Controlling my Router

Digging through the settings of this new router I’ve bought, I saw a section for Amazon Alexa and clicked on it. It gave a link saying, “Please click here to enable DDNS and Web Access from WAN for remote control”, which appears to go against everything Steve Gibson tells us, but since I remember @Leo saying he set things up so he could pause his son’s internet, I just wondered if this is safe?

1 Like

Seems to violate the Trust No One principle as well. Trust Amazon? Hmmmm, magic eight ball says “unlikely”.

1 Like

I suppose it depends on your definition of “safe.” I’m not familiar with this router setting, but it seems to me you’re configuring two things with this setting:

a) You’re sending your public IP to a DNS provider (I’m guessing it’s Amazon but it could be a free one like DynDNS) and they’re creating a DNS record that will point to it and update it any time your public IP address changes. This isn’t a security risk in itself, and is pretty common among hobbyists and DIYers.

b) You’re poking a hole in your router’s firewall and allowing traffic on certain ports to flow through to your Echo’s internal IP address. This is where things can get a little hairy as you’re essentially allowing people through your front door uninvited.

Do you trust Amazon to come inside when they please? Do you trust that Amazon will control themselves and not invite their raucous friends in too? Do you trust them to “lock the door” when done and not accidentally allow strangers in as well?

What model router is it? I’m curious if this is a configuration Amazon is making, or if it’s something conjured up by the router manufacturer. The latter being a bit more sketchy in my mind.

2 Likes

I am using the Asus RT-AX59U, not that I plan on using the Amazon stuff.

In their defence, you are already running a device of theirs inside your network; they are already calling from inside the house.

I’m sort of surprised that they don’t just have all the Echos call home and keep a control channel open so that they can push commands down it. Why leave an open port when a normal stateful firewall can handle this via an outgoing connection?
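
An added example, not part of the thread or any poster's code: a toy Python model of the stateful-firewall point made in the posts above, contrasting a device-initiated control channel with a forwarded port. All addresses, ports and names are constructed, and port translation is left out for brevity.

```python
# Toy model of a home router's stateful firewall (illustrative, not router code).
from dataclasses import dataclass, field

ECHO = "192.168.1.50"       # constructed LAN address of the device
CLOUD = "203.0.113.10"      # constructed address of the vendor service
STRANGER = "198.51.100.77"  # constructed address of an unrelated host

@dataclass
class StatefulFirewall:
    # WAN port -> (LAN ip, LAN port): the hole a port forward opens
    forwards: dict = field(default_factory=dict)
    # Flows started from the LAN: (lan_ip, lan_port, remote_ip, remote_port)
    conntrack: set = field(default_factory=set)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN device dials out; the router records the flow."""
        self.conntrack.add((lan_ip, lan_port, remote_ip, remote_port))

    def inbound(self, remote_ip, remote_port, wan_port):
        """Return the LAN destination for a WAN packet, or None if dropped."""
        for lan_ip, lan_port, r_ip, r_port in self.conntrack:
            # Only the exact peer of a tracked flow may answer it.
            if (lan_port, r_ip, r_port) == (wan_port, remote_ip, remote_port):
                return (lan_ip, lan_port)
        # A forward matches on port alone, so the sender is not checked.
        return self.forwards.get(wan_port)

def demo():
    fw = StatefulFirewall()
    results = {}
    # No state, no forward: unsolicited traffic is dropped.
    results["unsolicited"] = fw.inbound(STRANGER, 40000, 443)
    # The device opens a control channel to the vendor service.
    fw.outbound(ECHO, 51000, CLOUD, 443)
    results["reply"] = fw.inbound(CLOUD, 443, 51000)
    results["other_sender"] = fw.inbound(STRANGER, 443, 51000)
    # Now add a port forward (8443 is a constructed value).
    fw.forwards[8443] = (ECHO, 443)
    results["forward_cloud"] = fw.inbound(CLOUD, 40000, 8443)
    results["forward_stranger"] = fw.inbound(STRANGER, 40000, 8443)
    return results

if __name__ == "__main__":
    for name, dest in demo().items():
        print(f"{name:17} -> {dest}")
```

With only the outbound channel, the vendor service reaches the device and nobody else does; once the forward exists, the stranger gets the same answer as the vendor unless a source-address restriction is added on top.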

It is worse than that, it is enabling access to the administration interface from the WAN side of the router… Or is it written poorly and they mean passthru access to an Alexa device? It seems to me, if it was an Alexa device on the network, it would phone-home and initiate the connection itself.

I assumed it was a passthru to the Alexa device configured to only accept connections from Amazon’s Alexa service IP addresses. If it’s opening a connection to the management interface of the router then I agree, it’s an egregious security risk. And terrible UX design.

1 Like

Where are you seeing the reference to Alexa?

Just searched the Asus user manual, can’t see anything in there. There’s a section on enabling Asus’ DDNS service though.