Old 05-11-2022, 01:53 PM   #15
Senior Member
 
Suburbazine's Avatar


 
Join Date: Jul 2021
Location: Pigeon Forge, TN
Posts: 721
Quote:
Originally Posted by RVWiFiGuru View Post
Cloud Update & Access:
Your statement above regarding telemetry data is correct, in that users can turn that option off in the advanced control panel options. However, one can turn it back on to get the services in the future, so there is no void of support for future updates. Moreover, other posts that have been made regarding remote access and security issues need further clarification. Nearly every device in today's world uses some form of a remote cloud connection back to a server farm to support updates and patches. These are often MQTT subscribes, or some use encrypted tunnels, etc. WiFiRanger is no different than your smart TV, iPhone, Alexa, Google home, and any other cloud enabled device, in that it has a form of connection back to its home servers to manage updates. These connections can also be very valuable for remote assistance and recovery, and are only used when a customer grants access to a customer service technician to resolve an issue that they have.

Just curious, have you looked at the current WifiRanger GUI recently? You mention the 8.0 alpha version has granular switches, but not only do all end users not have 8.0, but the 7.1 version has no such control. Even Joel Weiss' statement directly conflicts with yours, in that disabling the access is not a toggle solution. Especially being an alpha build, why would WFR keep the toggles if their standpoint is loss of remote access is a permanent decision?



Furthermore, you seem to not realize my complaint is that the WFR implementation of remote support requires no end user permission! Giving them your unit ID is only telling them which unit in a list of several thousand at a time is yours to click on and connect to. A cloud connect for update checking or provisioning services is NOT the same as a remote user having SSH access to the device at will. If you're familiar with the hardware and software, you'd know that at least the base configurations for all these devices support packet capture, packet redirection and DNS forging. There's a LOT of things that can happen under the hood and I don't want to be having to "trust" that Wifiranger or any person illicitly accessing their systems won't abuse it.

You seem to not know about that particularly bad security blunder where they leaked private keys for the local SSH service on their devices. Especially with the severe instability in the recent versions of the firmware, there's almost certainly a few code weaknesses particularly in the various open source libraries interactions being repackaged. WFRControl probably has something that can be exploited given its ability to reprovision connected clients.


WPA3 is a great claim to fame... but how many client devices support WPA3? Certainly not the connected TVs in the OEM coaches. Many devices are still a year away from WPA3 initial support due to how rapidly it was pushed to market, and some may never support it.


PS: Would it be safe to refer to you as the founder of WFR? I'm just guessing here though
__________________
2021 Newmar Super Star 4051, Glacier Interior + Exterior
2021 Bravo Silver Star 24'
2019 Kia Stinger GT2 AWD, White Pearl
Suburbazine is offline   Reply With Quote
Old 05-11-2022, 02:20 PM   #16
Junior Member
Official iRV2 Sponsor
 
Join Date: May 2022
Posts: 16
Exclamation WiFiRanger Cloud Services, Disable Instructions.

Quote:
Originally Posted by redbaron73 View Post
I did reach out to them and was not only ignored, but they made it very clear they do not consider the risks a problem. You will see other posts here about how poorly WifiRanger considers its end users.

The end user is not the customer. The OEM's are the customer.

The only solution to the privacy issue is to remove the WFR software, and use an open source product. If you are willing to help with this initiative, I would gladly welcome it.

Reading a lot of your content, I am not certain that you have read the Newmar bulletin. Anyone can gain access to any Newmar management network if they know 2 things: 1) Model of RV 2) VIN number of RV --or production serial number.

The VIN number is easily found outside the RV on a placard.
The serial number is often posted in the window or broadcast on bluetooth as a default ID for other devices. This is NOT theory, but proven.
I think you may have some misinformation.

There is a very straight forward way to accomplish this.

Any and all privacy information risk can be mitigated by disabling the services as I mentioned before. Doing so will hamper some of the great features like SafeSurf and conduits, but it's up to the user to do if they want.

Process steps are below:
  • Make sure you are on current firmware and online
  • Log in to admin page at control panel IP with /admin
  • Default password is admin/wfradmin on your private network
  • Click on SETUP tab
  • Turn off "Sync Data"
  • Select "Admin" profile dropdown
  • Load the "WFR Disable Remote Assistance"

This will immediately display "CLOUD DISCONNECTED" and all cloud features will be unusable until you re-enable it with the corresponding "Enable Profile" and turning on Sync Data again. This allows you to check for updates, use SafeSurf, etc. You can turn it on/off at will for whatever level of paranoia one might be experiencing....

Hopefully this is helpful for you and you can share with others the process. No need to uninstall the WiFiRanger firmware if they do not want cloud access features, just turn it off and it will operate in the standalone mode, albeit with a bit fewer features.

Screens attached to assist. I just verified this process on one of my test units on b11, but I think it works back to 7.0.8 as well.

Cheers!
Attached Thumbnails: Cloud1.png, cloud2.png

RVWiFiGuru is offline   Reply With Quote
Old 05-11-2022, 02:30 PM   #17
Junior Member
Official iRV2 Sponsor
 
Join Date: May 2022
Posts: 16
Quote:
Originally Posted by Suburbazine View Post
Just curious, have you looked at the current WifiRanger GUI recently? You mention the 8.0 alpha version has granular switches, but not only do all end users not have 8.0, but the 7.1 version has no such control. Even Joel Weiss' statement directly conflicts with yours, in that disabling the access is not a toggle solution. Especially being an alpha build, why would WFR keep the toggles if their standpoint is loss of remote access is a permanent decision?



Furthermore, you seem to not realize my complaint is that the WFR implementation of remote support requires no end user permission! Giving them your unit ID is only telling them which unit in a list of several thousand at a time is yours to click on and connect to. A cloud connect for update checking or provisioning services is NOT the same as a remote user having SSH access to the device at will. If you're familiar with the hardware and software, you'd know that at least the base configurations for all these devices support packet capture, packet redirection and DNS forging. There's a LOT of things that can happen under the hood and I don't want to be having to "trust" that Wifiranger or any person illicitly accessing their systems won't abuse it.

You seem to not know about that particularly bad security blunder where they leaked private keys for the local SSH service on their devices. Especially with the severe instability in the recent versions of the firmware, there's almost certainly a few code weaknesses particularly in the various open source libraries interactions being repackaged. WFRControl probably has something that can be exploited given its ability to reprovision connected clients.


WPA3 is a great claim to fame... but how many client devices support WPA3? Certainly not the connected TVs in the OEM coaches. Many devices are still a year away from WPA3 initial support due to how rapidly it was pushed to market, and some may never support it.


PS: Would it be safe to refer to you as the founder of WFR? I'm just guessing here though
You make some good points!

The fix for the WPA2 Crack was probably one of their better responses, but WPA3 is like IPV6, someday....

I have been asked by support any time they wanted to push a diagnostic request to my units, so maybe some communication improvement is needed there.

I agree, there were some warts on the earlier versions, but I also see exploits by every other software company I use, so it's likely no worse than even my MacBook with remote diagnostics on. Security is simply mitigation of risk, and every product has some. The goal is for us to try and help companies minimize them.

I do know my way around a pedestal for sure...
RVWiFiGuru is offline   Reply With Quote
Old 05-11-2022, 03:20 PM   #18
Senior Member
 
redbaron73's Avatar
 
Newmar Owners Club
Freightliner Owners Club
Join Date: Jun 2011
Location: Texas
Posts: 6,427
Blog Entries: 4
Quote:
Originally Posted by RVWiFiGuru View Post
I think you may have some misinformation.

There is a very straight forward way to accomplish this.

Any and all privacy information risk can be mitigated by disabling the services as I mentioned before. Doing so will hamper some of the great features like SafeSurf and conduits, but it's up to the user to do if they want.

Process steps are below:
  • Make sure you are on current firmware and online
  • Log in to admin page at control panel IP with /admin
  • Default password is admin/wfradmin on your private network
  • Click on SETUP tab
  • Turn off "Sync Data"
  • Select "Admin" profile dropdown
  • Load the "WFR Disable Remote Assistance"

This will immediately display "CLOUD DISCONNECTED" and all cloud features will be unusable until you re-enable it with the corresponding "Enable Profile" and turning on Sync Data again. This allows you to check for updates, use SafeSurf, etc. You can turn it on/off at will for whatever level of paranoia one might be experiencing....

Hopefully this is helpful for you and you can share with others the process. No need to uninstall the WiFiRanger firmware if they do not want cloud access features, just turn it off and it will operate in the standalone mode, albeit with a bit fewer features.

Screens attached to assist. I just verified this process on one of my test units on b11, but I think it works back to 7.0.8 as well.

Cheers!
The official word from Wifi Ranger is that it is not possible. I know you claim to have been around for 12 years, but your account is new, and your reputation is unknown.

I think the community has to take the official word from DocJ and the communication that he has published on this forum as the most accurate.

I will, however, set up a network environment and enable packet logging to see if the settings you claim will in fact disable 100% of all communication that is not initiated by the clients on the network.

Not knowing the interval for the 'phone home' pings and other settings is going to make this difficult to do quickly.

For those that are not technical -- what I will be doing is setting up a logging device that tracks all communication from the WFR to see if there are any messages that did not originate from the clients.

If a client does not exist behind the WFR, then there should be no traffic at all originating from the WFR. Even a single packet is more than enough to broadcast a location and that broadcast could then be used to gain access via undocumented back doors. (Port Knocking, buffer overloads, etc.)
__________________
2022 London Aire 4551 * 2022 GD Imagine 2800BH * 2021 RAM 3500 DRW * 2020 Wrangler
NHSO (Newmar Hoot, Sevierville Original)
Kindness Matters
redbaron73 is offline   Reply With Quote
Old 05-11-2022, 04:26 PM   #19
Senior Member
 
docj's Avatar
Official iRV2 Sponsor
 
Join Date: May 2011
Posts: 8,305
Quote:
Originally Posted by redbaron73 View Post
The official word from Wifi Ranger is that it is not possible. I know you claim to have been around for 12 years, but your account is new, and your reputation is unknown.

I think the community has to take the official word from DocJ and the communication that he has published on this forum as the most accurate.
I am flattered by the trust that you have in my knowledge, but this is a case where I was caught unawares.

It turns out that the capability for disabling the "tunnel" to the cloud was something that WiFiRanger had implemented but which they were maintaining as an "undocumented feature." As a result of the interest in this topic, they have now decided to publicize how to use this feature.
__________________
Joel (AKA docj)--
RV Technology Specialist
docj is offline   Reply With Quote
Old 05-11-2022, 04:34 PM   #20
Junior Member
Official iRV2 Sponsor
 
Join Date: May 2022
Posts: 16
Quote:
Originally Posted by redbaron73 View Post
The official word from Wifi Ranger is that it is not possible. I know you claim to have been around for 12 years, but your account is new, and your reputation is unknown.

I think the community has to take the official word from DocJ and the communication that he has published on this forum as the most accurate.

I will, however, set up a network environment and enable packet logging to see if the settings you claim will in fact disable 100% of all communication that is not initiated by the clients on the network.

Not knowing the interval for the 'phone home' pings and other settings is going to make this difficult to do quickly.

For those that are not technical -- what I will be doing is setting up a logging device that tracks all communication from the WFR to see if there are any messages that did not originate from the clients.

If a client does not exist behind the WFR, then there should be no traffic at all originating from the WFR. Even a single packet is more than enough to broadcast a location and that broadcast could then be used to gain access via undocumented back doors. (Port Knocking, buffer overloads, etc.)
Sounds good. DocJ can certainly confirm my knowledge of the WiFiRanger, WiFi in RV industry, networking experience, etc. The screenshots show you the process, so give it a whirl!

Your tests are fine, but "no traffic" is incorrect. Any router that needs to know if it is online has to issue traffic to discern that status. I've run a WiFiRanger behind Wireshark in this mode, and its only traffic should be keep-alives to a few sites to know if the Internet is actually available, DNS is working, filtered networks are in the way, so to update its control panel status, or initiate a failover from one Internet Connector to another should one connector fall down. Those are pretty benign functions, and common on any Internet device including your phone's auto swap from WiFi to LTE if the WiFi is not routing. If your concern is remote support and updates, then you won't find anything that should be considered nefarious. Let me know if you have concerns, and I'll run the same pen tests for validation, and we can collaborate with WiFiRanger on plugging the concerns.

Cheers!
RVWiFiGuru is offline   Reply With Quote
Old 05-11-2022, 04:34 PM   #21
Senior Member
 
redbaron73's Avatar
 
Newmar Owners Club
Freightliner Owners Club
Join Date: Jun 2011
Location: Texas
Posts: 6,427
Blog Entries: 4
Quote:
Originally Posted by docj View Post
I am flattered by the trust that you have in my knowledge, but this is a case where I was caught unawares.

It turns out that the capability for disabling the "tunnel" to the cloud was something that WiFiRanger had implemented but which they were maintaining as an "undocumented feature." As a result of the interest in this topic, they have now decided to publicize how to use this feature.
Doc: that's good news. Can you post a link to the official wifi ranger statement on how to do this? Getting information from official sources is preferred and leads to less confusion.

I am glad that Wifi Ranger has reversed course on their position.
__________________
2022 London Aire 4551 * 2022 GD Imagine 2800BH * 2021 RAM 3500 DRW * 2020 Wrangler
NHSO (Newmar Hoot, Sevierville Original)
Kindness Matters
redbaron73 is offline   Reply With Quote
Old 05-11-2022, 05:00 PM   #22
Senior Member
 
docj's Avatar
Official iRV2 Sponsor
 
Join Date: May 2011
Posts: 8,305
Quote:
Originally Posted by redbaron73 View Post
Doc: that's good news. Can you post a link to the official wifi ranger statement on how to do this? Getting information from official sources is preferred and leads to less confusion.

I am glad that Wifi Ranger has reversed course on their position.
As long as you trust me to post accurate WFR information you can follow these directions until they are posted on the WiFiRanger website.

1. Make sure you are on current firmware (version 7.1.0b11) and that your Ranger is online

2. Click on the Check for Updates/Cloud Disconnected link in the upper right corner of every WiFiRanger control panel page until blue bars start to scroll. They will scroll for a couple of minutes; you may have to click twice.

3. Log in to admin page at control panel IP with /admin; Default password is admin/wfradmin (you will need to use the numeric address for the control panel, not mywifiranger.com)

4. Click on the SETUP tab

5. Turn off "Sync Data"

6. Select "Admin" profile dropdown; Load the "WFR Disable Remote Assistance"

I fully expect that WiFiRanger will post a technical service bulletin in the next few days to formally document this feature.

I appreciate your assistance in helping to identify and resolve this issue.

However, anyone contemplating using this feature should understand that your Ranger will no longer automatically indicate the presence of firmware updates as long as it is in effect. Nor will you be able to download any such updates until you reverse your actions and re-enable Remote Assistance.

Similarly, the WiFiRanger Customer Service team will not be able to perform many diagnostic functions in the event of a problem with your Ranger. If you have a problem with your Ranger, please re-enable Remote Support before contacting Customer Service.
__________________
Joel (AKA docj)--
RV Technology Specialist
docj is offline   Reply With Quote
Old 05-11-2022, 05:11 PM   #23
Senior Member
 
redbaron73's Avatar
 
Newmar Owners Club
Freightliner Owners Club
Join Date: Jun 2011
Location: Texas
Posts: 6,427
Blog Entries: 4
Thanks Doc!

It is certainly reasonable to ask users to enable settings for remote support and updates. Giving the user control is the right decision.

Thank you for your assistance in getting this information out there.
__________________
2022 London Aire 4551 * 2022 GD Imagine 2800BH * 2021 RAM 3500 DRW * 2020 Wrangler
NHSO (Newmar Hoot, Sevierville Original)
Kindness Matters
redbaron73 is offline   Reply With Quote
Old 05-11-2022, 05:44 PM   #24
Junior Member
Official iRV2 Sponsor
 
Join Date: May 2022
Posts: 16
Quote:
Originally Posted by redbaron73 View Post
Thanks Doc!

It is certainly reasonable to ask users to enable settings for remote support and updates. Giving the user control is the right decision.

Thank you for your assistance in getting this information out there.
It's worth noting, that with these things turned off, the unit will not know about other security updates that might be critically important. When WiFiRanger finds a security issue, they are very fast to respond (i.e. the WPA2 Crack was patched in 2-3 days, before Pepwave, Linksys, and Netgear) and do so by sending the updates to the unit via the control panel. It is handled this way to allow even anonymous users the notice that updates are available without WiFiRanger having to send them an email.

The bottom line is that turning this off creates a security issue, by not getting notified of current updates as they relate to security, promptly. So as it goes, people need to pick their risk profile and run with it. I've always left mine on, and consider myself pretty savvy on what the risks really are and decide I'd rather have firmware system updates quickly, rather than worry about someone getting into my rather boring RV network to do nefarious things.

Cheers!
RVWiFiGuru is offline   Reply With Quote
Old 05-11-2022, 08:53 PM   #25
Senior Member
 
Suburbazine's Avatar


 
Join Date: Jul 2021
Location: Pigeon Forge, TN
Posts: 721
Quote:
Originally Posted by RVWiFiGuru View Post
It's worth noting, that with these things turned off, the unit will not know about other security updates that might be critically important. When WiFiRanger finds a security issue, they are very fast to respond (i.e. the WPA2 Crack was patched in 2-3 days, before Pepwave, Linksys, and Netgear) and do so by sending the updates to the unit via the control panel. It is handled this way to allow even anonymous users the notice that updates are available without WiFiRanger having to send them an email.

The bottom line is that turning this off creates a security issue, by not getting notified of current updates as they relate to security, promptly. So as it goes, people need to pick their risk profile and run with it. I've always left mine on, and consider myself pretty savvy on what the risks really are and decide I'd rather have firmware system updates quickly, rather than worry about someone getting into my rather boring RV network to do nefarious things.

Cheers!



So let me put this on the official record- You guys pushed out an emergency profile update when I challenged you on this issue. This was NOT an "existing feature". I like how you're spinning this, though, really good PR management.



By the way, about that "custom" Yinuo-Link Denali...


Before "emergency" profile update (with some board images):
https://imgur.com/a/GvjHTQ0



After "emergency" profile update:
https://imgur.com/a/fVed1AE
__________________
2021 Newmar Super Star 4051, Glacier Interior + Exterior
2021 Bravo Silver Star 24'
2019 Kia Stinger GT2 AWD, White Pearl
Suburbazine is offline   Reply With Quote
Old 05-11-2022, 11:43 PM   #26
Junior Member
Official iRV2 Sponsor
 
Join Date: May 2022
Posts: 16
Actually that profile feature has been there for some time, undocumented to some units. Docj mentioned this. The issue was that turning it off was not possible, and I knew it was, just requiring some more clarity to make it work, and ensuring the profiles were available to all the various clusters of OE versions. I know they opened up its availability as part of the Newmar service announcement so more could run their WiFiRangers in limp mode.

That Denali is an AR41AP version, and a common board. WiFiRanger uses a lot of different boards, and Denali has 4 different versions in the field. Yinuo Link makes both that one, and the custom versions. Mikrotik makes some, and even a third Asian supplier. Creating multiple supply chains is a good idea in today's world of parts and chip shortages, so it makes sense. They do add some better power supply components, band pass filters, and custom radio configuration, so not exactly stock. Can't really tell from looking at it, but there's some differences.

Thanks for the detailed photos!!!

Cheers!
RVWiFiGuru is offline   Reply With Quote
Old 05-12-2022, 06:32 AM   #27
Senior Member
 
Suburbazine's Avatar


 
Join Date: Jul 2021
Location: Pigeon Forge, TN
Posts: 721
Maybe a functionality error with the Sync Data disable option? Why does the device need to continuously ping Blue Mesh Networks AKA WifiRanger? There's more than just some outbound traffic with no network clients, too. Particularly encrypted traffic to an Amazon instance. Again, no clients, all initiated solely by the device.

https://imgur.com/a/inGPkqv
__________________
2021 Newmar Super Star 4051, Glacier Interior + Exterior
2021 Bravo Silver Star 24'
2019 Kia Stinger GT2 AWD, White Pearl
Suburbazine is offline   Reply With Quote
Old 05-12-2022, 07:34 AM   #28
Senior Member
 
redbaron73's Avatar
 
Newmar Owners Club
Freightliner Owners Club
Join Date: Jun 2011
Location: Texas
Posts: 6,427
Blog Entries: 4
Quote:
Originally Posted by Suburbazine View Post
Maybe a functionality error with the Sync Data disable option? Why does the device need to continuously ping Blue Mesh Networks AKA WifiRanger? There's more than just some outbound traffic with no network clients, too. Particularly encrypted traffic to an Amazon instance. Again, no clients, all initiated solely by the device.

https://imgur.com/a/inGPkqv
I have reviewed your PCAP data, and I agree. If your settings are the new "privacy" profile, then this is not functioning as intended.

NO TRAFFIC should be sent to a network that is managed or maintained by Winegard. No data should be collected. Even a single packet is not acceptable when privacy is enabled.

From a single packet, Winegard would be capable of remotely exploiting an undocumented backdoor.

We have seen in this thread how Winegard/WiFi Ranger is full of undocumented features. That is their right, as it is a commercial product.

They must give the consumer an option to disable all telemetry, including any "keep alive" or other packets sent to networks managed by Winegard.

I assume that the rush job to push out this profile didn't encompass everything.

It must exclude all IPV4/IPV6 traffic to a network managed by Winegard.

For keepalive data, or internet testing, there are many public options available including:

Provider DHCP server
Provider DHCP published DNS
Google DNS
1&1 DNS
Cloudflare

Of course, giving the user the option of which one to choose would eliminate all concerns.
__________________
2022 London Aire 4551 * 2022 GD Imagine 2800BH * 2021 RAM 3500 DRW * 2020 Wrangler
NHSO (Newmar Hoot, Sevierville Original)
Kindness Matters
redbaron73 is offline   Reply With Quote
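
Added example, not part of any poster's message or captures: one way to run the test discussed in posts #18 and #28, separating router-originated traffic from client traffic and estimating the 'phone home' interval per destination. The flow rows, addresses (documentation and CGNAT ranges), the 2-second matching window and the allowlist of connectivity-check resolvers are all constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed flow log (not taken from the thread's PCAPs). "lan" rows are seen
# behind the router, "wan" rows upstream of it after NAT. Columns: epoch
# seconds, capture side, source, destination, protocol, destination port.
SAMPLE_FLOWS = """ts,side,src,dst,proto,dport
0.0,wan,100.64.0.2,8.8.8.8,udp,53
5.0,lan,192.168.1.50,198.51.100.7,tcp,443
5.2,wan,100.64.0.2,198.51.100.7,tcp,443
10.0,wan,100.64.0.2,203.0.113.10,tcp,8883
30.0,wan,100.64.0.2,8.8.8.8,udp,53
60.0,wan,100.64.0.2,8.8.8.8,udp,53
70.0,wan,100.64.0.2,203.0.113.10,tcp,8883
100.0,wan,100.64.0.2,192.0.2.44,tcp,22
130.0,wan,100.64.0.2,203.0.113.10,tcp,8883
"""

# Assumption: destinations the owner accepts for "am I online" checks.
ALLOWED_CHECKS = [ipaddress.ip_network("8.8.8.8/32"),
                  ipaddress.ip_network("1.1.1.1/32")]


def load_flows(text):
    """Parse the CSV into dicts keyed by (dst, proto, dport)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": float(r["ts"]), "side": r["side"],
                     "key": (r["dst"], r["proto"], int(r["dport"]))})
    return rows


def router_originated(flows, window=2.0):
    """WAN-side flows with no LAN-side flow to the same destination within
    `window` seconds before them, i.e. traffic the router itself started."""
    lan_times = defaultdict(list)
    for f in flows:
        if f["side"] == "lan":
            lan_times[f["key"]].append(f["ts"])
    result = []
    for f in flows:
        if f["side"] != "wan":
            continue
        seen_on_lan = lan_times.get(f["key"], ())
        if not any(0 <= f["ts"] - t <= window for t in seen_on_lan):
            result.append(f)
    return result


def summarize(flows, allowed=ALLOWED_CHECKS, window=2.0):
    """Per destination: flow count, median interval, and whether it falls
    inside the owner's allowlist of connectivity checks."""
    times = defaultdict(list)
    for f in router_originated(flows, window):
        times[f["key"]].append(f["ts"])
    report = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        dst = ipaddress.ip_address(key[0])
        ok = any(dst in net for net in allowed)
        report[key] = {"count": len(ts),
                       "interval_s": median(gaps) if gaps else None,
                       "verdict": "allowed-check" if ok else "unexpected"}
    return report


if __name__ == "__main__":
    for key, info in sorted(summarize(load_flows(SAMPLE_FLOWS)).items()):
        print(key, info)
```

With no clients connected there are no "lan" rows at all, so every WAN-side flow is reported; a destination seen only once has no interval and needs a longer capture.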