Controllers exposed over the Internet

EBNewbie
Hi all,
It seems like many people have their Neptune Apex exposed over the Internet. See this Shodan Report: https://www.shodan.io/search?query="Server:+AquaController"

This is a security risk since many services like Shodan and Censys are search engines for "machines" instead of websites. An attacker can trivially get a list of most controllers exposed to the internet. Then a brute-force attack can be tried to guess the username/password, or another exploit can be discovered to bypass authentication.

driftin
How would you be able to know or adjust settings from the Apex itself?

SuncrestReef
If you set up your Apex following Neptune's instructions, then it is not directly accessible for inbound traffic from the Internet. Instead, the Apex initiates communications outbound to the Fusion web server, and Fusion replies to that established TCP connection.

The problem (and all those AquaControllers shown in the report linked above) is the result of people using port forwarding, which allows outside-initiated access directly to the Apex. This is not recommended, and with the architecture of Fusion (which was not available at the time the old AquaController or early model Apex were released) port forwarding is no longer necessary.

The same is true for most home security web cams or other IoT devices on your home network. Modern devices don't need port forwarding and instead initiate outbound TCP connections to a cloud-hosted service; then the app on your phone or the product's web site allows you to remotely access the device through the already established communications channel.

Bottom line: Don't set up port forwarding on your Internet router for any device inside your home unless you are a network security expert, and even then, flaws in the device software can still allow hackers to exploit the flaws to gain access.
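To make the difference between the two setups concrete, here is an added example (not code from the thread, and not Neptune's Fusion protocol, whose message format is not described here) of the outbound-initiated pattern SuncrestReef describes. A toy "cloud relay" listens on two ports; the "controller" only ever calls connect() toward the relay and never calls listen(), so there is nothing on it for a port-forward rule to reach and nothing for a Shodan-style scan to find; a "phone app" connects to the relay, which writes the app's command into the controller's already-open connection and hands the reply back. The device ID, the HELLO/GET/OK line protocol and the sample readings are all invented for the illustration. Everything runs on 127.0.0.1.

```python
import socket
import threading

HOST = "127.0.0.1"

# Constructed sample readings the toy controller reports; not real Apex data.
DEVICE_STATE = {"Temp": "78.1", "pH": "8.21"}


def device_loop(relay_addr, stop):
    """The controller side. Note there is no listen()/accept() here at all:
    the device dials OUT to the relay, identifies itself, then answers
    whatever commands arrive over that same connection."""
    with socket.create_connection(relay_addr) as s:
        f = s.makefile("rwb")
        f.write(b"HELLO device-123\n")  # hypothetical registration message
        f.flush()
        while not stop.is_set():
            line = f.readline()
            if not line:  # relay closed the connection
                break
            cmd = line.decode().strip()
            if cmd.startswith("GET "):
                key = cmd[4:]
                reply = f"OK {key}={DEVICE_STATE.get(key, '?')}\n"
            else:
                reply = "ERR unknown command\n"
            f.write(reply.encode())
            f.flush()


class Relay:
    """Cloud side. Devices dial in on dev_srv, apps dial in on app_srv.
    A command from an app is forwarded over the device's existing outbound
    connection, so the device needs no inbound reachability of its own."""

    def __init__(self):
        self.dev_srv = socket.socket()
        self.dev_srv.bind((HOST, 0))  # port 0: let the OS pick a free port
        self.dev_srv.listen(1)
        self.app_srv = socket.socket()
        self.app_srv.bind((HOST, 0))
        self.app_srv.listen(1)
        self.devices = {}  # device id -> file object over the device's socket
        self.lock = threading.Lock()
        self.ready = threading.Event()

    def accept_device(self):
        conn, _ = self.dev_srv.accept()
        f = conn.makefile("rwb")
        hello = f.readline().decode().split()  # ["HELLO", "<id>"]
        self.devices[hello[1]] = f
        self.ready.set()

    def serve_app(self):
        conn, _ = self.app_srv.accept()
        f = conn.makefile("rwb")
        # App request format (invented): "<device id> <command>"
        dev_id, cmd = f.readline().decode().strip().split(" ", 1)
        dev = self.devices.get(dev_id)
        if dev is None:
            f.write(b"ERR no such device\n")
        else:
            with self.lock:  # one in-flight command per device connection
                dev.write((cmd + "\n").encode())
                dev.flush()
                f.write(dev.readline())
        f.flush()
        conn.close()


def app_query(app_addr, device_id, cmd):
    """The phone app: talks only to the relay, never to the device directly."""
    with socket.create_connection(app_addr) as s:
        s.sendall(f"{device_id} {cmd}\n".encode())
        return s.makefile("rb").readline().decode().strip()


def run_demo():
    """Wire the three parties together and return the app's reply."""
    relay = Relay()
    stop = threading.Event()
    threading.Thread(target=relay.accept_device, daemon=True).start()
    threading.Thread(target=device_loop,
                     args=(relay.dev_srv.getsockname(), stop),
                     daemon=True).start()
    relay.ready.wait(5)  # wait for the device's outbound registration
    threading.Thread(target=relay.serve_app, daemon=True).start()
    reply = app_query(relay.app_srv.getsockname(), "device-123", "GET Temp")
    stop.set()
    return reply


if __name__ == "__main__":
    print(run_demo())
```

The only sockets in a listening state belong to the relay (the cloud service); the device holds one established outbound connection and would show up in a scan of your WAN address only if you had added a port-forward rule to reach it directly, which is exactly the configuration the thread recommends against.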