CoreElec seems to be vector of ransomware attack

Just a heads up, and reminder to keep your coreelec boxes COMPLETELY off the Internet. Don’t even pass ports to them. I don’t know how these jerks got in, but it’s not fun. I’m sure it was partly my fault for allowing remote access to my box, and not restricting it to one or two IPs, but I still live in this fantasy world where people are good. sigh

Guys please let’s not make fun of it.
I want to take it serious.

Can you please elaborate what you did and what happened in your network or your other clients.

I want to understand how it happened.

TV Headend can be a vector - as it allows scripts to be run. If you open a TV Headend port to the outside world and they get your admin password (or worse - you have a password-less account with no restrictions in the web console) - they’ve got an ability to do a lot of not good things. Found a friend’s installation that had been hacked that way.

Their ISP temporarily suspended their broadband access because they were detecting lots of spamming mail stuff coming from my friend’s connection.

Just like with all other communications devices (personal computer, cell phone, tablet, OTTV set top box, etc.), I believe it to be common sense to secure any accounts allowing access to the system.

CoreELEC and its bundled software condone the use of unsanctioned software and provide clear warnings against the practice of using unsecured accounts and networks in various places:

Unfortunately, sometimes end-users decide to ignore those warnings, or install unsanctioned software, causing a multitude of issues.

Software:


Wiki:

In case of a security breach, Team CoreELEC recommends reaching out to Ransomware Help & Tech Support.

100% - it’s why I don’t use default passwords and only use a VPN for access to devices when away from home. (I know people use TV Headend with open ports to let them watch TV when away from home on platforms that don’t support VPNs…)

I use a WireGuard tunnel to access devices at home when away. Hopefully that’s secure enough long term. I haven’t had any issues thus far.

Wise choice.


Always have a backup to restore from and create a new one whenever you make changes.

Sorry to hear that. Hope that your internal network damages are not disastrous.

It's good to open just the VPN port to the public; even so, you can run either WireGuard or OpenVPN from the 24/7 CoreElec box itself, without virtualization and with little to no overhead.