TL;DR: Peplink engineering can enable remote assistance on your device and access it without your consent or knowledge, and did just that to me. You’d never know it, because remote assistance is not a condition triggered in the event logs.
On January 24, 2023, I submitted a ticket to Peplink engineering reporting a bug within 8.2.1 build 5018 and 8.3.0 RC4 in relation to routing while OpenVPN, a license feature I paid for, is enabled. After speaking with Peplink engineering for a few days they requested I enable remote assistance so they could access my MAX-BR1-PRO-5GH-T-PRM to reproduce the reported bug. I enabled remote assistance on January 26, 2023, around 1419CT and shared with Peplink engineering that I was ready for them to connect. After Peplink engineering had successfully reproduced the reported bug and notified me, I disabled remote assistance.
On January 26, 2023, around 1511ET I disabled remote assistance and asked Peplink engineering to reach out if they needed access again. Sometime between January 26, 2023, and January 30, 2023, Peplink engineering, without my knowledge or consent, accessed my device through IC2, enabled remote assistance and gained access to my MAX-BR1-PRO-5GH-T-PRM. It was only by pure luck that I found remote access had been enabled when performing my daily system checks. Once I found out this had happened, I immediately disabled remote assistance and reached out to Peplink engineering for answers.
Peplink engineering responded 22 hours later with a generic response and ignored my question of, “How did remote access get enabled?” I immediately replied to their response and asked the same question again. After my reply it took Peplink engineering 24 hours to respond just to state, “We have no idea how this was enabled.” I was done beating around the bush and directly accused Peplink engineering of enabling remote assistance, and this was their response, 48 hours later.
PEPLINK’S RESPONSE
“Reading through your latest response, we have conducted an internal check to clarify the matter.
I must admit that we have made a mistake, as part of the troubleshooting process, the support personnel was anxious to find out the device condition and unintentionally turned ON the Remote Assistance via IC2, without prior consent from you. Only the Level 2 and above Support Personnel have this access privilege.
We have contacted that particular support personnel and all the support team members to highlight and stress that we shall never repeat the same mistake again in the future. As a standard practice, we should ask the customer/partner to enable Remote Assistance, then only we will access the device for investigation.
One more thing that I would like to share with you, there is an option to allow you, as the IC2 > Organization owner, to prevent Peplink from accessing your IC2, by enabling the “Block Peplink Support” option (as shown below).”
END OF PEPLINK’S RESPONSE
The feature being discussed above states, “Block Peplink Support – Prevent Peplink support from viewing this organization.” Nowhere in that statement does it say, “Prevent Peplink support from making changes.” What Peplink engineering did is unacceptable, and they need to be held accountable. Peplink devices are in use by individual users, commercial users, some with PCI DSS requirements, and Government agencies at all levels. To know that Peplink not only can enable remote assistance, but to enable it without the owner’s consent or knowledge is gravely concerning.
The ability to view customers’ unsanitized/unsalted configurations, passwords, certificates, etc. without their consent is unacceptable. A malicious employee has full access to the user’s network and could capture traffic if they enabled captures under “cgi-bin/MANGA/support.cgi”. Furthermore, they could offload those captures in real time to a remote host. I’ve been a Senior Network Engineer for 10+ years and I’ve worked with major vendors such as Palo Alto, Cisco, Juniper, Arista and Aruba, and I cannot think of one time where an employee had the ability to circumvent a customer and/or their configurations and enable remote access.
I replied sharing my displeasure with Peplink engineering and requested a phone call to further discuss what is technically a security incident but have been 100% ignored. Peplink owes its customers an explanation as to why this was ever allowed in the first place and how/when they intend to do away with this “feature”. Searching online shows other customers have seen their remote access “randomly” enabled, too.
If you think you can block IC2 using the built-in firewall, think again. It appears the traffic for IC2 bypasses the firewall. Even with denying all inbound traffic and denying outbound traffic to ac1.peplink.com, ac2.peplink.com, ra.peplink.com and ra-geo.peplink.com, IC2 still works. I submitted a ticket to Peplink asking why IC2 was bypassing the firewall, but instead of answering the question they wanted to focus on why disabling it within the GUI wasn’t enough.
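Since the device’s own firewall and event log give no signal, one check an operator can run independently of the router is to watch an upstream DNS resolver for lookups of the IC2 and remote-assistance hosts named above. The script below is an added example, not Peplink code; it parses dnsmasq-style query log lines (constructed sample, example router address 192.0.2.10) and counts which of those hosts the router resolved, so continued lookups after you believe you have blocked IC2 are visible.

```python
import re
from collections import Counter

# Hosts named in the post as IC2 / remote-assistance endpoints.
# Assumption: this list is what the device uses; extend it with any
# other peplink.com names you observe in your own resolver logs.
IC2_HOSTS = {
    "ac1.peplink.com",
    "ac2.peplink.com",
    "ra.peplink.com",
    "ra-geo.peplink.com",
}

# Constructed sample of dnsmasq query-log lines from an upstream resolver.
# 192.0.2.10 is the Peplink router; 192.0.2.22 is an unrelated client.
SAMPLE_LOG = """\
Jan 27 03:12:01 dnsmasq[1]: query[A] ac1.peplink.com from 192.0.2.10
Jan 27 03:12:01 dnsmasq[1]: query[A] www.example.com from 192.0.2.22
Jan 27 03:14:33 dnsmasq[1]: query[A] ra.peplink.com from 192.0.2.10
Jan 27 03:20:05 dnsmasq[1]: query[AAAA] ra-geo.peplink.com from 192.0.2.10
Jan 27 03:25:40 dnsmasq[1]: query[A] ra.peplink.com from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) .*?query\[(?P<qtype>\w+)\] "
    r"(?P<name>\S+) from (?P<src>\S+)"
)

def _is_ic2_host(name):
    # Exact match or a subdomain of one of the known hosts.
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in IC2_HOSTS)

def ic2_lookups(log_text, router_ip):
    """Return [(timestamp, name)] for IC2-host lookups made by router_ip."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("src") == router_ip and _is_ic2_host(m.group("name")):
            events.append((m.group("ts"), m.group("name").lower()))
    return events

def ic2_lookup_counts(log_text, router_ip):
    """Per-host lookup counts; a non-empty result means IC2 is still reachable."""
    return Counter(name for _, name in ic2_lookups(log_text, router_ip))

if __name__ == "__main__":
    for host, n in ic2_lookup_counts(SAMPLE_LOG, "192.0.2.10").items():
        print(f"{host}: {n} lookup(s)")
```

Point it at your real resolver log (tail -f piped into it, or a periodic read) and alert on any hit once you expect the rules to be in effect.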