Network Security Alert - Man in the middle attack - Fing BOX

StefanS Member Posts: 3
edited September 24 in Fingbox

After receiving a network security alert about the network gateway changing, we started investigating. The MAC address in the alert is a Wi-Fi AP on the network. We experienced some problems reaching the internet after this alert. After some analysis we found that all the MACs in the ARP table on the firewall were the Fing BOX's, and connected devices on the network had the Fing BOX MAC as gateway. Some internet activities were still working.

To get it working the Fing BOX had taken the "man in the middle" role and forwarded the traffic to the firewall.

Q:
Does the Fing BOX do a "man in the middle" for all devices after they are accepted into the network?

What does Fing.com do with the data, and what is logged and sent out to your services?

Now - This concerns us and we have unplugged the Fing BOX until these questions are answered. It is also strange that we are not able to report this as a support ticket rather than being "forced" to use the community.



Comments

  • Robin Administrator Posts: 2,828
    Hi @StefanS
    I can see you have a support ticket with us so I will address your query there. Please reply with any further queries or information. Thanks
    Robin (Admin at Fing)
  • Quoi Member Posts: 2
    Can the outcome of this query be made public rather than concealed within the internal support infrastructure? I feel it is important for awareness and transparency. I am particularly interested in this due to the nature of my work where working from home is a requirement in the current climate.
  • Robin Administrator Posts: 2,828
    Quoi said:
    Can the outcome of this query be made public rather than concealed within the internal support infrastructure? I feel it is important for awareness and transparency. I am particularly interested in this due to the nature of my work where working from home is a requirement in the current climate.
    Here is the info I have shared with Stefan:

    The way the Fingbox works is through ARP poisoning and DNS Spoofing. So what is happening is that when you block a single device, the computer's DHCP address and DNS entries get changed and pointed to the Fingbox. So this device is blocked from getting to the internet or internal resources.
     
    For more information on ARP poisoning and DNS Spoofing see the following links: 
    Blocking is done by DNS/Blocking Spoofing. 
    https://en.wikipedia.org/wiki/DNS_blocking 
     
    The Fingbox/App work to pause things by a process called ARP poisoning/Blocking. 
    https://en.wikipedia.org/wiki/IP_address_spoofing 
     
    Things that need to be done to make sure that it is going to work are as follows: 
    1. Enable UPnP on your router 
    2. Disable IPv6 on your router (This is required to make sure that Internet Pause and Blocking works) 
    3. Best Practice - Reserve the IP address of the Fingbox 
    4. Create the following TCP rules and point them to the IP address of the Fingbox:
       • 80 (Internet Speed Test)
       • 443 (Fing Service and Software Updates)
       • 3001, 3002, 3003 (Internet Speed Test)
       • 4443 (Fing Service)
       • 5671 (Fing Diagnostics)

    One other thing you may want to consider is using Auto-Block as well, because Windows 10 and other devices can use MAC randomization, which means that the MAC address of the computer can change. Here is a good article on it:
    https://www.tenforums.com/tutorials/39022-turn-off-random-hardware-mac-addresses-wi-fi-windows-10-a.html 
     
    Make sure to turn this off, because if you block a device, it will simply change MAC address and get a new IP address.   
     

    Robin (Admin at Fing)
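
Added example, not part of Robin's reply and not Fing's code: the symptom reported at the top of the thread (one MAC answering for the gateway and for other hosts) can be checked from a Linux host's neighbour table. The sample `ip neigh show` output, the addresses and the function names below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of Linux `ip neigh show`; all addresses are made up.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 02:00:00:aa:bb:01 REACHABLE
192.168.1.20 dev eth0 lladdr 02:00:00:aa:bb:01 STALE
192.168.1.21 dev eth0 lladdr 02:00:00:aa:bb:01 REACHABLE
192.168.1.22 dev eth0 lladdr 02:00:00:cc:dd:22 REACHABLE
192.168.1.23 dev eth0  FAILED
"""

LINE_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.IGNORECASE)

def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries have no lladdr and are skipped
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_arp_anomalies(text, gateway_ip, expected_gateway_mac, min_shared=3):
    """Flag a changed gateway MAC and any MAC claimed by >= min_shared IPs."""
    table = parse_neigh(text)
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    shared = {mac: sorted(ips) for mac, ips in by_mac.items()
              if len(ips) >= min_shared}
    seen_gw = table.get(gateway_ip)
    return {
        "gateway_mac_seen": seen_gw,
        "gateway_mac_changed": (seen_gw is not None
                                and seen_gw != expected_gateway_mac.lower()),
        "shared_macs": shared,
    }

if __name__ == "__main__":
    # The expected gateway MAC is an assumed value taken from an inventory.
    print(find_arp_anomalies(SAMPLE_NEIGH, "192.168.1.1", "02:00:00:ee:ff:fe"))
```

A MAC shared by several IPs is also normal for a router doing proxy ARP, so compare the flagged MAC against a device inventory before treating it as an intercepting host.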
  • Quoi Member Posts: 2

    Great update, thanks.

    A point to note is that, along with the relatively recent practice of MAC address randomisation on Android devices, with the release of iOS 14 randomisation is now the norm. Disabling this feature on devices to ensure effective Fing operation somewhat defeats the purpose of randomising in the first place, that of deploying another tool to minimise attacks on the user's device and data.

  • StefanS Member Posts: 3
    Yes I agree. Thank you for a good update Robin.