Feature request: allow user to restrict confidential info from diagnostic report

Hello everyone,
I have a Surf SOHO MK3 and I am being requested to send a diagnostics reports to the support team, but I am a bit concerned about the type of information it might contain, since it is an opaque blob of information. Does anyone know what it contains?
For example, does it include VLAN names, settings and IP ranges, Mac Addresses, WIFI passwords and SSIDs, firewall rules, machine names, DHCP reservations, full configuration, SSL certificates, passwords, etc… ? Or just debug logs?
I understand why Peplink would want to keep this opaque to keep the inner-workings of their system hidden, but in this day and age, I think an official documentation of what private data it might include and what it definitely doesn’t include is critical. Basically you could be sending out the keys to your kingdom and critical bits of information about your network topology along with key elements of your network without even realizing it, all through the internet without even knowing if it is well encrypted or not.

Any official statement on this from Peplink would be welcome,

Thanks.

2 Likes

Hi Peparn

The diagnostic file contains a copy of the config file from the peplink device that it is downloaded from. It contains a snapshot of the CPU processes that are running, and a snapshot of the RAM at the time the diagnostic is taken. There are a number of logs including one which has all of the connected clients (same as you can see in the status, client screen). Along with this there are a number of process specific log/diagnostic files which allow us to see how the device is running. The file is encrypted to keep it secure and can only be opened by peplink engineers who delete the contents after completing the ticket.

Without access to this file, diagnosing an issue would be much harder and in many cases impossible.

Thanks
James

1 Like

Hello James,
Thank you very much for responding. What is included makes a lot of sense and this is what I would have expected to be able to remotely debug properly.
However, could you confirm whether the configuration file that is included, or any of the other logs or diagnostic info you mention, include WIFI passwords, router password or the SSL certificate that is on the router (including the related password?)?
Thank you.

However it works today, may well change in the future. I would suggest changing all your passwords after providing the diagnostic file to Peplink.

2 Likes

I really hope James or someone at Peplink confirms passwords and SSL certificates are not included in the report. This would be an easy thing to make sure of while collecting logs.
If they are included, then changing all passwords is indeed the answer, but it is a lot of work. I have lots of WIFI networks with many devices, some of them embedded. We are talking at least 1h30 of work to change all the passwords and audit everything… And if they ask for another diagnostic, another 1h30… Ugh… And changing SSL certificate too…
Hopefully they thought about this and will confirm there are no concerns :smile:

1 Like

Hi Peparn

The config file will contain all settings to allow us to replicate your exact setup including passwords and certificates so yes it is included in the diagnostic.
In your case (having seen the ticket) if this really concerns you then it may be worth you taking a config backup, reset to factory defaults, replicate the issue, and take a diagnostic, and then restore the config file.

Thanks
James

3 Likes

Thank you very much for the clarification James.
If I may suggest, I think this should be documented in the user manual and there should be a warning displayed in the WebUI, so that people are aware they are sending their passwords, certificates and other potential critical info to a third party.
In the future, I think it would also be great to have a check mark to explicitly include the passwords and certificates in the very rare cases that those are needed for debugging, and otherwise not include those (and anything private that is not critical for debugging) in the diagnostics. Of course, just a suggestion, but in this day and age where security is a growing concern, I think it would make sense.
Cheers!

3 Likes

I’m with Peparn… I’ve not needed to submit anything thankfully. I’d probably reset, backup and then change all passwords - IF I submitted it at all.

A checkbox to exclude certain parts of the config and exact details as to what is exported would be appreciated

1 Like

Hi Peparn and Brill

I have moved this to feature requests to see if there is any interest in this as a feature. Also re titled it accordingly.

thanks
James

5 Likes

Thanks James, I obviously vote for that +1 :wink: