]..





Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-23 Thread gordonb3


Jaca wrote: 
> Thanks, so your set up is actually not affecting phone operation.. that
> sounds great. Could I ask what device your lms is hosted on so it has 2
> lan connections.. I was trying to set up smth similar but got nowhere,
> thanks

I have a somewhat older device, an Excito B3 (armv5, 1GHz, 2*Gb NIC +
Wifi). I don't actually use the second NIC adapter internally though
because this also serves as my internet router. What I did was enable
VLAN tagging on the internal NIC and create multiple SSIDs on the wifi
and then I bridged some of these virtual objects. Confused?

WIFI:
The idea is the same as a guest wifi. Assuming you run Linux and your
machine has a wifi adapter, you need to install `hostapd`. The default
config should get you going to create a wifi AP. The next step is to
identify your adapter name and note its MAC address but change the
first two-digit number to become `02` (e.g. if you have
`09:ab:cd:ef:12:34` write down `02:ab:cd:ef:12:34`). In your
hostapd.conf add/edit the following directives:


Code:

  # adapter name (wlan0 after the udev rename described below)
  interface=wlan0
  # adapter MAC with the first octet changed to 02 (the locally
  # administered bit), so it cannot collide with the vendor-assigned one
  bssid=02:ab:cd:ef:12:34


I use a udev rule to override the so-called predictable names to follow
the old standard where the wifi adapter is wlan0. To create additional
SSIDs extend the hostapd.conf with directives like the following:


Code:

  # each bss= line starts a new virtual AP on the same radio;
  # directives that follow it apply to that SSID only
  bss=wlan0_0
  ssid=squeezeplay
  
  bss=wlan0_1
  ssid=guest
  
  bss=wlan0_2
  ssid=privileged
  # WPA-PSK on this SSID only; the two above stay open
  wpa_key_mgmt=WPA-PSK
  wpa_pairwise=CCMP
  wpa=3
  wpa_passphrase=ExtremelySecretPassword



Note that the original wlan0 is your primary SSID, so if you add all of
the above you will have 4 wifi networks in total. Of course all of these
need their own static IP address and you require a DHCP server to
distribute IP addresses to connecting machines. Despite its name,
`dnsmasq` works excellent for this.

VLAN TAGGING
In a nutshell this means that you wrap your network traffic in an
additional envelope. Both peers must support it, meaning that you
require a switch that is able to understand this protocol (802.11q).
Since however the switch can either add or strip the additional VLAN tag
you do not need to make changes to other devices as well, but you will
have to mark which physical port on the switch is linked to what VLAN.





Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-22 Thread Jaca


gordonb3 wrote: 
> Those talk to LMS and that server has a secondary address on my regular
> LAN which also provides a route to the outside world so I can listen to
> radio.

Thanks, so your set up is actually not affecting phone operation.. that
sounds great. Could I ask what device your lms is hosted on so it has 2
lan connections.. I was trying to set up smth similar but got nowhere,
thanks





Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-22 Thread gordonb3


Jaca wrote: 
> Just wondering how you control your squeezeboxes? I cannot imagine life
> without material apk on my phone or tablet.

Those talk to LMS and that server has a secondary address on my regular
LAN which also provides a route to the outside world so I can listen to
radio.





Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-22 Thread jablonski


Just a quick thank you to the people who provided extensive explanations
and elaborated on what risks there are and how big.

In any case I get that, in principle, the risk that my local network
would get compromised due to LMS and the SBs alone is very small (I'm
not forwarding any LMS ports to the internet).

Still, I also get that the risk is not entirely zero, and I also have my
Philips Hue system and other stuff that might bring their own risks (to
my surprise, yesterday, I discovered that I have far more devices hooked
up to my network than I realised I have. It gave me a scare for a
moment, but they were really all my own).
So maybe I'll still create that VLAN (after I figure out how), even if
it's just for ease of mind, or for the "idea" of doing it proper. But in
any case I know now that there's no need to hurry.



jablonski's Profile: http://forums.slimdevices.com/member.php?userid=23317


Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-22 Thread Jaca


gordonb3 wrote: 
> Yeah, I actually run my SBs on an `open` wifi with the LMS machine
> acting as the AP (hostapd). I have a MAC address restriction on it
> though and the address pool is completely filled. There is also a
> restrictive firewall that runs both ways, only allowing ports
> 80,3483,9000,9090 TCP and 67,68,53,3483,17784 UDP, so anyone managing to
> gain access to this wifi SSID despite the installed barriers will
> quickly get bored to hell and leave.

Just wondering how you control your squeezeboxes? I cannot imagine life
without material apk on my phone or tablet.





Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-22 Thread gordonb3


philippe_44 wrote: 
> All my untrusted devices run on a separated WiFi network that has its
> own public IP (my ISP allows me to have two) because I agree with you,
> all these gadgets are, intentionally or not, security disasters. Re SB,
> one other thing is that you're stuck to older WPA and your WiFi is
> subject to KRACK or similar attack vectors. One option is to run your
> SB system in the same "dirty pool" as your other gadgets.
Yeah, I actually run my SBs on an `open` wifi with the LMS machine
acting as the AP (hostapd). I have a MAC address restriction on it
though and the address pool is completely filled. There is also a
restrictive firewall that runs both ways, only allowing ports
80,3483,9000,9090 TCP and 67,68,53,3483,17784 UDP, so anyone managing to
gain access to this wifi SSID despite the installed barriers will
quickly get bored to hell and leave.





Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-22 Thread philippe_44


philchillbill wrote: 
> But don’t forget that the Chinese baby monitor or IP cam you
> bought and connected up on your LAN is constantly phoning home to pick
> up potential malware. The attacker doesn’t have to target your
> home specifically. Targeting the manufacturer’s website is a
> single point of attention for a hacker. If successful, the millions of
> IOT devices phoning home will pick up the malware with no need for a
> targeted attack on anybody specific. The Chinese use off the shelf IOT
> stacks they don’t necessarily understand too well and many of
> those are riddled with vulnerabilities.

All my untrusted devices run on a separated WiFi network that has its
own public IP (my ISP allows me to have two) because I agree with you,
all these gadgets are, intentionally or not, security disasters. Re SB,
one other thing is that you're stuck to older WPA and your WiFi is
subject to KRACK or similar attack vectors. One option is to run your
SB system in the same "dirty pool" as your other gadgets.



LMS 8.2 on Odroid-C4 - *SqueezeAMP!*, 5xRadio, 5xBoom, 2xDuet, 1xTouch,
1xSB3. Sonos PLAY:3, PLAY:5, Marantz NR1603, Foobar2000, ShairPortW,
2xChromecast Audio, Chromecast v1 and v2, Squeezelite on Pi,  Yamaha
WX-010, AppleTV 4, Airport Express, GGMM E5, RivaArena 1 & 3

philippe_44's Profile: http://forums.slimdevices.com/member.php?userid=17261


Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-22 Thread philchillbill


gordonb3 wrote: 
> That's all hypothetical. I mean, how many SBs are really still out
> there? Would there really be someone thinking it might be worth while to
> reprogram e.g. a Tuya device to find and manipulate SBs through their
> exposed ports?

Oh sure. But never say never. The world is full of wackos (me, for
instance :cool:). Could also be a generic search for anything running
BusyBox on the LAN.



philchillbill's Profile: http://forums.slimdevices.com/member.php?userid=68920


Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-22 Thread gordonb3

philchillbill wrote: 
> But don’t forget that the Chinese baby monitor or IP cam you bought and
> connected up on your LAN is constantly phoning home to pick up potential
> malware. The attacker doesn’t have to target your home specifically.
> Targeting the manufacturer’s website is a single point of attention for
> a hacker. If successful, the millions of IOT devices phoning home will
> pick up the malware with no need for a targeted attack on anybody
> specific. The Chinese use off the shelf IOT stacks they don’t
> necessarily understand too well and many of those are riddled with
> vulnerabilities.
That's all hypothetical. I mean, how many SBs are really still out
there? Would there really be someone thinking it might be worth while to
reprogram e.g. a Tuya device to find and manipulate SBs through their
exposed ports?





Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-22 Thread philchillbill

gordonb3 wrote: 
> As some already responded, your SBs sit in a private network. The point
> about this is not so much the firewall that sits between you and the
> dangerous internet, but that no public router knows how to direct
> traffic from any random machine on the internet towards any address on
> your private LAN.
> 
> No this does not mean that you are completely safe, but what it does
> mean is that a hacker will have to do James Bond stuff to find out your
> network details and I would dare question whether you are worth so much
> trouble - not meant in any offensive way of course. The methods that
> hackers use to get access to devices owned by random people are roughly
> the following:
> 
> - you opening a web page that contains malware
> - you opening an email that contains executable code inline
>   (usually a screen saver file)
> - you opening an email attachment that includes a malicious macro
>   to be executed by the associated application
> 
> If you are something of a hobbyist the following methods may apply as
> well:
> 
> - you opening port 25 on your firewall to expose an email server
> - you opening web ports on your firewall to expose a web server
>   with some kind of preprocessor capability (PHP, Java, Perl) allowing
>   random code injection
> - you opening the SSH port on your firewall
> 
> None of this would ever apply to your SBs. For those to load something
> malicious someone would first have to hack your entire network
> topology to redirect traffic from your SB away from its intended
> target, towards a machine that is controlled by the hacker. Again way
> too much trouble for what this type of hacker wants to accomplish,
> which is really nothing else than sending spam, finding other
> vulnerable machines and occasionally organizing so-called Denial of
> Service attacks.
> 
> All of this said I still run my SB devices in a separate VLAN as I
> found they are extremely loud, sending broadcasts even at a higher
> rate than Apple devices do and I don't really need my workstation to
> be constantly distracted from the processes I want it to run by
> investigating whether it should act on those broadcasts.

But don’t forget that the Chinese baby monitor or IP cam you bought and
connected up on your LAN is constantly phoning home to pick up potential
malware. The attacker doesn’t have to target your home specifically.
Targeting the manufacturer’s website is a single point of attention for
a hacker. If successful, the millions of IOT devices phoning home will
pick up the malware with no need for a targeted attack on anybody
specific. The Chinese use off the shelf IOT stacks they don’t
necessarily understand too well and many of those are riddled with
vulnerabilities.





philchillbill's Profile: http://forums.slimdevices.com/member.php?userid=68920
View this thread: http://forums.slimdevices.com/showthread.php?t=115017

___
discuss mailing list
discuss@lists.slimdevices.com
http://lists.slimdevices.com/mailman/listinfo/discuss


Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-22 Thread gordonb3


As some already responded, your SBs sit in a private network. The point
about this is not so much the firewall that sits between you and the
dangerous internet, but that no public router knows how to direct
traffic from any random machine on the internet towards any address on
your private LAN.

No this does not mean that you are completely safe, but what it does
mean is that a hacker will have to do James Bond stuff to find out your
network details and I would dare question whether you are worth so much
trouble - not meant in any offensive way of course. The methods that
hackers use to get access to devices owned by random people are roughly
the following:
  
-  you opening a web page that contains malware
-  you opening an email that contains executable code inline (usually
  a screen saver file)
-  you opening an email attachment that includes a malicious macro to
  be executed by the associated application
  

If you are something of a hobbyist the following methods may apply as
well:
  
-  you opening port 25 on your firewall to expose an email server
-  you opening web ports on your firewall to expose a web server with
  some kind of preprocessor capability (PHP, Java, Perl) allowing random
  code injection
-  you opening the SSH port on your firewall
  

None of this would ever apply to your SBs. For those to load something
malicious someone would first have to hack your entire network topology
to redirect traffic from your SB away from its intended target, towards
a machine that is controlled by the hacker. Again way too much trouble
for what this type of hacker wants to accomplish, which is really
nothing else than sending spam, finding other vulnerable machines and
occasionally organizing so-called Denial of Service attacks.


All of this said I still run my SB devices in a separate VLAN as I found
they are extremely loud, sending broadcasts even at a higher rate than
Apple devices do and I don't really need my workstation to be constantly
distracted from the processes I want it to run by investigating whether
it should act on those broadcasts.



gordonb3's Profile: http://forums.slimdevices.com/member.php?userid=71050


Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-22 Thread Michael Herger

Thanks a lot for your replies. The main trigger for my concern are the
frequent warnings in the media about smart home appliances (like
dishwashers with wifi) that are often not updated, so that unpatched
weaknesses can be exploited by hackers who then can enter your home
network and sniff out what you're doing on your other devices, such as
phone and computer.


I believe that the SB was indeed designed with an "innocent" network in 
mind: we're all good people and we give you access to this little Linux 
box (Touch & Radio). It wouldn't be done this way nowadays any more.


That being said: these devices are inside your network. An attacker 
would have to get in to your network before they could get access to 
your device. There is a potential risk of a manipulated audio stream 
causing an issue on the device. It would be interesting to see whether a 
hacker could exploit a buffer overflow or whatever in a codec to get 
access to the device itself...


One of the problems with many devices is the "cloud" connection - which 
using mysb is. As long as you can trust this cloud, you're good. But it 
gives outside users (limited) access to your devices. I can control your 
player at any time. Your fridge vendor can probably monitor the content 
of your new smart fridge. The real problem starts when other people you 
don't trust get access to these services. Or when a device could have a 
bigger impact on one's life than a radio. Imagine the smart cars out 
there nowadays. If those cars get hacked (and it has been done before), 
an attacker can control your brakes or whatever.


I believe the biggest risk in the SB universe is opening LMS to the 
internet. Even if protected with a password, I wouldn't trust it. And 
there have been attacks involving reading full disk content from LMS 
installations. This is easily done and real.


Very little to no risk I see with the old players (up to the Classic). 
They're rather dumb devices. Radio/Touch/Controller, with their Linux 
based OS, offer way more potential. But again: the attack surface is 
rather small, as they're hardly ever exposed to the internet.


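A defender-side check for the exposure Michael warns about above, added here as an example and not code from the thread or from the LMS project: it parses `iptables-save -t nat` output from a Linux-based home router and lists every DNAT port forward that lands on an LMS default port (9000 web/stream, 9090 command-line interface, 3483 slimproto; these are documented LMS defaults, not values from this thread) or that lands on the LMS host at all. The ruleset, addresses and interface names are constructed for the example.

```python
import re

# Constructed excerpt of `iptables-save -t nat` output from a home router.
# Addresses and interface names are made up; the LMS host is 192.168.10.5.
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.10.7:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 192.168.10.5:9000
-A PREROUTING -i eth0 -p tcp -m tcp --dport 39483 -j DNAT --to-destination 192.168.10.5:3483
-A PREROUTING -i eth0 -p udp -m udp --dport 3483 -j DNAT --to-destination 192.168.10.5:3483
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.10.5:8443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# LMS default listening ports (documented defaults, not taken from the thread).
LMS_PORTS = {
    9000: "web UI / stream port",
    9090: "command-line interface",
    3483: "slimproto player protocol",
}

# One PREROUTING DNAT rule: protocol, public port, and the rewritten target.
DNAT_RE = re.compile(
    r"^-A PREROUTING\b.*?-p (?P<proto>\w+).*?--dport (?P<dport>\d+).*?"
    r"-j DNAT --to-destination (?P<host>[\d.]+)(?::(?P<port>\d+))?"
)


def parse_forwards(nat_text):
    """Return (proto, public_port, target_host, target_port) for each DNAT rule."""
    forwards = []
    for line in nat_text.splitlines():
        m = DNAT_RE.match(line)
        if not m:
            continue
        dport = int(m.group("dport"))
        # Without an explicit target port, DNAT keeps the original port.
        port = int(m.group("port")) if m.group("port") else dport
        forwards.append((m.group("proto"), dport, m.group("host"), port))
    return forwards


def find_lms_exposure(nat_text, lms_host=None):
    """List forwards that reach an LMS port, or (if lms_host is given) the LMS host.

    The decision is made on the rewritten target port, so a forward that hides
    slimproto behind a non-default public port is still reported.
    """
    findings = []
    for proto, dport, host, port in parse_forwards(nat_text):
        if port in LMS_PORTS or (lms_host is not None and host == lms_host):
            desc = LMS_PORTS.get(port, "non-default port on the LMS host")
            findings.append((proto, dport, host, port, desc))
    return findings


if __name__ == "__main__":
    for proto, dport, host, port, desc in find_lms_exposure(SAMPLE_NAT, "192.168.10.5"):
        print("%s/%d -> %s:%d  (%s)" % (proto, dport, host, port, desc))
```

On routers that only offer a web UI, the equivalent list is the port-forwarding page; the point is the same: anything that forwards to the LMS host is internet exposure of LMS, password or not.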

Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-22 Thread philchillbill


jablonski wrote: 
> Thanks a lot for your replies. The main trigger for my concern are the
> frequent warnings in the media about smart home appliances (like
> dishwashers with wifi) that are often not updated, so that unpatched
> weaknesses can be exploited by hackers who then can enter your home
> network and sniff out what you're doing on your other devices, such as
> phone and computer. 
> So my assumption was that eventually in every device that is longer on
> the market, weaknesses may be discovered and exploited. The same also
> applies for computers and phones, of course. But your testing puts my
> mind at ease a little, awesome that you did that, philchillbill.

Here's a link to where I published that script in the Domoticz Wiki in
2017:
https://www.domoticz.com/wiki/Logitech_Media_Server#Using_Ambient_Light_Sensor_in_SB-Radio_and_SB-Touch

One more thing I'd add is that firewalls give people a false sense of
security. People also think if you don't open any ports in your router,
you're safe. However, any device already inside your LAN can 'phone
home' without being blocked and e.g. most modern TVs or Smart
Thermostats and even Philips HUE do that. After you install them, they
constantly contact their manufacturers' web portals for all kinds of
things like checking for updates or uploading your viewing habits data.
-Outward- traffic from your LAN is always allowed, unless you set up a
very restrictive firewalling regime. The 'danger' is that bugs or
backdoors in these newer devices talking regularly to the cloud
inadvertently retrieve compromised payloads which can then run inside
your LAN and can snoop around for other (older) devices to infect. When
that new device gets patched (because it is still being updated by the
manufacturer) the older device -will- stay infected because it never
gets updates to clean out the malware.

Not worth sleepless nights, but just something to keep in the back of
your mind :D



philchillbill's Profile: http://forums.slimdevices.com/member.php?userid=68920

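Bringing together gordonb3's point earlier in the thread about keeping the players on their own VLAN and philchillbill's point above that outbound "phone home" traffic passes a default firewall unchallenged: an added example, not code from the thread, of what a router can tell you once new connections leaving the IoT VLAN are logged. It parses iptables LOG lines, allows the one LAN service the players need (the LMS host on its default ports 3483 and 9000, documented LMS defaults) plus a per-device allowlist of cloud endpoints, and flags everything else as either lateral movement into the workstation VLAN or unexpected egress. The subnets, addresses, interface names and log lines are all constructed.

```python
import ipaddress
import re

# Constructed sample of router firewall LOG lines in the iptables LOG target
# format, assumed to be written for every NEW connection leaving the IoT VLAN.
# Addresses, interface names and ports are made up for this example.
SAMPLE_LOG = """\
[IOT-NEW] IN=vlan20 OUT=vlan10 SRC=192.168.20.11 DST=192.168.10.5 PROTO=TCP SPT=41234 DPT=3483
[IOT-NEW] IN=vlan20 OUT=vlan10 SRC=192.168.20.11 DST=192.168.10.5 PROTO=TCP SPT=41235 DPT=9000
[IOT-NEW] IN=vlan20 OUT=eth0 SRC=192.168.20.31 DST=198.51.100.20 PROTO=TCP SPT=50001 DPT=443
[IOT-NEW] IN=vlan20 OUT=eth0 SRC=192.168.20.31 DST=203.0.113.77 PROTO=TCP SPT=50002 DPT=8443
[IOT-NEW] IN=vlan20 OUT=vlan10 SRC=192.168.20.31 DST=192.168.10.42 PROTO=TCP SPT=50003 DPT=445
[IOT-NEW] IN=vlan20 OUT=vlan20 SRC=192.168.20.11 DST=192.168.20.12 PROTO=UDP SPT=3483 DPT=3483
"""

# Network layout assumed for the example (constructed).
IOT_NET = ipaddress.ip_network("192.168.20.0/24")   # players, cameras, monitors
LAN_NET = ipaddress.ip_network("192.168.10.0/24")   # workstations and the LMS host
LMS_SERVER = ipaddress.ip_address("192.168.10.5")
LMS_PORTS = {3483, 9000}  # LMS defaults: slimproto and the web/stream port

# Per-device allowlist of cloud endpoints, learned by watching each device for
# a while after installation. Constructed values.
EXPECTED_CLOUD = {
    "192.168.20.31": {("198.51.100.20", 443)},  # camera -> its vendor portal
}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn one iptables LOG line into a dict of its KEY=VALUE fields."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"}.issubset(fields):
        return None
    fields["DPT"] = int(fields["DPT"])
    return fields


def classify(rec):
    """Decide whether one new connection from the IoT VLAN is expected.

    Returns None for traffic that did not originate in the IoT VLAN, otherwise
    "allowed", "lateral" (an IoT device reaching into the workstation VLAN) or
    "unexpected-egress" (phoning home to a destination not on its allowlist).
    """
    src = ipaddress.ip_address(rec["SRC"])
    dst = ipaddress.ip_address(rec["DST"])
    if src not in IOT_NET:
        return None
    if dst in IOT_NET:
        return "allowed"          # stays inside the isolated VLAN
    if dst in LAN_NET:
        if dst == LMS_SERVER and rec["DPT"] in LMS_PORTS:
            return "allowed"      # the one LAN service the players need
        return "lateral"
    if (rec["DST"], rec["DPT"]) in EXPECTED_CLOUD.get(rec["SRC"], set()):
        return "allowed"
    return "unexpected-egress"


def audit(log_text):
    """Return (verdict, src, dst, dport, proto) for every flagged log line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict not in (None, "allowed"):
            findings.append((verdict, rec["SRC"], rec["DST"], rec["DPT"], rec["PROTO"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("%-17s %s -> %s:%d (%s)" % finding)
```

The allowlist is the hard part: seed it by watching a device for a few days after installation, then treat any new destination as something worth a look. A device whose firmware is never updated has no reason to change where it talks to, so a change in its destinations is a signal rather than noise.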

Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-22 Thread jablonski

philchillbill wrote: 
> A few years ago, I wrote a shell script that I installed on my SB-Radio
> to read out its internal light sensor and post that data to Domoticz in
> a 5-second CRON. I could do that by SSHing into the Radio and by knowing
> it’s a Linux-based device, I could find my way around on its file system
> pretty quickly. 
> 
> When my script is running, it in no way changes the behavior of the SBR
> from a user’s perspective. That did make me very aware of what happens
> when a device on your local LAN is compromised to become part of a
> botnet. My code wasn’t malicious and I wrote it myself, but what if?
> 
> To get in to the SBR, you have to navigate the menu structure in the
> player’s GUI and enable SSH. In theory you need physical access to the
> player to do that. But of course if there’s a zero-day in the BusyBox
> then who knows…
> 
> The chances are very, very, very small. But never, ever, say never.

Thanks a lot for your replies. The main trigger for my concern are the
frequent warnings in the media about smart home appliances (like
dishwashers with wifi) that are often not updated, so that unpatched
weaknesses can be exploited by hackers who then can enter your home
network and sniff out what you're doing on your other devices, such as
phone and computer. 
So my assumption was that eventually in every device that is longer on
the market, weaknesses may be discovered and exploited. The same also
applies for computers and phones, of course. But your testing puts my
mind at ease a little, awesome that you did that, philchillbill.



jablonski's Profile: http://forums.slimdevices.com/member.php?userid=23317


Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-21 Thread philchillbill

A few years ago, I wrote a shell script that I installed on my SB-Radio
to read out its internal light sensor and post that data to Domoticz in
a 5-second CRON. I could do that by SSHing into the Radio and by knowing
it’s a Linux-based device, I could find my way around on its file system
pretty quickly. 

When my script is running, it in no way changes the behavior of the SBR
from a user’s perspective. That did make me very aware of what happens
when a device on your local LAN is compromised to become part of a
botnet. My code wasn’t malicious and I wrote it myself, but what if?

To get in to the SBR, you have to navigate the menu structure in the
player’s GUI and enable SSH. In theory you need physical access to the
player to do that. But of course if there’s a zero-day in the BusyBox
then who knows…

The chances are very, very, very small. But never, ever, say never.





philchillbill's Profile: http://forums.slimdevices.com/member.php?userid=68920


Re: [slim] Security risks of old Squeezeboxes(?)

2021-08-21 Thread d6jg

jablonski wrote: 
> Hi All,
> 
> After searching the internet and this forum for a bit, I decided to
> start this subject because I could not really find anything about it.
> Apologies in advance if I overlooked something obvious.
> I wanted to post it on the new logitech forum that was announced
> recently, but it seems to be down at the moment. So here it goes...
> 
> I have a bunch of Squeezeboxes (some Classics, a Duet and then an
> additional controller), and since very recently, they are connected to a
> recent version of LMS on Picoreplayer.
> 
> I really still love my Squeezeboxes and would prefer to keep using them
> for as long as possible, however, I have become increasingly concerned
> about any potential security risks.
> The firmware (obviously) isn't updated anymore, at least not that I'm
> aware.
> 
> So does anyone know if there is any clear and present danger, to use
> these devices on the same network as my phone, laptop, company laptop,
> and so on?
> 
> And is there any difference in that risk between being connected
> directly to mysqueezebox.com vs being connected to the latest available
> LMS?
> (Would connecting to a recent LMS mitigate any of the security risks of
> directly connecting with an old SB to the internet?)
> 
> I am considering to setup a separate network, but if it turns out that
> there's not much reason to worry, then I'd prefer to avoid the hassle.

I don’t think there are any security risks applying to SB Devices as
they themselves don’t hold data and are built purely to stream music. 

You are far more likely to introduce malware into your network by
clicking on a link in an email or on a website than you are to
introduce it via LMS.



VB2.4 STORAGE *QNAP TS419P (NFS)*
*Living Room* Joggler & Pi4/Khadas -> Onkyo TXNR686 -> Celestion F20s
*Office* Joggler & Pi3 -> Denon RCD N8 -> Celestion F10s
*Dining Room* SB Boom
*Kitchen* UE Radio (upgraded to SB Radio)
*Bedroom (Bedside)* Pi Zero+DAC -> Topping TP21 -> AKG Headphones
*Bedroom (TV) & Bathroom* SB Touch -> Denon AVR -> Mordaunt Short M10s +
Kef ceiling speakers
*Guest Room* Joggler -> Topping Amp -> Wharfedale Modus Cubes
Everything controlled by iPeng & Material on iOS

d6jg's Profile: http://forums.slimdevices.com/member.php?userid=44051


[slim] Security risks of old Squeezeboxes(?)

2021-08-21 Thread jablonski


Hi All,

After searching the internet and this forum for a bit, I decided to
start this subject because I could not really find anything about it.
Apologies in advance if I overlooked something obvious.
I wanted to post it on the new logitech forum that was announced
recently, but it seems to be down at the moment. So here it goes...

I have a bunch of Squeezeboxes (some Classics, a Duet and then an
additional controller), and since very recently, they are connected to a
recent version of LMS on Picoreplayer.

I really still love my Squeezeboxes and would prefer to keep using them
for as long as possible, however, I have become increasingly concerned
about any potential security risks.
The firmware (obviously) isn't updated anymore, at least not that I'm
aware.

So does anyone know if there is any clear and present danger, to use
these devices on the same network as my phone, laptop, company laptop,
and so on?

And is there any difference in that risk between being connected
directly to mysqueezebox.com vs being connected to the latest available
LMS?
(Would connecting to a recent LMS mitigate any of the security risks of
directly connecting with an old SB to the internet?)

I am considering to setup a separate network, but if it turns out that
there's not much reason to worry, then I'd prefer to avoid the hassle.



jablonski's Profile: http://forums.slimdevices.com/member.php?userid=23317