Security vulnerability with Firewalla

Comments

  • Firewalla

    Wade

    Thanks for the notes. These are good points.

    The SSH interface is not a back door. We do not have the password. The password is generated automatically and not sent to us. That password will reset itself during updates or reboots (so it won't be the same, plus extra randomness). The reason we left SSH there was due to requests from our crowdfunding supporters: they want to know what's going on inside the box, and are curious about how we work.

    Your point is taken, we will do the following:

    1. Make the button to turn off SSH work. So you can turn off SSH.

    2. We will make the default generated password more complex.

    I'll let @melvin reply to the rest; he owes you a GitHub issue so you can track our commitment. We will invite you to test it out if you want.

    Again, appreciate your feedback.

    -Jerry

  • Melvin Tu

    I have created two GitHub issues, respectively, for "password length" and "turn off ssh".

    https://github.com/firewalla/firewalla/issues/601

    https://github.com/firewalla/firewalla/issues/602

    Thanks for the feedback.

  • Wade Stadig

    Thanks for the quick responses/action! I'm loving my Firewalla and appreciate the work you guys have put into this. Looking back, I apologize that my comments came off strong. In hindsight I wish I would have worded it differently.

    Also, more importantly, I TOTALLY misunderstood how SSH was configured/working. I thought SSH was turned on to the external facing network. This basically renders all of my concerns totally moot. So yea... heh, apologies!

    A quick note regarding password strength: if I'm not mistaken, as of 2012 it has been considered fairly trivial to crack an 8-character password (https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/). Granted, the hardware required for this isn't exactly cheap, but by today's standards it's definitely within reach. That said, we are probably approaching tinfoil hat territory here. The risk is probably pretty low that a targeted attack would take place. Again, all this is moot since SSH isn't turned on to the external-facing network.

    Thanks for making a great product and again, apologies for my misunderstanding!

  • Firewalla

    Thanks Wade. Great feedback. We already took your advice to increase the password to 10 characters. Hopefully, that piece of code will be released soon.

    If you have any other concerns or suggestions, please post them. Teach us what you need and we will make it happen. We think this is the path to our success :)
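The thread above argues about 8- versus 10-character auto-generated SSH passwords without putting numbers on it. The following is an added example, not Firewalla's code: it generates a uniformly random password with a CSPRNG (the way a device would regenerate one at boot) and computes the keyspace, entropy and exhaustive-search time for each length. The alphabet (letters plus digits) and the guess rate of 10^11 per second are constructed assumptions, not figures from the thread.

```python
import math
import secrets
import string

# Constructed assumptions: a letters+digits alphabet for the generated
# password, and an offline guess rate in the ballpark of the GPU-cluster
# hardware referenced in the thread. Neither value comes from Firewalla.
ALPHABET = string.ascii_letters + string.digits          # 62 symbols
GUESS_RATE_PER_SEC = 1e11


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct passwords of this length drawn uniformly."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly chosen password, in bits."""
    return length * math.log2(alphabet_size)


def exhaustive_search_seconds(length: int,
                              alphabet_size: int = len(ALPHABET),
                              rate: float = GUESS_RATE_PER_SEC) -> float:
    """Worst-case time to try every password at the assumed guess rate."""
    return keyspace(length, alphabet_size) / rate


def generate_password(length: int = 10, alphabet: str = ALPHABET) -> str:
    """Uniform random password from the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_lengths(lengths=(8, 10)) -> dict:
    """Summarise strength per length; days are at the assumed rate."""
    return {
        n: {
            "bits": round(entropy_bits(n), 1),
            "search_days": exhaustive_search_seconds(n) / 86400,
        }
        for n in lengths
    }


if __name__ == "__main__":
    for n, row in compare_lengths().items():
        print(f"{n} chars: {row['bits']} bits, "
              f"{row['search_days']:.2f} days to exhaust")
    print("sample:", generate_password(10))
```

Going from 8 to 10 characters multiplies the keyspace by 62^2 = 3844, so under these assumptions the worst-case search grows from about 36 minutes to roughly 97 days.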
