gregg098's profile


Tue, Feb 25, 2020 5:00 PM

Security Issue? Xfi Router Defaults to Remote Management ON when Bridge Mode Enabled

TLDR: Remote management turns on automatically on the Xfi modem for both http (port 80) and https (port 443) whenever I turn on bridge mode.


I have Xfi advantage (XB6 modem) and noticed in the last day that I can access my modem's management page from outside my home network by going to the modem's public IP.


As a little background, since I received the modem, I installed it, turned on bridge mode, changed the password, and that was about it.


In bridge mode, there are essentially two public IPs. One is the IP associated with the router I have plugged into it (24.x.x.x). Likely tied to the MAC address of the router itself. I CANNOT connect to anything via this IP from outside my network except ports I have explicitly opened up in the firewall of my actual router. These ports are NOT 80 or 443.


The second IP is found when logging into the modem's management address of http://10.0.0.1. It's a 73.x.x.x IP. As a test, I tried connecting to open ports of my normal router and I was unable to do so via this IP, so it is isolated (I think?). I assume this is the IP I would have if I was not in bridge mode and used the Xfi as my router.


I also have Shodan monitor set up for both IP addresses. In the last few days, I have received alerts that, on the 73.x.x.x IP, port 80 and port 443 were accessible. Sure enough, visiting the IP on my phone yesterday by either http or https got to my modem's management page. I verified it was mine by logging in with my existing password. Also tried from work and got the same result. As a temporary holdover, I increased the password to the max of 20 characters, but still feel this is unsafe. Another side note, Shodan also reports UDP port 123 open as well. I tried looking into this and I think it's related to a time service, but not sure.


I have not changed any settings on my modem. Also, in bridge mode, none of the normal settings, like turning remote management on or off, is available.


Today when I got home, I factory reset the modem via the pinhole on the back. Held for 30 seconds, waited for the white light. I plugged in my laptop, went to the management page, and changed my password. I verified under Advanced that remote management was OFF. I also noticed that the default ports are 8080 for http and 8081 for https. I even tested from my phone and was unable to connect. Then I turned on bridge mode. After the light turned white again, I tried the same 73.x.x.x IP from my phone (not on wifi) and was again able to get the management page of my modem via http and https.

Next test, turned OFF bridge mode. Went back to the way it was right after the factory reset. Remote admin off and unavailable outside my network. Turned bridge mode back ON, white light, power cycled just because, and again, even before plugging my router back in, I could reach the modem management page.


So, is this a security risk? I think it is. Why would remote management default to on for both port 80 and 443 with bridge mode on?


Just for information, my normal setup is Xfi (bridge mode on) -> EdgeRouter4 -> Switch -> Home network. My home network is locked down, but I am concerned there is a risk with the management page on this alternate IP open to the public all the time.


Anyone have any ideas?
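
A way to repeat the outside-reachability test described in the post, as an added example that is not part of the original post: run it from outside the home network (for example a phone tether) against your own modem's WAN IP, once in router mode and once in bridge mode, then compare the two snapshots. The function names are hypothetical; the port list is taken from the post.

```python
import socket

# Ports named in the post: 80/443 answered once bridge mode was on;
# 8080/8081 are the remote-management defaults seen in router mode.
MGMT_PORTS = (80, 443, 8080, 8081)


def tcp_open(host, port, timeout=3.0):
    """Return True if a full TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, or unreachable: treat as not reachable.
        return False


def snapshot(host, ports=MGMT_PORTS, timeout=3.0):
    """Map each port to its reachability from this vantage point."""
    return {port: tcp_open(host, port, timeout) for port in ports}


def newly_exposed(before, after):
    """Ports closed in `before` (router mode) but open in `after` (bridge mode)."""
    return sorted(
        port for port, is_open in after.items()
        if is_open and not before.get(port, False)
    )


if __name__ == "__main__":
    import sys
    # Usage (assumed script name): python check_mgmt.py <modem WAN IP>
    host = sys.argv[1]
    for port, is_open in snapshot(host).items():
        state = "REACHABLE" if is_open else "closed/filtered"
        print(f"{host}:{port} {state}")
```

A port that only shows up in the bridge-mode snapshot is the behaviour the post reports; saving both outputs gives something concrete to attach to a support ticket.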



No Responses!
