Securifi Community Forum
Securifi Products => Almond+ => Topic started by: thanthos on August 30, 2015, 10:54:05 pm
-
Folks who use the web administration functionality directly from the unit should take note and take care not to access it from an unsecured location.
I recently reported to Securifi that the password to the device is visible in the clear while using the web console. Given that the web console is LAN-based and you are not likely to access it regularly, this should mitigate the impact of the issue. The router is the gate to your house in a networking context, and hence it is a serious issue.
I would like to remind and warn users to:
1) Only access the console when needed.
2) Access it over a secured physical LAN connection, if possible. Never do it over an open Wi-Fi connection.
3) Use a VPN where possible.
4) Change the password regularly until the issue is fixed.
The password can be lifted using a packet sniffer (Wireshark etc.) and might be visible within a proxy server if the information does pass through one.
I would like to take the opportunity to raise this awareness in the community and also to request an update in the next firmware release. Perhaps implementing 2-factor authentication using Google Authenticator would be nice. But at a minimum, HTTPS for the web console using a self-signed cert is required. This is a standard feature on all the commercial consumer routers/access points I have used.
Hope we can have a release soon.
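The sniffing described in the post above, as an added example that is not part of the original thread nor code from Securifi or OpenWrt: given the raw TCP payload a sniffer such as Wireshark reassembles for one request to the console, it parses the HTTP request and reports any login-form fields that were sent in the clear. It assumes the console login is a form-encoded HTTP POST with `username` and `password` fields (the field names, the `/cgi-bin/luci` path, the host address and the credentials in the sample are assumed or constructed for illustration). The same function returns nothing for a TLS record, which is what the sniffer would see once the console is served over HTTPS, so it doubles as a check that a firmware fix actually closed the hole.

```python
"""Flag login credentials carried in the clear by a captured HTTP request.

Added example, not code from the forum thread or from Securifi/OpenWrt.
Assumption: the console login is an HTTP POST with form-encoded
``username``/``password`` fields; the capture is the raw TCP payload
as a packet sniffer would reassemble it for a single request.
"""
from urllib.parse import parse_qs

# Form field names that usually carry an identity or a secret (assumed list).
CREDENTIAL_FIELDS = {"username", "user", "login", "password", "passwd", "pass", "pwd"}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into method, target, headers and body.

    Returns None when the payload does not start with an HTTP request line,
    e.g. for a TLS record captured from an HTTPS session.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so bytes of a following request are not mixed in.
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "target": target, "headers": headers, "body": body[:length]}


def find_cleartext_credentials(raw: bytes) -> dict:
    """Return {field: value} for credential fields sent in the clear.

    An empty dict means nothing recoverable was found in this payload.
    """
    req = parse_http_request(raw)
    if req is None or req["method"] != "POST":
        return {}
    ctype = req["headers"].get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(req["body"].decode("latin-1"), keep_blank_values=True)
    return {k: v[0] for k, v in fields.items() if k.lower() in CREDENTIAL_FIELDS}


# Constructed sample: a LuCI-style login POST as captured on the LAN.
# Path, host address and credentials are made up for illustration.
SAMPLE_LOGIN = (
    b"POST /cgi-bin/luci HTTP/1.1\r\n"
    b"Host: 10.10.10.254\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"username=root&password=Hunter2%21xyz"
)

# Constructed sample: the start of a TLS ClientHello, i.e. what the same
# sniffer sees once the console is served over HTTPS. Nothing is recoverable.
SAMPLE_TLS = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + bytes(32)


if __name__ == "__main__":
    for label, capture in (("plain HTTP", SAMPLE_LOGIN), ("HTTPS", SAMPLE_TLS)):
        leaked = find_cleartext_credentials(capture)
        if leaked:
            print(f"{label}: credentials in the clear: {leaked}")
        else:
            print(f"{label}: no credentials recoverable from this capture")
```

Run it against a real capture by feeding the reassembled TCP stream (Wireshark's "Follow TCP Stream", raw) into `find_cleartext_credentials`; if the console has been moved to HTTPS the parser will not even find a request line and returns an empty result.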
-
This is not the first time the lack of HTTPS for LuCI has been brought up:
http://forum.securifi.com/index.php?topic=1298.0
http://forum.securifi.com/index.php?topic=1499.0
OpenWRT itself supports SSL for LuCI, but the package required to enable it (luci-ssl) is not installed by default. The Almond+ doesn't seem to have its own OpenWRT package repository, and the official OpenWRT repositories don't seem to support the platform used for the Almond+.