# TiVo Remote Web Access



## ifekas (Aug 2, 2002)

I have finally got TiVo web working; and am having difficulty deciding the best way to set it up for remote access from different locations.

I have done various searches; TiVohelp seemed to provide the most comprehensive advice, and advised against making TiVo IP accessible over the Internet via port forwarding on the router. 

However, the 'solution' was to access TiVo web through the home pc via VNC/Remote Access, etc. This may be more secure for the TiVo, but opens up all sorts of issues re computer hacking; and I would rather have a hacker delete recordings on the TiVo rather than access my personal files, and hence I am not so keen on this idea. Another drawback is that one's computer would have to be on the whole time, which is a waste of energy and contributes to carbon dioxide emissions. And also, VNC/Remote Desktop may not always be available on public terminals.

The document goes on to say that if one makes TiVo web accessible over the Internet, one can password protect the logon (though the passwords are set in plain text) and change the port number. This would seem sufficient security for me.

What was more concerning was the possibility mentioned of DOS attacks that could 'easily' crash the TiVo. Perhaps members who have set up their TiVos accessible on the internet could comment on whether this is the case or not.


----------



## iankb (Oct 9, 2000)

LogMeIn and GoToMyPC both provide secure access to your PC, without having to open up any incoming ports on your firewall. They both make connections using outgoing ports to central servers, and both can be accessed by web browsers from any public terminal, without software installation.


----------



## cwaring (Feb 12, 2002)

ifekas said:


> I have done various searches; TiVohelp seemed to provide the most comprehensive advice, and advised against making TiVo IP accessible over the Internet via port forwarding on the router.


Just to say that I've been doing it that way for about six months now, with only rudimentary password protection, and not had any problems, that I am aware of, anyway.


----------



## johnnye (Oct 18, 2005)

Mine has been on the internet (via port forwarding on the router) with only the tivoweb password protection for at least 12 months without any problems. 

According to the router stats, other than an occasional blanket port scan and my own use, there haven't even been any attempts to access the TiVo from the internet.

Compared to the damage that could be done by an open port on a PC, what is the worst that could happen with the TiVo? No attacker will know what it is to do anything malicious, and the only real issue might be DoS attacks but this would be very unlikely, and can be stopped if your router has the ability to recognise them.

Of course, sod's law says that once you try it, the hackers from hell will descend and cause your TiVo to self-ignite, just as you leave to go out for the evening. Don't say you weren't warned!


----------



## terryeden (Nov 2, 2002)

I've had mine on Port 80 with the standard TiVoWeb password protection (I have changed it from the default) for nearly 2 years with no trouble. I'm also using dyndns.org to provide a name rather than an IP address. Although the TiVo can't update Dyndns, my PC does every time it switches on. My IP doesn't change that rapidly to be a problem.


----------



## AMc (Mar 22, 2002)

I use a high port and password protection - no trouble in about 6 months since I first installed it.
The accessibility is more than worth the risk to me.


----------



## ericd121 (Dec 12, 2002)

johnnye said:


> Compared to the damage that could be done by an open port on a PC, what is the worst that could happen with the TiVo?


That's what I said the last time this was discussed and someone suggested that a compromised Tivo would let the hacker access everything else on your network.


----------



## johnnye (Oct 18, 2005)

Hmm, that's a good point and I may have to consider it. Most of the home PCs have a software firewall and I could exclude the static IP address of the TiVo from the trusted zone. My server doesn't have a firewall, though, for performance reasons, so that may need revising. 
Decisions, decisions, decisions, but nothing to lose any sleep over.


----------



## AMc (Mar 22, 2002)

Typical - Trying to check something from work and it goes wrong!
I get the login prompt as a Windows dialogue IDed as 'Tivo-web' - so I know the IP is mine, the port forward is working, and Tivo is at least running something responding to HTTP.
Put in my username and password and it just hangs.

I assume I'm going to have to wait until I get home unless someone can suggest something else to prod Tivoweb remotely?


----------



## cwaring (Feb 12, 2002)

Can you Telnet in and either re-start TW or re-boot the Tivo? That doesn't require a username/password.


----------



## sanderton (Jan 4, 2002)

The chances of a TiVo being compromised are very low; even if a hacker managed to get access it's unlikely they would have any malicious binaries compiled for a Series 1 Tivo, and TiVo can't access Windows shares etc.

I have three TiVos exposed on standard ports with only the TW password for protection for several years and have had no issues.


----------



## AMc (Mar 22, 2002)

cwaring said:


> Can you Telnet in and either re-start TW or re-boot the Tivo? That doesn't require a username/password.


Unfortunately I have only forwarded one external port to 80 on the internal network for Tivonet. The standard Telnet ports are closed on my router/firewall.
I'll be home in an hour or so; just a pain.


----------



## ifekas (Aug 2, 2002)

Thanks for the replies. 

It is good to know that quite a number of users have got their TiVos set up for external access with the appropriate password protection, and haven't had problems, as this is what I want to do!

I hadn't thought about hackers using the TiVo to get access to my computer; although the possibility of this is quite unlikely, I'll leave the computer's software firewall switched on.


----------



## cwaring (Feb 12, 2002)

ifekas said:


> I hadn't thought about hackers using the TiVo to get access to my computer; although the possibility of this is quite unlikely, I'll leave the computer's software firewall switched on.


You shouldn't need to if your Router has one; which I thought they all did?


----------



## ptruman (Jan 8, 2003)

Get an upgradeable router (mine is a Linksys WET54GS), and put a 3rd party firmware on it (I'm running Sveasoft).

I can now access my LAN from anywhere, using the router's onboard SSH software, and then open up 'tunnels' to anything internal. It's considerably more secure than just raw port forwarding. Takes a bit of setting up, but it's well worth it.


----------



## iankb (Oct 9, 2000)

cwaring said:


> You shouldn't need to if your Router has one; which I thought they all did?


A router's firewall won't stop a hacked TiVo from accessing other PCs on the same side of the firewall so, if this is a worry, then a software firewall on the PC would make sense.


----------



## iankb (Oct 9, 2000)

Although I haven't tried it, you could try to create a true DMZ (De-Militarised Zone), whereby you run two separate subnets (e.g. 10.215.x.x and 192.168.x.x), with a second (non-ADSL) network router in-between.

i.e. The network connected to your broadband router would have the TiVo and any other publicly-available web-server in it, while the other PCs would sit on an internal network behind the separate router. The second router would need to be allocated an external address in the DMZ's subnet. Internal PCs would pass through two firewalls and two sets of NAT address translation but, unlike with the built-in DMZ function of routers, would be fully-protected against machines in the DMZ by the second firewall.

If this works, then you have the advantage of being able to run several machines in the DMZ, together with a single external IP address.

_[And for those who don't understand what a network DMZ is used for, it's where you put computers that must be exposed to the outside world but, if hacked, would not compromise your internal network.]_


----------



## Ian_m (Jan 9, 2001)

I wouldn't worry about it too much. I have moved my TiVoWeb to a non-standard port (edit the tivoweb.cfg file) and have ADSL router (NetGear DG834G) port forwarding on with two rules.

1st rule is port forwarding but from my work's IP only with logging if not matched.

2nd rule is same again port forwarding but from any external IP address with no logging.

Thus access from my work does not clog the logs, any access from any other IP gets logged.

In two years I have not seen anything triggering the second rule other than when I accessed my TiVo from a web cafe in Menorca.

Yes, I know it may be too late logging after the event/hack, but I don't think it's worth much more effort than simple changing of port numbers.

Oh also I have a block rule with logging for port 80 (HTTP) and 20,21 (FTP) and 23 (Telnet) which gets quite a bit of scanning from IPs all over the place.


----------
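An added example, not part of Ian_m's post or the NetGear configuration: a small first-match model of the scheme described above, in which work traffic is forwarded quietly and every other source is logged. The work network, the TiVoWeb port (8080) and all addresses and timestamps are constructed assumptions.

```python
import ipaddress

WORK_NET = "198.51.100.0/24"  # constructed stand-in for the work IP
ANY = "0.0.0.0/0"
# (action, source network, external port, log?) - evaluated top to bottom.
RULES = [
    ("forward", WORK_NET, 8080, False),  # rule 1: work, forwarded, not logged
    ("forward", ANY, 8080, True),        # rule 2: anyone else, forwarded, logged
    ("block", ANY, 80, True),            # noisy scanned ports: block and log
    ("block", ANY, 20, True),
    ("block", ANY, 21, True),
    ("block", ANY, 23, True),
]
# Constructed inbound attempts: (timestamp, source IP, destination port)
ATTEMPTS = [
    ("day1 09:12", "198.51.100.7", 8080),
    ("day1 13:40", "203.0.113.50", 23),
    ("day2 20:05", "192.0.2.33", 8080),
    ("day3 02:17", "203.0.113.50", 80),
    ("day3 02:18", "203.0.113.50", 3389),
]


def evaluate(src, port, rules=RULES):
    """Return (action, logged) from the first matching rule; default is a silent drop."""
    addr = ipaddress.ip_address(src)
    for action, net, rule_port, log in rules:
        if port == rule_port and addr in ipaddress.ip_network(net):
            return action, log
    return "block", False


def review(attempts, rules=RULES):
    """Return the resulting log and the non-work sources that reached the TiVo."""
    log, strangers = [], set()
    for ts, src, port in attempts:
        action, logged = evaluate(src, port, rules)
        if logged:
            log.append((ts, src, port, action))
            if action == "forward":
                strangers.add(src)
    return log, sorted(strangers)


if __name__ == "__main__":
    entries, strangers = review(ATTEMPTS)
    for entry in entries:
        print(*entry)
    print("forwarded from outside work:", strangers)
```

Rule order carries the whole design: with the two forward rules swapped, the catch-all matches first and work traffic is logged as well.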



## The Obo (Feb 22, 2005)

Pete77 said:


> ...and said he never had any problems so long as it was configured to forward on Port 443 and not Port 80.





Ian_m said:


> I wouldn't worry about it too much. I have moved my TiVoWeb to a non-standard port (edit the tivoweb.cfg file) and have ADSL router (NetGear DG834G) port forwarding on with two rules.
> 
> 1st rule is port forwarding but from my work's IP only with logging if not matched.
> 
> 2nd rule is same again port forwarding but from any external IP address with no logging.


I also have a Netgear DG834G setup similar to Ian_m. Except that because of my work firewall rules I have had to leave the Tivo on Port 80 (with password protection of course). I want to use Port 80 for something else and it appears every other port is blocked from my work except for HTTPS.

Question: Can I move my Tivo to Port 443 by simply changing the port number in the Tivoweb.cfg file?

I use DynDNS - will _https://www.mydomainname.homeip.net_ work? (is this the same as _http://www.mydomainname.homeip.net:443_?)

Is it all as simple as this? Or is there some sort of security certificate requirement to use port 443?


----------



## cwaring (Feb 12, 2002)

The Obo said:


> Question: Can I move my Tivo to Port 443 by simply changing the port number in the Tivoweb.cfg file?


Yes.



> Is it all as simple as this?


Yes



> Or is there some sort of security certificate requirement to use port 443?


No.


----------



## The Obo (Feb 22, 2005)

cwaring said:


> Yes.
> 
> Yes
> 
> No.


Brilliant - Thanks!! I'll try it tonight.....


----------



## aerialplug (Oct 20, 2000)

Orenosp is probably the cleanest, most secure and elegant way of doing it, but this means you have to have a remote PC running at all times to act as a gateway for your TiVo. This way you can genuinely leave your TiVo on the internet safe in the knowledge that unless someone guesses your username and password, your TiVo won't be pestered by external communications.

I have (well, had until a crash this weekend) this setup and it works fine for me, providing a password protected encrypted connection to the TiVo.

The only difficulty with orenosp is that the current version costs $89. There are still versions of the old free "single licence" versions floating around though...

The main advantage orenosp gives over the router solution is that all transactions between your remote PC and the orenosp server are encrypted, so someone doing packet sniffing won't be able to get at your username and password.


----------



## aerialplug (Oct 20, 2000)

Oh - I forgot to mention the other way I access TiVo remotely.

I've got Cygwin running an ssh server on the remote PC (that's on the same network as TiVo).

Locally, I use PuTTY, mapping a port on my local machine with the TiVo's TivoWeb port. All I then have to do is log in using PuTTY and point the local web browser to http://127.0.0.1:portnum (where portnum is a port that I've chosen PuTTY to map to on the local machine).

I've got this setup because I also use this ssh tunnel to access my home PC from work using Microsoft Remote Desktop and I've mapped a few other remote ports onto my desktop at work.


----------



## iankb (Oct 9, 2000)

The Obo said:


> Is it all as simple as this? Or is there some sort of security certificate requirement to use port 443?


You would need a security certificate to use https with port 443. There is a small possibility that your company firewall will spot that you are only using http with port 443, and block it. The firewall might allow http with ports 8080, 3128, or 6588, which are often used as internet proxies.


----------
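An added example, not part of any post in this thread: how a firewall or sniffer can tell plain HTTP from HTTPS on port 443 by the first bytes the client sends, and why a TiVoWeb login sent without a tunnel or an SSL front end is readable on the wire. Both samples are constructed, and the use of HTTP Basic authentication is an assumption based on the browser login dialogue described earlier.

```python
import base64
import struct

# Constructed samples: the first bytes a client sends after connecting.
SAMPLE_TLS = bytes.fromhex("16030100050100000100")  # record header + ClientHello stub
SAMPLE_HTTP = (b"GET / HTTP/1.0\r\n"
               b"Host: tivo.example\r\n"
               b"Authorization: Basic " + base64.b64encode(b"viewer:s3cret") + b"\r\n\r\n")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the opening bytes of a connection."""
    # TLS record: content type 0x16 (handshake), version 3.x, 2-byte length,
    # then handshake type 0x01 (ClientHello).
    if len(data) >= 6:
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        if ctype == 0x16 and major == 3 and minor <= 4 and length > 0 and data[5] == 1:
            return "tls"
    # Plaintext HTTP: "<METHOD> <target> HTTP/<version>" as the first line.
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if (len(parts) == 3 and parts[0].isalpha() and parts[0].isupper()
            and parts[2].startswith(b"HTTP/")):
        return "http"
    return "unknown"


def visible_basic_credentials(data: bytes):
    """Return (user, password) if a plaintext request carries Basic auth, else None."""
    if classify_first_bytes(data) != "http":
        return None
    for line in data.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"authorization":
            scheme, _, token = value.strip().partition(b" ")
            if scheme.lower() == b"basic":
                # Basic auth is base64 encoding, not encryption.
                decoded = base64.b64decode(token).decode("latin-1")
                user, _, password = decoded.partition(":")
                return user, password
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_TLS, SAMPLE_HTTP):
        print(classify_first_bytes(sample), visible_basic_credentials(sample))
```

Moving the listener to 443 changes only the port number; the traffic still classifies as `http`, which is what an inspecting firewall would see.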



## The Obo (Feb 22, 2005)

Port 443 has worked a dream - thanks everyone!


----------



## Fofer (Oct 29, 2000)

I've used Orenosp, port forwarding, and an account on dyndns.org for years now... but this only let me access one of my two DTiVos remotely. And while it worked fine on my Treo 650, it didn't work with the browser on my new Treo 700p.

I'm playing with the new tivo remote access tool from tivoupgrade (at PTVupgrade.com) and it seems to work well.
No more dynamic IP following, no more port mapping on routers, etc. Check it out!


----------



## tivoupgrade (Sep 27, 2000)

Definitely curious as to whether things work on UK TiVo DVR models. If anyone is so inclined, please head over to the pre-beta thread and give things a whirl!

Thx,
Lou


----------



## zippy7272 (Dec 29, 2004)

tivoupgrade said:


> Definitely curious as to whether things work on UK TiVo DVR models. If anyone is so inclined, please head over to the pre-beta thread and give things a whirl!
> 
> Thx,
> Lou


Never heard of this before but...

Seems to work for me!

Now can I use it on my poxy mobile....

Damn, having said that it has now locked up twice since installing.

Anyone else use this in the UK?


----------

