Larsa

Exposure of the device serial number during export

Fri May 20, 2022 12:53 pm

I'd like to follow up on @rextended and other helpful people who warn about hiding the device serial number when posting an export.

There seems to be a consensus that this is a serious flaw, but I'm curious why this hasn't been considered a serious problem at Mikrotik and hasn't already been corrected, especially when using "export hide-sensitive"?

I might be wrong, but it looks like no one has reported this as a major issue to Mikrotik support and also no one seems to bother to push this issue further on the forum.

As I said, just curious.
 
rextended

Re: Exposure of the device serial number during export

Fri May 20, 2022 1:40 pm

It is not the only sensitive thing: user/password on ppp, upnp / email / other scripts, knock schema, email on tools, etc.

The reply is extremely simple: the .rsc is not meant to be used to ask for help on the forum...

But that's the only way we have to help someone, to see how the RouterBOARD is configured...
 
Sob

Re: Exposure of the device serial number during export

Fri May 20, 2022 2:25 pm

It's probably not that serious. Yes, it allows discovering the IP address if IP->Cloud DDNS (which is not enabled by default) is in use, which is not ideal. So it would be a good idea not to export it for hide-sensitive.

Otherwise it's not possible to filter everything. If I write some super-secret stuff in a script, there's no way export could filter it automatically. But where it's possible and it's currently wrong, that should be corrected.
 
anav

Re: Exposure of the device serial number during export

Fri May 20, 2022 6:12 pm

Less is more; the right attitude is that if it serves no purpose for the admin to adjust the config, it should not be visible on a standard export.
Sob, your vetting skills are deteriorating with age... what next, no swimming trunks required for the pool?
 
Larsa

Re: Exposure of the device serial number during export

Fri May 20, 2022 6:34 pm

> It's probably not that serious. Yes, it allows discovering the IP address if IP->Cloud DDNS (which is not enabled by default) is in use, which is not ideal. So it would be a good idea not to export it for hide-sensitive.
>
> Otherwise it's not possible to filter everything. If I write some super-secret stuff in a script, there's no way export could filter it automatically. But where it's possible and it's currently wrong, that should be corrected.

Agree, the serial number should be hidden when using "hide-sensitive". Especially considering the times we are living in, and to make everyone aware of why this might be a problem, maybe a warning should be stated, something like this:

"Please hide the serial number of the device before posting an export to a public forum since it may be used to trace your IP address if using the Mikrotik cloud (serialnumber.sn.mynetname.net)."

Since the root cause of the problem is that the serial number is directly mapped to the IP cloud service, imho Mikrotik should in the long run try to find another solution where the two are decoupled from each other.
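
As an added example (not part of any post in this thread and not MikroTik code): a small Python filter that removes the serial number from an export before it is posted, including any `<serial>.sn.mynetname.net` name and other places the value reappears. It assumes the export header uses `# serial number = ...` and `# software id = ...` comment lines; `sanitize_export`, the `REDACTED` marker and the sample export are constructed for illustration, and the software id is redacted as well because it is a second per-device identifier.

```python
import re

MARK = "REDACTED"
# Assumed header layout of a RouterOS export: "# serial number = <value>".
HEADER_RE = re.compile(
    r"^(#[ \t]*(serial number|software id)[ \t]*=[ \t]*)(\S+)[ \t\r]*$",
    re.IGNORECASE | re.MULTILINE)
# IP Cloud DDNS names have the form <serial>.sn.mynetname.net.
DDNS_RE = re.compile(r"\b[0-9A-Za-z]+(?=\.sn\.mynetname\.net\b)", re.IGNORECASE)

# Constructed sample export; the serial and software id are made-up values.
SAMPLE = """\
# may/20/2022 12:53:00 by RouterOS 7.x
# software id = ABCD-1234
# serial number = 0A1B2C3D4E5F
/ip cloud
set ddns-enabled=yes
/system script
add name=report source=":log info 0a1b2c3d4e5f.sn.mynetname.net"
/system identity
set name=gw-0A1B2C3D4E5F
"""


def sanitize_export(text):
    """Return (sanitized_text, findings) for the text of a .rsc export."""
    identifiers, findings = set(), []

    def header(m):
        if m.group(3) != MARK:  # skip lines that are already redacted
            identifiers.add(m.group(3).upper())
            findings.append("header: " + m.group(2).lower())
        return m.group(1) + MARK

    def ddns(m):
        if m.group(0) != MARK:
            identifiers.add(m.group(0).upper())
            findings.append("ddns hostname")
        return MARK

    text = HEADER_RE.sub(header, text)
    text = DDNS_RE.sub(ddns, text)
    # The same values can reappear in scripts, comments or the identity.
    for value in sorted(identifiers):
        text, count = re.subn(re.escape(value), MARK, text, flags=re.IGNORECASE)
        if count:
            findings.append(f"other occurrence x{count}")
    return text, findings
```

The findings list shows where the identifier was found, which also tells the poster whether a script or the identity embeds it; secrets written by hand into scripts still have to be reviewed manually.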
 
anav

Re: Exposure of the device serial number during export

Fri May 20, 2022 8:00 pm

> > It's probably not that serious. Yes, it allows discovering the IP address if IP->Cloud DDNS (which is not enabled by default) is in use, which is not ideal. So it would be a good idea not to export it for hide-sensitive.
> >
> > Otherwise it's not possible to filter everything. If I write some super-secret stuff in a script, there's no way export could filter it automatically. But where it's possible and it's currently wrong, that should be corrected.
>
> Agree, the serial number should be hidden when using "hide-sensitive". Especially considering the times we are living in, and to make everyone aware of why this might be a problem, maybe a warning should be stated, something like this:
>
> "Please hide the serial number of the device before posting an export to a public forum since it may be used to trace your IP address if using the Mikrotik cloud (serialnumber.sn.mynetname.net)."
>
> Since the root cause of the problem is that the serial number is directly mapped to the IP cloud service, imho Mikrotik should in the long run try to find another solution where the two are decoupled from each other.

Good points, now if you can only address this one.....
viewtopic.php?p=934431#p934431
 
Sob

Re: Exposure of the device serial number during export

Fri May 20, 2022 10:58 pm

> "Please hide the serial number of the device before posting an export to a public forum since it may be used to trace your IP address if using the Mikrotik cloud (serialnumber.sn.mynetname.net)."

Well, it's safer to keep the address private. On the other hand, who really cares about someone's address? Botnets are scanning the internet day and night and if something is open, they will find it. And if it's not open, then in most cases it's safe whether someone knows the address or not. It is possible that someone could collect info from this forum, but there's not that much of it anyway, so it's probably not worth it. So there is some risk, but not too big. But yes, hide-sensitive should hide the serial number.

> Since the root cause of the problem is that the serial number is directly mapped to the IP cloud service, imho Mikrotik should in the long run try to find another solution where the two are decoupled from each other.

Nice thing about the current scheme is that it's simple and foolproof: you don't need any registration, choosing names, or anything, it just works with a single checkbox. I don't know how exactly it's implemented, but it can be pretty safe if it depends not only on the serial number but also on some secret per-device key that MikroTik knows, but that can't be derived from the serial number by anyone else, so nobody can just spend an afternoon with a disassembler and crack the update protocol. I guess Software ID could be used for this; it's rather short, but even old boards have it.

> Sob, your vetting skills are deteriorating with age... what next, no swimming trunks required for the pool?

Fine by me, as long as they are not banned. I'm a bit shy myself, but if someone else wants to feel more free or whatever, who am I to deny it to them. :)
