Author Topic: Wi-Fi inspector, router is not secure with ethernet, secure with Wi-Fi  (Read 5262 times)

0 Members and 1 Guest are viewing this topic.

Offline ddabrahim

  • Jr. Member
  • **
  • Posts: 66
Hi.

I'm using Avast Premium Security on my Mac, Windows PC and iPhone.
My Mac is connected with Ethernet, the Windows PC and iPhone is connected with Wi-Fi to the same router.

When I scan the network using Avast Wi-Fi inspector, on my Mac (with Ethernet) I get a warning my router is not secure because port 7547 is open.
If I scan the network on my Windows PC and iPhone connecting to the same network with Wi-Fi, Avast report that the network and my router is secure.

Tried to scan port 7547 from my Mac but I get "connection refused" message or no response.
I have also installed a 3rd party port scanner on my iPhone and scanned my router and it didn't report anything on port 7547. I have also scanned port 7547 from my iPhone and it is reported to be closed.

So, over Wi-Fi all scans come back green, port is closed, no problems, network is secure. Over Ethernet I get mixed results, Avast tells me my router is not secure because port 7547 is open but if I scan the port, I get no response or 'connection refuse'.

I did look up and port 7547 is used by my ISP and it is supposed to be hidden and not reachable by other than my ISP which I believe the scans from Wi-Fi do confirm.

But I have no idea what am I doing to be honest. Could anyone please share some ideas, suggestions what to do about this?
Is it safe to ignore the warning regarding port 7547 is open in the light over Wi-Fi it is report to be closed?

Using Avast Premium Security version 14.10 (ddd643fc9a1d)
macOS 11.4

Thanks.


« Last Edit: July 24, 2021, 09:40:01 AM by ddabrahim »

Offline ddabrahim

  • Jr. Member
  • **
  • Posts: 66
Re: Wi-Fi inspector, port 7547 is open with ethernet, closed with Wi-Fi
« Reply #1 on: July 24, 2021, 09:23:40 AM »
Since I did get an official reply from my ISP confirming the port is open but protected in code, nobody can access and use the port, it is safe. They told they have no idea why Avast consider it a security threat.

Wondering if it could be that my Mac is connected with Ethernet and the port can be accessed 'internally' through ethernet and so Avast consider it a security threat, but over Wi-Fi and internet the port is locked, can not be accesses and so when I scan over Wi-Fi, Avast find it secure.
If that is the case, who supposed to fix this? Avast should take in to account if the device the scan is running from is connected with ethernet or my ISP should protect the port also from ethernet? Or I should maybe just ignore it then...

Thanks. 
« Last Edit: July 24, 2021, 09:26:23 AM by ddabrahim »

Offline Radek Brich

  • Developer (Linux AV, Mac AV)
  • Moderator
  • Jr. Member
  • *
  • Posts: 53
Hi, I guess this is the "outside scanner", which scans your router from the Internet (not from LAN). If it has open port 7547 visible from the Internet (not only LAN or not only the ISP network), then it sounds like security issue and that's what Wi-Fi Inspector reports.
 
That is just a guess. If you post a screenshot of the warning, and/or send us a support package [1], I can check it further.

The difference between the scan from Wi-Fi vs. scan from the Ethernet could be caused by different configuration, e.g. Wi-Fi network may be more "isolated", so Avast can't tell if the router it sees from outside Internet is the same one as the router providing your local Wi-Fi network. In that case, it doesn't report the issue.

[1]: https://support.avast.com/en-us/article/Submit-Mac-Security-support-file/

Offline ddabrahim

  • Jr. Member
  • **
  • Posts: 66
Hi Radek.
Thank you for the reply. I have submitted a support package and also here is a screenshot:



Very likely the problem is that what you mentioned, the port is visible from the internet. My router is provided by my ISP and they claim that the port is secured in code and there is no proof it was ever used in a successful attack and for 'operational reasons' they keep it open. I believe they use this port to update firmware and run checks, diagnostics. There is a debate about this between customers and my ISP going back 2016 but I have never received this warning from Avast before last Tuesday. My ISP claim the port was always open so they have no idea why Avast report it to be a security threat now and not before.

I did also run some online router tests and all of them come back with the message my router is secure and all the tests I was running on the local network. Only Avast on my Mac through ethernet report that it is not secure.
In case there is any more tests I can do to be certain if the port is secured as my ISP claim to be, please let me know.

Thank you.
« Last Edit: July 26, 2021, 08:27:35 PM by ddabrahim »

Offline ddabrahim

  • Jr. Member
  • **
  • Posts: 66
So I Just tried the ShieldsUp! router tester by Gibson Research. https://www.grc.com/x/ne.dll?bh0bkyd2
My router did pass the test and it was considered to be secure, the test did not discovered port 7547.
However, if I did scan port 7547 specifically, the test has confirmed that the port is open and failed 1 out of 3 tests.

1. FAILED - The port is not Stealth, the port did respond to attempts to establish connections
2. PASSED - No Internet packets of any sort was received
3. PASSED - Ignored and Refused to reply to repeated pings.

Protocol - UNKNOWN

This is remind me of when I tried to scan the port locally, it was returned 'connection refused' or did not respond. So guess I was getting the same result locally and maybe the 1. test in ShieldsUp failed simply because the port responded 'connection refused'? it is not too bad is it? I mean when you scan the network port 7547 does not show up and even if you scan port 7547 specifically it is refuse any connection and do not respond.

So despite the fact, it is open to the internet, does it mean it is secure as my ISP claim it to be?

Thanks.

« Last Edit: July 26, 2021, 09:05:30 PM by ddabrahim »

Offline Radek Brich

  • Developer (Linux AV, Mac AV)
  • Moderator
  • Jr. Member
  • *
  • Posts: 53
Hi, thanks for the support package.

In the logs, I see that Avast's scanning backend successfully connected to the port 7547 on your Internet-facing IPv4 address. It received an actual response:

Code: [Select]
"data" : "",
"headers" :
[
        "Server: gSOAP/2.7",
        "Content-Length: 0",
        "Connection: close"
],
"port" : 7547

This is not a good sign, because attackers may try to exploit some vulnerability in the software running on the port. Avast's backend doesn't try any exploit, it just checks if the service on the port communicates, which it does.

My router is provided by my ISP and they claim that the port is secured in code and there is no proof it was ever used in a successful attack and for 'operational reasons' they keep it open.

They might be right that it's actually secured in code. The question is how much do you trust your ISP. If they have bug in their code, it might not be as secure as they think. It would be better if they didn't take the risk and filtered the port from public Internet access on their firewall. Avast reports this issue because it's a potential vulnerability.

... but I have never received this warning from Avast before last Tuesday. My ISP claim the port was always open so they have no idea why Avast report it to be a security threat now and not before.

This is because we had a bug in our Mac implementation, which caused the outside scan not working. It was fixed in a recent update (Avast 14.10 ddd643fc9a1d).

This is remind me of when I tried to scan the port locally, it was returned 'connection refused' or did not respond. So guess I was getting the same result locally and maybe the 1. test in ShieldsUp failed simply because the port responded 'connection refused'? it is not too bad is it? I mean when you scan the network port 7547 does not show up and even if you scan port 7547 specifically it is refuse any connection and do not respond.

The port seems to be closed to your internal network, it's accessible only from ouside. That's why you see "connection refused" when scanning it locally.

So despite the fact, it is open to the internet, does it mean it is secure as my ISP claim it to be?

It may be or it may not. The basic security rule is to make the attack surface as small as possible. This open port is part of the potential attack surface.

A randomly googled article regarding this port:
https://www.ispreview.co.uk/index.php/2020/11/isp-virgin-media-uk-closes-port-7547-after-leaving-it-open.html

Offline ddabrahim

  • Jr. Member
  • **
  • Posts: 66
Hi Radek!

Thank you for looking in to this for me. I did pass this information you shared over to my ISP for them to consider. But I have the feeling they are going to say that no data was included in the response. They also claim that their routers don't have the same vulnerability as the ones from Virgin Media and others. they have this debate with the community for many years. I don't know if I can trust them, probably not but I've been using their routers since forever, this particular router in the past 4 years. So if they tell the truth and this port was always open in the past 4 years then I hope I was more than just lucky for not being ever hacked and their protection is actually working.
At least I do know about this vulnerability going forward.

Thanks a lot, really appreciate it.
« Last Edit: July 31, 2021, 08:06:49 PM by ddabrahim »