
Unknown IP address trying to connect to Flex 6600M

Geoff_W8GNM
Geoff_W8GNM Member ✭✭
Unknown IP address trying to connect to Flex 6600M.  I had IPv4 address 134.122.106.19 show up on a pop-up message on my 6600M front panel while I was having an FT8 QSO on 20m.

Supposedly this IP address belongs to DigitalOcean, LLC and located in London, United Kingdom.

Has anyone else had something like this happen to them?  Could this be a software glitch or was someone actually trying to hack into my radio?
73,
Geoff - W8GNM


Answers

  • Paul_Mills
    Paul_Mills Member ✭✭
    edited March 2020
    Google search shows lots of complaints on these guys. One of the services they supply is VPNs. If it was me, I would probably block in my router.
  • Larry _ NY8T
    Larry _ NY8T Member ✭✭✭
    edited March 2020
    I saw the same thing today.
  • jay con
    jay con Member ✭✭
    edited March 2020
    Also saw the same thing.
  • KI4P
    KI4P Member ✭✭
    edited May 2020
    Also had my Xfinity show me that it blocked a "malicious IP"; not sure what it means though.
  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited March 2020
    To all,

    We are aware of this issue that affected several users yesterday.  We worked on the issue last evening and it would appear that this was a result of a specific type of port scan in an attempt to **** your network. These types of scans (probes) happen all the time (my firewall log is full of them every day) so this is not a unique situation.

    We'll have more to communicate on this a little later, but in every case we investigated, the security mechanisms we put into place to protect your radio from intrusion worked as designed and a successful connection to your radio did not actually occur.  And no SmartLink credentials were compromised either.
  • Geoff_W8GNM
    Geoff_W8GNM Member ✭✭
    edited May 2020
    I haven't found an easy way to block this IP address or a range of IP addresses around it on my TP-Link C8 wireless router.
  • Geoff_W8GNM
    Geoff_W8GNM Member ✭✭
    edited March 2020
    Tim,
    Is there anything I can disable on my 6600M if I am not using remote access?
    I just need local connectivity to my PC with CAT and FT8 apps.

  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited March 2020
    Any actual risk is essentially nil, so there really isn't anything you need to do.

    However, if you have configured SmartLink and do not need to use it, unregister your radio from your SmartLink account and remove any port forwarding rules that you may have entered into your router for SmartLink if you used manual port forwarding.  Also, turn off UPnP in your router too (although this may break other things that rely on it.)
  • Geoff_W8GNM
    Geoff_W8GNM Member ✭✭
    edited March 2020
    Thanks for the suggestions Tim.  I'll be interested in seeing the rest of the information on this issue when it is available.
  • k3Tim
    k3Tim Member ✭✭✭
    edited March 2020
    Chapter 10 of the C8 manual
    https://static.tp-link.com/Archer%20C8_V4_User%20Guide.pdf

    sub chapter 10.4

    GL // k3Tim/7
  • Eric-KE5DTO
    Eric-KE5DTO Administrator, FlexRadio Employee admin
    edited April 2020

    Thanks for bringing this issue to our attention.  First, I want to say up front how seriously we take security at FlexRadio.  The SmartLink system was designed with security in mind, so when we get reports like this, it is important for us to figure out what is going on.  We use the latest industry standards to secure your SmartLink account including public key infrastructure (PKI) encryption alongside TLS (successor to SSL) -- the same technology used for your online banking needs.  To cut to the chase, what we found was that the SmartLink system is working as intended and the “connections” in the message are benign. We found no evidence of compromised systems (radio or SmartLink).


    We observed several instances of what was reported here in this thread both with employees and other customers yesterday around the same time.  Essentially, multiple messages pop up that say that “Client connected from IP (IP shown here).” We understand this can be disconcerting when the IP is not one that you recognize and you quickly come to the conclusion that someone else is using your radio.


    In our analysis, we found that the radio will display the message whenever an initial connection is made to the SmartLink TCP port.  However, the connection is severed if the TLS authentication is not validated. As such, it is ultimately unsuccessful in being fully connected to the radio as a valid client.  This is kind of like someone trying your car door handle when it is locked. Yes, they are pulling the handle, but since it is locked, they still can’t get in.


    As some of you in the IT industry can attest, this kind of thing happens on firewalls all the time.  There are IP and port scans done routinely across the entire IPv4 space. On a firewall, you wouldn’t typically see this unless you went looking in the logs for it as this is exactly the kind of activity that the firewall is designed to keep out and despite the attempts, the firewall is working when it blocks those connections.  This most likely boils down to a port scan where the scanner has gone a step further to attempt a TLS connection to the open port. Without the appropriate credentials, that’s where the road ends. The SmartLink system does its job to prevent access to the radio.


    But not before displaying the confusing message about the connection to the user.  This was a mistake and we understand the alarm this may have caused for you. For this reason, we will be changing the logic to only display the connection message upon successful validation of the client for SmartLink connections in a maintenance release at some point in the near future.  This will suppress these messages.


    tl;dr Your radio is secure.  The messaging is confusing. We’ll improve the messaging.
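
The behaviour described in the post above, as an added example that is not part of the original post and is not FlexRadio code: a loopback server that shows the pop-up either on TCP accept or only after the client has been validated. An HMAC challenge stands in for the TLS client validation, and `KEY`, `serve_one`, `connect` and `run` are hypothetical names.

```python
import hashlib, hmac, os, socket, threading

KEY = b"constructed-demo-key"  # constructed stand-in for a client's real credentials

def serve_one(srv, notify_on, popups, sessions):
    """Handle one connection. notify_on is 'accept' (the behaviour described
    in the post) or 'validated' (the planned change)."""
    conn, (ip, _port) = srv.accept()
    with conn:
        conn.settimeout(2)
        if notify_on == "accept":
            popups.append(ip)            # fires for any TCP connect, scanners included
        nonce = os.urandom(16)
        conn.sendall(nonce)
        try:
            reply = conn.recv(32)
        except OSError:
            reply = b""
        expected = hmac.new(KEY, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(reply, expected):
            return                       # validation failed: severed, no session
        sessions.append(ip)
        if notify_on == "validated":
            popups.append(ip)            # only validated clients reach this line

def connect(port, key):
    """Client side: key=None models a scanner that cannot answer the challenge."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        nonce = c.recv(16)
        answer = hmac.new(key, nonce, hashlib.sha256).digest() if key else b"not-a-valid-reply"
        c.sendall(answer)

def run(notify_on):
    """One scanner probe, then one valid client; returns (popups, sessions)."""
    popups, sessions = [], []
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))       # ephemeral loopback port
        srv.listen()
        port = srv.getsockname()[1]
        for key in (None, KEY):
            t = threading.Thread(target=serve_one, args=(srv, notify_on, popups, sessions))
            t.start()
            connect(port, key)
            t.join()
    return popups, sessions

if __name__ == "__main__":
    for mode in ("accept", "validated"):
        print(mode, run(mode))
```

In both modes only the valid client gets a session; the difference is whether the unauthenticated probe is ever shown to the user.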


  • Bill -VA3WTB
    Bill -VA3WTB Member ✭✭✭
    edited April 2020
    This is interesting, I have a question. Other radio companies allow remote using some sort of app for remote use, but they go direct without the use of a setup like SmartLink. How are they protected against attacks over the wide network?
  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited April 2020
    It would not be prudent for FlexRadio to comment on other types of radio remote access.  I recommend if you have a question, ask them directly.
  • Geoff_W8GNM
    Geoff_W8GNM Member ✭✭
    edited April 2020
    Eric, Thanks for the details.   I checked my SmartLink status and found that I was not registered in SmartLink at the time I was seeing IP address 134.122.106.19 trying to connect to my 6600M.   I don't understand why I was seeing this if I wasn't registered in SmartLink.  Everyone else is reporting the same IP address.
    Geoff
  • Eric-KE5DTO
    Eric-KE5DTO Administrator, FlexRadio Employee admin
    edited April 2020
    We actually saw a number of different IP addresses show up in the reports that we saw.  They weren't all the same.  To prevent this kind of connection, you'll need to ensure that external connections (WAN) cannot access your radio.  To do this, make sure that you don't have any port forwarding to your radio and services like UPnP are disabled.  ***Just to be clear (for others), SmartLink will not function if you configure your network to refuse all WAN traffic to the radio.***
  • Geoff_W8GNM
    Geoff_W8GNM Member ✭✭
    edited April 2020
    Hi Tim, Thanks for the link to V4 of the Archer C8 manual.  I could not find sub chapter 10.4.  My version of the manual only goes to 10.3.  In the various security settings, I could not find a way to block a specific IP address from the WAN.  The only blocking tool I found was MAC address blocking.  I am running the latest version of C8 firmware.  Do you have any other suggestions?  Thanks, Geoff
  • k3Tim
    k3Tim Member ✭✭✭
    edited April 2020
    Hi Geoff
    The link posted shows an updated manual that has chapter 10, subsection 4.  If the router firmware does not support blocking the attack you're seeing, I would personally replace it.  Using a Netgear commercial router here at the WAN interface and it seems very secure.

    Perhaps a port scan to see what ports are open?
    Someone in IT security here on the community may have a suggestion...

    k3Tim/7
