On 03/02/2019 11.44, Dave Howorth wrote:
On Sun, 3 Feb 2019 01:08:32 +0100 (CET) "Carlos E. R." <> wrote:
El 2019-02-02 a las 22:51 -0000, Dave Howorth escribió:
On Sat, 2 Feb 2019 23:25:27 +0100 Peter Suetterlin <> wrote:
Dave Howorth wrote:
...
Thanks for answering my questions, Peter, and giving me some more to think about. Apologies to all for the mnemonic confusion; I meant WLAN rather than WAN, of course. It's the phones and IoT devices on the network that cause me most concern; I'm not so much worried about the state of my Linux boxes.
The IoT gadgets probably "phone home" to register on some external site. The apps on phones typically connect to this external site, which then tells the gadgets how to react. It is this last aspect which I do not have clear: maybe the gadgets just keep an outgoing connection to the internet server, so they are not affected by any firewall you may set up. If the connection is incoming, then I'm unsure. There are protocols "that just work" but pose a security risk. That's how the latest attack on the Chromecasts was done.
Connections have to be outgoing. They can't be incoming because of NAT and no open ports on the router; not to mention dynamic IP assignment by my ISP. So there are never any 'designed' incoming connections. And I see no evidence of 'naughty' connections in my router's logs, but then I wouldn't expect to if it were compromised.
That's not exact, because there are modern protocols that can be used from inside machines to tell the router to open a port for incoming connections. <https://en.wikipedia.org/wiki/Universal_Plug_and_Play>

«One solution for NAT traversal, called the Internet Gateway Device Protocol (IGD Protocol), is implemented via UPnP. Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP control point to perform a variety of actions, including retrieving the external IP address of the device, enumerate existing port mappings, and add or remove port mappings. By adding a port mapping, a UPnP controller behind the IGD can enable traversal of the IGD from an external address to an internal client.»

Exploit: <https://gizmodo.com/dual-upnp-chromecast-exploit-allows-hacker-to-hijack-de-1831446345> "Hackers Take Over Chromecast Device to Warn Users, Plug YouTuber PewDiePie"

Then, if you are using VoIP solutions, it is very possible there is some NAT traversal solution in place.

-- 
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)
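As an added illustration of the IGD mechanism Carlos describes (my own example, not code from anyone in this thread): the SSDP probe a control point sends to find an IGD on the LAN, plus parsers for the router's reply and for one GetGenericPortMappingEntry response, which is how you list the mappings your own router currently holds. The SSDP reply, the SOAP response and the 192.168.1.x addresses are constructed sample data, not captured from a real router.

```python
import xml.etree.ElementTree as ET

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """SSDP M-SEARCH datagram asking the LAN whether an IGD is present."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()

def parse_ssdp_reply(data: bytes) -> dict:
    """Header map of an SSDP 200 OK reply; LOCATION points at the device XML."""
    hdrs = {}
    for line in data.decode(errors="replace").split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            hdrs[name.strip().upper()] = value.strip()
    return hdrs

def parse_port_mapping(soap_xml: str) -> dict:
    """Fields of one GetGenericPortMappingEntryResponse (New* tags, prefix dropped)."""
    entry = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.split("}")[-1]          # drop the namespace, if any
        if tag.startswith("New"):
            entry[tag[3:]] = (el.text or "").strip()
    return entry

def describe_exposure(entry: dict) -> str:
    """One audit line per mapping: what the outside can now reach on the LAN."""
    origin = entry.get("RemoteHost") or "any Internet host"
    state = "enabled" if entry.get("Enabled") == "1" else "disabled"
    lease = entry.get("LeaseDuration", "0")
    lease_txt = "permanent" if lease == "0" else f"{lease}s lease"
    return (f"{origin} -> WAN {entry['Protocol']}/{entry['ExternalPort']} "
            f"-> {entry['InternalClient']}:{entry['InternalPort']} "
            f"[{state}, {lease_txt}] '{entry.get('PortMappingDescription', '')}'")

# Constructed sample data (placeholder UUID and addresses, not a real router).
SAMPLE_SSDP = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
               b"LOCATION: http://192.168.1.1:1900/rootDesc.xml\r\n"
               b"ST: " + IGD_ST.encode() + b"\r\nUSN: uuid:placeholder::" + IGD_ST.encode() + b"\r\n\r\n")
SAMPLE_MAPPING = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8008</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>8008</NewInternalPort>
<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>media device</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
```

If a mapping shows up that you did not create yourself, the practical fix is to disable UPnP/IGD on the router, since any LAN host can add one without authentication.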