using SSH to connect to the b2 .. security and other potential issues

[Anthony]

One very nice feature of the b2 is the ability to access it via ssh.  I've used that feature quite a bit to cleanup files and directories that did not end up where I intended them.

However, ssh access is only available "out of the box" as the root user.  Long time Linux users will shudder at this point.

So, to quote the original Spiderman movie, "with great power comes great responsibility".  And having said that, here are the two issues I can see :

1. The "root" password for your b2 is available from the Brennan Web Site.  Which makes your device a great target vector for any hacker that might get through your router - via either wifi or the internet. This is not a huge risk quite frankly, but it's the kind of thing IT Security people have nightmares about.
2. All access to the b2 is as the root user. It's amazing how much damage you can do to your system with a simple typo when you're "root".  Like accidentally deleting all of your music files.

So, what to do?  

First of all - CHANGE THE ROOT PASSWORD AS QUICKLY AS YOU CAN.   (Hint : login via ssh as root and use the passwd command).

Secondly, add a user account (hint : adduser ) and login that way.  It would be nice if Martin would add sudo capability to his distro but you can work around that.

When I get a minute, I will see if ssh on the b2 can be configured not to accept root logins.  That's a pretty common capability on most Linux boxes.

[mcg]

I must add, as a long-time Unix/Linux guy, that this is good advice.

On the surface, it would seem that a music device on your network was not much of a worry, bear in mind that it is a node on your private network, and someone with bad intent could use it to inflitrate your network with ease. A firewall, a local address provided by your router, and other counter-measures might suffice, but an open IoT device (like this) is an obvious vector into your home network.  Beware.

[Brennan Support]

Hi All

Martin here - there are a couple of things I would like to say here

1) I don't see that B2 is a vector into your home network - if bad guys can see the B2 they are already on your home network

2) B2 is not a security device - just because its a linux based computer doesn't mean it has to be burdened with a whole load of security. Its like your fridge - it has a door and you keep stuff in it - but that doesn't mean it needs a lock or has to be secured. That's because you keep your fridge in your house behind closed doors and adding security to the fridge would make it a less useful product. 

Martin

[Anthony]

Martin 

Not to drag this out  - my suggestion that people change their root password is hardly a "whole lot of security" or something that would make it a less useful product.

However, there are attack vectors that the b2 is open to.  Here's one example - someone in your LAN unknowingly clicks on a malicious web page link (happens all the time) that in turn scans your LAN for open devices.  If everything on your LAN is locked down properly it's not an issue.  But if there is a b2 with a default password on the LAN, the attack could then install itself on your b2 and now you have a serious problem that you may never know is there until it's too late.  

Long shot given the size of the installed base of b2's? Certainly. But I don't have a comprehensive list of attack vectors - who knows what else is out there ?

Tony

[Mark Fishman]

Martin:

I also don't like the idea of using a default (known) password for a root account, on any computer or device. Quite apart from whether the B2 can be used to attack other things on my network, it could be modified or wiped by sommeone who just wants t o have some malicious "fun".

But if I change the root password, will that interfere with any other functions of the B2? For example, when you do an upgrade of the software, does that function need to know the root password? Does anything use the root password aside from ssh?

Thanks -- Mark F.

[Tony]

Mark

As per my original post in this thread, I changed my root password as soon as I realized what a train wreck the current setup is.  I also added an additional normal user with its own password. But I admit to not yet removing the ability to login via ssh as root with the modified password - my bad.

After eight months of daily use, I have not had any issues with the changed root password.  Software updates work fine. Access to the NAS functionality via my non-root user / password works too.  You can get NAS access via root with the brennan password (happy hacking) if you haven't changed it or with your changed, very secure, 24 random character/numeric/punctuation mark password.  ;)

Tony

[Roger Dunant]

For all us dummies, would someone please explain.
Roger

[Tony]

Roger :

I'll try to keep this simple (links are provided to more complete background information).

Short Version :  

The user name and password of every B2 is root and brennan by default. There is no easy way to change that and anyone with a bit of tech savy can utilize that to cause mischief or real damage if they get access to your LAN.

Longer Version :

1. The Brennan B2 has a small computer inside that does all the work of ripping music from CD to an internal hard drive, and then playing it back.  
2. The computer is a commercially available Raspberry Pi running a small version of the Linux operating system.
3. The computer connects to your home network (LAN) via either WiFi or the RJ-11 jack on the rear panel.
4. The computer provides the Brennan B2 Web UI that allows you to control the B2 from your home PC or mobile phone over your LAN
5. There are a couple of other ways of communicating with the B2's computer electronically over your LAN - methods supported by the underlying Linux operating system - and know as SSH and NAS
   
6. It's not really important to know what SSH or NAS do or how they work.  You really just need to know that it's possible to use them to connect to the internals of your B2 if it is connected to your local LAN.
   
7. The internal computer is also connected (via your LAN) to the big bad untamed internet - albeit hopefully safely firewalled by your router.
8. There are  ways a hacker can get through your router firewall and get access to your LAN.  Although it's not common, it does happen.
9. Once on your LAN, all the hacker needs is the user name and password of your B2 to access it.
10. Guess what?  The user name is root and the password is brennan on every B2 ever shipped. Including yours.  
11. The SSH servers on your B2 is running every time you have the power on.  If you use the B2 menus to enable the NAS server so that you can acess files from your PC it's always running too.
12. The B2 software does not provide a way to change the root password.   That's the real problem here.
13. If you have the tech skill you can log in via the B2's SSH server and change the root password.

Does that help explain it a bit?

[Tony]

tl;dr  : the B2 is vulnerable to hacking because it's default user name and password are public information and can't easily be changed.

[Paul Marwick]

I have to say, this really does seem like an overreaction. Yes, the access name and password for the B2 are public knowledge. However, in order to ssh to the B2 from outside of your home network, a number of unlikely things would be needed. Your router would have to have the ssh port (22 by default) open and forwarded to a known IP address within the local network. I know of no normal commercial router that would satisfy the first condition, let alone the second (since the second is one that has to be set deliberately in the router).

The NAS setup on the B2 might be slightly more vulnerable, though only slightly, since I've never encountered a commercial router that has the SMB ports (can't remember what they are, off-hand) open, let alone forwarded).

My situation makes my B2 somewhat more vulnerable than most. I have a small server (file storage, DHCP and DNS) on my local network, and I have SSH enabled and forwarded to it. From it, any other machine running an SSH server can be accessed. However, my server, which is the only open gateway to my network, is protected by paired keys, so it is very difficult for anyone but me to gain access. 

So I really think this is a serious overreaction. Unless you have someone within your local network with malicious intent, the B2 really isn't very vulnerable at all...

[Roger Dunant]

Many thanks Tony. That makes things a lot clearer.

Roger.

[Tony]

While the average "script kiddie" may not  be much of a threat, the scenarios you list are not the only attack vectors possible.  

And even your examples become quite possible if your router is compromised.

links >  

Your Router's Security Stinks: Here's How to Fix It 

Router Bugs Flaws Hacks and Vulnerabilities

Millions of Home Fiber Routers Vulnerable to Complete Takeover

I'm just pointing out the possible issue and the need for a fix.  A random root password available on the B2's maintenance menu would solve the problem.

[Jason Ward]

Your router doesn't even need to be compromised.

Once any device on your network is compromised, even partially, then everything on your network becomes a potential target.

Smart TV's can be compromised https://securelist.com/malware-on-the-smart-tv/73229/

PC BIOS software can be compromised https://arstechnica.com/information-technology/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

And your computers and smartphones can certainly be compromised and many are

The upshot is that the B2 is extremely vulnerable.