I just tested it, the iOS Shortcuts app works as expected with Diversion. I should probably throw a set of commands together and make that available for download/install on iOS. Will get to it as soon as I find the time.

Great! Use the share sheet, Copy iCloud Link and post that for us to download/import to own gallery. See screenshot.
 

I’d be bothered that I’d be driving along the motorway and suddenly find it closed with a 10 mile detour. Saying “damned diversion” little do I realise Siri has just fiddled with the router and turned off Diversion.
I'd be far more concerned someone found a vulnerability in the app and has now turned my router into a zombie in a botnet, or erased every shared folder on my network. How is giving some external app or service access inside your firewall ever considered a good idea? https://seclists.org/oss-sec/2019/q1/119 leaps to mind here ...
 
I'd be far more concerned someone found a vulnerability in the app and has now turned my router into a zombie in a botnet, or erased every shared folder on my network. How is giving some external app or service access inside your firewall ever considered a good idea? https://seclists.org/oss-sec/2019/q1/119 leaps to mind here ...
The commands are very limited in Shortcuts. AFAIK there are no direct commands like rm -rf / or such devastating things.
I just use the Diversion commands available with 'diversion help', and maybe extend it for the iOS app use.
 
I’d be bothered that I’d be driving along the motorway and suddenly find it closed with a 10 mile detour. Saying “damned diversion” little do I realise Siri has just fiddled with the router and turned off Diversion.

M: “Hey Siri...”
“Yes Martin?”
M: “damned diversion”
“I couldn’t find dam die version in your music, Martin.”

M: “damned Diversion”
“You were saying...”

M: “damn Diversion”
“Did you accidentally summon me?”

Unless you start every sentence with Hey Siri, and until Siri gets better listening ears, I think you’re safe Martin. Safe journey!
 
M: “Hey Siri...”
“Yes Martin?”
M: “damned diversion”
“I couldn’t find dam die version in your music, Martin.”
I believe where Martin lives, the pronunciation of diversion is different.
 
I'd be far more concerned someone found a vulnerability in the app and has now turned my router into a zombie in a botnet, or erased every shared folder on my network. How is giving some external app or service access inside your firewall ever considered a good idea? https://seclists.org/oss-sec/2019/q1/119 leaps to mind here ...

I see no big risk using the Shortcuts iOS app (made by Apple) to control basic router functions. It’s definitely no riskier than using any other Ssh app on the App Store.

One thing to note though, you will need to allow router ssh login with username/password because Shortcuts doesn’t support passwordless login with key pairs. That’s the biggest downside I can see.
 
Time to move away from Apple/Android and not be the product.. https://e.foundation/
Sorry for off topic post
Love Diversion ! Thank you thelonelycoder for your awesome work
 
I see no big risk using the Shortcuts iOS app (made by Apple) to control basic router functions. It’s definitely no riskier than using any other Ssh app on the App Store.

One thing to note though, you will need to allow router ssh login with username/password because Shortcuts doesn’t support passwordless login with key pairs. That’s the biggest downside I can see.
IIRC, RMerlin has specifically warned against opening ssh up to the wan numerous times. Sure, not as dangerous as opening the webGUI up to the wan, but more dangerous than having an OpenVPN server.
 
Time to move away from Apple/Android and not be the product.. https://e.foundation/

While 'e' looks great right now, all fresh-faced and sweet-smelling, I don't see it ending up any differently when it eventually has the pull that Apple, Google, and MS have now...

Same as politicians with the noblest visions at the start of their careers...
 
The commands are very limited in Shortcuts. AFAIK there are no direct commands like rm -rf / or such devastating things.
I just use the Diversion commands available with 'diversion help', and maybe extend it for the iOS app use.
I'm not a security expert by any stretch, but ... https://www.intego.com/mac-security-blog/are-ios-shortcuts-safe-reports-of-risks-surface/. So while that's patched, the risks are real. Also, as Zonkd noted, you have to open up ssh to the wan with username/password, which brings on its own vulnerabilities.
 
Dropbear ain't bad security-wise. Just make sure you move SSH to a non-standard port to avoid your router getting flooded with connection attempts, and use key-based authentication.
 
Dropbear ain't bad security-wise. Just make sure you move SSH to a non-standard port to avoid your router getting flooded with connection attempts, and use key-based authentication.
As noted above, Shortcuts doesn't allow key-based authentication. Does Shortcuts allow moving the SSH port?
 
IIRC, RMerlin has specifically warned against opening ssh up to the wan numerous times. Sure, not as dangerous as opening the webGUI up to the wan, but more dangerous than having an OpenVPN server.

Yes, don’t expose anything to WAN except VPN server. Keep all ports closed.

I'm not a security expert by any stretch, but ... https://www.intego.com/mac-security-blog/are-ios-shortcuts-safe-reports-of-risks-surface/. So while that's patched, the risks are real. Also, as Zonkd noted, you have to open up ssh to the wan with username/password, which brings on its own vulnerabilities.

1. As I understood it, users were mostly just at risk if they import and run random shortcuts created by strangers, like those shared on reddit. After importing it doesn’t even run, you have a chance to inspect the whole shortcut step-by-step automation before running it. You’re safe if you make your shortcuts yourself. Yes it is bad to hear Apple gave shortcuts app systemwide access.

2. Not at all, you don’t have to and shouldn’t expose ssh directly to WAN. I certainly don’t. The best way to ssh remotely is to run a VPN server to tunnel in, then once inside your LAN open a shell as normal. All I was saying in previous post was that the Shortcuts app does not let you import key files for the ssh automation, so key-based authentication is obviously not possible, it only has fields for username and password. If you have an iOS device take a look and you’ll see it’s very basic. Personally I have my router set to only allow ssh login by key authentication. Username and password gets rejected. Therefore I’m not able to use Shortcuts app for ssh. Again, I don’t have my ssh exposed to WAN. Always LAN only.
 
Yes, don’t expose anything to WAN except VPN server. Keep all ports closed.



1. As I understood it, users were mostly just at risk if they import and run random shortcuts created by strangers, like those shared on reddit. After importing it doesn’t even run, you have a chance to inspect the whole shortcut step-by-step automation before running it. You’re safe if you make your shortcuts yourself. Yes it is bad to hear Apple gave shortcuts app systemwide access.

2. Not at all, you don’t have to and shouldn’t expose ssh directly to WAN. I certainly don’t. The best way to ssh remotely is to run a VPN server to tunnel in, then once inside your LAN open a shell as normal. All I was saying in previous post was that the Shortcuts app does not let you import key files for the ssh automation, so key-based authentication is obviously not possible, it only has fields for username and password. If you have an iOS device take a look and you’ll see it’s very basic. Personally I have my router set to only allow ssh login by key authentication. Username and password gets rejected. Therefore I’m not able to use Shortcuts app for ssh. Again, I don’t have my ssh exposed to WAN. Always LAN only.
Ahh, I misunderstood you then. I'm the same, only OpenVPN server exposed to wan, and once inside SSH only via keys. But the last is merely to avoid typing passwords, once inside the VPN, the router's httpd is exposed, and it's notoriously crap for security. But doing that would imply keeping a VPN tunnel open between your iDevice and your router. Sucks if you don't have unlimited data.

And yeah, I have no interest in Shortcuts or IoT, I was just pointing out security issues.
 
As noted above, Shortcuts doesn't allow key-based authentication. Does Shortcuts allow moving the SSH port?
It sure does.
 
Time to move away from Apple/Android and not be the product.. https://e.foundation/
Sorry for off topic post
Love Diversion ! Thank you thelonelycoder for your awesome work
Go ask what people want. It's simplicity, compatibility and readily available. See any Windows user on Desktop. Linux would have the upper hand in many regards but none of the distros is as easy to use as Windows and the apps one's been using ever since.

The other day I had to reinstall Windows and wanted to move Sonarr, Radarr, Jackett and Transmission over to the native environment: CentOS 7. I gave up after four hours of dependencies and whatever error hell.
I had all of them up and running flawlessly in about an hour on Windows.

I like simplicity too. Diversion is my answer for your router(s).
 
I see no big risk using the Shortcuts iOS app (made by Apple) to control basic router functions. It’s definitely no riskier than using any other Ssh app on the App Store.

One thing to note though, you will need to allow router ssh login with username/password because Shortcuts doesn’t support passwordless login with key pairs. That’s the biggest downside I can see.
I have SSH permanently on, on a non-standard port and only accessible from LAN.
The Shortcuts app works over VPN. I don't see the big problem if password login is enabled on your own LAN.
Do you use password-less login on your Workstation too?
 
Go ask what people want. It's simplicity, compatibility and readily available. See any Windows user on Desktop. Linux would have the upper hand in many regards but none of the distros is as easy to use as Windows and the apps one's been using ever since.

The other day I had to reinstall Windows and wanted to move Sonarr, Radarr, Jackett and Transmission over to the native environment: CentOS 7. I gave up after four hours of dependencies and whatever error hell.
I had all of them up and running flawlessly in about an hour on Windows.

I like simplicity too. Diversion is my answer for your router(s).
(potential vulnerabilities aside) Linuxserver.io provide docker images for all of those, I'm currently running Docker on a Lubuntu 18.04.2 VM.
 
I have SSH permanently on, on a non-standard port and only accessible from LAN.
The Shortcuts app works over VPN. I don't see the big problem if password login is enabled on your own LAN.
Do you use password-less login on your Workstation too?

Yes I’m same as you, I also wouldn’t be worried to allow password authentication for ssh connections inside my trusted LAN especially since webui already allows it anyway. On my workstation I do use key authentication for ssh but I set that up only because I could, to learn how, and I turned off password authentication for ssh simply because I didn’t need it. If there was a compelling use for Siri shortcuts with the router I would allow it.

Honestly key based authentication isn’t any more convenient nor passwordless when you follow the best practice of creating an encrypted key that requires a password to use. That way if .ssh directory gets copied nobody could use it anyway. It was just a learning experience.
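
The three settings debated in this thread (password versus key-only login, the SSH port, and which address the daemon listens on) can be read off the Dropbear command line. The script below is an added example, not code from any poster or from Diversion: it parses a command line and flags password logins, port 22 and a wildcard bind. The sample command lines and the LAN address 192.168.1.1 are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a Dropbear command line for the
# settings discussed above: password logins, listening port, bind address.
# Dropbear options used: -s (disable password logins), -p [address:]port.
# Only space-separated options are parsed; bundled flags are not handled.

audit_dropbear() {
    # $1: dropbear command line, e.g. copied from `ps` output on the router
    port=22; addr=any; password=enabled; findings=
    set -f; set -- $1; set +f          # split into words without globbing
    if [ $# -gt 0 ]; then shift; fi    # drop the program name
    while [ $# -gt 0 ]; do
        case "$1" in
            -s) password=disabled ;;
            -p) if [ $# -lt 2 ]; then break; fi
                shift
                case "$1" in
                    *:*) addr=${1%:*}; port=${1##*:} ;;
                    *)   port=$1 ;;
                esac ;;
        esac
        shift
    done
    if [ "$password" = enabled ]; then findings="$findings,password-login"; fi
    if [ "$port" = 22 ]; then findings="$findings,default-port"; fi
    # Bind address only; whether WAN can reach the port is up to the firewall.
    if [ "$addr" = any ]; then findings="$findings,all-interfaces"; fi
    findings=${findings#,}
    echo "port=$port addr=$addr password=$password findings=${findings:-none}"
}

# Constructed sample command lines (192.168.1.1 is an assumed LAN address).
audit_dropbear "dropbear -p 22"
audit_dropbear "dropbear -p 192.168.1.1:2222 -s"
```

A setup that enables password login for Shortcuts reports `password-login` even when the daemon is bound to the LAN address only, which matches the trade-off discussed in the thread.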
 
