Posts in category security

SSL and https

We in Telldus take Security very seriously. As soon as information about the Drown and Poodle attacks on SSL was published, we started to examine the affects and the resolution to these issues.

With this message we would like to assure you, that apart from Security, user satisfaction is one key foundation defining how we work. This is also one of the reasons, we are delayed with the resolution. To deal with these vulnerabilities, we had the option to close down TelldusCenter and support you to instead setting up Telldus Live! via our new TellStick Gateways. That would mean swapping the old TellStick with Version 2 of our Gateway. This is in our opinion the best option for you who are using TelldusCenter, and in the process also get to the optimum security and feature set that we today have. In short, we want you to not be left behind but walk with us towards a safer, more secured Smart Home Solution as compared to the old version.

But we haven’t closed down Telldus Live!-access for TelldusCenter because we want to affect your running setups as little as possible, and keep your options open, therefore we chose to upgrade TelldusCenter. This is taking more time than expected due to the complexity and we are working hard to finalize these changes which we believe should happen shortly. Once done, these vulnerabilities will be removed.

In addition to this, we have also decided on a few other Security updates and restructuring, that would allows us to better separate servers that needs to remain open for TelldusCenter from the others. These upgrades will also allow us to turn on https as default for the Telldus Live!-web.

Update 2018-02-28:
As some of you have noticed, there is a difference between servers regarding what SSL versions they accept. We are only using api.telldus.com for TelldusCenter and that URL is now considered legacy. If you are connecting to our API using SSL, you should use pa-api.telldus.com instead.

ASUS™ AiProtection reports suspicious networking behavior from TellStick

Some users have been reporting their (ASUS™) routers reports suspicious networking behavior from TellStick. The router alerts that TellStick tries to connect to a suspicious server on the internet.

The alert looks similar to this:

Alert type : Infected Device Prevention and Blocking Source : (AC:CA:54:XX:YY:ZZ) Destination : 193.11.114.43

RT-AC87U’s AiProtection detected suspicious networking behavior and prevented your device making a connection to a malicious website

These types of reports should always be treated seriously. It could be a sign that one of your devices on your network is infected with a malware.

tl;dr

If you aren't interested in the technical description below you can safely ignore this warning. The warning is a false positive.

The technical…

Upon inspection of the captured packets, the IP address reported (193.11.114.43) was not found in the communication of the gateway and the Internet, suggesting the infected source was not on the gateway.

Upon further inspection on the frequent traffic, it was found that NTP accounted for most of the traffic when the gateway is in idle mode. Cross checking with the search results on Google on this IP address indicated it once belonged to the pool of NTP servers under pool.ntp.org.

Querying the IP address via NTP Statistics confirms this IP address was indeed part of the ntp pool machines.

However, a reverse DNS lookup on the same IP yielded a different domain name: tor1.msfnet.se.

root@mangocrap:/var/lib/misc# nslookup 193.11.114.43
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
43.114.11.193.in-addr.arpa	name = tor1.mdfnet.se.

Authoritative answers can be found from:

A DNS lookup in tor1.msfnet.se however revealed no associated IP address,:

root@mangocrap:/var/lib/misc# nslookup tor1.mdfnet.se
Server:		192.168.1.1
Address:	192.168.1.1#53

** server can't find tor1.mdfnet.se: NXDOMAIN

suggesting this is a stale record of the reverse DNS lookup.

The ASUS AiProtection works by querying a third party service (WRS database provided by Trend Micro™) on a suspicious IP address to determine if it is a malicious host.

Looking from this case, it is reasonable to believe either ASUS or Trend Micro uses reverse DNS lookup for the domain name and match it with the list of malicious hosts. In practice, since domain names can be binded to different IP addresses at different time intervals, the IPS mechanism shall not only rely on domain names but also verify using the IP address for malicious host detection in order to reduce false positives.

In conclusion, the IP address that was associated with a malicious web site was being reused as one of the NTP machines in pool.ntp.org for serving network time, the reverse DNS lookup still shows that IP address is being associate with the malicious web site, thus triggering a false positive in the AiProtection mechanism, resulting in the security alert given from the ASUS router. To mitigate, suggest user to report to ASUS on this false positive, and if the router have a whitelist function, add this IP address to the whitelist so that the router will stop generating alerts for this IP address.