Hi,
Difficult to know exactly what these ports are used for as the OS on the Home Hub is locked down.
I've found mention of TCP port 2555 for UPnP for a home router Modem BBox-2. As the HH4 is also made by Sagem Communications and runs a BT version of Jungo OpenRG, then there are likely similarities. As port 2556 is right next door, there's always a possibility it's also for UPnP. If you don't need UPnP, or are concerned, then try turning it off and scan again.
The other thing the HH has is a mechanism for BT to access the Hub remotely (with your permission of course). You can check and enable/disable this from the Hub GUI via Settings -> BT Access Control.
Presumably this scan was to the broadband network IP address i.e., the outside IP address? Out of curiosity, where was the host running nmap connected? On the local LAN such that it scanned the outside address of the hub from the inside, or was it actually connected to "outside" e.g., from a friend's house, via tethered connection to a mobile?
I don't have a HH4, but for the HH5 I see a different set of results when scanning the outside IP from inside, versus scanning outside IP from outside.
Ultimately there may not be too much you can do about these open ports. If you're really concerned the best option is an open firewall that you have full access to and can control.
Regards
Agreed that these ports could be used by all sorts of things. The more you Google, the more differences you'll find.
Turn off UPnP via Advanced Settings -> Firewall -> UPnP, then click the Off radio button. The Extended UPnP Security option will obviously disappear when you disable UPnP. This will at least prove 2555 and 2556.
Presumably you scanned the hub as you want to try and understand any exposure you might have to attack. If you really want to know what ports are open to the Internet and so how vulnerable you might be, you're going to have to scan the external IP and from a host that is not on your local LAN. In the past I've tethered the host with nmap to my phone and then scanned the external IP address assigned to the Home Hub.
The following is a scan of a HH5, and you'll see there are differences depending upon which address you scan and where from. That makes sense, as why would port 53 (DNS) be open on the external IP address?
Internal IP from inside i.e., nmap assigned 192.168.1.X address:
Discovered open port 53/tcp on 192.168.1.254
Discovered open port 80/tcp on 192.168.1.254
Discovered open port 139/tcp on 192.168.1.254
Discovered open port 443/tcp on 192.168.1.254
Discovered open port 445/tcp on 192.168.1.254
Discovered open port 6969/tcp on 192.168.1.254
External IP from inside i.e., nmap assigned 192.168.1.X address:
Discovered open port 80/tcp on 81.X.Y.105
Discovered open port 443/tcp on 81.X.Y.105
Discovered open port 1024/tcp on 81.X.Y.105
Discovered open port 6969/tcp on 81.X.Y.105
External IP from outside i.e., nmap scanner on Vodafone IP address:
Discovered open port 25/tcp on 81.X.Y.105
Discovered open port 80/tcp on 81.X.Y.105
Discovered open port 1024/tcp on 81.X.Y.105
Discovered open port 8085/tcp on 81.X.Y.105
As I said in the previous post, "Difficult to know exactly what these ports are used for as the OS on the Home Hub is locked down". I don't know any way to get an internal view of the HH. As I say it's based on Jungo OpenRG so get the source to that if you feel so inclined. It'll only be an indication as we don't know what BT do to OpenRG once they get it.
Regards
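Added example, not part of any post in this thread: a short Python script that takes the three HH5 scans quoted in the post above and works out which ports are actually reachable from the Internet, and which results from an inside scan of the external address would have been misleading. The names `SCANS`, `open_ports` and `compare` are the example's own; the scan lines are copied from the post, with the address redacted as it is there.

```python
import re

# Scan output as quoted in the post above (external address redacted there).
SCANS = {
    "internal_from_inside": """
        Discovered open port 53/tcp on 192.168.1.254
        Discovered open port 80/tcp on 192.168.1.254
        Discovered open port 139/tcp on 192.168.1.254
        Discovered open port 443/tcp on 192.168.1.254
        Discovered open port 445/tcp on 192.168.1.254
        Discovered open port 6969/tcp on 192.168.1.254""",
    "external_from_inside": """
        Discovered open port 80/tcp on 81.X.Y.105
        Discovered open port 443/tcp on 81.X.Y.105
        Discovered open port 1024/tcp on 81.X.Y.105
        Discovered open port 6969/tcp on 81.X.Y.105""",
    "external_from_outside": """
        Discovered open port 25/tcp on 81.X.Y.105
        Discovered open port 80/tcp on 81.X.Y.105
        Discovered open port 1024/tcp on 81.X.Y.105
        Discovered open port 8085/tcp on 81.X.Y.105""",
}

LINE = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)$")

def open_ports(text):
    """Set of (port, proto) pairs found in 'Discovered open port' lines."""
    hits = (LINE.match(line.strip()) for line in text.splitlines())
    return {(int(m.group(1)), m.group(2)) for m in hits if m}

def compare(scans):
    """Diff the three vantage points; only the outside scan shows real exposure."""
    lan = open_ports(scans["internal_from_inside"])
    hairpin = open_ports(scans["external_from_inside"])
    outside = open_ports(scans["external_from_outside"])
    return {
        "internet_exposed": sorted(outside),
        "missed_by_inside_scan": sorted(outside - hairpin),
        "not_reachable_from_outside": sorted(hairpin - outside),
        "lan_only": sorted(lan - hairpin - outside),
    }

if __name__ == "__main__":
    for label, ports in compare(SCANS).items():
        print(f"{label}: {', '.join(f'{p}/{proto}' for p, proto in ports)}")
```

On this data the inside scan of the external address misses 25/tcp and 8085/tcp and reports 443/tcp and 6969/tcp, which the outside scan did not find open.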
From a security perspective, if you don't know why it is open or for what purpose, it should be closed.
I'm fairly certain BT support staff can tunnel into your router, as when I had a query they told me what the SSID was (I had changed it from default) and some of the devices on my network.
I bought another HG612 and flashed it with unlocked firmware to remove the BT agent and PTM 301 as I use my own router so BT require no access.
You would have thought that there should be a physical button so customers can authorise this rather than it being enabled by default.
BTW - Steve Gibson's ShieldsUP site will scan your router's open ports. Choose all service ports for the full 0-65535 port scan.