Configuration Option 2A Security/Privacy Risk. PLEASE READ!

indie_dev
Posts: 32
Joined: Tue Jan 12, 2010 10:25 am

Re: Configuration Option 2B Security/Privacy Risk. PLEASE READ!

Post by indie_dev » Tue Jan 12, 2010 2:42 pm

Aveamantium wrote:No attacks here, just curious... So you have nothing in the Telo's DMZ and nothing forwarded to the Home Port IP (172.27.35.1)?
Well, that's good because I'd rather have a meaningful dialog than a food fight.

As indicated, I had the router's IP address (assigned by the Telo) in the DMZ in order to get access to my LAN from the Internet. Of course that's where/when the breach occurs. There would be no breach if the Telo interface was password protected.

Apart from that, if Telo was handling port forwarding correctly, there would never be a need for the DMZ.

I invite anyone to tell me what tests to run and I'll go through them and post the results as accurately as I possibly can. But the fact remains that the Telo/Hub interface needs to be password protected and certainly the device's handling of router-specific tasks is spotty - at best.

EDIT: I've just now seen this recent post as well: viewtopic.php?f=8&t=5774

Aveamantium
Posts: 1352
Joined: Sat Jun 20, 2009 2:28 pm
Location: Loveland, Colorado

Re: Configuration Option 2B Security/Privacy Risk. PLEASE READ!

Post by Aveamantium » Tue Jan 12, 2010 2:51 pm

Interesting! By the way can you do the forum a favor and please go back and change all your 2B's to 2A's? I think this is a great point but the title/first post is a little confusing since we're talking about 2A (modem>Telo>Router>LAN) being an issue not 2B (modem>Router>Telo & LAN). Thanks and Welcome to Ooma! :D
Go AVS!

Groundhound
Posts: 2711
Joined: Sat May 23, 2009 9:28 am
Location: Atlanta, GA

Re: Configuration Option 2B Security/Privacy Risk. PLEASE READ!

Post by Groundhound » Tue Jan 12, 2010 2:52 pm

OK, so it's not Option 2B that is the problem - it's that, as Murphy pointed out much more concisely, you can defeat security by the method he outlined. This is not something that the average user is going to stumble into.

Aveamantium
Posts: 1352
Joined: Sat Jun 20, 2009 2:28 pm
Location: Loveland, Colorado

Re: Configuration Option 2B Security/Privacy Risk. PLEASE READ!

Post by Aveamantium » Tue Jan 12, 2010 2:58 pm

Groundhound wrote:OK, so it's not Option 2B that is the problem - it's that, as Murphy pointed out much more concisely, you can defeat security by the method he outlined. This is not something that the average user is going to stumble into.
But in murphy's case he was using Option 2B (modem>Router>Telo/Hub&LAN) and I think the OP is talking about Option 2A!?
Go AVS!

Aveamantium
Posts: 1352
Joined: Sat Jun 20, 2009 2:28 pm
Location: Loveland, Colorado

Re: Configuration Option 2B Security/Privacy Risk. PLEASE READ!

Post by Aveamantium » Tue Jan 12, 2010 3:00 pm

I'm right there with you (both my Telo and Hub are behind my Router) but if there is a security flaw with the "recommended" setup (typically 2A) then I think it should be looked at...
Go AVS!

caseybea
Posts: 196
Joined: Wed Jan 06, 2010 9:52 am

Re: Configuration Option 2B Security/Privacy Risk. PLEASE READ!

Post by caseybea » Tue Jan 12, 2010 3:03 pm

The ooma interface indeed does not have a password. For that matter, neither does my cable modem. Neither is designed to, nor are they set up to, be accessed from the outside.

My main point was, your post basically screams 'danger danger, Will Robinson' - ooma is insecure. I am reasonably certain that you have short-circuited your setup somehow which allows access to the interface from the outside.

Focus on the DMZ setup specifically, as an earlier post suggests. I have a feeling that you have something in there that doesn't belong.
Ooma Hub customer since January 2010
Telo2 upgrade (hub retired) October 2016
Service Level: Core

Groundhound
Posts: 2711
Joined: Sat May 23, 2009 9:28 am
Location: Atlanta, GA

Re: Configuration Option 2B Security/Privacy Risk. PLEASE READ!

Post by Groundhound » Tue Jan 12, 2010 3:07 pm

Aveamantium wrote:
Groundhound wrote:OK, so it's not Option 2B that is the problem - it's that, as Murphy pointed out much more concisely, you can defeat security by the method he outlined. This is not something that the average user is going to stumble into.
But in murphy's case he was using Option 2B (modem>Router>Telo/Hub&LAN) and I think the OP is talking about Option 2A!?
Don't feel alone if you're confused by the original post, I am too. Since the OP cited murphy's earlier post I think he must have been talking about 2B (or not 2B :?, that is the question ). Bottom line is you have to take one of the setup access shortcuts and put the Ooma's IP into the router's DMZ (instead of forwarding just the necessary ports) to have this occur.

Aveamantium
Posts: 1352
Joined: Sat Jun 20, 2009 2:28 pm
Location: Loveland, Colorado

Re: Configuration Option 2B Security/Privacy Risk. PLEASE READ!

Post by Aveamantium » Tue Jan 12, 2010 3:15 pm

Groundhound wrote:Don't feel alone if you're confused by the original post, I am too. Since the OP cited murphy's earlier post I think he must have been talking about 2B (or not 2B :?, that is the question ). Bottom line is you have to take one of the setup access shortcuts and put the Ooma's IP into the router's DMZ (instead of forwarding just the necessary ports) to have this occur.
That is why I asked him about having anything in his Telo's DMZ or forwarding ports to the home port IP of the Telo? By the way thanks for the chuckle (2B or not 2B...) :D
Go AVS!

caseybea
Posts: 196
Joined: Wed Jan 06, 2010 9:52 am

Re: Configuration Option 2B Security/Privacy Risk. PLEASE READ!

Post by caseybea » Tue Jan 12, 2010 3:20 pm

As an aside, here's another post, by someone else, who also discovered the so-called loophole.

viewtopic.php?f=8&t=5774&p=40914&hilit=warning#p40910

The lesson-- do NOT put the ooma device in the DMZ, if your ooma device is the first device after your internet connection. If you do this, you are basically totally short-circuiting the security of the device.

The DMZ option is *only* to be used when you have the ooma device behind the router (internet > router > ooma). And then, only if you don't also have funky port-forwarding that could accidentally expose your setup page to the outside.
Ooma Hub customer since January 2010
Telo2 upgrade (hub retired) October 2016
Service Level: Core
