Welcome to the new FlexRadio Community! Please review the new Community Rules and other important new Community information on the Message Board.
If you are having a problem, please refer to the product documentation or check the Help Center for known solutions.
Need technical support from FlexRadio? It's as simple as Creating a HelpDesk ticket.

Deprecation of SmartLink Social Media Sign-On

Tim - W4TME
Tim - W4TME Administrator, FlexRadio Employee admin
edited June 2020 in New Ideas
This document describes the upcoming depreciation of using social media SmartLink account types. Specifically what you need to do if you are currently using Facebook or Google accounts to log in to your SmartLink account. If you are using an email address directly entered into the SmartLink login screen or do not use SmartLink, then this notification is not directly applicable, but you are welcome to review it.

Deprecation of SmartLink Social Media Sign-On
0 votes

Open for Comments · Last Updated

0 votes

Active · Last Updated

Comments

  • Jim Gilliam
    Jim Gilliam Member ✭✭
    edited April 2020

    Deprecation is really a strange word to use, in my opinion. To me deprecate is to disapprove of something. I think it would be more accurate to say the social media sign-0n is eliminated.
  • Ken Wells
    Ken Wells Community Manager admin
    edited April 2020
    In the software world, it has evolved into a different meaning.

    https://techterms.com/definition/deprecated

  • Logan KE7AZ
    Logan KE7AZ Member ✭✭
    edited April 2020
    Your “spell wrecker” is using “depreciate”when you mean deprecate” in all of its various forms. Logan, KE7AZ
  • Joe N3HEE
    Joe N3HEE Member ✭✭
    edited April 2020
    I think this is a hint the next release is coming soon !
  • K1UO Larry
    K1UO Larry Member ✭✭✭
    edited April 2020
    LOL..  I'm with you Joe!
  • KD0RC
    KD0RC Member, Super Elmer Moderator
    edited April 2020
    It has, and I can't stand it.  On project meetings, anytime anyone used the term I would come back with "You are the worst piece of lousy, stinking software ever...".  Team members got tired of that and went back to saying something was retired.

    73,
    Len, KD0RC (I am retired, not deprecated...)
  • Val  DM1TX
    Val DM1TX Member ✭✭
    edited June 2020
    Thanks Tim for all the hard work. Since I have no social accounts (life) :-) it is easy for me. Stay safe and healthy. 73
  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited April 2020
    :-)
  • John Langdon
    John Langdon Member ✭✭
    edited April 2020
    Hoping for multiple user logins w/ privileges, and adaptive predistortion.
  • N8SDR
    N8SDR Member ✭✭
    edited May 2020
    What concerns me about the Smart link feature is the fact there is no type of security authentication, no 2FA or other form, just based on a simple password. In fact I brought this up with Matt little over a year ago when I suspected an attempted login from unknown address.

    In a world were hacking is the norm, and any type of remote with no real form of authentication token 2 factor as an example isn't a good ideal. As an MSP and a SAS supplier none of my accounts and services over the past year or so have just a simple username/password login. Luckily I watch my network very close eyed and saw the attempt.

    Until there is some form of 2FA or the like no remote for me. You can claim all you want about how secure that remote function is on the sever, but truth is all it takes is someone not updating a patch or applying a security fix and net sniffing and hacking find an opening. At least with some form of 2FA there is at least another barrier that needs to be gone through. That remote server service you use inst owned by Flex is it, So you only have there word and hope they keep things updated and secure.

    I could point out a lot of companies who thought there remote services were secure. only to find a security patch or fix wasn't applied and left open for back doorring. You have probably read about some of them Deloitte Consulting, Yahoo , ADOBE, Equifax.

    Please implement some form of 2FA into the remote connection, sure it might seem cumbersome to have to enter a token when you remote but at least it makes it a bit more secure and offers another barrier that needs to be broken in an attempt to gain access, and I'm not talking just about access to the remote connection, once a hackers is a that point they have access to your system and most likely other devices on your network as well.
  • Bill -VA3WTB
    Bill -VA3WTB Member ✭✭✭
    edited May 2020
    This is a reply from Eric on this matter that may help.

     Eric - KE5DTO, Official Rep

    • 948 Posts
    •  
    •  359 Reply Likes

    Official Response





    Thanks for bringing this issue to our attention.  First, I want to say up front how seriously we take security at FlexRadio.  The SmartLink system was designed with security in mind, so when we get reports like this, it is important for us to figure out what is going on.  We use the latest industry standards to secure your SmartLink account including public key infrastructure (pki) encryption alongside TLS (successor to SSL) -- the same technology used for your online banking needs.  To cut to the chase, what we found was that the SmartLink system is working as intended and the “connections” in the message are benign. We found no evidence of compromised systems (radio or SmartLink).


    We observed several instances of what was reported here in this thread both with employees and other customers yesterday around the same time.  Essentially, multiple messages pop up that say that “Client connected from IP (IP shown here).” We understand this can be disconcerting when the IP is not one that you recognize and you quickly come to the conclusion that someone else is using your radio.


    In our analysis, we found that the radio will display the message whenever an initial connection is made to the SmartLink TCP port.  However, the connection is severed if the TLS authentication is not validated. As such, it is ultimately unsuccessful in being fully connected to the radio as a valid client.  This is kind of like someone trying your car door handle when it is locked. Yes, they are pulling the handle, but since it is locked, they still can’t get in.


    As some of you in the IT industry can attest, this kind of thing happens on firewalls all the time.  There are IP and port scans done routinely across the entire IPv4 space. On a firewall, you wouldn’t typically see this unless you went looking in the logs for it as this is exactly the kind of activity that the firewall is designed to keep out and despite the attempts, the firewall is working when it blocks those connections.  This most likely boils down to a port scan where the scanner has gone a step further to attempt a TLS connection to the open port. Without the appropriate credentials, that’s where the road ends. The SmartLink system does its job to prevent access to the radio.


    But not before displaying the confusing message about the connection to the user.  This was a mistake and we understand the alarm this may have caused for you. For this reason, we will be changing the logic to only display the connection message upon successful validation of the client for SmartLink connections in a maintenance release at some point in the near future.  This will suppress these messages.


    tl;dr Your radio is secure.  The messaging is confusing. We’ll improve the messaging.




  • Bill -VA3WTB
    Bill -VA3WTB Member ✭✭✭
    edited May 2020
    Also:

     Tim - W4TME, Customer Experience Manager

    • 9478 Posts
    •  
    •  3665 Reply Likes






    To all,

    We are aware of this issue that affected several users yesterday.  We worked on the issue last evening and it would appear that this was a result of a specific type of port scan in an attempt to **** your network. These types of scans (probes) happen all the time (my firewall log is full of them every day) so this is not a unique situation.



    We'll have more to communicate on this a little later, but in every case we investigated, the security mechanisms we put into place to protect your radio from intrusion worked as designed and a successful connection to your radio did not actually occur.  And No SmartLink credentials were compromised either.
  • N8SDR
    N8SDR Member ✭✭
    edited May 2020
    Look - Bill I'm not going to get started with arguments

    Tim and Matt responded 10 months ago to my concern regarding this, I was told NOTHING HAPPENED I opened Request #32315 at that time,  I spoke with Matt regarding this he specifically told me then verbally on the PHONE Nothing happened no one else has said anything later they put out that statement months after, the beginning of the IP address which tried to attached itself to my system at that time was a 72.X.x.x  Which is no where close to my local LAN or my outbound WAN so it was indeed from outside my network.

    Point is ONCE any client see's an outside IP address they were not expecting a BREECH has occurred end of story! it takes nothing at that point to drop a payload or do a quick port scan period. The answer above is not satisfying.

    And again a very similar response was taken on us us who were told Nothing is wrong with the SD cards its a user error or improper shut down early on when we reported that problem. I know what I saw I reported about it right away.

    I constantly monitor things like this as its part of my business as a owner of a I/T MSP/SAS company.  Whats going on isn't right.
  • Dan-N7HQ
    Dan-N7HQ FlexRadio Employee, Community Manager admin
    edited May 2020

    "Point is ONCE any client see's an outside IP address they were not expecting a BREECH has occurred end of story! it takes nothing at that point to drop a payload or do a quick port scan period. The answer above is not satisfying."


    I was on the investigation team for these incidents. 

    The term BREECH implies circumventing security in some way.  No client, or radio for that matter, was ever breached in any way.  Additionally, no part of the set of cloud services that comprise SmartLink* was ever involved.  Each connection attempt originated from an external scan (for open ports).  Gibson Research (grc.com) has a popular web-based tool, called Shields Up!, that scans external ports.  It is an excellent tool to use if you are concerned about how your Internet connection presents itself to the world.

    We protect Internet network communications (to and from the radio) using certificate-based, Transport Layer Security (TLS) version 1.3.  There is no possible way for an external actor to "drop a payload" to your radio without first, circumventing security.  Our clients do not listen to UDP/TCP ports, so they are invisible/invulnerable to a port scan.

    The client connected message you and a handful of others received, was generated by a bug in the radio firmware that displayed the originating IP address, even though the connection attempt failed authentication.  This bug is fixed and released.

    *SmartLink requires access to two ports on the radios which listen on (4994/TCP, 4993/UDP). These rules are (typically) defined then automatically created on your edge router when you register a radio to the SmartLink service using the Universal Plug and Play (UPnP**) protocol. In some cases, the external ports get numbered differently, but they all "point" at the same ports (4994 and 4993) on the internal IP addresses used by radios. Some customers must manually define and enable these rules if UPnP is disabled or unavailable on their edge router. 

    I just scanned (using grc.com) the two SmartLink ports I have forwarded to my 6700.  Here are the results of that scan:

    ----------------------------------------------------------------------

    GRC Port Authority Report created on UTC: 2020-05-28 at 12:57:39

    Results from scan of ports: 4993, 4994

        0 Ports Open

        0 Ports Closed

        2 Ports Stealth

    ---------------------

        2 Ports Tested

    ALL PORTS tested were found to be: STEALTH***.

    TruStealth: PASSED - ALL tested ports were STEALTH,

    - NO unsolicited packets were received,

    - NO Ping reply (ICMP Echo) was received.

     ----------------------------------------------------------------------

    **UPnP is a popular network protocol that allows compliant devices to set port-forwarding rules for themselves automatically. Other devices that use this protocol are personal computers, printers, security cameras, game consoles, or mobile devices that communicate with each other and share data over a network.

    ***STEALTH - Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. 


  • N8SDR
    N8SDR Member ✭✭
    edited May 2020

    "No client, or radio for that matter, was ever breached in any way"- "The client connected message you and a handful of others received, was generated by a bug in the radio firmware that displayed the originating IP address, even though the connection attempt failed authentication" . then you post as copied from above

    "Results from scan of ports: 4993, 4994

        0 Ports Open

        0 Ports Closed

        2 Ports Stealth"

    2 Ports TestedALL PORTS tested were found to be: STEALTH***

    But you also state the radio showed the IP address- and that is what myself and others saw popup when it happened connection from IP 72.X.X.X- so again if the software showed that connection in a windows pop up notification message they were on the SYSTEM


    Also when I talked to Matt he verbally told me nothing happened, now you and others come forth and make the statement "you and a handful of others received"  I would have felt and appreciated being told at that time or a little later after further investigation,  that indeed there was some form of incident, via a phone call or email or some notice, but to leave blind and no communication back to those of us who saw it happen, is not a good feeling, very similar to the SD card/code issue and esp. in this day and age of all the hacking attempts and such.

    Dan answer this - so the radio showed the IP address of the attempted connection to the smart link software, if your using software of any type, smart-link, a web browser, or other application, and someone gains access to that application, it is possible at that point that, they can also gain access to other applications the operating system and perform malicious code execution maybe not to the radio but other applications correct?. Or even if they had time port scan your network and attempt connections or find backdoor into another device since they now have an address.

    My thought is they were in the software, regardless if smart link denied access to the physical radio, being in the software which is loaded on the individuals system, leads to being able to possibly gain access to other applications

    As an example  ADOBE and the Angler exploit Kit, can be used in a PDF and attack other software on the system not just the adobe product. I am not going to get in a back and forth he said I said, if the radio saw an external IP address attempted connection, they were in the software. I turned off the option of smart link. at that point as I do not trust it.

    The blind eye and head turning -non communication back to users who experienced and reported the above, blaming users of improper shut downs over the past years with SD card and bad code incident, etc. has made me rethink,

    While Dan I appreciate you helping with the recent PA issue I experienced, and the shorted capacitor a few months before that, when my unit arrives back later today I'll do some rethinking of Flex and their handling of issues with a large number of users and more than likely get rid of it.







  • Dan-N7HQ
    Dan-N7HQ FlexRadio Employee, Community Manager admin
    edited May 2020
    [I] would have felt and appreciated being told at that time or a little later after further investigation,  that indeed there was some form of incident, via a phone call or email or some notice, but to leave blind and no communication back to those of us who saw it happen, is not a good feeling, very similar to the SD card/code issue and esp. in this day and age of all the hacking attempts and such.

    A: We did respond and Eric posted our findings publically (pasted in above).  There was no breach or incident that involved our SmartLink service whatsoever. For customers that have reported this using our helpdesk system, we respond to them individually. 

    Dan answer this - so the radio showed the IP address of the attempted connection to the smart link software, if your using software of any type, smart-link, a web browser, or other application, and someone gains access to that application, it is possible at that point that, they can also gain access to other applications the operating system and perform malicious code execution maybe not to the radio but other applications correct?.


    A: Because the connection attempt triggered the notice to your attached clients (SSDR on Windows, Maestro, etc.) it does not mean the connection was made or the scan revealed that a device or IP endpoint exists by a denial.  When I scanned my system today, my router logged the connect attempt yet the scan was unaware of that action. The same mechanism is employed in the radio. 

    Or even if they had time port scan your network and attempt connections or find backdoor into another device since they now have an address.

    This assumes the scanner received a response (denial) of some kind. This is not the case. 

    My thought is they were in the software, regardless if smart link denied access to the physical radio, being in the software which is loaded on the individuals system, leads to being able to possibly gain access to other applications.

    A: The SmartLink service is not involved in these cases - this was a drive-by scan of an Internet connection (external IP address) which can be obtained by bad actors in many ways. "They" were not "in" the software/firmware - the radio didn't respond at all.

    ADOBE and the Angler exploit Kit, can be used in a PDF and attack other software on the system not just the adobe product. I am not going to get in a back and forth he said I said, if the radio saw an external IP address attempted connection, they were in the software.

    A: Because we take security seriously at FlexRadio, it is important that I respond to make sure our customers have accurate information.  A device that "sees" and reports on a connection attempt from the Internet, doesn't mean an attacker is aware the endpoint exists or has access to any ability to exploit the system and inject malicious code.  Routers do this all the time.

    I turned off the option of smart link. at that point as I do not trust it.

    A: You are certainly free to form your own conclusions and choose to trust SmartLink or no. I am very serious about my personal Internet security and trust SmartLink. 

    73,
    Dan
  • N8SDR
    N8SDR Member ✭✭
    edited May 2020
    Item 1 respond to them directly Dan: care to show me were in the following Request #32315 SmartLink Security concern were I was responded to directly and made aware of any following information after i reported on it: and Tim closed it after the conversation i had with Matt.

  • Ted  VE3TRQ
    Ted VE3TRQ Member ✭✭✭
    edited May 2020
    I almost wrote a response twice, and deleted them before submitting. But I just can't resist.

    N8SDR had one good idea/comment: perhaps the SmartLink login should be somewhat more protected. His other arguments appear to be a result of not understanding some fundamental tenets of TCP/IP networking, and certificate-based secure logins. (Although I will admit that perhaps he has some insight that escapes me.)

    There are always exploits out there that we do not yet know of, but certificate-based TLS logins are about as secure as you can get, as long as you protect the certificate. And if you do have the certificate to access a service, you will only get the access that the service allows, nothing more nothing less, unless it is badly designed and written. In this case, the service is operating the radio.

    The radio's operating system is not exposed, and the network on which the radio finds itself is not exposed when random port scans are initiated - if the gateway router has no port forward, the probe is silently dropped. If there is a port forward, the destination network stack will exchange syn/ack in the case of a TCP connection attempt (a "probe"), but it exposes nothing other than the target system did not outright refuse the connection (a TCP reset response). The next stage, a successful TLS exchange, is required for further access of any kind.

    No software subsystem is compromised, nor is generic operating system or local network access available to the outside "invader".

    My 2 cents (I guess it has to be a nickel, as we have no pennies in Canada).

    Ted VE3TRQ
  • N8SDR
    N8SDR Member ✭✭
    edited May 2020
    LOL okay guys if you think Im full of it explain this: I was about to delete my accounts with flex but saw this which was just posted a little while ago in another thread now Im going to grab some POP corn and what the the show.. https://community.flexradio.com/flexradio/topics/strange-security-alert-from-xfinity-on-my-flex6400m...

  • Ted  VE3TRQ
    Ted VE3TRQ Member ✭✭✭
    edited May 2020
    Unless you compomise the router, or forward traffic to a vulnerable port/service combination, that warning from the Xfinity is likely quite bogus. I saw it but decided it was not worth commenting on. I have been watching port scans since 1990 :-) It's all about the exposed, insecure services visible to the outside, or by an inadequate router/gateway.
  • k3Tim
    k3Tim Member ✭✭✭
    edited May 2020
    Agree with Ted.  'SDR can safely delete your flex accounts now.

    Have a Nice Day.
    Tim / k3Tim/7

  • Dan-N7HQ
    Dan-N7HQ FlexRadio Employee, Community Manager admin
    edited May 2020
    Rick, 

    I'm following up on your concern about our direct response to HD32315. 

    The notes on that ticket document an 8/8/2019 phone call between you,  Eric (VP of Engineering), and Ed the senior engineer that designed SmartLink. They listened to your concerns, assured you we take security seriously and their investigation showed no security issue. 

    You mentioned that you planned a test on a second machine (not your business machine), on a separate network  "to see if it happened again". They agreed to work with you. 

    That offer still stands. I will be happy to directly discuss any concerns you may have. 

    73,
    Dan


  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited June 2020
    ATTENTION: The changes described in this Community post where the use of social media logins for SmartLink accounts will be discontinued is scheduled to take place on Thursday, June 18th, 2020. 

    If you have not converted your SmartLink login to the email-based Auth0 type of login, you need to make this change ASAP to ensure continued access to your radio that is accessed using SmartLink.

    For additional information on how to change your SmartLink login, please see the following document.  Deprecation of SmartLink Social Media Sign-On
  • Logan KE7AZ
    Logan KE7AZ Member ✭✭
    edited June 2020
    June 17th is Wednesday.  Thursday is June 18th. Something is wrong in the announcement.
    Logan, KE7AZ
  • Tim - W4TME
    Tim - W4TME Administrator, FlexRadio Employee admin
    edited June 2020
    It was a typo.  The change is happening today.

Leave a Comment

Rich Text Editor. To edit a paragraph's style, hit tab to get to the paragraph menu. From there you will be able to pick one style. Nothing defaults to paragraph. An inline formatting menu will show up when you select text. Hit tab to get into that menu. Some elements, such as rich link embeds, images, loading indicators, and error messages may get inserted into the editor. You may navigate to these using the arrow keys inside of the editor and delete them with the delete or backspace key.