Ortur WiFi Security (or lack thereof)
I have an Ortur Laser Master 3 (OLM3). In this blog I’m going to demonstrate that enabling an Ortur wifi connection raises potential GIGANTIC security risks to your home network.
TELNET And FTP Servers
Once you set up a WiFi connection on your OLM3 you will also have enabled both a TELNET Server and an FTP server.
- TELNET is a command line interface that allows for connection and control of a remote device. TELNET is on Port 23.
- FTP is File Transfer Protocol. FTP is on Port 21.
Both Protocols are open and unsecured.
If your home router is not configured with Ports 21 and 23 closed you have a MASSIVE network security problem. The only way to know if these ports are accessible to the internet is to test them. GRC Shields Up has been the de facto standard for port testing for many years. Also, it is simple to use. Ideally, not only should your port indicate being closed, it should also indicate being STEALTH, which means it can’t be seen at all.
If Ports 21 and 23 are open, as is the case in many off the shelf wifi routers ………then I don’t know what to tell you. You are in trouble.
Test The Servers
In my case I was able to to connect to the TELNET server without a user name or a password. Running a terminal command of “telnet [ipaddress]” lets you in.
I connected within my own network, however if my router port 23 is open then ANYONE from ANYWHERE in the world can easily be connected TO YOUR ENTIRE NETWORK.
Let’s test the FTP connection.
Yep, using an FTP client such as CyberDuck I was able to connect directly to the SD card in the laser. How cool is that? Actually, not cool at all.
Your Router Matters
Go to the big box store and pick up a router off the shelf. Look at the box. It will say it is FAST! Nowhere on the box will it say it is secure. Or if it does claim that it is likely a lie. The goal of that router manufacturer is for the stupidest person in Walmart to be able to plug the router in, and get on the internet without spending an hour with their Tech Support phone personnel.
To achieve that goal security is often compromised. So many routers have open ports exposed to the internet.
Also, without getting too deep most routers for sale have known security vulnerabilities. Even if Ports 21 and 23 are closed, if some script kiddie breaks into your box they’ll start looking for ways to control things.
Basic Rule: A server that doesn’t need to be running should not be running.
ESP8266 and ESP32
These are both Internet of Things (IoT) chips. They typically do Wifi and Bluetooth. When you connect the OLM3 to your network it identifies itself as Espressif Inc.
That is not uncommon. I have around 15-20 devices on my network that also ID themselves with that designation. Absolutely NONE OF THEM have an open TELNET or FTP server.
Don’t use Ortur WiFi. It’s that simple. Disable your WiFi connection and connect to your computer via the USB cable. There is absolutely no concern for your network security by Ortur regarding the OLM3. They simply don’t give a shit. The servers are on standard ports (21, 23), and don’t even have a user name, much less a password.
Protect yourself and your network. Turn off your Ortur WiFi.