security issues with networked tivo ?

Discussion in 'TiVo Series 1 - UK' started by b166er, Jan 11, 2006.

  1. b166er

    b166er New Member

    1,324
    1
    Oct 24, 2003
    Brit in...

    Hi,

    I'm wondering what issues may arise from having my Tivo networked now. It's connected to a router that keeps my DSL connection permanently alive, so it's always connected to the internet. Naturally the router has a firewall, so there's some protection there, but they're not 100% secure. There are open ports. Not any that I've specifically additionally opened, but there are open ones.

    Does anyone have scare stories of hackers getting into their tivo and back out into their local network? Or just generally causing havoc within the tivo? I know there are no trojans running on the tivo that enable hacker tunnels but still have some concern.

    I just tried connecting to it from a remote PC and was pleased to see the following (ip address altered to 1.2.3.4 for posting here):

    C:\WINDOWS>ping 1.2.3.4

    Pinging 1.2.3.4 with 32 bytes of data:

    Request timed out.

    Ping statistics for 1.2.3.4:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

    C:\WINDOWS>telnet 1.2.3.4
    Connecting To 1.2.3.4...Could not open connection to the host, on port 23:
    Connect failed

    C:\WINDOWS>ftp 1.2.3.4
    Connected to 1.2.3.4.
    Connection closed by remote host.

    I also couldn't see the tivoweb page via http://1.2.3.4 which is also good (for now)...

    Once I open up tivoweb page to the net am I opening up myself to a much increased risk? Is there any way to password protect the tivoweb page, or at least obfuscate the URL sufficiently that nobody would guess it? e.g. http://1.2.3.4/ofiehfhg882834832
     
  2. Fozzie

    Fozzie New Member

    837
    0
    Sep 3, 2001
    Alton,...
    I would say in order of security, LEAST secure first:

    1. Port forward on router 80 to 80; password on Tivoweb.
    2. Port forward on router wxyz to 80; password on Tivoweb.
    3. Orenosp on PC (secure proxy to Tivoweb), running on non-standard port; port forwarded on router. No need for password on Tivoweb.
    4a. Dropbear SSH server running on Tivo, running on non-standard port; port forwarded on router. No need for password on Tivoweb.
    4b. SSH server running on router running on non-standard port; port forwarded on router. No need for password on Tivoweb.

    Security of 4a & 4b will be the same, it's just a question of which box is doing all the SSH work. I've used 3, then 4a then 4b and all have worked fine. There are plenty of existing threads describing how to do all the above, if you have a quick search.

    To answer one of your questions, I've not read on here about anyone being successfully hacked via Tivo; but then if the hacker is any good, you wouldn't know anyway!
     
  3. b166er

    b166er New Member

    1,324
    1
    Oct 24, 2003
    Brit in...
    Thanks Fozzie. Will need to search for Orenosp and Dropbear to see which seems best for me. For now I'm happy that without opening a port yet for tivo to become visible I'm secure :D
     
  4. sanderton

    sanderton TiVoer since 11/2000

    6,341
    0
    Jan 4, 2002
    First off, if you haven't opened any ports on your router's firewall, and you don't want to access your TiVo from outside of your LAN, then you need do nothing and you are perfectly safe. Despite what you say, there should be no open ports unless you have configured them. That's what the firewall's for.

    Further, unless you've configured NAT & port forwarding, any hacker has no way of knowing your TiVo is even there.

    I have heard no stories at all of anyone actually hacking a TiVo, although if left unprotected the TiVo can supposedly be crashed by lots of incoming packets it doesn't understand.

    I operate at security level 1 on Fozzie's list and have had no problems. You password protect the TiVo by editing its config file.
     
  5. RichardJH

    RichardJH New Member

    1,195
    0
    Oct 7, 2002
    Hanworth....

    Stuart, is there a simpleton's explanation of how I can get access to my 2 Tivos from outside my home network? At present I have 2 Tivos and 1 PC wired to a Linksys WRT54G and a laptop that accesses via wireless. I have read through several threads about security and various other aspects of Tivo access but have only ended up confused.

    All I want to do is access Tivoweb when away to check or change what Tivo is to record.

    Any help would be appreciated

    Richard
     
  6. b166er

    b166er New Member

    1,324
    1
    Oct 24, 2003
    Brit in...
    Here's how I understand things (as a fellow simpleton).

    Your router will be maintaining your internet connection for you and you'll probably be getting a different IP address each time it's forced to renew. If you're keeping the same IP address each time (which my Mum does via NTL cable) it makes things easier.

    Two things need to happen for you to be able to see your Tivo from outside your network. You need to know the IP address, and the relevant port (80) needs to be open. If your ip address is 1.2.3.4 and you open port 80 in your router's config, then http://1.2.3.4:80 from any PC anywhere will get you into your tivoweb login page. You can open port 12345 and map it to port 80 in your router for a little obfuscation, then you'd access http://1.2.3.4:12345 instead.

    If you get a different IP address each time your connection is remade then you'll need a dynamic DNS service. There are free ones and someone will post a link to the best (I forget the URL right now). There you maintain some unique name for yourself and use that to access your tivo instead of the hard-coded IP address. Your tivo needs to keep the server at your dynamic DNS provider regularly updated with what its IP address is by some kind of regular ping I imagine. So if there was a site called myfreedns.com and you chose the name scooby then you'd use http://scooby.myfreedns.com:12345 to access your tivo.

    Adding a userid/password to tivoweb would seem a wise thing to do, especially if the hackman module is installed.

    That's the info I've gathered from these threads and filled in the holes myself. I haven't done this yet but I hope to before the end of the month when I need to travel to NYC for a while.
     
  7. sanderton

    sanderton TiVoer since 11/2000

    6,341
    0
    Jan 4, 2002
    You missed one part out - your router needs to be set up to send packets intended for the Tivo to each machine. This is usually done using port forwarding and NAT. You set up your router so that any data it receives on port 1234 is sent to the TiVo on port 80. If you have two tivos then you make port 1235 forward to the other one.
     
  8. RichardJH

    RichardJH New Member

    1,195
    0
    Oct 7, 2002
    Hanworth....
    Thanks for that info but still not sure.
    I will have a fixed IP I guess because I am on cable broadband (Telewest).
    Is the IP that one or the one allocated to Tivo, and how do I sort it out so that I can access either of my Tivos?
     
  9. AMc

    AMc Active Member

    2,623
    0
    Mar 22, 2002
    East of England
    Visit http://www.whatismyip.com/ from a machine on your home network and it will give you the IP of your cable modem.
    You then need to set up port forwarding on your router so that a port, e.g. 1234, is forwarded to the 1st Tivo's local IP address on port 80 and port 1235 is forwarded to the second Tivo's local IP address.

    Just because you generally have the same IP on Telewest doesn't mean it's actually fixed. A power cut or loss of service in your area could change your cable modem's IP address though it's more common on ADSL connections as I understand it.
     
  10. Fred Smith

    Fred Smith Still learning

    779
    0
    Oct 5, 2002
    Reading,...
    In my experience cable modem dynamic IP addresses are almost static (on NTL). But just in case I run Dynamic IP on my server PC.
     
  11. Fozzie

    Fozzie New Member

    837
    0
    Sep 3, 2001
    Alton,...
    No need to run an external application to update DynDNS; with a bit of jiggery pokery, TiVo can do it itself :)

    I've attached two zips with the necessary components:

    1. Edit 'dnsupd' and 'dnsupd_forced' with your DynDNS username, password and domain. Put the 2 scripts in to /var/hack and chmod 755 them.
    2. Put 'wget' in /var/hack/bin and chmod 755 it.
    3. Edit 'resolv.conf' to reflect your ISP's DNS (the included file has my two NTL ones). Make a backup copy of /etc/resolv.conf and then copy over the new one. (You'll probably need to make the partition read/write first and then change it back to read-only afterwards.)
    4. Put 'libresolv.so' in to /var/hack/lib. Chmod 755 it then type:
    'ln -s /var/hack/lib/libresolv.so /var/hack/lib/libresolv.so.2'
    5. Finally, add the following 2 entries in to crontab:

    05 02,14 * * * /var/hack/dnsupd > /var/log/dnsupd.log 2>&1
    15 02 1 * * /var/hack/dnsupd_forced > /var/log/dnsupd_forced.log 2>&1

    With a bit of luck, Bob's your uncle, DynDNS will be updated twice daily if your IP changes (edit the crontab if you wish to check more frequently) and a forced update will take place on the first of each month (to prevent your DynDNS account from being deleted for inactivity).

    Inspiration for the scripts came from here: http://www.nslu2-linux.org/wiki/HowTo/DynDNSupdate

    Resolver files came from the ozTivo website here: http://minnie.tuhs.org/TiVo/files/libresolv/

    All usual disclaimers: most of this has come from other sources and if you break your TiVo, it's your own fault!
     

  12. b166er

    b166er New Member

    1,324
    1
    Oct 24, 2003
    Brit in...
    Did you forget the attached zip or am I being a drongo and not seeing it? :confused:
     
  13. Fozzie

    Fozzie New Member

    837
    0
    Sep 3, 2001
    Alton,...
    Doh! I was doing it remotely and hadn't noticed that the single zip was too big to upload. Apologies.
     
  14. b166er

    b166er New Member

    1,324
    1
    Oct 24, 2003
    Brit in...
    I managed to do it even easier than that :) My cheapo cheapo 20 quid router has a dynamic DNS section. It knows of the top 3 dyndns providers. You enter your user id/password/hostname and each time it has to acquire a new IP address (once a day usually with my DSL) it logs into the dyndns account and updates the IP address. I've been testing it by manually disconnecting it and it's working great. I can access my tivo remotely :)

    QUESTION : I'm sure I read somewhere (but can't find it with search) that if you don't do something or other once a month with dyndns.org then they close (or freeze) your account. Does anyone know what it is that needs doing?

    woah look at the time, where does it go? I must be having fun :D
     
  15. Fozzie

    Fozzie New Member

    837
    0
    Sep 3, 2001
    Alton,...
    I know, mine does the same. I was responding to Fred Smith whose router doesn't have that functionality and so was running an external application on his PC. I was merely suggesting that he didn't need to as it can all be done from TiVo ;)

    It's on the DynDNS website. If your account hasn't been updated after 35 days, they assume it is dormant and so will delete it. One solution is to just manually log in to your DynDNS account and refresh the IP information. Also, some of the external apps (e.g. DirectUpdate) detect if you haven't updated after a certain period of time and force an update.

    I'm not sure if any of the routers are clever enough to do this yet; I'm pretty sure that the Linksys ones DON'T (even running third-party firmware like dd-wrt). Therefore, you run the real risk of losing your DynDNS account.

    Prior to upgrading my router I was using both the scripts above to automatically detect if my IP had changed and to also force an update on the 1st of each month. Now my router does the automatic detection, I have stopped running that script on TiVo but left the forced update one to run, so that I don't lose my DynDNS account.
     
  16. b166er

    b166er New Member

    1,324
    1
    Oct 24, 2003
    Brit in...
    I got the impression that my router is doing the right thing.

    Each time it has to get a new IP, it logs into dyndns and updates the IP. Do you think that's not enough? Do I need to manually go to their www.dyndns.com page and login that way? Here's what my dyndns router page looks like (note I changed the hostname and login account to demo values (but didn't click apply) just to take the screenshot). Notice how it uses the members.dyndns.org so it can login.
     

  17. Fozzie

    Fozzie New Member

    837
    0
    Sep 3, 2001
    Alton,...
    NO. Like I said, if your account hasn't been updated for 35 days i.e. your IP address hasn't changed and so your router will not have automatically updated DynDNS, your account will be DELETED and you may well lose your domain name (as well as the hassle of not being able to remotely get in to TiVo, if you are away!)

    Only if you want to:
    a. Check the status of your account e.g. date of last update.
    b. Manually refresh the IP address to prevent the account from being seen as dormant and getting deleted.

    You don't need to do b. if you upgrade (i.e. pay $10 per year) for your DynDNS account, or your router/external PC application detects if no updates have taken place after a certain time period or, if you run my script on TiVo to manually force an update (or, if you're 100% certain that your external IP address changes at least every 35 days).
     
  18. b166er

    b166er New Member

    1,324
    1
    Oct 24, 2003
    Brit in...
    Ok, confusion over. I got the feeling that what my router was doing, when the IP address *DOES* change might not be enough to keep the account alive. As my DSL provider requires a new IP once a day I'm all good :) Thanks for the clarification.
     
  19. Fozzie

    Fozzie New Member

    837
    0
    Sep 3, 2001
    Alton,...
    No problem - you should be fine :) I just raise the issue because I don't think many people are aware of the 35 day limit and that generally people's IP addresses do change within that time period, for one reason or another. I presume that re-booting the router would also send an update to DynDNS but then you have to be careful of not getting blocked for an abusive update (defined as one where the IP address hasn't changed); I think they allow the odd one or two though, thank goodness!

    There was someone on another thread whose remote access suddenly stopped, even though everything was running fine. However, trying to ping his DynDNS hostname resulted in an unknown host reply; probably due to his account being deleted.

    Enjoy the rest of your TiVo hacking; I notice you popping up all over the place. Just waiting for you to appear in the Hackman and Dailymail threads... :)
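
Added example, not part of the thread and not Fozzie's attached scripts: the update rules discussed in posts 11 to 19 (update on IP change, forced refresh before the 35-day limit, no needless no-change updates) as a small POSIX shell sketch. All function names, the 28-day margin, the state-file format and the separate private credentials file are assumptions made for illustration; `send_update` is a stub standing in for the real request.

```shell
#!/bin/sh
# Added example: decide when a DynDNS update is needed. All names are hypothetical.
FORCE_AFTER_DAYS=28   # assumption: safety margin under the 35-day limit quoted in the thread

# Print "update" (IP changed), "force" (unchanged but stale) or "skip".
# "skip" avoids a no-change update, which the thread says can count as abusive.
dns_update_action() {  # args: current_ip last_ip last_update_epoch now_epoch
    if [ "$1" != "$2" ]; then echo update; return; fi
    age_days=$(( ($4 - $3) / 86400 ))
    if [ "$age_days" -ge "$FORCE_AFTER_DAYS" ]; then echo force; else echo skip; fi
}

# True only if the file has no group/other permission bits (e.g. mode 600),
# so account credentials are not readable by every process on the box.
creds_file_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Stub for the real request (the thread's scripts use wget for this step).
send_update() { :; }

# Read "ip epoch" from the state file, act, and record the new state on success.
run_check() {  # args: state_file creds_file current_ip now_epoch
    creds_file_private "$2" || { echo refuse; return 1; }
    last_ip=none; last_epoch=0
    [ -r "$1" ] && read -r last_ip last_epoch < "$1"
    action=$(dns_update_action "$3" "$last_ip" "$last_epoch" "$4")
    if [ "$action" != skip ]; then
        send_update "$3" && echo "$3 $4" > "$1"
    fi
    echo "$action"
}

# Constructed values: same IP, last update 30 days ago.
dns_update_action 1.2.3.4 1.2.3.4 0 2592000
```

Run from cron, `run_check` would take the current external address and `date +%s`; the refusal path makes the job fail visibly if the credentials file is left group- or world-readable.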
     
  20. b166er

    b166er New Member

    1,324
    1
    Oct 24, 2003
    Brit in...
    Coolness :cool:

    Don't like the idea of Hackman. I looked at it (the screenshot) and don't think I need it. As I'm now publicly networked it's one more risk.

    Dailymail intrigues me, just need to look into that more. That might be my next hack :)
     
