Flic Home

    Community
    • Login
    • Search
    • Popular
    • Users

    Flic hub network security

    Flic Hub
    security network scan
    3
    5
    2666
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stuart
      stuart last edited by stuart

      I have just run a scan on the flic hub wifi interface and find quite a few ports open. Some are straight forward (DHCP client) but not sure why these are available on a client device:

      • domain 53/udp 53/tcp
      • ntp 123/udp

      and not sure what these all do:

      • ssh 22/udp (yes, udp...)
      • 1234/udp
      • Other UDP ports: 1101, 1885, 16697, 19625, 19632, 20425, 21780, 23780, 23781, 25541, 28465, 30697, 34079, 34433, 36458, 49167, 49190, 50708, 62287, 63420, 63555

      UDP is often used for reflection / amplification attacks should someone get access to the device.

      Can you provide an explanation of the purpose / services behind these ports and guidance as to how they should be protected.

      Many thanks,

      Stuart.

      stuart 1 Reply Last reply Reply Quote 0
      • stuart
        stuart @anton last edited by

        @anton said in Flic hub network security:

        Hello, I am one of the developers of the hub.

        Thanks for your time to look at his.

        First of all I would like to ask what kind of technique you are using to decide if a UDP port is open or closed?

        nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" flic

        UDP is connectionless so by design they don’t really behave like TCP when doing port scans. With TCP you often either get a Connection Reset response or no response at all if you try to connect to a closed port, at which point you can assume that the port is actually closed. With UDP it does not work like that since you are not guaranteed to get a response in either scenario. And even if a port is temporarily open it does not mean that you actually have a service on the other side listening.

        I seem to remember that tools like NMAP use ICMP responses to decide if a UDP port is open (correct me if I’m wrong). But this generates a lot of false positives since a lot of ports are not really bound to a permanent service, but rather temporary ports used by both the Linux OS (DNS requests, NTP requests, etc..) and our host application for different features (like action executions etc). This is normal UDP behavior and not an indication of a security flaw.

        Hence the question. It is hard to determine why a UDP port is open so I was interested to find out what should be listening and why.

        I am not suggesting that I have found a flaw, just the potential to discover one and without some background on what the hub does, it is is guesswork at this point. I usually only work with Open Source and in that case, I can work it out for myself but as far as I know, the flic hub code is hidden so only people on your team can investigate.

        The note about amplification attacks relates to services where a small request can be sent which creates a large response (see https://www.us-cert.gov/ncas/alerts/TA14-017A).

        The assumption is that most flic hub users are not security experts therefore it is the responsibility of the device supplier to make sure that the user cannot be exploited. Many IoT vendors are also not thinking about security and the overall outcome is an unsafe and unreliable internet and this is what is behind my question.

        1 Reply Last reply Reply Quote 0
        • anton
          anton FlicTeam last edited by

          Hello, I am one of the developers of the hub.

          First of all I would like to ask what kind of technique you are using to decide if a UDP port is open or closed? UDP is connectionless so by design they don’t really behave like TCP when doing port scans. With TCP you often either get a Connection Reset response or no response at all if you try to connect to a closed port, at which point you can assume that the port is actually closed. With UDP it does not work like that since you are not guaranteed to get a response in either scenario. And even if a port is temporarily open it does not mean that you actually have a service on the other side listening.

          I seem to remember that tools like NMAP use ICMP responses to decide if a UDP port is open (correct me if I’m wrong). But this generates a lot of false positives since a lot of ports are not really bound to a permanent service, but rather temporary ports used by both the Linux OS (DNS requests, NTP requests, etc..) and our host application for different features (like action executions etc). This is normal UDP behavior and not an indication of a security flaw.

          But again, I don’t fully trust the results of this scan. UDP port 22 (SSH) for example I know for sure is not bound to anything.

          If you have any further questions then I will try to answer but you need to be more specific with what kind of tools you use and what kind of amplification attacks you are referring to.

          /Anton

          stuart 1 Reply Last reply Reply Quote 0
          • oskar
            oskar FlicTeam last edited by

            Let me check with my colleague as I am not really qualified to answer this.

            1 Reply Last reply Reply Quote 0
            • stuart
              stuart @stuart last edited by

              @oskar - do you have any thoughts on this?

              1 Reply Last reply Reply Quote 0
              • First post
                Last post