Need extra help installing your Ooma Hub or Telo system? Let us know.
#41511 by indie_dev
Tue Jan 12, 2010 2:42 pm
Aveamantium wrote:No attacks here, just curious... So you have nothing in the Telo's DMZ and nothing forwarded to the Home Port IP (172.27.35.1)?


Well thats good because I'd rather have a meaningful dialog than a food fight.

As indicated, I had the router's IP address (assigned by the Telo) in the DMZ in order to get access to my LAN from the Internet. Of course thats where/when the breach occurs. There would be no breach if the Telo interface was password protected.

Apart from that, if Telo was handling port forwarding correctly, there would never be a need for the DMZ.

I invite any one to tell me what tests to run and I'll go through them and post the results as accurately as I possibly can. But the fact remains that the Telo/Hub interface needs to be password protected and certainly the device's handling of router specific tasks is spotty - at best.

EDIT: I've just now seen this recent post as well: viewtopic.php?f=8&t=5774
#41512 by Aveamantium
Tue Jan 12, 2010 2:51 pm
Interesting! By the way can you do the forum a favor and please go back and change all your 2B's to 2A's? I think this is a great point but the title/first post is a little confusing since we're talking about 2A (modem>Telo>Router>LAN) being an issue not 2B (modem>Router>Telo & LAN). Thanks and Welcome to Ooma! :D
#41515 by Aveamantium
Tue Jan 12, 2010 2:58 pm
Groundhound wrote:OK, so it's not Option 2B that is the problem - it's that, as Murphy pointed out much more concisely, you can defeat security by the method he outlined. This is not something that the average user is going to stumble into.

But in murphy's case he was using Option 2B (modem>Router>Telo/Hub&LAN) and I think the OP is talking about Option 2A!?
#41520 by caseybea
Tue Jan 12, 2010 3:03 pm
The ooma interface indeed does not have a password. For that matter, neither does my cable modem. Neither is designed to, nor are they set up to, be accessed from the outside.

My main point was, your post basically screams 'danger danger, will robinson' - ooma is insecure. I am reasonably certain that you have short-circuited your setup somehow which allows access to the interface from the outside.

focus on the DMZ setup specifically, as an earlier post suggests. I have a feeling that you have something in there that doesn't belong.
#41521 by Groundhound
Tue Jan 12, 2010 3:07 pm
Aveamantium wrote:
Groundhound wrote:OK, so it's not Option 2B that is the problem - it's that, as Murphy pointed out much more concisely, you can defeat security by the method he outlined. This is not something that the average user is going to stumble into.

But in murphy's case he was using Option 2B (modem>Router>Telo/Hub&LAN) and I think the OP is talking about Option 2A!?

Don't feel alone if you're confused by the original post, I am too. Since the OP cited murphy's earlier post I think he must have been talking about 2B (or not 2B :?, that is the question ). Bottom line is you have to take one of the setup access shortcuts and put the Ooma's IP into the router's DMZ (instead of forwarding just the necessary ports) to have this occur.
#41524 by Aveamantium
Tue Jan 12, 2010 3:15 pm
Groundhound wrote:Don't feel alone if you're confused by the original post, I am too. Since the OP cited murphy's earlier post I think he must have been talking about 2B (or not 2B :?, that is the question ). Bottom line is you have to take one of the setup access shortcuts and put the Ooma's IP into the router's DMZ (instead of forwarding just the necessary ports) to have this occur.

That is why I asked him about having anything in his Telo's DMZ or forwarding ports to the home port IP of the Telo? By the way thanks for the chuckle (2B or not 2B...) :D
#41529 by caseybea
Tue Jan 12, 2010 3:20 pm
As an aside, here's another post, by someone else, who also discovered the so-called loophole.

viewtopic.php?f=8&t=5774&p=40914&hilit=warning#p40910

The lesson-- do NOT put the ooma device in the DMZ, if your ooma device is the first device after your internet connection. if you do this, you are basically totally short-circuiting the security of the device.

The DMZ option is *only* to be used when you have the ooma device behind the router (internet > router > ooma). And then then, only if you don't also have funky port-forwarding that could accidently expose your setup page to the outside.

Who is online

Users browsing this forum: No registered users and 9 guests