IFTTT - how much do you care about security?

[RMerlin]

So, I've had my first quick glance at Asus's IFTTT new feature... If I read this correctly, it requires you to open your router's webui to the WAN. Uh, no thanks.

* Please click here to enable DDNS and Web Access from WAN for remote control *

If that's really the case (and not just a bad translation from the original Chinese strings), then I'll have to strongly recommend to everyone NOT to enable that feature.

I'll have to think to decide what I want to do about this... I was against the addition of this feature from the start, and with that requirement I am even more against it.

 

[Laserpaddy]

Hasn't that been on the ac88u since day1? Mine has had it. Or am I confused?

Sent from my SM-G955U using Tapatalk

 

[RMerlin]

Hasn't that been on the ac88u since day1? Mine has had it. Or am I confused?

Sent from my SM-G955U using Tapatalk

IFTTT was only added last week with the release of the 18881/18991 firwmares.

 

[Laserpaddy]

Ok sorry..it seemed in my interpretation that the DDNS feature of the usersnamechoice.asus.com was a really bad idea as well, that's what I was confusing..

Sent from my SM-G955U using Tapatalk

 

[SwampKracker]

Wow....unless the security problems with allowing WAN access to webui have been resolved, this is a disaster.

 

[st3v3n]

Uh..NO thanks Asus. Wonder what those guys are smoking or is this more 'nomeland' insecurity?

 

[RMerlin]

Uh..NO thanks Asus. Wonder what those guys are smoking or is this more 'nomeland' insecurity?

It's the market asking for features without understanding their security implications. Asus simply provides their customers what they are asking for, I can't blame them for it...

On the other end of the spectrum, the new IPSec server support seems to be pretty easy to setup. Did a quick test of it last night using my Android smartphone as the client, was effortless to setup. That might be a solid replacement to PPTP for people not willing to deal with OpenVPN (even tho OpenVPN is nowhere as hard to setup as people might think - just export the .ovpn file, and import it on your client and you're about done.)

 

[st3v3n]

Absolutely; I've had no problems with any vendor's opv configs (or filling in the blanks). The way OpenVPN has progressed, I'm looking forward to more goodness from it. There's so much mish-mash coming out of the various labs (and marketing departments) that has to get sorted out and that will probably/hopefully not make the cut. For my 2cents worth, as long as end users have a choice of being able to switching such useless features off, I'll be pleased; as long as RMerlin has the will and wants to fix their work.

 

[cowboy]

IFTTT was only added last week with the release of the 18881/18991 firwmares.

Asus Router and IFTTT sound like a really nice feature [here]. I don't quite get why Web access from WAN is required, but it sure is a security concern, mostly for those which are not aware what they are about to do.

Maybe if choosing a really good password (strong one) for Web Access from WAN is not that of a big security risk, or is it ?

 

[Keenan]

I've been using a couple of Echo Dots and a Harmony Hub(along with several lighting setups) for months now and I find the system to be very handy. As far as linking a router to a system like that, I guess I'm just not that active as far as router "play" goes, I like a router that does its job well and disappears into the background unseen. For a household that has a number of people and guests on a regular basis, I suppose it could be handy though.

 

[RMerlin]

Maybe if choosing a really good password (strong one) for Web Access from WAN is not that of a big security risk, or is it ?

On at least one occasion in the past a security issue was found that allowed to bypass entirely the password authentication.

 

[escape75]

It's the market asking for features without understanding their security implications. Asus simply provides their customers what they are asking for, I can't blame them for it...

On the other end of the spectrum, the new IPSec server support seems to be pretty easy to setup. Did a quick test of it last night using my Android smartphone as the client, was effortless to setup. That might be a solid replacement to PPTP for people not willing to deal with OpenVPN (even tho OpenVPN is nowhere as hard to setup as people might think - just export the .ovpn file, and import it on your client and you're about done.)

IPSec support on Asus router, where?

 

[Zonkd]

I’m opposed to IFTT being included in the firmware. Ifft is insecure all around which is why I quickly stopped using it to sync private messages into slack. If you do build it into Merlin firmware I’ll be disabling it.

 

[Zonkd]

I'll have to think to decide what I want to do about this... I was against the addition of this feature from the start, and with that requirement I am even more against it.

Will they allow you to not include it in the Merlin firmware? Or perhaps just completely hide it in the web UI and then anyone deadset on using it will need to manually unhide it by enabling JFFS and putting in a config adjustment.

 

[RMerlin]

IPSec support on Asus router, where?

VPN -> VPN Server, for models supporting it. The RT-AC68U for instance is not supported, kernel isn't compatible with requirements for IPSEC.

I’m not so concerned on sercurity as some of you. Besides even if someone did get into my home network, what are they going to get from me?

They're going to turn your router into a zombie, and use it to attack everyone else when its new master gets hired by someone to perform a DDoS on some random target.

Security is like vaccination - you're doing it just as much for yourself as for everyone else around you.

Will they allow you to not include it in the Merlin firmware? Or perhaps just completely hide it in the web UI and then anyone deadset on using it will need to manually unhide it by enabling JFFS and putting in a config adjustment.

Just don't enable it. Removing it is not an option, too much code is closed source now, a lot of features can no longer be disabled because the pre-compiled portions expect these features to be enabled for the rest of the firmware.

 

[Jack Yaz]

Either way, getting back to ifttt...

I’m looking forward to ifttt and support for Alexa.

I’m not so concerned on sercurity as some of you. Besides even if someone did get into my home network, what are they going to get from me?

I’m just a simple man.

Don't you have a rather large number of IP cameras on your network? Do you really want that footage stolen and broadcast across the Internet?

https://www.snbforums.com/threads/binding-mac-to-ip-limitations.48722/page-2#post-442271

 

[Zonkd]

Either way, getting back to ifttt...

I’m looking forward to ifttt and support for Alexa.

I’m not so concerned on sercurity as some of you. Besides even if someone did get into my home network, what are they going to get from me?

I’m just a simple man.

Get a foot in the door of a 'simple mans' LAN to take his name, social security numbers, emails, phone numbers and contacts, pets names and family details/photos. A simple man won't mind a stranger putting a little ransom-ware here or there. Because a simple man isn't so sentimental about his family photos, nor does he care to retain his tax files. The boss won't expect him to protect their private business correspondence and sensitive documents. His boss would understand, because hes a simple man too. And a simple man won't mind all these details being sold to the highest bidder on the darkweb -- nor would he care if the stranger opened a few simple lines of credit and took a bank loan in his name, or in his wife's name, perhaps to invest in bitcoin, because the stranger is a sophisticated man, and he deserves the finer things in life, a dream house and car, things a simple man wouldn't want for himself.

Everybody needs to trust the devices they use aren't compromised by strangers who don't have your best interests at heart. Stolen identity causes major irreparable damage to people in my country. Once the money is gone the banks often can't do much. The cops can do very little to reverse things or bring justice, especially if the attacker is overseas. And we're all the custodians of someone elses information, usually our loved ones, dependents like children, and family. If we're compromised then so are they. Your carelessness can end up harming them too.

Edit: and tons of live footage leaked is a great way to get your house robbed.

 

[Zonkd]

Just don't enable it. Removing it is not an option, too much code is closed source now, a lot of features can no longer be disabled because the pre-compiled portions expect these features to be enabled for the rest of the firmware.

You recently relocated the DNS Filter options out of the AiProtect section to have a separation between TrendMicro features. That made it clearer for everyone the same privacy EULA didn't apply. Maybe creating a similar separation between safe and risky features would be good? Could relocate IFTTT and other risky features to a dedicated page, maybe I include some short descriptive text explaining what they do, how they work and the risks they introduce. People would take greater pause before enabling them.

 

[RMerlin]

You recently relocated the DNS Filter options out of the AiProtect section to have a separation between TrendMicro features. That made it clearer for everyone the same privacy EULA didn't apply. Maybe creating a similar separation between safe and risky features would be good? Could relocate IFTTT and other risky features to a dedicated page, maybe I include some short descriptive text explaining what they do, how they work and the risks they introduce. People would take greater pause before enabling them.

IFTTT is already on its own separate page, there's no "other place" to move it.

Beside, configuration settings must be regrouped by logical functions, not by level of risks involved. DNSFilter fit just as well in its new location as in the previous one in terms of logical functions.

 

[escape75]

VPN -> VPN Server, for models supporting it. The RT-AC68U for instance is not supported, kernel isn't compatible with requirements for IPSEC

Hmm, i thought only the BRT-AC828 had support for that ...
Is that on OEM firmware, and you know which models support that feature ?