Nmap Development mailing list archives
Re: Ubiquiti routers now run nmap automatically causing an interesting situation
From: "Dario Ciccarone \(dciccaro\) via dev" <dev () nmap org>
Date: Thu, 26 Aug 2021 03:43:49 +0000
Well . . . DISCLAIMER: the following is my *own personal opinion* and should in no way be interpreted as my employer's position or opinion. My statements here are my own. I recently bought a NETGEAR Orbi kit, to update my home network replacing both an Ubiquiti AP and an Ubiquiti "router/firewall". If for no other reason than the Ubiquiti gear was just not able to keep up to my 1Gbps ATT Fiber connection to the Internet. I like the Orbi - easy to configure, they force you to change passwords, nice looking devices. It comes with that "Armor" stuff, which is enabled by default. As soon as I set them up, it started "finding devices" and "reporting on devices' security posture". And yes, many of my home devices were now complaining about login attempts - some of them louder than others. I went ahead and disabled it, filed it under "good idea, not so good execution" and chuckled when I thought "if they start crashing devices . . . " So Ubiquiti is not the only company doing this. Who started it ? And who is following on that someone's steps, for "Feature Parity" ? I don't know. I do think someone thought "hey, this is relatively innocuous, and looks good on the GUI and on the datasheet, and after all, these are home users, for which networking is 1 step away from magic, so they won't even wonder what's going on under the hood". All possibly true. And "enabling by default" means "providing value out of the box". But yes, I 110% agree - nobody should be doing this by default. It should be presented maybe as an option during initial setup, "would you like to enable Armor?" and maybe with a "NOTE: enabling Armor may result in false positives about network intrusion in other devices, due to the way Armor works. For more information, see <URL>". Of course, the day you normalize port scans within your network, is the day you open a big door for attackers to fly under the radar . . . DISCLAIMER: all of the above comes from my professional experience, what I have seen across the years and what ended being a good idea - and not such a good one. However, some of the "lessons learned" are either not transferable/transmissible . . . And companies will need to learn by themselves. On 8/25/21, 11:31 PM, "James M. Scardelis, CISA, CIPP, CIPP/IT, MCT, MCSE, CTT+" <jim () jceltd com> wrote: Running port scanners without permission from the user is, um, problematic. Strongly recommend reporting this "bug" to Ubiquiti. On 8/25/21, 8:09 PM, "dev on behalf of Dario Ciccarone (dciccaro) via dev" <dev-bounces () nmap org on behalf of dev () nmap org> wrote: Hey, Nick: One other option missing here is - contacting Ubiquiti and talk to them ? About the issues their default behavior is creating ? And I assume they're not only scanning *your devices*, but probably the whole L3 subnet, so others may also experience similar issues. Or worse - if the device doesn't react properly to the scan . . . So I would contact Ubiquiti, explain the situation, see what they say. Also, while the "contact Ubiquiti Support" is not a bad idea, I think you go with "Do you have an Ubiquiti router in your network? If yes, please go to www.silicondust.com/security/ubiquiti" or something like that - and on the page, you can explain (in simple terms) to your customers what the issue seems to be, and provide a link to the Ubiquiti documentation explaining how to enable/disable this feature. Might also want to add "We don't recommend keeping this feature enabled, nor we recommend it to be disabled - as it has no negative impact on our device, leaving it enabled or disable it is up to each customers' particular setup and environment", or, again, something along those lines. Thanks, Dario On 8/25/21, 8:53 PM, "dev on behalf of Nick Kelsey" <dev-bounces () nmap org on behalf of nickk () silicondust com> wrote: Interesting situation... At my day job (Silicondust) we have started getting support questions/complaints from customers who have Ubiquiti routers at home - it seems that Ubiquiti routers now run Nmap automatically, not sure if daily. When Nmap probes a Silicondust HDHomeRun tuner it works well - Nmap finds port 80 (device webpages) and port 5004 (http for video) and correctly identifies it as a HDHomeRun device. Likewise the HDHomeRun does fine being probed by Nmap. Nmap generates 31 TCP requests to port 5004 and the HDHomeRun simply logs these 31 failed requests. Both Nmap and HDHomeRun are doing their jobs correctly. You get some log messages but you just ran a probe so they are expected. The problem - Ubiquiti routers are doing this without the user being aware it is happening. The user sees hundreds of failed attempts to access the HDHomeRun in the HDHomeRun logs and they are reporting it to us thinking something is wrong. Further complicating things - the source IP is logged as being from the router so at first glance it could (incorrectly) look like an attacker has figured out how to reach a LAN device via the Internet. Could disable these log messages but that would hinder normal diagnostics where the user is trying to figure out why a tune request wasn't accepted. Could detect that it is a Nmap probe but I object to this on principle. Could firewall all Ubiquiti MAC address ranges so it can't probe. Could manage the problem by having support reassure customers that these errors are normal because of their router. That has a ongoing cost associated with it. I quite like the idea of appending "please contact Ubiquiti support" to the end of every failed log message when a Ubiquiti router is detected :-) Interested in thoughts on the subject. Should probably just manage the support problem but it annoys me to have to manage a problem created by someone else. Thoughts? Nick _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/ _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/ _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Ubiquiti routers now run nmap automatically causing an interesting situation Nick Kelsey (Aug 25)
- Re: Ubiquiti routers now run nmap automatically causing an interesting situation Dario Ciccarone (dciccaro) via dev (Aug 25)
- Re: Ubiquiti routers now run nmap automatically causing an interesting situation James M. Scardelis, CISA, CIPP, CIPP/IT, MCT, MCSE, CTT+ (Aug 25)
- Re: Ubiquiti routers now run nmap automatically causing an interesting situation Dario Ciccarone (dciccaro) via dev (Aug 25)
- Re: Ubiquiti routers now run nmap automatically causing an interesting situation James M. Scardelis, CISA, CIPP, CIPP/IT, MCT, MCSE, CTT+ (Aug 25)
- Re: Ubiquiti routers now run nmap automatically causing an interesting situation Dario Ciccarone (dciccaro) via dev (Aug 25)