Hi, some of you guys need to look at your Humax security

graemev

New Member
I'm in the process of re-installing a Humax box and doing a Google search I came across at least two guys who have had the entire contents of the Humax indexed by google.

One of these (at least) has his box completely open , anybody could install or remove software from it (and indeed watch the programmes you recorded)

Now I could share their IP address here, but that would make them even more vulnerable to attack. So what I'll do is publish some screenshots of their recorded programmes. If you recognise these, then you should probably do something about it:

1: Add a password to your humax box
2: Consider changing your mapping of port 80 on modem to port 80 on Humax (e.g. map port 22080 to port 80 [don't use 22080 now I've mentioned it] This is only security through obscurity but I know from experience that it at least reduces the number of BotNets which try to brute force your password
3: Install a VPN

The 1st machine is called Foxsat-HDR and the recorded programmes look like:

Foxsat-HDR_20211111_161013.png




The second machine is called Foxsat-Left , and the contents are indexed (for all time?) by google, but currently port 80 is closed .... I could do a port-scan of his machine (since Google are highlighting it) but that seems a bit aggressive (so I won't) ..I believe, under EU law, you can ask google to "forget me"...not sure if we've also lost this protection.
 

gomezz

Well-Known Member
Simple solution is to just unplug the ethernet cable which on these boxes is as useful as piece of wet string these days.
 

Peso

Member
Good point graemev. I have worried the HDR might the weak spot in my network. But the Remote Scheduling and Pushmail facilities are invaluable. Must confess I have only recently passworded my HDRs. Thankfully your list of recordings aren't mine.

May I ask 3 of questions,
1. Where you add a password in settings is also a tick box called "Enable secure web server (HTTPS)". Should I tick it? Would it improve security?
2. You suggest mapping ports. How exactly would you do that?
3. I read, years ago now, that it was a good idea to have the likes of telenet and dropbear turned off on the HDR so no one can send commands. Only activating them when you need them i.e. to tun fix-disk. Is that advice still sound?
 

Black Hole

May contain traces of nut
But the Remote Scheduling and Pushmail facilities are invaluable.
These do not involve opening your network. It's people who have specifically compromised their own security by opening ports through their router who are at risk (with the intention of gaining WebIF access from a remote location).

You suggest mapping ports.
That is only security by obscurity, and not actual security. See comments here: https://hummy.tv/forum/threads/remote-access-to-foxsat-hdr.10385/
 

Peso

Member
These do not involve opening your network. It's people who have specifically compromised their own security by opening ports through their router who are at risk (with the intention of gaining WebIF access from a remote location).
Thanks for that info. I had assumed having a HDR (not firewalled, unlike a PC) on a network, made it especially vulnerable.
 
OP
graemev

graemev

New Member
May I ask 3 of questions,
1. Where you add a password in settings is also a tick box called "Enable secure web server (HTTPS)". Should I tick it? Would it improve security?
2. You suggest mapping ports. How exactly would you do that?
3. I read, years ago now, that it was a good idea to have the likes of telenet and dropbear turned off on the HDR so no one can send commands. Only activating them when you need them i.e. to tun fix-disk. Is that advice still sound?

Adding HTTPS would mean that the password would not be sent in clear text over the wire ... if you sniff packets while somebody is using telnet (and I assume http) you can see the password in cleartext .... that said, I doubt anybody (other than your ISP) is sniffing your packets ... too much effort , other routes are easier.


Whoever has done this, is already mapping ports .... If your modem is on 82.83.84.85 and I try to connect to port 80 (http) the I'll get port 80 on your modem. If it's REALLY badly setup that'll allow me to reconfigure the modem. More likely it'll be set to simply drop the packet. If your Humax (inside the house) is on e.g. 192.168.1.25 , then you might MAP port 80 in Modem to port 80 on 192.168.1.25 (using the GUI on your modem for example) ...but you don't have to use port 80 ...you could map 22080 on the modem to 80 on 192.168.1.25. Now this doesn't provide any more security but the botnet attacks spend more time trying ports 1-1023 , so it cuts down on attempts (which waste bandwidth on you internet connection)

Telnet uses port 23 and ssh (dropbear) port 22 so unless you map them (as above) they won't be accessible outside your home.


So BEST , don't map anything incoming . If you feel you need to , take more care than case#1 & case#2 above
 
Last edited:
Top