Flic hub network security



  • I have just run a scan on the flic hub wifi interface and find quite a few ports open. Some are straight forward (DHCP client) but not sure why these are available on a client device:

    • domain 53/udp 53/tcp
    • ntp 123/udp

    and not sure what these all do:

    • ssh 22/udp (yes, udp...)
    • 1234/udp
    • Other UDP ports: 1101, 1885, 16697, 19625, 19632, 20425, 21780, 23780, 23781, 25541, 28465, 30697, 34079, 34433, 36458, 49167, 49190, 50708, 62287, 63420, 63555

    UDP is often used for reflection / amplification attacks should someone get access to the device.

    Can you provide an explanation of the purpose / services behind these ports and guidance as to how they should be protected.

    Many thanks,

    Stuart.



  • @anton said in Flic hub network security:

    Hello, I am one of the developers of the hub.

    Thanks for your time to look at his.

    First of all I would like to ask what kind of technique you are using to decide if a UDP port is open or closed?

    nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" flic
    

    UDP is connectionless so by design they don’t really behave like TCP when doing port scans. With TCP you often either get a Connection Reset response or no response at all if you try to connect to a closed port, at which point you can assume that the port is actually closed. With UDP it does not work like that since you are not guaranteed to get a response in either scenario. And even if a port is temporarily open it does not mean that you actually have a service on the other side listening.

    I seem to remember that tools like NMAP use ICMP responses to decide if a UDP port is open (correct me if I’m wrong). But this generates a lot of false positives since a lot of ports are not really bound to a permanent service, but rather temporary ports used by both the Linux OS (DNS requests, NTP requests, etc..) and our host application for different features (like action executions etc). This is normal UDP behavior and not an indication of a security flaw.

    Hence the question. It is hard to determine why a UDP port is open so I was interested to find out what should be listening and why.

    I am not suggesting that I have found a flaw, just the potential to discover one and without some background on what the hub does, it is is guesswork at this point. I usually only work with Open Source and in that case, I can work it out for myself but as far as I know, the flic hub code is hidden so only people on your team can investigate.

    The note about amplification attacks relates to services where a small request can be sent which creates a large response (see https://www.us-cert.gov/ncas/alerts/TA14-017A).

    The assumption is that most flic hub users are not security experts therefore it is the responsibility of the device supplier to make sure that the user cannot be exploited. Many IoT vendors are also not thinking about security and the overall outcome is an unsafe and unreliable internet and this is what is behind my question.


  • FlicTeam

    Hello, I am one of the developers of the hub.

    First of all I would like to ask what kind of technique you are using to decide if a UDP port is open or closed? UDP is connectionless so by design they don’t really behave like TCP when doing port scans. With TCP you often either get a Connection Reset response or no response at all if you try to connect to a closed port, at which point you can assume that the port is actually closed. With UDP it does not work like that since you are not guaranteed to get a response in either scenario. And even if a port is temporarily open it does not mean that you actually have a service on the other side listening.

    I seem to remember that tools like NMAP use ICMP responses to decide if a UDP port is open (correct me if I’m wrong). But this generates a lot of false positives since a lot of ports are not really bound to a permanent service, but rather temporary ports used by both the Linux OS (DNS requests, NTP requests, etc..) and our host application for different features (like action executions etc). This is normal UDP behavior and not an indication of a security flaw.

    But again, I don’t fully trust the results of this scan. UDP port 22 (SSH) for example I know for sure is not bound to anything.

    If you have any further questions then I will try to answer but you need to be more specific with what kind of tools you use and what kind of amplification attacks you are referring to.

    /Anton


  • FlicTeam

    Let me check with my colleague as I am not really qualified to answer this.



  • @oskar - do you have any thoughts on this?


Log in to reply
 

Looks like your connection to Community was lost, please wait while we try to reconnect.