#41823 by indie_dev
Thu Jan 14, 2010 5:04 am
Aveamantium wrote:Lastly, the security risk is there if you create it.


uhm no. The security risk is there, whether you create it or not.

Some of you folks - despite ALL the evidentiary posts supporting this notion - are in denial that ORDINARY folks will KNOW what poses a threat and what doesn't. If they don't know what poses a threat, then there is a very good chance that they are going to accidentally trigger such a threat. This is EXACTLY why things like trojans, worms, all forms of malware etc are propagated - through UNSUSPECTING AND OTHERWISE CLUELESS EVERYDAY FOLKS.

Take ANY router for example, it has built-in security rules which, even if you enable the DMZ, you have some level of protection. With Ooma, NO SUCH THING EXISTS. If you enable it and configure it improperly - as most have seemingly done and many are more than likely to - then ANYONE on the outside world can gain access to your Ooma config page and subsequently your network (or standalone machine) ports.

The Ooma device IS NOT A ROUTER. So there is NO REASON why it should act like one. But in config option 2A, that is exactly what they're suggesting. Which - apart from being horrified that the Ooma interface had no security settings (username+password) - is what led me to write up this thread EXPLAINING the threat.

But some folks here are making light of it and treating this like it was some false alarm. It is not.

So I have filled out a threat report and submitted to three security sites that I work with. So there, you folks in denial will probably put more stock into this once this is propagated across the Net.

And let's not even go into the fact that by promoting 2A, folks are literally telling people to bypass their otherwise robust and capable router and router/modem devices - with ALL their built-in security - in exchange for the half-a$$ed crap that Ooma passes off as a router. And an UNPROTECTED one at that.

For the record, I am a 30+ year IT veteran with several published products and works and have worked in all fields you can possibly think of in technology. So when I see a device such as this providing access to a router and internal network and WITHOUT so much as a SIMPLE security (username+password) interface, alarm bells start ringing. Which is why I decided to probe during installation to see just how serious the threat was.

Listen, I've said this before, if you feel that I'm wrong, fine - I don't care. People who have one iota of common sense will read what I have written and decide for themselves. Those who don't understand it are the ones who will end up making an uninformed decision and most likely end up compromising their system.

The funniest - and most ludicrous thing I've read thus far about this is coming from people who say that if you're worried about security, you should turn off your net access. How can you POSSIBLY take such (or any comment for that matter) people seriously.

The information is there, do what you want with it because it is of no consequence to me. What I take issue to is people trying to pass off what I've written as if it were nonsense or a false alarm.
#41825 by dknyinva
Thu Jan 14, 2010 5:19 am
Bottom line...any network devices (i.e. router, switch, etc...) should have some type of authentication. The fact that ooma setup page does not is a security risk whether you have a stringent router behind it or not
#41829 by indie_dev
Thu Jan 14, 2010 5:27 am
dknyinva wrote:Bottom line...any network devices (i.e. router, switch, etc...) should have some type of authentication. The fact that ooma setup page does not is a security risk whether you have a stringent router behind it or not


Thank You.
#41834 by Groundhound
Thu Jan 14, 2010 6:12 am
indie_dev wrote:So I have filled out a threat report and submitted to three security sites that I work with. So there, you folks in denial will probably put more stock into this once this is propagated across the Net.

Good. Security sites you are not affiliated with would be good too. I would like to see these questions evaluated:

"Joe" has a separate modem and router and his router has all the appropriate security features set, but he is not running any servers nor has any need for port forwarding or use of DMZ. Joe goes out and buys a Telo, and places it between his modem and router as described in 2A with default Telo settings (except maybe QoS), and makes no changes otherwise to his system or to the settings in his router. Is there anything Joe can do in the Telo's setup that will circumvent the security features of his router? With no port forward or DMZ settings added to the Telo's setup, is his Telo setup exposed to the Internet? I believe the answer is no to both questions but I've an open mind and would like to know. I think there is broad agreement that if Joe wants to run services that require opening ports he is better off with option 2B.
#41837 by indie_dev
Thu Jan 14, 2010 6:29 am
Groundhound wrote:
indie_dev wrote:So I have filled out a threat report and submitted to three security sites that I work with. So there, you folks in denial will probably put more stock into this once this is propagated across the Net.
Good. Security sites you are not affiliated with would be good too.


I am not "affiliated" with them. You don't need to be affiliated with security sites to work with them on threat assessment, reporting etc.

I would like to see these questions evaluated:

"Joe" has a separate modem and router and his router has all the appropriate security features set, but he is not running any servers nor has any need for port forwarding or use of DMZ. Joe goes out and buys a Telo, and places it between his modem and router as described in 2A with default Telo settings (except maybe QoS), and makes no changes otherwise to his system or to the settings in his router. Is there anything Joe can do in the Telo's setup that will circumvent the security features of his router? With no port forward or DMZ settings added to the Telo's setup, is his Telo setup exposed to the Internet? I believe the answer is no to both questions but I've an open mind and would like to know. I think there is broad agreement that if Joe wants to run services that require opening ports he is better off with option 2B.


The scenario is no different from Joe setting up any common router. The only difference is that in any router - or device - he has a certain level of protection REGARDLESS of whether or not he screws up knowingly or un-knowingly.

Also, in addition, your scenario is something I already addressed in another post; in that when something goes wrong, the first port of call is for people to "Enable DMZ". Go ahead, run that phrase through Google, Bing, Yahoo! etc and other search sites and see how many hits there are.

Regardless of how robust or good a router or router/modem is, there WILL come a time when not even port-forwarding, virtual servers, NAT etc will allow certain things to work. Which is EXACTLY why the DMZ exists.

So, if Joe has a setup as described above and he can't get things to work, he may have read somewhere that he can use his DMZ and all will be well. Of course that's true. But the dangers of doing so - regardless of how decent your router is - are not immediately obvious to Joe.

WHY else do you think malware is so prevalent on the Net? Contrary to popular belief, it's NOT just from opening emails, visiting websites etc. As I type this, there are no less than 500+ blocked intrusions in my DIR-655 log. Visit your router's log one day and you'll be surprised. With DMZ - or any hole open ANYWHERE - you leave your computer or LAN open to risk.

The issue with the Ooma device is that apart from it being absolutely crap at router functionality, they have a DMZ.

So believing that because the threat is there doesn't mean that Joe isn't necessarily going to stumble on it is foolish and irresponsible thinking. That's like allowing Iran to go ahead with their nuclear program and trust that they stick to using it for energy and not making weapons even though they only have a small quantity of fuel rods and U-235 deposits.

There is another thread here in which the guy can't get his PS3 to work based on how he set up his device. I can 100% guarantee you that if he enables the Ooma DMZ and changes one single setting on his router, it will work. And that will totally expose his entire network to the outside world.

When ALL else fails, Joe is likely to do something utterly stupid. Why? Well because a) he doesn't know any better b) because he read it on some community website, so it MUST be the right thing to do.

It is always kewl to rail on the new guy, especially by "community vested" folks who think they have all the answers and who think that their tenure is subject to compromise by the new guy. But the fact of the matter is that YOU guys are completely WRONG about this and are thus CONTRIBUTING to the problem.

And while you're at it, look at my contributions here in this SHORT time that I've been here, do I come across as a kook to you? In fact, I am ONLY posting here because of what I discovered and not because I don't have better things to do with my time. But don't worry, eventually I will leave - taking all my knowledge and experience with me - and you guys can have your leeettle corner of the Net back.
Last edited by indie_dev on Thu Jan 14, 2010 6:40 am, edited 2 times in total.
#41840 by Aveamantium
Thu Jan 14, 2010 6:36 am
indie_dev, maybe you should be providing this information where it can do some good like to Dennis P. I would PM the 3 security vulnerabilities that you have discovered and make a case for a password protected access page.
#41841 by dknyinva
Thu Jan 14, 2010 6:40 am
The only thing I agree with indie_dev in this post or other that he posted is to bring attention to ooma to implement an authentication on the ooma setup page. Otherwise, there isn't much in security breach unless you make it known to anyone else about your network and public IP address. The main point here is the 172.27.x.x is a private network and not routable and cannot be accessed from the Internet.
Last edited by dknyinva on Thu Jan 14, 2010 6:46 am, edited 1 time in total.
#41843 by Groundhound
Thu Jan 14, 2010 6:43 am
indie_dev wrote:Regardless of how robust or good a router or router/modem is, there WILL come a time when not even port-forwarding, virtual servers, NAT etc will allow certain things to work. Which is EXACTLY why the DMZ exists.

OK, trying to keep it simple here. In my scenario above, if Joe puts his router into the Telo's DMZ, does that circumvent the router's security features or expose his Telo setup to the Internet in the absence of additional changes to his router's configuration? Yes/no? Speaking strictly to the security question here - not to how well Telo's DMZ performs otherwise.
#41846 by dknyinva
Thu Jan 14, 2010 6:47 am
Groundhound wrote:
indie_dev wrote:Regardless of how robust or good a router or router/modem is, there WILL come a time when not even port-forwarding, virtual servers, NAT etc will allow certain things to work. Which is EXACTLY why the DMZ exists.

OK, trying to keep it simple here. In my scenario above, if Joe puts his router into the Telo's DMZ, does that circumvent the router's security features or expose his Telo setup to the Internet in the absence of additional changes to his router's configuration? Yes/no? Speaking strictly to the security question here - not to how well Telo's DMZ performs otherwise.
A BIG NO. I have my setup with the Telo between my modem and Linux router and cannot access the Telo setup page from the Internet even with my public IP address. I use my secure web portal to access my ooma setup page at 172.27.35.1.
Last edited by dknyinva on Thu Jan 14, 2010 7:23 am, edited 1 time in total.
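
An added example, not part of any post in this thread: a check of the two properties the posters argue over, namely whether an address such as 172.27.35.1 lies in private address space and whether a setup page answers without an authentication challenge. The function names are hypothetical and the two local HTTP servers are constructed stand-ins for a device, not Ooma's software.

```python
import ipaddress
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def is_private(addr):
    """True when addr is in private (non-Internet-routable) address space."""
    return ipaddress.ip_address(addr).is_private

def probe_setup_page(url, timeout=3.0):
    """Classify a page as 'open', 'auth-required', 'other' or 'unreachable'."""
    # Ignore proxy environment variables so the request goes straight to the device.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return "open" if resp.status == 200 else "other"
    except urllib.error.HTTPError as err:
        return "auth-required" if err.code in (401, 403) else "other"
    except (urllib.error.URLError, OSError):
        return "unreachable"

def make_handler(require_auth):
    """Constructed stand-in for a device setup page (assumption, for the demo)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            denied = require_auth and "Authorization" not in self.headers
            self.send_response(401 if denied else 200)
            if denied:
                self.send_header("WWW-Authenticate", 'Basic realm="setup"')
            self.end_headers()
        def log_message(self, *args):
            pass  # keep the demo quiet
    return Handler

def demo():
    results = {}
    for name, require_auth in (("no_auth", False), ("with_auth", True)):
        srv = HTTPServer(("127.0.0.1", 0), make_handler(require_auth))
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            results[name] = probe_setup_page(f"http://127.0.0.1:{srv.server_port}/")
        finally:
            srv.shutdown()
            srv.server_close()
    return results

if __name__ == "__main__":
    print(is_private("172.27.35.1"), demo())
```

Run against your own device, `probe_setup_page` should be called once from the LAN side and once from an outside connection, since the two results answer different questions.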
