I think the problem you were addressing is that a lot of folks open ports and enable protocols without having any understanding of what the implications are. I made an informed decision by weighing relative risks vs features and convenience. The bulk of the consuming public does not know enough to do that and simply trusts that it is all good. The problem companies like Tablo have is to make features available to people who are not very skilled, and that often requires security compromises. The reason it does not pose a real-world problem for most people is basically security by obscurity. People are protected by the fact that it takes a targeted attack to exploit this type of vulnerability and the average residential network just isn’t worth the trouble.
I am an enterprise data architect and haven’t done any meaningful development in at least 8 years, so I basically know just enough about port configuration, firewalls and such to be dangerous.
You hit on the problem exactly. I disagree that it takes a targeted attack; there are bots running around the web looking for vulnerabilities to exploit. Sure, a criminal won’t get much from most home users, but it doesn’t cost much to do, and if they can get a few dozen then it would pay for itself. I’ve read that about 40% of home routers are configured as Internet Gateway Device (IGD). If an IGD is using UPnP, then it will accept a request to open a firewall hole from an unauthenticated Internet user. At that point it is pretty easy to install ransomware or do a DNS redirection and create a watering hole to get CC data. All it would take is a couple of days’ work and maybe a thousand dollars to set up. The take would easily be 10 times that.
You illustrated that UPnP can be used (relatively) safely by implementing other security controls. You are doing just that by segmenting your storage and removing the sensitive data from the Internet connected devices. Just as you say that most users are not able to configure sophisticated network setups, I propose that they aren’t capable of designing a security architecture as you did.
In a perfect world the vendor (such as Nuvyyo) would take all this into consideration and design a system that is both automatic (from the user’s perspective) and secure. As you stated before, this is all about balancing security against functionality. I don’t know how to do this with UPnP without also requiring a pretty good handle on networking technology–and if the users had the know-how to secure UPnP, then they could also manually set up port forwarding.
There are ways to do this securely. I mentioned one in an earlier post–use SSL certificates to both authenticate and encrypt the data stream. Unfortunately that means creating a PKI infrastructure just for remote viewers, or to use a commercially available structure. Both would increase cost. Perhaps there is a better, cheaper way. I haven’t thought much about it, and Nuvyyo hasn’t hired me to research it.
I appreciate the back and forth conversation on this. I’m glad to see that others want this company to do well. I really love the product and wish to see it succeed.
There are aspects of this that I do not understand. I gave my Tablo a static IP address and mapped specific external ports to a set of specific internal ports on that IP. I assume what you are saying is that because Tablo uses UPnP internally within my network, someone could use the fact that I opened those external ports and mapped them to the Tablo to piggyback on the UPnP protocol to access the rest of my network. I am trying to figure out what that would give them access to. Can they use UPnP as a gateway to hit Windows File and Print Sharing?
Not exactly. As you said, you made a risk based decision on what ports to open and that in turn allows access. Access to Windows file and printer sharing is CIFS and requires authentication. I think you are good, especially since you are cognizant of what data is important and you keep that data in a safe location. Your port forwarding, manually configured, means that only the interface to the Tablo is exposed.
The issue is that if your router is setup as an IGD, then anyone on the Internet can ask for a UPnP access, and it will be granted. At that point the external user is now inside your firewall. From that point an attacker can do many things. They can scan your network for unpatched vulnerabilities and in turn exploit them. They could attack your router as well. Almost no-one patches their home routers, and many have vulnerabilities that allow DNS redirection. DNS redirection allows the attacker to change where your browser gets DNS; that means that when you type a URL it could be redirected to a phishing or spoofed site. Imagine if the attacker builds a site that looks like your bank, only controlled by them. Poof–they have your username and password. The same could hold true for a shopping site such as Amazon. Man in the Middle attacks are possible as well.
Essentially, running UPnP on a router that is improperly configured abrogates the firewall. I would never recommend any device to be on the Internet without a firewall. Would you?
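The IGD behaviour the two posts above describe (a router that accepts UPnP port-mapping requests and thereby opens holes in its own firewall) can be audited from the inside. The script below is an added example, not code from this thread or from Nuvyyo: it builds the standard WANIPConnection:1 `GetGenericPortMappingEntry` SOAP request, parses the reply, and flags mappings that expose services this thread worries about (CIFS/NetBIOS, RDP, telnet, SSH). The control URL in `audit_router()` is an assumption you must take from your own router’s device description; the demo itself runs only on constructed responses embedded in the file and makes no network calls.

```python
"""Audit the port mappings a UPnP IGD router currently holds.

Added example (not from the Tablo forum or Nuvyyo). Sends the standard
WANIPConnection:1 GetGenericPortMappingEntry action, walks the mapping
table by index until the router returns a SOAP fault (error 713,
SpecifiedArrayIndexInvalid), and reports mappings that expose risky
internal services. The demo at the bottom uses constructed responses.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Internal ports whose exposure to the Internet the thread considers dangerous.
RISKY_PORTS = {22: "SSH", 23: "telnet", 139: "NetBIOS", 445: "CIFS/SMB", 3389: "RDP"}


def build_request(index: int) -> bytes:
    """SOAP body asking for the mapping at position `index` in the router's table."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">
      <NewPortMappingIndex>{index}</NewPortMappingIndex>
    </u:GetGenericPortMappingEntry>
  </s:Body>
</s:Envelope>""".encode()


def parse_response(xml_bytes: bytes) -> Optional[Dict]:
    """Return the mapping fields, or None when the reply is a SOAP fault."""
    root = ET.fromstring(xml_bytes)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body in response")
    if body.find(f"{{{SOAP_NS}}}Fault") is not None:
        return None  # end of the mapping table (or another fault)
    resp = body.find(f"{{{SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("unexpected response element")
    # Response arguments are un-namespaced children of the response element.
    f = {child.tag: (child.text or "").strip() for child in resp}
    return {
        "remote_host": f.get("NewRemoteHost", ""),
        "external_port": int(f["NewExternalPort"]),
        "protocol": f["NewProtocol"],
        "internal_port": int(f["NewInternalPort"]),
        "internal_client": f["NewInternalClient"],
        "enabled": f.get("NewEnabled") == "1",
        "description": f.get("NewPortMappingDescription", ""),
        "lease": int(f.get("NewLeaseDuration", "0")),
    }


def assess(m: Dict) -> List[str]:
    """Findings a defender would want to see for one mapping."""
    findings = []
    if not m["enabled"]:
        return findings
    service = RISKY_PORTS.get(m["internal_port"])
    if service:
        findings.append(f"exposes {service} on {m['internal_client']}")
    if m["lease"] == 0 and not m["description"]:
        findings.append("permanent mapping with no description (who added it?)")
    return findings


def audit_router(control_url: str, max_entries: int = 64) -> List[Tuple[Dict, List[str]]]:
    """Walk a live router's mapping table. `control_url` is an assumption: take the
    WANIPConnection control URL from your own router's UPnP device description."""
    results = []
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'}
    for i in range(max_entries):
        req = urllib.request.Request(control_url, data=build_request(i), headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                raw = r.read()
        except urllib.error.HTTPError as e:  # faults come back as HTTP 500
            raw = e.read()
        m = parse_response(raw)
        if m is None:
            break
        results.append((m, assess(m)))
    return results


def _reply(ext, proto, internal_port, client, desc, lease) -> bytes:
    """Constructed router reply, shaped like a real GetGenericPortMappingEntryResponse."""
    return f"""<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal_port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>""".encode()


FAULT_713 = f"""<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>
<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>
<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>
<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail>
</s:Fault></s:Body></s:Envelope>""".encode()

# Constructed sample table: a media-box mapping, an SMB exposure, then end-of-table.
SAMPLE_RESPONSES = [
    _reply(21000, "TCP", 8887, "192.168.1.50", "Media box remote access", 0),
    _reply(445, "TCP", 445, "192.168.1.20", "", 0),
    FAULT_713,
]


def audit_samples() -> List[Tuple[Dict, List[str]]]:
    """Run the same walk as audit_router() over the constructed replies."""
    results = []
    for raw in SAMPLE_RESPONSES:
        m = parse_response(raw)
        if m is None:
            break
        results.append((m, assess(m)))
    return results


if __name__ == "__main__":
    for m, findings in audit_samples():
        tag = "WARN" if findings else "ok  "
        print(f"{tag} {m['protocol']} {m['external_port']} -> "
              f"{m['internal_client']}:{m['internal_port']} {findings}")
```

Running it against a real router only requires the control URL; the mapping table shows you exactly which holes UPnP has punched, whether you asked for them or something on the LAN did. Mappings with an empty description and an infinite lease are worth investigating first, since a manually configured forward normally has a name and a UPnP one normally has a lease.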
Please read the linked thread below; this is exactly why the UPnP feature exists. It has been 4 days of help from multiple forum members, multiple attempts by the OP, and the OP cannot forward 3 ports properly. Yes, forwarding a port on a router may seem easy to you or me, but it’s obviously not that simple to all.
Another thread where UPnP came to the rescue:
I’m not weighing on the UPnP vs. no UPnP debate - except to note that in general I prefer more choices to fewer.
I wanted to share one other aspect of Tablo Remote that I have experienced. My Tablo Remote works flawlessly. However, I have noticed that the firewalls on some networks prevent a Tablo Connect connection (i.e. “Connecting . .” forever). For example, at my place of employment, there is a network for employees and one for guests. I cannot connect to Tablo Connect on the employee network, but I can on the guest network. I think this has to do with the firewall blocking P2P connections. Same on my daughter’s xfinity network. When I first tried to connect, I was unsuccessful. When I looked at her firewall and unticked the box that blocked P2P, Tablo Connect worked.
Anyway, maybe others have run into this? I guess a lesson here is that if Tablo Connect doesn’t work, it is not necessarily a port forwarding issue.
At my library, it just gets stuck at connecting as well. But when I went to renew my license plate, I could watch my Tablo. Both used the same Metro network, but the library must have some ports blocked.
I’ll +1 this request.
Logging in to our account should satisfy security needs. Our account login should be https and that should suffice for the web app connection.
After we login, a link on our account page beside each device to open it in the web app would be handy.
I have worked as a security consultant. Most “security” people are too “absolute” on enforcement, and most developers want to “zero rate” security.
The reality for security is a balance. You cannot ADD or INCREASE security without DECREASING or WORSENING “ease of use” or “productivity”.
Security has to be balanced. It has to defeat 80-90% of any real threats, but not destroy productivity or ease of use.
If you need to implement security that makes using your system or service really hard or difficult you have actually defeated the purpose of whatever service you have.
Now, while my home network does not have anything of value on it, I take a dim view of the spam-ware company in Europe that HACKED my DNS server setting in my modem!
And NOBODY can tell me how they did it. Was it UPnP? From outside? Inside? Maybe the ISP-loved remote management system has a flaw?
Nobody can tell me. This is why I turned OFF UPnP. It does not seem possible to turn off the remote management protocol in my modem.
I turned UPnP back on temporarily to shake down my new Tablo. But as soon as it’s stable and I understand its needs, UPnP gets switched OFF. I’ll add the port forwards manually. Unless the UPnP-created ones stick…
@rcooke Well said. I don’t think that an absolute number value can be applied as you suggest (80-90%), but rather a full analysis of the risks and benefits should be made to determine where the correct level of security lies.
It is important to remember that availability is one of the three legs of security.
I mentioned previously it did not work at Taco Cabana but did work at Starbucks, so it is port blocking.
Remote access is a great idea instead of pairing it. I hope TabloTV gets it up very soon. People could for example set it up at a friend’s or family member’s house (with permission) to watch out of market local channels. That would be neat!
Any updates? It’s well past “later this year”.
There have been updates to Tablo Connect to make it survive IP changes, so now when you pair a device, it almost never comes unpaired, making the need for username and password remote access even less.
I’d still like a way to access it from devices that will never visit the home network.
@TabloTV is there any development on this? Is this on the road map? I’d love to be able to access my Tablo app from our cabin which doesn’t have any antenna access.
@faganm24 - Still on the ‘would be nice’ list but we haven’t made much progress on it. We’ll be doing another customer survey soon to flesh out priorities for the rest of 2016 (aside from Android & Apple TV) and early 2017.
Beware of referendums
Haha… Indeed. Thankfully we have our own ‘article 50’ (i.e. the CEO!)
This “feature” really is a requirement. Please add it Tablo!