Peplink Security Breach

Note 1: Clarification on the firmware version. (9/29/2023)
Per reply #32 below, the team was able to make the fix in the RC6 of 8.3.0.
In other words, any units running firmware 8.3.0 GA or later have this fix.


Hi all, after taking into account your feedback, we have developed the following action plan:

  1. Reminder: The current feature “Block Peplink Support” effectively blocks unauthorized access to customer devices or Remote Assistance (RA). We will work on a proactive approach to encourage every organization to review the “Block Peplink Support” option. For example, this can be done by presenting a prompt the next time they log in.
    1. When creating a new organization, a checkbox labeled “Block Peplink Support” will be added, enabling customers to review and activate the feature right away. (Next release of IC2).
  2. We will introduce a timer function for RA. This will allow a user to set the length of time that RA will be active before automatically turning off after expiration, thereby providing users with greater control/security over this feature. (Target: 8.3.1)
  3. The device firewall has a section to control the traffic of system processes. However, we have observed that it is not effective in blocking some functions or traffic; otherwise, it could have been used to disable the RA tool. To address this, our team has derived a workaround config to block this traffic on the current firmware. Furthermore, we will enhance the firewall section in an upcoming release, either 8.3.1 or 9.0, to provide greater control over this type of system-level traffic, including RA.
  4. We plan to enhance InControl by updating the event log to display RA events. Both enable and disable events will be available at the event log and also sent as email notifications. (Target: 8.3.1)
  5. We also want to highlight this: Due to the limitations inherent in a hosted system, to accommodate customers who require the highest level of privacy, such as public safety and military organizations, Peplink offers an on-premises version of IC2 that customers can host themselves.
  6. Customers can report security-related issues to [email protected]. The emails will be directly sent to the team leads in engineering, support and business.

These are the measures to ensure that Peplink will never access a customer device without their prior consent and authorization. Your comments are appreciated.

Thank you.

14 Likes

The latest post should have addressed (1) and (2). Please review if (3) is addressed, if not, can you elaborate more? Thanks.

1 Like

Thank you Keith - that should satisfy everyone.

And for anyone interested in private IC2 - we do run that as well as using public. It is in some ways more secure, but a bit of a pain in the ass. Not something I would recommend for anyone with fewer than “hundreds” of devices. Not a trivial setup!
But it works great and allows you to totally secure your data.

4 Likes

I don’t use InControl2. I want a setting in the local admin GUI (like a checkbox) that will disable all remote access by InControl2/Peplink to my device. Checking the box should configure the local device (including by turning on firewall rules, as needed) to block InControl2/Peplink remote access.

I don’t really want to have to mess around with creating firewall rules manually. Ideally, however, any firewall rules created by the check-the-box approach would be displayed in the firewall rules and either those rule would not be editable without unchecking the box or editing those rules would cause the box to be unchecked.

Can you post what the appropriate firewall rules are (including the workaround config)?

Thanks!

Good response, thanks

2 Likes

We will evaluate this and @WeiMing will follow up with a response (with a new thread).

@WeiMing will post an FAQ article on the details.

2 Likes

Created the KB article to illustrate the workaround option.

Do share your thoughts with us.

4 Likes

Thank you @WeiMing.

2 Likes

Sounds good Keith! Thank you.

2 Likes

Hey folks,

Small good news. Our engineering team has managed to squeeze some enhancements to 8.3.0 RC6 (released yesterday).

Captured from the release notes:

[RC 6] [Firewall] Added an expert option to block the system traffic. (Separate FAQ will be created.)
[RC 6] [System] Added: Start/Stop Remote Assistance actions are now logged into the Event Log.
[RC 6] [Web UI] Added: Remote Assistance Duration Setting and Status, Remote Assistance session will be turned off after expiration. In addition, Remote Assistance will be turned off after this firmware upgrade even if it was set to on previously.

8 Likes

Thanks Keith & Team!

Hello, Peplink… Nice job adding firewall rules for outgoing traffic. BUT still not perfect. Look at my pictures. There is a GRE tunnel working, but there is no firewall rule allowing this tunnel or GRE tunnel. Thank you.

Thank you and that’s why we need an RC release :sweat_smile:.

Our engineering will look into this. @WeiMing @sitloongs

2 Likes

This is a GRE BUG… I turn the other side OFF, but still showing connect.

@MarceloBarros, thanks for highlighting this to us, we are looking into it and will come back with more details.

[Update]

@MarceloBarros, we have verified and confirmed it is indeed a UI bug that shows the GRE is connected even though it is not. We have filed a bug record to fix it.

1 Like

What is an ic2?

Hi Gregory,

ic2 == InControl 2 >>> link

1 Like

@JO3 thank you for posting this. I, too, have worked with the palo, Cisco, juniper, etc devices in the security field and hearing of this is a shocker that it was not only allowed but initially handled in the way you mentioned.

I was about to start crossing Peplink off my future device list, but have been pleasantly surprised by how they turned their response around and started to openly acknowledge and begin mitigating the issue through quick firmware updates. It still doesn’t discount the fact that they initially blew you off until you went public. It will take time for them to regain our trust, but it does show light at the end of the tunnel that they’re actively working on mitigations.

Look forward to better transparency from peplink especially given their marketing positioning as a “router for security systems” and their stance on “defense-in-depth”.

1 Like

I am hoping the Peplink team can review my recent post at: Peplink | Pepwave - Forum

Ubiquiti just had a major issue and some very scary things came to light.

It would be great if the peplink team can please review and opine:

https://www.reddit.com/r/Ubiquiti/comments/18v1ycb/im_continually_messaging_ui_for_answers_after_the/10

Hopefully Peplink is on their game and thinking 1-2 steps ahead

Anyone from Peplink read this: Synology QuickConnect White Paper ??

How is Peplink configured in comparison? Any room for improvement?

1 Like

I’m late to reply, but @mystery you can disable the ability for InControl connectivity.