So on last nights security scan of my home, I found a new and interesting thing. Specifically, a TFTP server running. Huh. That is normally something I bring up to rescue some widget that is old-school almost-bricked.
Now, where is it. Its on the ring1. (ring0 is the hard-wire between my 3 larger servers, doesn't go anywhere. ring1 is the things my wife and I use, ring2 is the guests who come over, and ring3 is the evil crap that got bought in a moment of weakness).
Hmm, ok. What is it? Its an asustek tablet. One of the nexus 7's. My nexus 7 is semi-retired and currently in hard-off state, so must be Sonya's. But its pretty unlikely she has purposely installed TFTP server, right? Turns out this is indeed correct. One of the apps she has installed has gone rogue... Someone lost control of their account, or sold it, or whatever, and an update was pushed, and the update has some means of trying to get control of my network. The TFTP server would be how they get some new firmware to a device if they can crash it. And there are still some devices that can be crashed (previous hardening runs have improved my lot, but there are still a good chunk of devices that i'm not sure what to do with).
OK, so what should I do? Well, i reflashed her tablet and yanked the offending app. I could demote her tablet to ring2 or ring3 (but then it can't drive the chromecasts, sonos, remote, plex, ...). Hmm.
I could make some more complex firewall rules, a ring 1.5 maybe, but ugh. So much work. That mud thing, well, its just not there.
Suggestions? Maybe its the sorceror's apprentice syndrome?