Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Hack Over a Dozen Home Routers

Posted by samzenpus on from the protect-ya-neck dept.

An anonymous reader writes "Security researchers at Independent Security Evaluators have published a report demonstrating that a slew of home and small office (SOHO) routers are vulnerable to previously undisclosed vulnerabilities. The report asserts that at least thirteen popular routers can be compromised by a remote attacker, and a number of them do not require knowledge of credentials or active management sessions. Some of the routers are not listed as they work with vendors to fix them, but there are 17 vulnerabilities disclosed, with another 21 pending release. An article on CNET includes an interview with some of the researchers."

8 of 109 comments (clear)

  1. Use a FreeBSD box as your firewall by Anonymous Coward · · Score: 4, Insightful

    An older computer redone with a FreeBSD install makes an excellent router and is extremely secure. I would suggest anyone who is comfortable with a *nix command line use this solution as I've found it to be virtually bulletproof.

    1. Re:Use a FreeBSD box as your firewall by Anonymous Coward · · Score: 3, Insightful

      Except for power and space. Sorry, but I want something that I can tuck away on the wall or on top of a shelf, and the average older computer isn't very suitable for that.

      Even a mini-ITX build is still using more power than I'd prefer.

    2. Re:Use a FreeBSD box as your firewall by AlphaWolf_HK · · Score: 5, Insightful

      I like these embedded devices because they are low power (save you money on an ongoing basis) and do the job. Many even offer some nice things like switch management (e.g. creating vlans) if you use custom firmware. That said, if you do switch to a custom firmware, chances are good that you are immune to these vulnerabilities.

      These security researchers don't really count on the later though. They advocate requiring these devices to require signed firmware. That means no custom firmwares, so if your manufacturer ever abandons the device, and security vulnerabilities are later found, you really can't do anything about it. I like custom firmware for not only that reason (e.g. it uses software that is generally better tested against threats) but because it ads features that most OEMs require you to pay a LOT extra for.

      I hope none of these vendors take the signed firmware advice, or at least allow you to sign your own. But many here already know how that goes. I think Netgear is the only one that might set itself apart in that regard as they carry certain models that are explicitly advertised to the customer as being able to use your own firmware.

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
  2. Re:ISP Provided? by JJJJust · · Score: 5, Insightful

    Yours for either A. having your credit card information on the network in an unencrypted state, B. transmitting it without making sure the HTTPS lock is present, and/or C. not having adequate deskop security.

    It takes more than just an accessible router to get to sensitive information... if an unauthorized party is able to access that information, 9 times out of 10 it'll be a user's fault.

  3. Easy to mitigate. by viperidaenz · · Score: 4, Insightful

    They're pretty much all CSRF vulnerabilities. Don't save your password to your router or don't use a common router IP address like 192.168.1.1

    1. Re:Easy to mitigate. by viperidaenz · · Score: 4, Insightful

      Because its cross-site-request-forgery.

      If you're logged in to your router and you go to another website that has an image tag with a url of "http://192.168.1.1/admin/enable-remote-login" or submits a form using javascript off to 192.168.1.1 then they've effectively made that request from inside your local network via your browser.

      If there is an exploit that enables remote admin then not only has the attacker now enabled remote admin on your router but they have your external IP address to exploit because you made the request...

      I'm disappointed in the Slashdot moderators for giving this +4 Insightful. It was a good question though.

  4. Warning: $1 a day for some "older computers" by NotQuiteReal · · Score: 5, Insightful

    It's been mentioned, but I have actual metrics (Kill-A-Watt P3) on the electricity used by "old computers"... in my case it was about a buck a day (I'm in So Cal, so YMMV, but I am sure electric rates are going to go up here, since California is going to save the world from global warming [or go broke trying], all by itself, by taxing the bejesus out of anyone with two nickles, You're welcome.)

    BTW - anyone with an old VCR or DVD player you REALLY don't use... about $18 year just to keep it plugged in (flashing 12:00 or not). I tossed 2 units in the Goodwill bin a couple of years ago and haven't missed them.

    --
    This issue is a bit more complicated than you think.
  5. Re:Blaming the victim by epyT-R · · Score: 2, Insightful

    the people responsible are the ones who committed the crimes, not the people who coulda-shoulda-woulda been in positions to prevent it if they had done X more.