Peplink Security Breach

I do appreciate your response and your advice. In this case I do not have a distributor as I only have this device and it was purchased through Amazon.com.

I spoke with Travis and Keith from Peplink management by telephone. They both agreed that this is very concerning, were very apologetic and believe they both have a path forward. They stated Peplink will release a statement, but they did not say when. To be clear, the concern isn’t Peplink engineering utilizing remote assistance to access a device. The concern is Peplink engineering being able to enable remote access without a customer’s knowledge or consent, thus allowing unauthorized access. Remote access is not a triggered event in the event log either.

3 Likes

You can disable the function that Peplink can access your inControl, it’s a setting set on the Organization Settings. This feature was already present to comply to certain regulations. You can disable this function when you need Support.

No one can override this but an Administrator in your inControl2 organization.

1 Like

That feature will soon be enabled by default after my conversation with Travis and Keith yesterday.

4 Likes

Our team is actively working on a plan. We will respond with details in the next few days.

Thanks for your patience while we are working on it.

5 Likes

Kudos to Peplink for not killing this forum thread and for (hopefully) addressing the problem.
Thank you!

3 Likes

Had they killed this thread it would have only made things worse. Anyways, what’s done is done and I only hope Peplink can move forward in the positive direction we discussed and roll out their planned fix.

1 Like

Logging logging logging. The use of remote access by Peplink tech support should be noted in the Event Log. When it starts, when it ends and the source IP address.

As for blocking access to InControl2 via domain based firewall rules: are you sure those are all the domains? If so, maybe use DNS to assign them an invalid IP address.

Taking a step back, it is easy to see times when things are really fouled up that allowing Peplink into the router would be a godsend, and for cases like that, their use of hard coded IPs to avoid any DNS issues, could be a life saver. On the other hand, this thread.

It’s much like truly secure end-to-end cloud based file storage. If you want the highest possible level of security, it means that losing your password loses all access to your files. Some people want/need that, others do not. The price for a get-out-of-jail card is that the cloud file storage company can read your files.

As long as it is made VERY clear that blocking Peplink tech support means you are on your own when things go bad, all good. Some customers will want this, others not. I see this as a documentation problem. That choice was not front and center and clearly communicated. One checkbox out of dozens is easily missed.

5 Likes

I agree 100% on your logging comment. I did open a ticket regarding not being able to block IC2 using the firewall. The workaround provided by Peplink was to deny DNS resolution for ac1.peplink.com and ac2.peplink.com. That’s a good start, but if the IP addresses were to ever become hardcoded within their software, the firewall rule wouldn’t be matched anymore and traffic would be allowed. I shared that comment with Peplink support and they stated the IP addresses are not hardcoded and only use ac1.peplink.com and ac2.peplink.com.

I can confirm that IC2 and remote assistance do not work even if enabled when blocking ac1.peplink.com, ac2.peplink.com and ra.peplink.com using outbound policies.
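Added example, not part of any post in this thread and not Peplink code: one way to check from an upstream vantage point that the DNS-based block described above is holding, and to spot the hardcoded-IP case the poster raises. The key=value log format, the sample lines and the IP addresses are constructed assumptions; only the three hostnames come from the thread.

```python
# Audit a DNS-based block of InControl2 / Remote Assistance from upstream logs.
BLOCKED = {"ac1.peplink.com", "ac2.peplink.com", "ra.peplink.com"}  # names from the thread

# Constructed sample logs in a hypothetical key=value format (documentation IPs).
DNS_LOG = """\
2023-09-20T10:00:01 query=ac1.peplink.com answer=NXDOMAIN
2023-09-20T10:00:02 query=time.example.net answer=198.51.100.7
2023-09-20T10:05:00 query=ra.peplink.com answer=203.0.113.40
"""
FLOW_LOG = """\
2023-09-20T10:00:03 dst=198.51.100.7 dport=123
2023-09-20T10:05:01 dst=203.0.113.40 dport=443
2023-09-20T10:07:30 dst=192.0.2.99 dport=443
"""

def parse(text):
    """Yield (timestamp, fields) for each 'ts key=value ...' line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        yield ts, dict(p.split("=", 1) for p in pairs)

def audit(dns_text, flow_text, blocked=BLOCKED):
    """Return (timestamp, dst, reason) for each router flow that defeats the block."""
    answers = []  # (timestamp, ip, queried name) for every successful resolution
    for ts, f in parse(dns_text):
        if f["answer"] != "NXDOMAIN":
            answers.append((ts, f["answer"], f["query"].lower().rstrip(".")))
    findings = []
    for ts, f in parse(flow_text):
        # Names that resolved to this destination at or before the flow time.
        names = {n for a_ts, ip, n in answers if ip == f["dst"] and a_ts <= ts}
        hit = sorted(names & blocked)
        if hit:
            # The DNS block leaked: a blocked name resolved and was then contacted.
            findings.append((ts, f["dst"], "blocked name resolved: " + ", ".join(hit)))
        elif not names:
            # No resolution preceded the flow, so the address was not learned via DNS.
            findings.append((ts, f["dst"], "no prior DNS answer (direct-to-IP)"))
    return findings

if __name__ == "__main__":
    for finding in audit(DNS_LOG, FLOW_LOG):
        print(*finding)
```

Direct-to-IP findings need triage against destinations that are legitimately configured by address, such as a statically set NTP or syslog server.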

I am going to jump in on this one, as someone who has been involved in computer security since 1977 when I got in trouble for hacking ARPANET, worked on a bank wire transfer system moving a billion Dollars a day, and have written point of sale systems, AR/AP systems etc for large companies.

First - we all agree Peplink should not have accessed a device without consent.
BUT - reality check time: Any cloud managed device CAN be accessed remotely by staff at the company running the cloud management, unless there is a hard control to disallow it. If you disagree, you are a fool. And many non “cloud managed” devices have some form of remote access. That is why the “internet of things” is a hacker’s delight. Every web TV, IP camera, music player…all live connection to the cloud.

And, even if there IS a control, you are still trusting that the company will not have a backdoor to override it - just as you trust EVERY software and hardware (which is software) manufacturer to not have a back door sending them login credentials etc.
My point being that although most people on this thread are showing a proper amount of common sense in what they are requesting, one or two are asking for the impossible - to make it NOT POSSIBLE for the device to be accessed remotely. Only way to do that is not connect it to the Internet, which somewhat reduces the usefulness of a router. Sonicwall, mikrotik, cradlepoint - you name it, it is physically possible for them to write firmware to allow remote access. You just trust that it is not happening.

So, what is practical?

  • A clear statement that peplink will ever access a device or certain IC2 data without prior consent.
  • Logging of and real time reporting of access. i.e. email saying “tech xxx from IP yyy is accessing device zzz via RA”. Perhaps most recent RA event shows on dashboard, not just in log.
  • control in GUI to block RA being turned on remotely (did I get that correct, issue here is RA was “off” but was turned on, then accessed remotely?)
  • control in GUI plus perhaps finer control in IC2 to tell device to not display login creds in IC2. (may need those creds for IC2 to function at all, not sure of that)

Bottom line - Add a few more controls, add some logging, get clear statements of policy and just move on. At the end of the day, you just have to have faith.
We have about 2,000 peplink devices, some in place for six+ years now and have never had an actual security issue involving the peplink. And over the years they have responded well to enhancement requests involving security.

12 Likes

That’s true, but that’s also what backing up the configuration file is for. Worst case scenario, if I somehow mess up the configuration of my Peplink router and lock myself out, I can do a hard reset and then restore from my configuration backup file.

I want:

  1. a promise by Peplink that they will NEVER access my router without my express authorization,
  2. a promise by Peplink that any remote access is logged and an event notification is sent to my account e-mail address, and
  3. a setting configurable in the GUI that disables remote access by Peplink, that can’t be changed remotely, and that technologically prevents Peplink from remotely accessing my device (or changing that setting) without a change in the firmware. (And, of course, that setting should prevent Peplink from pushing out a firmware update too.)

3 Likes

Agreed.

Note 1: Clarification on the firmware version. (9/29/2023)
Per reply #32 below, the team was able to make the fix in the RC6 of 8.3.0.
In other words, any units running firmware 8.3.0 GA or later have this fix.


Hi all, after taking into account your feedback, we have developed the following action plan:

  1. Reminder: The current feature “Block Peplink Support” effectively blocks unauthorized access to customer devices or Remote Assistance (RA). We will work on a proactive approach to encourage every organization to review the “Block Peplink Support” option. For example, this can be done by presenting a prompt the next time they log in.
    1. When creating a new organization, a checkbox labeled “Block Peplink Support” will be added, enabling customers to review and activate the feature right away. (Next release of IC2).
  2. We will introduce a timer function for RA. This will allow a user to set the length of time that RA will be active before automatically turning off after expiration, thereby providing users with greater control/security over this feature. (Target: 8.3.1)
  3. The device firewall has a section to control the traffic of system processes. However, we have observed that it is not effective in blocking some functions or traffic, or else that could have disabled the RA tool. To address this, our team has derived a workaround config to block this traffic on the current firmware. Furthermore, we will enhance the firewall section in an upcoming release, either 8.3.1 or 9.0, to provide greater control over this type of system-level traffic including RA.
  4. We plan to enhance InControl by updating the event log to display RA events. Both enable and disable events will be available at the event log and also sent as email notifications. (Target: 8.3.1)
  5. We also want to highlight this: Due to the limitations inherent in a hosted system, to accommodate customers who require the highest level of privacy, such as public safety and military organizations, Peplink offers an on-premises version of IC2 that customers can host themselves.
  6. Customers can report security-related issues to [email protected]. The emails will be directly sent to the team leads in engineering, support and business.

These are the measures to ensure that Peplink will never access a customer device without their prior consent and authorization. Your comments are appreciated.

Thank you.

14 Likes

The latest post should have addressed (1) and (2). Please review if (3) is addressed, if not, can you elaborate more? Thanks.

1 Like

Thank you Keith - that should satisfy everyone.

And for anyone interested in private IC2 - we do run that as well as using public. It is in some ways more secure, but a bit of a pain in the ass. Not something I would recommend for anyone with fewer than “hundreds” of devices. Not a trivial setup!
But it works great and allows you to totally secure your data.

4 Likes

I don’t use InControl2. I want a setting in the local admin GUI (like a checkbox) that will disable all remote access by InControl2/Peplink to my device. Checking the box should configure the local device (including by turning on firewall rules, as needed) to block InControl2/Peplink remote access.

I don’t really want to have to mess around with creating firewall rules manually. Ideally, however, any firewall rules created by the check-the-box approach would be displayed in the firewall rules and either those rules would not be editable without unchecking the box or editing those rules would cause the box to be unchecked.

Can you post what the appropriate firewall rules are (including the workaround config)?

Thanks!

Good response, thanks

2 Likes

We will evaluate this and @WeiMing will follow up with a response (with a new thread).

@WeiMing will post an FAQ article on the details.

2 Likes

Created the KB article to illustrate the workaround option.

Do share your thoughts with us.

4 Likes