Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Hack Over a Dozen Home Routers

Posted by samzenpus on from the protect-ya-neck dept.

An anonymous reader writes "Security researchers at Independent Security Evaluators have published a report demonstrating that a slew of home and small office (SOHO) routers are vulnerable to previously undisclosed vulnerabilities. The report asserts that at least thirteen popular routers can be compromised by a remote attacker, and a number of them do not require knowledge of credentials or active management sessions. Some of the routers are not listed as they work with vendors to fix them, but there are 17 vulnerabilities disclosed, with another 21 pending release. An article on CNET includes an interview with some of the researchers."

25 of 109 comments (clear)

  1. Use a FreeBSD box as your firewall by Anonymous Coward · · Score: 4, Insightful

    An older computer redone with a FreeBSD install makes an excellent router and is extremely secure. I would suggest anyone who is comfortable with a *nix command line use this solution as I've found it to be virtually bulletproof.

    1. Re:Use a FreeBSD box as your firewall by Anonymous Coward · · Score: 3, Insightful

      Except for power and space. Sorry, but I want something that I can tuck away on the wall or on top of a shelf, and the average older computer isn't very suitable for that.

      Even a mini-ITX build is still using more power than I'd prefer.

    2. Re:Use a FreeBSD box as your firewall by 00Monkey · · Score: 4, Informative

      pfSense and others like m0n0wall will work on Netgate's ALIX Kits: http://store.netgate.com/ALIX-Kits-C86.aspx

      They're small and actually look like a router.

    3. Re:Use a FreeBSD box as your firewall by vjlen · · Score: 2, Interesting

      This. We build these for clients and run pfSense on them. Low power, no heat, supports a backup WAN connection with it's three ethernet interfaces. And you can add two more with USB Ethernet adapters.

    4. Re:Use a FreeBSD box as your firewall by AlphaWolf_HK · · Score: 5, Insightful

      I like these embedded devices because they are low power (save you money on an ongoing basis) and do the job. Many even offer some nice things like switch management (e.g. creating vlans) if you use custom firmware. That said, if you do switch to a custom firmware, chances are good that you are immune to these vulnerabilities.

      These security researchers don't really count on the later though. They advocate requiring these devices to require signed firmware. That means no custom firmwares, so if your manufacturer ever abandons the device, and security vulnerabilities are later found, you really can't do anything about it. I like custom firmware for not only that reason (e.g. it uses software that is generally better tested against threats) but because it ads features that most OEMs require you to pay a LOT extra for.

      I hope none of these vendors take the signed firmware advice, or at least allow you to sign your own. But many here already know how that goes. I think Netgear is the only one that might set itself apart in that regard as they carry certain models that are explicitly advertised to the customer as being able to use your own firmware.

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
    5. Re:Use a FreeBSD box as your firewall by blackicye · · Score: 2

      OpenWRT. Linux interface, router package and power consumption. Easy.

      of if that is too intimidating, DD-WRT or Tomato.

    6. Re:Use a FreeBSD box as your firewall by AlphaWolf_HK · · Score: 5, Informative

      No he isn't doing that. You'll get the same security benefit of having a roll your own box if you loaded your own custom firmware that was better tested, like say tomato or openwrt (I'm not a fan of dd-wrt myself, but it seems secure enough.)

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
    7. Re:Use a FreeBSD box as your firewall by AlphaWolf_HK · · Score: 2

      Probem with Pi is that its network throughput is kinda bad. I have a 50mbit pipe, and pi seems to top out at 35. Kind of problematic for XBMC use for me as well in that playing blu-rays results in buffering for me for the high bitrate ones (add nfs/smb overhead and you dip down to 30mbit - some of my blu-rays peak at 39mbit.) Still trying to figure out of the problem is just me (I only got the pi a week ago) or if everybody with high bitrate ripped bd's has this problem. And no, I don't want to transcode them to a lower bitrate.

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
    8. Re:Use a FreeBSD box as your firewall by blacksmith_tb · · Score: 3, Informative

      www.easytomato.org - nicely polished version for a common (and fairly versatile) modern router, the ASUS RT-N16.

    9. Re:Use a FreeBSD box as your firewall by SuricouRaven · · Score: 2

      That's because the Pi chip doesn't have ethernet at all. Instead the ethernet port is connected via USB internally. It was the only way to meet the low-cost requirement, but comes with a performance cost: USB takes considerable processor time for bulk data transfers.

    10. Re:Use a FreeBSD box as your firewall by wonkey_monkey · · Score: 5, Funny

      so you would sacrifice security for convenience? Then, you deserve neither*.

      You're right. He should block all traffic and whitelist every single IP address as he needs to. Actually, he should manually inspect every packet he receives. Actually, he should have all his packets printed at a remote location and FedEx'd to him for examination and re-input.

      --
      systemd is Roko's Basilisk.
    11. Re:Use a FreeBSD box as your firewall by ChrisMaple · · Score: 2

      That's inadequate; he'd still be vulnerable to a killer joke attack. http://en.wikipedia.org/wiki/The_Funniest_Joke_in_the_World. Each packet must be divided into four parts to be read by a security team, no person being allowed to read more than one part.

      --
      Contribute to civilization: ari.aynrand.org/donate
  2. Somebody alert NASA by servognome · · Score: 2

    They hacked 13 Solar & Heliospheric Observatory routers.

    Yes I did go to the actual article, but got bored after reading the headline.

    --
    D6 63 0D 70 89 81 BB 8E 7B 7C 5F 5D 54 EA AB 73
  3. Re:ISP Provided? by JJJJust · · Score: 5, Insightful

    Yours for either A. having your credit card information on the network in an unencrypted state, B. transmitting it without making sure the HTTPS lock is present, and/or C. not having adequate deskop security.

    It takes more than just an accessible router to get to sensitive information... if an unauthorized party is able to access that information, 9 times out of 10 it'll be a user's fault.

  4. Re:ISP Provided? by sinij · · Score: 2

    I see where you went wrong. You are trusting the same guys that try to oversell and under-deliver all while trying to legislate away competition to be technically competent and deliver you a secure router. What makes you think this time will be any different?

  5. This time I'm intrigued... by juventasone · · Score: 3, Interesting

    Comprosing cheap routers is a topic that has been covered on Slashdot many times before. In every previous article, they've required that remote administration be enabled on the router, which is generally never a default setting. This report states, "tested with out-of-the-box configuration settings". Really? Yikes.

  6. Easy to mitigate. by viperidaenz · · Score: 4, Insightful

    They're pretty much all CSRF vulnerabilities. Don't save your password to your router or don't use a common router IP address like 192.168.1.1

    1. Re:Easy to mitigate. by animaal · · Score: 2, Interesting

      They're pretty much all CSRF vulnerabilities. Don't save your password to your router or don't use a common router IP address like 192.168.1.1

      I'm scratching my head here - why would an address like 192.168.1.1 be a problem? It's only an internal IP address. An attack from the outside would come through the external IP address. Once they've breached the router, surely it'd be simple to find internal addresses anyway?

      (Really hoping I don't have to re-address my stuff!)

    2. Re:Easy to mitigate. by viperidaenz · · Score: 4, Insightful

      Because its cross-site-request-forgery.

      If you're logged in to your router and you go to another website that has an image tag with a url of "http://192.168.1.1/admin/enable-remote-login" or submits a form using javascript off to 192.168.1.1 then they've effectively made that request from inside your local network via your browser.

      If there is an exploit that enables remote admin then not only has the attacker now enabled remote admin on your router but they have your external IP address to exploit because you made the request...

      I'm disappointed in the Slashdot moderators for giving this +4 Insightful. It was a good question though.

  7. Warning: $1 a day for some "older computers" by NotQuiteReal · · Score: 5, Insightful

    It's been mentioned, but I have actual metrics (Kill-A-Watt P3) on the electricity used by "old computers"... in my case it was about a buck a day (I'm in So Cal, so YMMV, but I am sure electric rates are going to go up here, since California is going to save the world from global warming [or go broke trying], all by itself, by taxing the bejesus out of anyone with two nickles, You're welcome.)

    BTW - anyone with an old VCR or DVD player you REALLY don't use... about $18 year just to keep it plugged in (flashing 12:00 or not). I tossed 2 units in the Goodwill bin a couple of years ago and haven't missed them.

    --
    This issue is a bit more complicated than you think.
  8. Don't forget Buffalo by Zynder · · Score: 3, Informative

    The Buffalo Nx00 series (mine is an N900 I think) also uses DD-WRT and actively advertises it. In basic mode, it is a Buffalo branded implementation but there is a variable to set which puts it in advanced DD-WRT Mode. It was the primary driver in my decision to purchase said router. My knowledge at the time was that Buffalo only did backup solutions & SANs but went out on a limb and bought it anyway. I have never been more happy. Buy one today!

  9. Re:Blaming the victim by epyT-R · · Score: 2, Insightful

    the people responsible are the ones who committed the crimes, not the people who coulda-shoulda-woulda been in positions to prevent it if they had done X more.

  10. Won't help you by dutchwhizzman · · Score: 2

    Using a firewall box behind the router your ISP mandates you use, will not help you against a number of threats. Basically, they take over your router, put a sniffer on it and they can sniff all your internet traffic. The extra firewall may or may not prevent them gaining access to your computers behind the IPV4-NAT your router usually does. That's the only protection an extra firewall might give you. I'm saying might, since slight misconfiguration or access to a hackable service behind the firewall will negate all security that firewall is giving you.

    Advocating FreeBSD, or any other specific solution is not helpful here. There are plenty of other adequate firewall solutions, more or less regardless of the operating system they may be running.

    In practice, it will only help if manufacturers and vendors will be found liable for security flaws in their equipment and will automatically have to pay not just the price of the device and all damages to all customers that have bought it, but also a fine if they are found to be negligent. It's clear that vendors don't take security seriously (all tested devices were hacked) and ISPs aren't either. Home users can't be expected to know their security details up to such a high level so can't really be blamed for trusting their ISP or a leading brand to take care of security adequately. ISPs, vendors and manufacturers are supposed to know and actively secure their devices. Since they don't seem to care, some sort of threat should be put in place to make them take this more seriously.

    --
    I was promised a flying car. Where is my flying car?
  11. Confirmed case here by xyourfacekillerx · · Score: 5, Interesting

    My parents' ISP issued router came down with a case of malware. The ISP kept putting them into walled-garden claiming botnet activity, and after months and months of this, I intervened. upon my investigation (which also took months) and thanks to their reluctant but cooperative security team, we determined it was not the only connected device that had the malware, but the router itself. And only because I "hacked" into it at some point and observed the malware in action, and reported my results back to the ISP. I thought my method (though it required some circumvention) was an intentional feature of the router. I didn't realize it was a vulnerability. Not at the time. I mean how do they remotely configure your router while on call or live chat with them? How can they expect me to think I can't do the same thing myself?

  12. Re:the quote from the researcher by Wilf_Brim · · Score: 2

    I disagree. There is a demand for security, at least among some a certain set of consumers. The current problem is that apparently none of the commercially available routers appear to be worth anything when it comes to security. Every time an article like this appears on /. I keep looking for some recommendations as to what to do. And I never find anything. The only recommendation I did find was from Mr. Kitchen, about using an old computer and smoothwall. Well, first, physically that wouldn't work (the cable modem, router, and switch all live up on a small shelf near the patch panel for my house. Yes, I paid $$ to get the place wired). Second, I really doubt my ability to keep a linux box up, operating, and fully patched. Keeping the router's firmware up to date is easy (it checks itself, and will pop up on the admin page when a new firmware is available: some will even flash themselves if you allow it): a unix OS isn't going to be that easy. I really don't understand why some manufacturer doesn't use this as a marketing opportunity. There is a niche here. I'd may more (maybe significantly more) for something that is secure, works well, and meets my needs.