Hub 2 -- Lax Admin Security?
22-12-2022 10:55 PM - edited 22-12-2022 10:56 PM
I've been pretty used to visiting my router's internal IP address on my home network and being dumped right into the admin section.
Today I activated 'Static IP' add-on for my broadband package and visited my router via its static IP address on my phone [which has never connected to my router before]. I was pretty shocked to find that the router admin section is partially open for anyone to snoop around, who chances upon my IP. Now, I'm not saying it's completely wide open. If I try to dive into any of the sections to change a setting, I'm asked for the admin password --thank god! However, there's still a lot of potentially private info that's freely visible on the router admin screen, without entering the admin password:
* The 'Hub Status' page, which gives, amongst other things; connection status, upload and download speed, uptime, router serial number, router firmware version.
* Basic WiFi page, which gives; which channel frequencies [2.4GHz and/or 5GHz] are active, which channel each is using, whether I have WPS enabled, network name, security type, wireless mode.
* My devices page, which gives a list of every device connected to my router, with their individual IP addresses. This is a shocking security hole. So, now I'm not only at risk from anyone with an exploit for my router, but for anyone with an exploit for any one of the dozen or so devices connected to it!
Am I missing something here? Or is there some pretty atrocious security on this router? With my last broadband router, if I visited its public IP address, I couldn't see anything at all without logging in. This one seems to give any potential hackers a wealth of useful information to help them along.
Re: Hub 2 -- Lax Admin Security?
23-12-2022 7:49 AM
Are you sure your phone was connected via the mobile network and not via your home wifi?
AFAIK the router is not accessible remotely by default. However, if you were connected to your home network, then NAT loopback would allow access internally without going out to the internet and back.
Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.
Re: Hub 2 -- Lax Admin Security?
23-12-2022 8:26 AM
In support of the above post you can check the open ports on your router
https://www.yougetsignal.com/tools/open-ports/
Select "Scan all Common Ports" found at the bottom of the command ports list on the right.
I have been unable to connect to my router from the internet using my public static IP address but I can on my local LAN.
HTH
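A local equivalent of the port check suggested above, added here as an example and not part of the original post. It has to be run from a connection outside the home network (for instance mobile data), because with NAT loopback a test made from inside the LAN reaches the hub internally; the port list and function names are assumptions.

```python
import socket
import sys

# Assumed ports for a web admin UI; the thread does not say which the Hub 2 uses.
ADMIN_PORTS = (80, 443, 8080)

def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # something accepted the connection
    except ConnectionRefusedError:
        return "closed"        # host answered with a reset: nothing listening
    except OSError:
        return "filtered"      # timeout or unreachable: silently dropped
    finally:
        sock.close()

def audit(host, ports=ADMIN_PORTS, timeout=3.0):
    """Probe each port; return (per-port states, sorted list of open ports)."""
    states = {port: probe(host, port, timeout) for port in ports}
    exposed = sorted(port for port, state in states.items() if state == "open")
    return states, exposed

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_admin_ports.py <your-public-ip>")
    states, exposed = audit(sys.argv[1])
    for port, state in states.items():
        print(f"{port}/tcp {state}")
    print("admin UI reachable from this network" if exposed
          else "no admin ports answered")
```

A result of "closed" or "filtered" on every port from an outside connection matches what the posters report: the admin pages answer on the LAN only.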
Re: Hub 2 -- Lax Admin Security?
23-12-2022 8:58 AM
This topic has been moved from Full Fibre to My Router
Moderator and Customer
If this helped - select the Thumb
If it fixed it, help others - select 'This Fixed My Problem'
Re: Hub 2 -- Lax Admin Security?
23-12-2022 10:47 AM - edited 23-12-2022 10:47 AM
> Are you sure your phone was connected via the mobile network and not via your home wifi?
Ah, that's a point. I was checking in the house, so my mobile would have been going through my house WiFi. I'll have to test again when I'm out and about.
That said, I'd never connected to my router via my phone. So, even if [as seems likely] my phone was using my home WiFi network, I was still seeing a lot of info 'for free' about my router config and setup, without being logged in in any way, but just by dint of being on the same local network.
It still seems very lax from a security point of view. I'm thinking if this was a small office setting or somewhere like a cafe / pub where they allow guest access to their network, or a shared student house. It's surely not good practice to give so much potential 'ammo' to anyone who happens to be on the same network. Guests or non-admin users shouldn't be able to 'peek behind the curtain' at the router's admin controls at all, without logging in.
Re: Hub 2 -- Lax Admin Security?
23-12-2022 10:48 AM
I'm sure that when I have had cause to contact Plusnet with an issue, they have been able to see in to my Hub2 to check for issues?
Is there a hidden "Admin" login that they use to do this?
Re: Hub 2 -- Lax Admin Security?
23-12-2022 10:50 AM - edited 23-12-2022 10:53 AM
> Guests or non-admin users shouldn't be able to 'peek behind the curtain' at the router's admin controls at all, without loggi
you might be able to look at some basic information but you can't 'do' anything without logging in
> Is there a hidden "Admin" login that they use to do this?
no, they use TR069 which is a secure protocol which only allows access from the Plusnet server
Re: Hub 2 -- Lax Admin Security?
23-12-2022 2:15 PM
@madra wrote:
> ....It still seems very lax from a security point of view.
Seeing as BT hubs, plus I suspect many others, are the same, there are literally millions of devices across the country with your definition of lax security.
Fortunately if this bothers you there is no restriction to you getting your own third party hub.
Re: Hub 2 -- Lax Admin Security?
23-12-2022 4:06 PM - edited 23-12-2022 4:09 PM
@MisterW wrote:
> you might be able to look at some basic information but you can't 'do' anything without logging in
Without logging in I can see what model router I'm using and what its firmware version is. I can also see a list of every device connected to my network along with their internal IP number.
Both of those are security risks. There are plenty of sites [both well- and ill-intentioned] out there which publish lists of exploits for various software / firmware on various devices. Usually a ne'er-do-well would have to probe the system, looking for open ports and trying to deduce what devices were behind them on which IPs and then try a range of exploits. This hub basically removes one of those obstacles by openly listing everything attached to the network and giving its IP. So now the miscreant has a nice list of devices to check against his stash of exploits.
@Baldrick1 wrote:
> Fortunately if this bothers you there is no restriction to you getting your own third party hub.
Oh dear. Someone always has to play the 'If you don't like it. Make your own' card. The non-thinker's response to any criticism of anything.
Re: Hub 2 -- Lax Admin Security?
23-12-2022 4:19 PM
No, just being realistic.
Re: Hub 2 -- Lax Admin Security?
23-12-2022 4:20 PM
> Without logging in I can see what model router I'm using and what its firmware version is. I can also see a list of every device connected to my network along with their internal IP number.
But you have to be connected to the local network to access the router at all. So someone trying to obtain that information must be physically connected to a LAN port or have used the wireless password to connect.
Re: Hub 2 -- Lax Admin Security?
23-12-2022 5:36 PM
The thing is there are plenty of free tools available which can display the data you are worried about hiding without the need to have access to the Hub's home page.
Once connected to your LAN I can use:-
https://whatismyipaddress.com/ - displays your public IP address
Android app "Network Analyser Pro"
Using "LAN scan" I can list all the active devices' IP addresses and hostnames connected to your LAN.
Android "WiFi Analyzer"
I can list all the local wireless networks and list security used and if WPS is enabled without the need to be connected to your LAN.
The connection speed could be determined using a speed test.