REMOTE ACCESS SECURITY VULNERABILITIES: TOP REMOTE ACCESS SECURITY MYTHS BUSTED

Top remote access security and vulnerability myths busted

For any smart home technology, security is a big topic. Thanks to the rise of cybercrime and hackers, security is a major concern for many. In fact, our team predicts that security features and cyber insurance will become growing trends in 2017.

Given the many mixed messages floating around about security, I wanted to take the time to compare Domotz PRO’s remote connection features with those of our competitors and with other mechanisms on the market, especially those competitors which leverage a UPnP mechanism or a web link for remote connection.

Remote Access Connection (the Domotz way)

When you use Domotz PRO’s Remote Connection (whether over HTTP, HTTPS, SSH, Telnet or RDP), we establish a secure channel (Encrypted Overlay Network) between the network and our cloud, and an HTTPS channel between the App (either Mobile App or WebApp) and our cloud. This means that the entire communication from the App to the Agent is encrypted, and nobody can sniff its content. Of course, if the communication between the Agent (in your home) and the end-device (e.g. a WebCam) is over a non-secure channel (e.g. HTTP), it is not encrypted. But that connection is only internal to the local network. I assume you trust the network configuration you are using and you wouldn’t have services that are not encrypted.

To compare our remote connection with other mechanisms: if you open an external port on your Router to reach your local WebCam over an HTTP channel (believe me, there are a HUGE number of people out there doing this), the entire communication between the client (a Web Browser, for example) and the WebCam is exposed. This means that anybody in the middle can sniff the traffic and look at your WebCam.

I won’t even get into the local services, not even protected by a password, that are exposed over the internet through the same mechanism (NAT on the Router: have a look at this article).

With Domotz’s remote access mechanism, you simply can’t sniff the traffic. This is because no port on the Home Router is opened to remotely access home devices.

In fact, opening ports on the Router (which usually does not offer any trusted security features) increases the risk of being attacked. This is because most malicious attacks start with a scan of the potential attack surface.

Our Remote Access Security vs. Unsecured UPnP connection method

Some remote management systems allow Remote Connection to a specific internal device by means of a UPnP (Universal Plug and Play) request to the home Router. This mechanism, again, is not safe at all. Let me illustrate how this mechanism works and why it is not safe.

Many home routers usually come with UPnP enabled to allow NAT traversal using the IGD Protocol. It means that the remote management agent can ask the router, “Hey, could you please let an external system access this device on port xxxx.”

Then the router creates a port map for the requested port, and notifies the agent of the external port which can be used. At that point, the agent will notify the remote app/webapp of the external IP and Port which they can use to reach the internal device. Unfortunately, while this remote connection is being established, anyone can scan the opened ports on the external Router interface and access that internal device.

In fact, UPnP has a variety of security problems; the main one is that it doesn’t have any built-in authentication. One example is a PoC by Petko D. Petkov, in which he demonstrated how Flash can be used to send UPnP commands to a local router when visiting a malicious page. UPnP also makes it much easier for malware on your computer to open ports and listen for commands from a “botnet” server.

To sum things up, UPnP has a long list of security issues which mainly result from poor implementation. Back in 2013, researchers at Rapid7 showed that nearly 81 million IP addresses responded to their UPnP requests (requests coming from external networks), and that many of the devices had vulnerabilities that could lead to complete takeover. That’s why Routers have recently started being sold with UPnP support disabled by default, to ensure that the UPnP remote connectivity method is unusable.
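As an added example (not Domotz code), the following sketch audits a captured IGD AddPortMapping request of the kind described above and shows that the message carries no credential field at all. The sample request, the IP addresses and the function name audit_add_port_mapping are constructed for illustration, and the four checks are assumed heuristics, not part of the UPnP specification.

```python
import xml.etree.ElementTree as ET

# Constructed sample: body of an IGD AddPortMapping SOAP request as it would
# appear on the LAN. Note there is no credential or token field anywhere.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>8080</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>80</NewInternalPort>
   <NewInternalClient>192.168.1.50</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>webcam</NewPortMappingDescription>
   <NewLeaseDuration>0</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""

SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"
CLEARTEXT_PORTS = {"23": "Telnet", "80": "HTTP"}  # protocols the page calls unencrypted

def audit_add_port_mapping(soap_xml, requester_ip):
    """Return (mapping, findings) for one captured AddPortMapping request."""
    body = ET.fromstring(soap_xml).find(SOAP_BODY)
    action = body[0] if body is not None and len(body) else None
    if action is None or not action.tag.endswith("}AddPortMapping"):
        return None, ["not an AddPortMapping request"]
    m = {child.tag: (child.text or "").strip() for child in action}
    findings = []
    if not m.get("NewRemoteHost"):
        findings.append("any Internet host may connect (empty NewRemoteHost)")
    if m.get("NewLeaseDuration") == "0":
        findings.append("mapping never expires (lease 0)")
    if m.get("NewInternalClient") != requester_ip:
        findings.append("requester %s exposes another host %s"
                        % (requester_ip, m.get("NewInternalClient")))
    svc = CLEARTEXT_PORTS.get(m.get("NewInternalPort"))
    if svc:
        findings.append("forwards to cleartext %s" % svc)
    return m, findings

if __name__ == "__main__":
    mapping, findings = audit_add_port_mapping(SAMPLE_REQUEST, "192.168.1.23")
    print(mapping["NewExternalPort"], "->", mapping["NewInternalClient"])
    for f in findings:
        print(" -", f)
```

The same checks can be run against the mapping table a router reports, which is a quick way to find forwards nobody remembers creating.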

Our Remote Access Security vs. Unsecured URL Connection method

If you look at the URL when opening a Remote Connection through the Domotz PRO WebApp, you will notice that you are not connecting directly to the home network. You are establishing a secure (HTTPS) connection to the Domotz cloud infrastructure.

Other remote management systems create the same sort of secure channel to their cloud infrastructure, but then they go ahead and provide the end user with a direct URL link. This URL link provides a remote connection to the internal device on any general TCP port (therefore, it can also be used by a PC application to access the end device using their own specific protocol). However, that same URL can be sniffed and used by anyone on the same remote network as the user to access the internal device. This, again, creates a critical security vulnerability.

On the other hand, if you copy and paste the URL provided by Domotz PRO on a different PC/Client, even if in the same remote network, you won’t be able to reach the end-device.

Our Remote Access Security wins when used on unsecured Wi-Fi networks

We designed Domotz PRO in a way that allows people to use the Domotz App even in a non-secure location. As a matter of fact, if you are in an Internet café, on a non-secure Wi-Fi, anybody with a few IT skills can identify the URL you are connecting to (even if it is over HTTPS). But with only that URL, a hacker can’t reach the remote device when you are using Domotz PRO.

To sum things up, the Domotz solution for Remote Connection guarantees an additional level of security, because all the supported protocols are encrypted when the data is exposed on a public network.

This means that Domotz PRO secures even the data on a public network for both Telnet and HTTP Remote Connections (which, by default, are not encrypted), through its encrypted channels.

Our Remote Access Security = Security Approved

To conclude, the team here at Domotz take security very seriously. We are delivering security features much above our competitors too! And, hopefully you believe us now after reading this comparison.

Should you have any further questions about Domotz PRO security or anything else, don’t hesitate to reach me and the support team on support@domotz.com.
