Routers Pose Biggest Security Threat To Home Networks
Nerval's Lobster writes "The remote-access management flaw that allowed TheMoon worm to thrive on Linksys routers is far from the only vulnerability in that particular brand of hardware, though it might be simpler to call all home-based wireless routers gaping holes of insecurity than to list all the flaws in those of just one vendor. An even longer list of Linksys (and Cisco and Netgear) routers were identified in January as having a backdoor built into the original versions of their firmware in 2005 and never taken out. Serious as those flaws are, they don't compare to the list of vulnerabilities resulting from an impossibly complex mesh of sophisticated network services that make nearly every router aimed at homes or small offices an easy target for attack, according to network-security penetration- and testing services. For example, wireless routers (especially home routers owned by technically challenged consumers) are riddled with security holes stemming from design goals that emphasize usability over security, which often puts consumers at risk from malware or attacks on devices they don't know how to monitor, but through which flow all their personal and financial information via links to online banking, entertainment, credit cards and even direct connections to their work networks, according to a condemnation of the Home Network Administration Protocol from Tenable Network Security. Meanwhile, a January 2013 study from Rapid7 found 40 million to 50 million network-enabled devices, including nearly all home routers, were vulnerable to exploits using UPnP. Is there any way to fix this target-rich environment?"
If only there were an easily upgradeable open source router operating system to which vendors could add support for their hardware leaving long term maintenance to a larger community.
http://www.dd-wrt.com/site/ind... Why not right?
Pentesting the custom firmwares from projects like OpenWRT/DD-WRT/Tomato etc?
I have PFSense running on a virtual server, which I recommend to anyone. Perhaps not on the virtual server... it kind of adds a layer of complication that most people probably wouldn't care for, but it works well enough.
http://www.pfsense.org/
Hopefully no huge flaw comes out on that without me noticing. That would be embarrassing.
There are ten kinds of people in the world. Those who understand binary, and those who... Huh?
I bet everyone is busy writing smug comments about closed source firmwares, but let's not forget that DD-WRT have had a similar bug. http://www.xtremesystems.org/forums/showthread.php?230880-Massive-DD-WRT-Security-Hole-%28Unauthenticated-Root-Control-Possible%29
I don't actually know if it matters or not but I prefer Apple over other wireless routers because it's so damn braindead easy to keep them patched. Apple just pushes out firmware updates (rarely). Every other router I've owned it was a struggle to figure out if it needed a patch, how to do it. Moreover it was a source of worry even when there wasn't a problem which alone was worth any relatively small cost differential.
Some drink at the fountain of knowledge. Others just gargle.
I feel that all those links to WRT/PFSense/M0N0Wall/Tomato/etc are kind of redundant.
Sufficient to understand, that the underlying concept of UPnP is an abomination; a sick and distorted concept that deserves nothing less than an immediate death sentence, and to be buried along with The Funniest Joke In The World; never to be resurrected again.
Yes, this is /. We can upgrade our router firmware or install other firmware. Joe Sixpack cannot.
The blame for this should be laid squarely at the feet of the router manufacturers. IMHO, here's what Linksys/Cisco/Netgear/etc/etc/etc/ should do, at the very least:
1. Be open and forthcoming about bugs found in their router software
2. By default, routers should ship with automatic firmware updates enabled. This should be difficult to disable and robust enough that it'll *just work* with no user intervention.
3. Tell this to their customers in plain English or $localLanguage on the product packaging. And NOT in fine print. Make it very obviously noticeable to the purchaser. This can and should be a significant selling point, really. If I'm at BestBuy/WalMart/etc. and see one router boldly telling me "We care about your security! To protect you and your data, this router will check weekly with $manufacturer and update itself to give you the most secure Internet experience possible." And it's sitting next to another router that says no such thing, I'd buy the one that will keep me safe.
"Reuters Pose Biggest Security Threat To Home Networks"
I resisted wireless as long as I could because of this very issue. I can turn on my computer and see a dozen networks, and I live in the suburbs. Unfortunately, convenience and devices I wanted to use finally required it (can't use an iPad without wireless), so I caved a few years ago. Thankfully, I learned long, long ago that if I didn't want something on the Internet, I didn't let it near an Internet connected computer. I have an old laptop I use for personal things that is not connected to any internet whatsoever, and if I need to move files it's on a burned, finalized CD. Sure, it can still be read semi-remotely if someone wants to invest in that magnetic scanning tech that can read what data you are writing to your hard drive, but a) I don't have anything that would be THAT valuable to anyone, and b) if someone was going to use that on me, I've got far greater things to worry about.
design goals that emphasize usability over security
I wonder why usability was able to sell more than security? Hmm. Let's think about that.
Meanwhile, a January 2013 study from Rapid7 found 40 million to 50 million network-enabled devices, including nearly all home routers, were vulnerable to exploits using UPnP.
Man, and I can't get my home router to do UPnP. It's bad that UPnP allows for the configuration of the router to come from a machine outside of the network, but that should get fixed and UPnP should be able to start behaving like it is designed to.
Commercial, closed-source products just tend to have these problems and it's pie-in-the-sky to wish for a vendor to produce a secure product. If you want it secure, probably your best bet is an open source, open hardware mini server (like cubieboard or Raspberry Pi) and you're going to have to learn to do it yourself.
After I found that my ASUS RT-15U was running telnet with a default password, open to the world which I couldn't kill or change the password on, I swore off embedded device routers.
I have replaced it with a small Debian box with dual NICs, and bought a 24port switch from TPLINK. It was the best decision I have ever made. Perfect reliability, complete control, via IPTABLES. I've got auto blocking of malicious IPs trying to hit my ssh or port scanning me via DenyHosts and PSAD.
A couple other custom scripts and DNSMASQ, dhclient, snort, and python, and I have all the other services and features I want, and ONLY the services and features I want.
Man, and I can't get my home router to do UPnP. It's bad that UPnP allows for the configuration of the router to come from a machine outside of the network, but that should get fixed and UPnP should be able to start behaving like it is designed to.
Considering UPnP is broken by design, that's not really an improvement. Replacing a security hole in the router by a hundred apps that want their own ports to expose their own security holes to the Internet doesn't help much.
Forgive me if I'm wrong, but wasn't OpenWrt based on this same firmware? Or is this bug with the VxWorks-based firmware that Linksys later switched to?
The default password, when it is the same default password across all units of the same model or even the same manufacturer, is easy to exploit. Any website can send the user's browser some code that instructs it to attempt to log in via the user's router's web interface with the default password. It works because the user's browser is behind the firewall and therefore "trusted". Once logged in, it's trivial to reconfigure the router to open up all kinds of holes. Harder but still doable is getting the router to host and run malware itself.
The admin password is the first thing I change on a new router. Manufacturers who still don't individualize the factory set password are responsible for a lot of these problems.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
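The attack the post above describes (a web page driving the user's own browser, which sits on the "trusted" side of the firewall, into the router's admin interface with a factory password) is defeated on the router side by three independent checks. The following is an added example, not code from any router vendor, firmware project or poster in this thread: a per-device password requirement at setup, a Host-header check so that an attacker's hostname pointed at the router's LAN address (DNS rebinding) is refused, and an origin plus per-session CSRF token check on every state-changing request. The hostnames, the weak-password list, the session id and the secret key are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: the names and addresses the router answers to.
ROUTER_HOSTS = {"192.168.1.1", "router.local"}
# Constructed list of shared factory defaults the setup wizard must refuse.
WEAK_DEFAULTS = {"", "admin", "password", "1234"}


def derive_csrf_token(secret_key: bytes, session_id: str) -> str:
    """Token bound to one session; the admin pages embed it in every form."""
    return hmac.new(secret_key, session_id.encode(), hashlib.sha256).hexdigest()


def _host_of(url_or_host: str) -> str:
    """'http://192.168.1.1:8080/admin' -> '192.168.1.1' (port and path dropped)."""
    return url_or_host.split("//", 1)[-1].split("/", 1)[0].split(":")[0]


def check_admin_request(method, headers, form, session_id, secret_key):
    """Return (allowed, reason) for one request to the router's web UI.

    Read-only requests only need the Host check; anything that can change the
    configuration must also come from the router's own origin and carry the
    session's CSRF token.
    """
    if _host_of(headers.get("Host", "")) not in ROUTER_HOSTS:
        # The browser was sent here by a hostname that is not ours: DNS rebinding.
        return False, "host mismatch (possible DNS rebinding)"
    if method.upper() in ("GET", "HEAD"):
        return True, "read-only"
    origin = headers.get("Origin") or headers.get("Referer", "")
    if _host_of(origin) not in ROUTER_HOSTS:
        # A page on another site is submitting to us through the user's browser.
        return False, "cross-origin state change (CSRF)"
    expected = derive_csrf_token(secret_key, session_id)
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def password_acceptable(candidate: str) -> bool:
    """Setup must refuse a password shared across every unit of the model."""
    return len(candidate) >= 12 and candidate.lower() not in WEAK_DEFAULTS


def demo():
    """Run the checks against constructed requests; returns the verdicts."""
    key = secrets.token_bytes(32)       # per-boot secret, constructed
    sid = "session-1"                   # constructed session id
    token = derive_csrf_token(key, sid)
    own = {"Host": "192.168.1.1", "Origin": "http://192.168.1.1"}
    legit = check_admin_request("POST", own, {"csrf_token": token}, sid, key)
    # The browser is on the LAN, but the form came from another site's page.
    csrf = check_admin_request(
        "POST", {"Host": "192.168.1.1", "Origin": "http://evil.example"},
        {"csrf_token": ""}, sid, key)
    # DNS rebinding: the other site's hostname now resolves to the router, so
    # the browser's Host header carries that hostname instead of ours.
    rebind = check_admin_request("GET", {"Host": "evil.example"}, {}, sid, key)
    stale = check_admin_request("POST", own, {"csrf_token": "0" * 64}, sid, key)
    return {
        "legit": legit[0],
        "csrf": csrf[1],
        "rebind": rebind[1],
        "stale": stale[1],
        "factory_pw_ok": password_acceptable("admin"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The three checks are deliberately independent: the Host check alone would not stop a plain cross-site form post, the Origin check alone would not stop a rebinding attack, and neither helps if the password is the one printed in the manual.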
what about http://www.ipfire.org/ ? Needs a bit more grunt than dd-wrt but it is very easy to upgrade....
If only there were an easily upgradeable open source router operating system to which vendors could add support for their hardware leaving long term maintenance to a larger community.
If only it supported routers with built-in ADSL (which was the dealbreaker last time I looked at DD-WRT - and it took me some digging to discover that was why none of the routers I wanted to use it on).
If that's since been fixed - and supports a router I can actually buy somewhere - then mod me happy.
Personally, I could put together a low-power Linux box, get an ADSL modem, an ethernet switch, wireless access point (sounds like Belinksysco crap would be just as big a liability in WAP-only or modem-only mode) but (a) that's replacing 1 always-on box with 2-3 always-on boxes (b) there's the non-zero chance that I could screw up and (c) it doesn't really help joe public who need a reliable, secure plug-and-go box.
Any trustworthy all-in-one ADSL Modem/Routers/WAPs out there?
In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
If your product can not be reasonably or safely configured by its target market, then while it is tempting to blame the individuals, it is the manufacturer who has failed.
I dispute the post's assertion that home routers are designed for usability. The interfaces for home routers are typically confusing, slow, awkward, undocumented, ugly, not discoverable, poorly conveying, and inconsistent.
-Cosmotic
A home router that is not by default secure on its WAN side is defective.
I read the internet for the articles.
So this article is saying that routers are *bad* things for security right? Not so fast...
In my view, having a router, even an imperfect one, between you and the internet is a *GOOD* thing for security. Yes, routers might be security risks, but NOT having them is even WORSE of a risk.
Does *anybody* out there remember what it used to be like? It wasn't that long ago that the standard internet connection was for ONE machine and used a PPP connection that pretty much put your Windows (mostly) box directly on the internet. When all this got started, we didn't even have software firewalls. Imagine having a Windows 95 box with all the standard services on a routable IP address. It WAS extremely risky. I remember having unsolicited popups coming up all the time and bothering me with all manner of advertisements. It was a mess and security was extremely lacking.
But then we have the dawn of consumers using routers and doing all the same exploits became harder because of the NAT. Then routers added stateless firewalls, then stateful firewalls and closed many of the avenues used by the "bad guys" to gain control of your system.
Consumer grade routers have been a HUGE boon to network security in the consumer world. Do they have flaws? Many do, but their contribution to overall security is worth more to me than the risks they may pose. Give me a router, even a flawed one, over nothing. Making the bad guys work harder is a good thing for security, and a flawed router does that.
It's not that we shouldn't be discussing how routers should be made more secure. Obviously we want them to improve. It's just that we cannot lose sight of how far we've come BECAUSE of these things.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
the biggest security threat to computers is the user. users improperly configure things, won't take security precautions (like using weak passwords) and will outright download viruses/malware. far too many users are not competent enough to tell the difference of a real popup window and a website claiming they have a virus and they need to install their trojan horse immediately.
Anons need not reply. Questions end with a question mark.
I seriously doubt that Belkin will put out firmware updates for all the old $50 Linksys router models they inherited support for--instead opting to push users to buy replacement models they otherwise wouldn't need. The likely answer is NO--even with a class-action lawsuit. (In all actuality, a 2006-era 2.4GHz 802.11G WPA2 router is still more than plenty for the crappy broadband speeds available in North America...)
This is what scares me about the Internet of Things when it comes to long-life appliances that you could own/use for decades... How long will manufacturers (many of whom have 0 experience so far with connecting their products to anything but a power cable) continue to support these devices? Ultimately, government regulation may be required in this space. God knows I wouldn't want my IoT refrigerator to get "bricked" (a really heavy, big brick!) after 20 years because the manufacturer went under & the fridge couldn't phone home... Or worse, because someone found a backdoor that had been in place for all models in use for 9 years before my model was developed...
Windows 3.1x calc: 3.11 - 3.10 = 0.00
Is an Ubuntu machine with three NICs. The firewall is configured with the Shorewall utility. It only needs to be rebooted for kernel updates.
NAT should set up a rule to allow your machine to get packets as long as you send some packets there first. Unless your game machine is acting as a game server and getting packets from many hosts, it should just work. Otherwise, you could/should set up a port forward to your internal machine.
I have been thinking this about the internet of things as well. Then when they roll out IPv6 we can put all of our extremely dated hardware directly on the internet!
there are options for more secure but they fight the hardware hackers instead of embracing them. If they would reach out to the communities and work with them or PAY these groups like OpenWRT to write their firmware they would end up with a better product.
Do not look at laser with remaining good eye.
The failure is the whole notion that computers and technology should be "easy" for people to set up. Nobody insists that electrical circuits be designed for end users to be able to install and configure, nobody insists that plumbing be made so that every home user can just buy a garbage disposal and hook it up correctly themselves. Why in the hell do we think routers and computers should be easy. They aren't, and they never will be. It's complicated technology and if you don't understand it, you're going to fuck it up. That holds true no matter what we're talking about. So, in summary, not only is it "tempting" to blame the users, but it's appropriate.
It does not matter what kind of hardware or software you have or use; without knowing what the best security practices are you will be vulnerable. People just want something easy to use. A good example is UPnP. Used improperly it can open up the network to all kinds of vulnerabilities, but people are willing to sacrifice their security because they don't want to take the time to learn about proper port forwarding. So the problem will continue until people take security seriously. Having said that, there is nothing wrong with OpenWRT, DD-WRT, or Tomato firmwares, but without knowing how to set them up securely it's still a huge problem. Lack of and misunderstanding of information does not help either; a lot of the communities associated with these firmwares have very poor documentation.
Chris Sheppard
Don't forget to hard disable the microphone on the laptop if it has one. There is malware that can communicate using high frequency sound, from a networked machine to an un-networked one.
I think that is about as likely as getting molested by a unicorn.
Seriously folks, I'm all for reasonable amounts of security but this sort of thing is just hide under the bed paranoia.
This sort of issue is why the Free Software Foundation was created. It wasn't because Stallman had some kind of political agenda, it's because he wanted to fix the driver for his printer, but couldn't because it was proprietary. The "Internet of Things" has the exact same problem, and the exact same solution.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Yeah. Script injection to do CSRF with DNS rebinding.
http://media.blackhat.com/bh-us-10/presentations/Heffner/BlackHat-USA-2010-Heffner-How-to-Hack-Millions-of-Routers-slides.pdf
Not only that, but the device primarily in charge of transporting data is the most likely point of entry for malicious data.
Who'da'thunk
This signature is false.
If your ISP sticks you with inherently insecure hardware then that's on the ISP. This is not a situation where they are powerless. This is yet another example of how you don't necessarily have to be an idiot. Better choices are possible. Saner engineering choices are possible.
You don't have to (and you should not) tolerate crap.
A Pirate and a Puritan look the same on a balance sheet.
This is an honest question.
Is there any penetration testing or statistics that suggests that dd-wrt and the likes are more secure, or is this an it-runs-Linux-so-it-must-be-good knee-jerk assumption?
I used to run dd-wrt on a router some years ago and liked it feature-wise and performance-wise. However, my confidence in its security took a pretty big hit when I read about this gaping security hole in 2009. It's the kind of issue that makes you doubt that some of the developers really know what they are doing.
GRC? I would trust Steve Gibson with my flaky hard drive (spinrite) let alone telling me if my ports are wide open or not.....
Food usually works. If not that, there is always money.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
NAT is a general concept, not a standard. One NAT may implement exactly that, but others may not. This is something hard for programmers to design for.
I agree, except it's better to push people on to 802.11n in the 2.4GHz space; it uses the radio space more efficiently and won't slow down your neighbours. It also adds range and reliability. Considering most complaints aren't going to be about the routing performance but the wireless coverage, upgrading to n would be a boon for many, especially dual-band if their devices can run on 5GHz.
Now there's one hoopy frood who really knows where his towel is!
I think that programmers are going to assume they can talk to the remote host, and then timeout/fallback when that communication fails to take place correctly. If you are going to connect to a server either with tcp or udp, you are going to do a gethostbyname and then send a packet. The NAT appliance is going to see the packets and set up its translation table so that outgoing packets get re-written with the correct source address/port. And the incoming packets from the dest/port are going to get re-written to talk to the client program.
What messes things up is that the client has to push through the NAT first to set up the translation table. Which works fine unless you are acting as a server and are waiting for an unknown host to talk to. Then the translation table is empty, and your firewall is blocking everything.
UPnP is a way to create servers without doing administration on the firewall. The application is not aware of any of this unless it tries to use UPnP to poke a dynamic hole in the firewall.
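A toy model of the translation table the last three comments describe, added here as an example and not taken from any router, firmware project or poster in the thread. It shows the outbound packet creating the mapping, the reply matching it, an unsolicited inbound packet being dropped, the administrator's static port forward for the "game server" case raised earlier in the thread, and a UPnP-style dynamic mapping request. The mapping is keyed only by protocol and public port (a full-cone simplification), the addresses are RFC 5737 documentation addresses, and the policy that a mapping may be requested only by a host on the LAN, and only for itself, is an assumption of this example rather than any product's behaviour.

```python
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class HomeNat:
    """Full-cone NAT simplification: one mapping per (proto, public port)."""

    def __init__(self, public_ip: str, lan_prefix: str = "192.168.1."):
        self.public_ip = public_ip
        self.lan_prefix = lan_prefix
        self._ports = itertools.count(40000)   # ephemeral public ports
        self.table = {}     # (proto, public_port) -> (lan_ip, lan_port), from traffic
        self.reverse = {}   # (proto, lan_ip, lan_port) -> public_port
        self.forwards = {}  # same shape as table, but configured, not learned

    def is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: learn (or reuse) a mapping and rewrite the source."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.reverse:
            public_port = next(self._ports)
            self.reverse[key] = public_port
            self.table[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.reverse[key],
                      pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: deliver only through a learned or configured mapping.
        With no mapping the packet is dropped (None): the firewall's default."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = (self.table.get((pkt.proto, pkt.dst_port))
                  or self.forwards.get((pkt.proto, pkt.dst_port)))
        if target is None:
            return None
        lan_ip, lan_port = target
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)

    def add_forward(self, proto, public_port, lan_ip, lan_port) -> None:
        """Static forward configured by the administrator."""
        self.forwards[(proto, public_port)] = (lan_ip, lan_port)

    def upnp_request(self, requester_ip, proto, public_port, lan_port) -> bool:
        """UPnP-style dynamic mapping. Assumed policy: only a LAN host may ask,
        only for a port on itself, and never over an existing mapping."""
        if not self.is_lan(requester_ip):
            return False
        if (proto, public_port) in self.forwards:
            return False
        self.forwards[(proto, public_port)] = (requester_ip, lan_port)
        return True


def demo() -> dict:
    """Walk through the cases with constructed addresses; returns what happened."""
    nat = HomeNat("203.0.113.7")
    game_server = "198.51.100.20"
    # 1. Client on the LAN sends first; the NAT learns the mapping.
    out = nat.outbound(Packet("192.168.1.10", 5555, game_server, 27015))
    # 2. The server's reply to the public port is translated back to the client.
    reply = nat.inbound(Packet(game_server, 27015, nat.public_ip, out.src_port))
    # 3. A packet from an unknown host to an unmapped port is dropped.
    unsolicited = nat.inbound(Packet("198.51.100.99", 1234, nat.public_ip, 27015))
    # 4. The administrator forwards the port; now the unknown host gets through.
    nat.add_forward("udp", 27015, "192.168.1.10", 27015)
    forwarded = nat.inbound(Packet("198.51.100.99", 1234, nat.public_ip, 27015))
    # 5. Dynamic mapping requests: refused from the WAN, accepted from the LAN.
    from_wan = nat.upnp_request("198.51.100.99", "tcp", 8080, 80)
    from_lan = nat.upnp_request("192.168.1.30", "tcp", 8080, 80)
    return {
        "out_src": (out.src_ip, out.src_port),
        "reply_dst": (reply.dst_ip, reply.dst_port),
        "unsolicited": unsolicited,
        "forwarded_dst": (forwarded.dst_ip, forwarded.dst_port),
        "upnp_from_wan": from_wan,
        "upnp_from_lan": from_lan,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Case 4 is the manual port forward the earlier comment recommends; case 5 is the same mapping created by a program instead of the administrator, which is why whether the request may come from outside the LAN matters so much in the UPnP discussion above.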
The part of a "home network" that is connected to the 'net is the biggest threat?
It's also the part that's doing the simplest thing (assuming you haven't networked your light switches). No bumbling grandma clicking every popup in sight, no kids downloading their warez. A router should be a rock-solid appliance that shouldn't be able to be "hacked" in any meaningful way without physical access.
Bottom line, it's surprising - or at the very least troubling - that routers are such a security problem.
Last post!
My current ISP uses VDSL2 for all their current plans, and they only offer modem+router combos (and refuse to even allow you to put them into bridge mode). The problem is that VDSL2 requires a cert from the ISP to work, so even if I could find a compatible VDSL2 standalone modem I wouldn't be able to use it.
There is only one other primary ISP available to me, and they are a cable provider, and also only offer modem+router combos. At least for them they'll remotely put their device into bridge mode, but you're still stuck with a router connected to the internet in your home and you just have to trust them that it'll be fine (and I've heard they're far from stable).
It seems like my only options if I want to run my own router hardware are to pay for an expensive business plan (I mean, at least I hope they still offer modem-only solutions for businesses) or to just stick with my old ADSL plan. It's slow, but I can use my own router with their inoffensive standalone modem, and as a bonus my plan is old enough that I don't have usage caps, unlike seemingly every other plan in Canada now (unless you pay an extreme additional premium).
I remember sigs. Oh, a simpler time!
It's not a question about warranty or even availability of replacement parts, it's a question about opening themselves up to extremely long support schedules, something they have never had to do before. If I call an appliance repairman for a 40 year old fridge, he'll likely be able to find the right replacement part... But that model no longer holds true in IoT. Look at cars (at least in the US)... Auto manufacturers have taken on the responsibility that all of their past models could face a recall, even 15+ years after the fact. (NHTSA still opens cases for cars sold in the '90s). The same would have to be said about Internet-connected devices--specifically household appliances.
The problem is that we're talking about operating systems, web hosting software, network stacks, databases, device drivers, etc., that would need to be supported for, easily, 20+ years. Think back to 1994--what software that existed then is supported now??? NONE. So, imagine you buy in 2014 an IoT refrigerator full of the latest & greatest Android 4.4.x and/or Linux 3.13.x FOSS software--what sort of support would you expect for any of that in 2034??? Would you expect Amana, GE, Kitchenaid, Electrolux, Miele, Kenmore, etc., engineers to be fixing Linux 3.13.x kernel security holes in their 20-year-old appliances? FOSS or not, as a consumer, I would expect that appliance to continue to work & not get bricked by malware that was deposited remotely...
Windows 3.1x calc: 3.11 - 3.10 = 0.00
I agree with you, in theory. In practice, however, nobody is fixing bugs/security holes in obsolete platforms. Let's say the IoT existed in 1994 & you bought a new Kenmore IoT fridge running Linux 1.x. Fast forward to 2014--who today is doing anything with the Linux 1.x kernel? Nobody--including Kenmore support engineers. Your fridge was pwned probably 15 years ago...
Windows 3.1x calc: 3.11 - 3.10 = 0.00
Considering UPnP is broken by design, that's not really an improvement. Replacing a security hole in the router by a hundred apps that want their own ports to expose their own security holes to the Internet doesn't help much.
I feel like I can be responsible for anything that runs on my machine, so I'm okay with that.
In 1998, I purchased a computer running Windows. Shortly afterwards, I installed Linux 2.2 and a webserver on it. Strangely enough, the computer is still working, is running a modern kernel with full support for the hardware, and somehow managed to avoid being pwned at any point in the intervening 15 years.
The nice thing about open-source software is that you generally don't need to run obsolete software on ancient hardware. That Kenmore IoT fridge would probably run a Linux 3.x kernel without problems, as long as the software was genuinely open-sourced.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Bullshit. If you're supplied with your ISP's router, simply buy a second one and plug your PCs and ISP router into your own. It's yours, you can block traffic with it even if the one feeding it can't.
Where did all the nerds go?? Way too many normals here these days who are anti-science and technology and ignorant of both.
Free Martian Whores!
NAT should set up NOT a rule to allow your machine to get packets as long as you send some packets there first.
Even an AC can be right. I was reading something else into the grandparent, who is right, of course. Mea culpa maxima.
But you bought an off-the-shelf PC in 1998 with standard components. I'm talking about a (mythical) fridge with unique components, unique software, unique drivers, etc. Sorry, but an IoT device will likely never run more than a "+ 0.1" version higher of an underlying OS & related software ("+ 0.2" for Linux)--given track records of manufacturers working on old products. They won't open source everything for fear competitors would use it competitively against them. To add, even if they did open source the whole IoT fridge, you're assuming that someone would actively pick up the project... Simply open sourcing something & dumping it on the Internet doesn't mean anyone's actively interested & working on that project.
Windows 3.1x calc: 3.11 - 3.10 = 0.00