IPTV box access behind Openwrt theoretical question

Hi,
I am running x86 OpenWrt and I have an IPTV Android box provided by my ISP hooked up to my OpenWrt device. Public IP, etc.
I had a problem with the Android box and I called my provider to fix it - "Chromecast was not working". They fixed it by remotely installing something, and then my A-box was restarted.
I thought they did not have access to my network (probably they do not), but how come they can control equipment in my house?
Tomorrow Xiaomi may decide to take control of my/their devices?
My question is, should I worry about that fact? I can paste configs, but probably I am just being paranoid.
Thanks
K

I have no first-hand information about your box. Even if you had provided us with specific device information, I don't own such a thing. So I can't tell for sure about any device you might have on your network.

There are two questions to be asked here. How is this possible, and how dangerous is this?

If you don't set up port forwarding on your router, your ISP will not be able to actively initiate an incoming connection of its own.

However, as long as you use any network device that runs software you didn't audit yourself, this device can initiate an outgoing network connection to its vendor. Which, in turn, would allow that vendor to interact with all other devices on your network.
Your ISP has demonstrated this with your TV box, but the same is true for any cloud-enabled printer, security camera or whatever devices you might have.

That's nothing to specifically worry about, but something to be aware of.

There are a couple of things you can do on your side to reduce the impact, with various degrees of difficulty and inconvenience.

You could find out which connections your TV box should establish and forbid everything else. You might be able to strip that down to only actual IPTV traffic, for instance, but you might forget how your device wants to scan for software updates, or TV guide information and change of channels. The same goes for printers: if you don't use cloud printing, make it so that your printer cannot access the internet at all. But don't expect any kind of software update that might fix issues in the future.

It all comes down to the brand reputation of such devices and how you personally value their products. If it's a cloud printer from HP, maybe develop a healthy aversion towards vendors pushing everything into the cloud, but realistically, that's not such a big deal. As for things that are made to exclusively communicate with remote services, maybe accept it as part of what they are supposed to do. If you're running a cheap IP camera from wish.com whose vendor you cannot even pronounce, maybe burn it with fire and bury the ashes.

As a middle ground for security features, create a dedicated VLAN for untrusted devices. Allow those devices to talk to the internet, but not to your LAN. Allow your LAN to talk to that untrusted VLAN. This will not prevent your untrusted devices from potentially endangering each other, but it might prevent them from attacking, e.g., your smartphone or laptop.

I run separate VLANs for personal and work-related stuff and prevent those device groups from ever talking to each other. That way, I should at least never have to explain to my company how my tinkering around with software of potentially dubious origin caused them to lose customer information from a company laptop.

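The "untrusted VLAN" middle ground described in the answer above, written out as an added example in OpenWrt UCI config (not taken from the thread or from any poster). It assumes a current DSA-based OpenWrt where `br-lan` is the LAN bridge, and picks VLAN id 20, the name `untrusted` and the subnet 192.168.20.0/24 as illustrative values.

```uci
# /etc/config/network (excerpt): a tagged VLAN 20 on the LAN bridge
# (assumption: DSA-style config, br-lan already exists)
config device
    option name 'br-lan.20'
    option type '8021q'
    option ifname 'br-lan'
    option vid '20'

config interface 'untrusted'
    option device 'br-lan.20'
    option proto 'static'
    option ipaddr '192.168.20.1'
    option netmask '255.255.255.0'

# /etc/config/dhcp (excerpt): hand out leases on the new VLAN
config dhcp 'untrusted'
    option interface 'untrusted'
    option start '100'
    option limit '150'
    option leasetime '12h'

# /etc/config/firewall (excerpt): own zone, internet only
config zone
    option name 'untrusted'
    list network 'untrusted'
    option input 'REJECT'    # box may not reach router services by default
    option output 'ACCEPT'
    option forward 'REJECT'

# untrusted -> wan: the box keeps its vendor/IPTV connectivity
config forwarding
    option src 'untrusted'
    option dest 'wan'

# lan -> untrusted: your laptop may cast to the box; replies return
# statefully, but the box cannot open connections towards the LAN
config forwarding
    option src 'lan'
    option dest 'untrusted'

# the zone still needs DHCP and DNS from the router itself
config rule
    option name 'untrusted-dhcp-dns'
    option src 'untrusted'
    option proto 'udp'
    option dest_port '53 67'
    option target 'ACCEPT'
```

Devices inside the zone can still reach each other, as the answer notes, and casting discovery (mDNS) does not cross a routed subnet by itself, so streaming from the LAN may need a reflector such as the `avahi` or `umdns` packages.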

It's not at all clear how you have connected said IPTV box.

There are basically two strategies:

  • more or less a bridged VLAN, which would make this box directly accessible by the ISP from the outside (bridging implies that there is no firewalling; it's connected directly to the IPTV VLAN of your ISP)
  • as a normal client inside your network, behind the router, getting an IP via DHCP from your router. While the ISP has no direct means to connect to the device from the outside, nothing prevents the device itself (running their firmware) from connecting from the inside out to their command & control servers and simply waiting for commands from them

As golialive already mentioned, you need to audit the situation and your network. For many users, convenience ("but I want to stream from my network") trumps security, while it shouldn't.


Thanks @slh @golialive - it is the second strategy: "as a normal client inside your network, behind the router".
@golialive - thanks, I have separated the untrusted devices into a guest network (anyway, I do not consider the A-box untrusted); however, I am just curious how my ISP did that. But it is maybe explained by @slh.
