Routers Pose Biggest Security Threat To Home Networks

Nerval's Lobster writes "The remote-access management flaw that allowed TheMoon worm to thrive on Linksys routers is far from the only vulnerability in that particular brand of hardware, though it might be simpler to call all home-based wireless routers gaping holes of insecurity than to list all the flaws in those of just one vendor. An even longer list of Linksys (and Cisco and Netgear) routers were identified in January as having a backdoor built into the original versions of their firmware in 2005 and never taken out. Serious as those flaws are, they don't compare to the list of vulnerabilities resulting from an impossibly complex mesh of sophisticated network services that make nearly every router aimed at homes or small offices an easy target for attack, according to network-security penetration-testing services. For example, wireless routers (especially home routers owned by technically challenged consumers) are riddled with security holes stemming from design goals that emphasize usability over security, which often puts consumers at risk from malware or attacks on devices they don't know how to monitor, but through which flow all their personal and financial information via links to online banking, entertainment, credit cards and even direct connections to their work networks, according to a condemnation of the Home Network Administration Protocol from Tenable Network Security. Meanwhile, a January 2013 study from Rapid7 found 40 million to 50 million network-enabled devices, including nearly all home routers, were vulnerable to exploits using UPnP. Is there any way to fix this target-rich environment?" If only there were an easily upgradeable open source router operating system to which vendors could add support for their hardware, leaving long-term maintenance to a larger community.

53 of 264 comments

  1. dd-wrt?? by neo8750 · · Score: 4, Informative
    1. Re:dd-wrt?? by Anonymous Coward · · Score: 5, Informative

      DD-WRT is based on the open source OpenWRT, but DD-WRT itself is proprietary.

    2. Re:dd-wrt?? by WRD-EasyTomato · · Score: 5, Informative

      Or try EasyTomato or any of the other Tomato variants (Toastman, Shibby, etc.). Super easy to install, has a pretty and easy to use interface, and it's all open source.

    3. Re:dd-wrt?? by unixisc · · Score: 4, Insightful

      How exactly does an average consumer put things like DD-WRT, or OpenWRT, or Tomato, or pFsense or m0n0wall on a router?

    4. Re:dd-wrt?? by whitroth · · Score: 5, Interesting

      First you have to find the right build of DD-WRT. This involves totally ignoring the router database, which, as one person's website put it, is massively out of date at best, and *WRONG* at worst, liable to brick your router.

      And if you join the support forum, you discover people talking about their "favorite" builds, something in over 30 years in the field I've *NEVER* heard of. And they don't have formal releases, and regression tests seem to be mostly dependent upon the lead developers.

      Two months of fighting this, and debricking my router 2? 3? times, and I found one that did what I needed (that was to actually serve as a print server for a USB printer, as well as routing).. I have no idea how, or if, I'll be able to upgrade.....

                mark, sr. sysadmin, Linux/Unix

    5. Re:dd-wrt?? by SkunkPussy · · Score: 3, Interesting

      DD WRT has a history of GPL violations, so anyone who's cool doesn't use it!

      --
      SURELY NOT!!!!!
    6. Re:dd-wrt?? by msauve · · Score: 2

      Some devices may indeed be behind carrier NAT and be assigned RFC 1918 addresses. But that's more likely for mobile connections, and very unlikely for home DSL/cable ones - it would break all sorts of things because you have no control over inbound NAT.

      Also, you most certainly meant "192.168...". 196.168.x.x are public IP addresses. If a carrier were to use private IP space, they'd be much more likely to use 10. addresses.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    7. Re:dd-wrt?? by msauve · · Score: 2

      Just buy it pre-installed. Buffalo offers that on some models (DD-WRT).

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  2. Has any work been done on.. by Anonymous Coward · · Score: 5, Interesting

    Pentesting the custom firmwares from projects like OpenWRT/DD-WRT/Tomato etc?

  3. PFsense by johneee · · Score: 4, Informative

    I have PFSense running on a virtual server, which I recommend to anyone. Perhaps not on the virtual server... it kind of adds a layer of complication that most people probably wouldn't care for, but it works well enough.

    http://www.pfsense.org/

    Hopefully no huge flaw comes out on that without me noticing. That would be embarrassing.

    --
    - ------- There are ten kinds of people in the world. Those who understand binary, and those who... Huh?
    1. Re:PFsense by Spazztastic · · Score: 3, Interesting

      I really liked pfSense but when I used it long ago it was very buggy. It may be time for me to give it another try. However, if you're familiar with the Cisco IOS CLI, Vyatta is another solution. I plan to set up a small low power box to be my router and only use my Linksys Router/AP combo (flashed with DD-WRT) as an access point. It gives you far more options in terms of management, and if you happen to seed a lot of Linux ISOs you don't have to worry about filling up the memory with the routing table.

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    2. Re:PFsense by Xenna · · Score: 3, Interesting

      Yeah, I've been running that stuff for years after getting frustrated with commercial routers. Has been extremely stable.

      Of course, being lazy I got it in appliance form from this place:
      http://www.applianceshop.eu/in...

      "Hopefully no huge flaw comes out on that without me noticing. That would be embarrassing."

      Ultimately it's a matter of (perhaps misguided) trust...

    3. Re:PFsense by carnivore302 · · Score: 4, Informative

      I second that. PFSense is rock solid and comes with a lot of features. Dual wan, vpn, you name it.

      Just as lazy... also got mine from applianceshop.eu.

      --
      Please login to access my lawn
    4. Re:PFsense by FictionPimp · · Score: 2

      I highly recommend the Ubiquiti EdgeMax Router lite. It's 99 bucks and runs a variant of Vyatta. Great little product.

    5. Re:PFsense by johneee · · Score: 2

      If I remember correctly, I tried Vyatta, and because I don't know IOS, I flamed out trying to configure it.

      PFSense was only marginally more difficult than OpenWRT, so it kind of suited my level of expertise.

      With it being on a VM, it means that I have one box that is my router, file server, media server, and experimentation box all in one, which is convenient for me.

      It does mean that the hypervisor is - in theory - exposed to the net, but since it never communicates externally except through the router software, it has basically no attack surface, so it shouldn't be too much of an issue. (he said hopefully)

      --
      - ------- There are ten kinds of people in the world. Those who understand binary, and those who... Huh?
  4. opensource firmwares not perfect either by Anonymous Coward · · Score: 2, Interesting

    I bet everyone is busy writing smug comments about closed source firmwares, but let's not forget that DD-WRT have had a similar bug. http://www.xtremesystems.org/forums/showthread.php?230880-Massive-DD-WRT-Security-Hole-%28Unauthenticated-Root-Control-Possible%29

    1. Re:opensource firmwares not perfect either by compro01 · · Score: 4, Insightful

      The important difference being that bug was fixed, as opposed to being left wide open forevermore.

      --
      upon the advice of my lawyer, i have no sig at this time
    2. Re:opensource firmwares not perfect either by Minwee · · Score: 5, Insightful

      In fact, it was even fixed for devices which are no longer in production with no need for the original vendor to even still be in business. Open source is funny that way.

  5. Why I buy apple airports by goombah99 · · Score: 4, Interesting

    I don't actually know if it matters or not but I prefer Apple over other wireless routers because it's so damn braindead easy to keep them patched. Apple just pushes out firmware updates (rarely). Every other router I've owned it was a struggle to figure out if it needed a patch, how to do it. Moreover it was a source of worry even when there wasn't a problem which alone was worth any relatively small cost differential.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Why I buy apple airports by Anonymous Coward · · Score: 4, Funny

      Apple is the next thing to godliness. Praise Apple. I wish I was an Apple. Eat me.

      [NO CARRIER]

    2. Re:Why I buy apple airports by jythie · · Score: 4, Insightful

      Eh, to be fair, this is something they are doing right and a lot of manufacturers are not. Techie types sometimes freak out over being automatically patched with who knows what, but for the vast majority of users (including techie types), it is a good strategy.

  6. Sigh - what the heck ... by udippel · · Score: 3, Informative

    I feel that all those links to WRT/PFSense/M0N0Wall/Tomato/etc are kind of redundant.
    Sufficient to understand, that the underlying concept of UPnP is an abomination; a sick and distorted concept that deserves nothing less than an immediate death sentence, and to be buried along with The Funniest Joke In The World; never to be resurrected again.

    1. Re:Sigh - what the heck ... by drinkypoo · · Score: 3, Insightful

      Sufficient to understand, that the underlying concept of UPnP is an abomination; a sick and distorted concept that deserves nothing less than an immediate death sentence, and to be buried along with The Funniest Joke In The World; never to be resurrected again.

      So how do you propose that my game on a machine on NAT arranges to receive UDP through the firewall? I'm supposed to manually configure firewall rules for each game? And then change them all if my IP changes?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Sigh - what the heck ... by Imagix · · Score: 3, Informative

      IPv6.

    3. Re:Sigh - what the heck ... by Anonymous Coward · · Score: 3, Funny

      Well, speaking on behalf of other posters here - you are probably supposed to spend all of your time configuring some linuxy version of iptables or some such on a custom router. Then you won't have to worry because you won't have time to play your game...

    4. Re:Sigh - what the heck ... by Imagix · · Score: 3, Funny

      Incentive to pressure your ISP to support a well-over-a-decade-old technology, going on two decades.

    5. Re:Sigh - what the heck ... by 0123456 · · Score: 3, Informative

      So how do you propose that my game on a machine on NAT arranges to receive UDP through the firewall?

      So go for convenience over security. But don't then complain when you install VNC on your PC and it automatically opens a port allowing everyone on the Internet to access it, and you didn't bother to set a password so your PC is now pwned by the first script kiddy who scans your router.

      UPnP is simply insane from a security standpoint. Random applications should not be opening random ports without explicit permission.

    6. Re:Sigh - what the heck ... by drinkypoo · · Score: 4, Insightful

      Incentive to pressure your ISP to support a well-over-a-decade-old technology, going on two decades.

      I have no viable alternatives. The ISP I'm using now is the best of three shitty options. I live in the USA, did you think I lived in the first world or something?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:Sigh - what the heck ... by udippel · · Score: 2

      While your logic looks okay at a first glance, it doesn't at a second.

      When a government has thousands of enraged citizens running towards the government building to set those on fire and loot them, some machine guns might be the means of choice. Though it ought to have been considered by the government du jour, what the reaction of the public will be, with the introduction of strict austerity measures, as well as jus primae noctis?

      There is no fundamental reason, really, to have 1000 games opening 1000 different ports for endless protocols on a home router. Strange enough, one can invite the whole world, chat with billions of people, even tell every other citizen of this world whatsapp, and needs only http. Just to give an example.
      Do not support the laziness of game coders.

      A firewall that can be configured arbitrarily by user applications on their request is about the worst hack possible to connect securely to another network.

    8. Re:Sigh - what the heck ... by 0123456 · · Score: 4, Informative

      What am I missing?

      Again, used to be that the most common way for a Ubuntu machine to get pwned was for the user to install VNC with UPnP enabled. They only wanted to connect over their LAN, but VNC went and opened a UPnP port, and... oops.

      Every new port opened on the router is a potential new security hole.

    9. Re:Sigh - what the heck ... by Minwee · · Score: 4, Insightful

      What is the problem with UPnp??

      All devices inside the local network are considered "trusted"

      I really think you just answered your own question there.

    10. Re:Sigh - what the heck ... by clarkn0va · · Score: 4, Insightful

      Mod parent up. UPnP is insecure by design. Its very purpose is to take security and control out of the hands of the user, and put it squarely in the hands of whatever happens to be running on your network.

      It's too bad that most people don't understand enough about network security to configure their own router, and a double shame that the kludge we call NAT has further broken network applications, but convenient "workarounds" like UPnP could only ever lead to problems like the summary lays out.

      --
      I am literally 3000 tokens away from the chaotic crossbow --Stephen
    11. Re:Sigh - what the heck ... by dreamchaser · · Score: 2

      Configuring port forwarding is trivial on virtually any firewall, so yes, that's what you need to do if you want security.

    12. Re:Sigh - what the heck ... by idontgno · · Score: 2

      Then you won't have to worry because you won't have time to play your game...

      Nah. You've just changed the game you're playing.

      XD

      I'm not sure how you win "iptables", but I'm not real sure how you win a lot of the games out there, so it's probably similar.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    13. Re:Sigh - what the heck ... by nestler · · Score: 2

      Use static DHCP on your DHCP server and a UDP port forward. Your IP won't change (due to static DHCP which always gives the same IP address to a given Ethernet address) so it should never need to be updated. This is pretty straight forward with Tomato firmware.

    14. Re:Sigh - what the heck ... by TyFoN · · Score: 3, Informative

      Got to love competition mandated by law.

      In my area, 15 minutes from the closest city which has about 60.000 inhabitants, I have about 20 providers competing on fiber, cable and copper. You can also toss in a few 4g providers that sell broadband you can carry around.
      I settled for fiber 100/100 with tv and phone for $100 a month. It's not the cheapest, but I'm hooked on the speed :)
      They also provide ipv6 and "bridge mode routers" with a fixed ipv4 address for my own router and a /62 ipv6 prefix.

      We used to have a public telephone company called Telenor, but after it became private it came with the catch that all competitors can buy capacity from them at cost + investment write-offs. It's been working wonders.

  7. What it's not about by andyring · · Score: 4, Insightful

    Yes, this is /. We can upgrade our router firmware or install other firmware. Joe Sixpack cannot.

    The blame for this should be laid squarely at the feet of the router manufacturers. IMHO, here's what Linksys/Cisco/Netgear/etc/etc/etc/ should do, at the very least:

    1. Be open and forthcoming about bugs found in their router software
    2. By default, routers should ship with automatic firmware updates enabled. This should be difficult to disable and robust enough that it'll *just work* with no user intervention.
    3. Tell this to their customers in plain English or $localLanguage on the product packaging. And NOT in fine print. Make it very obviously noticeable to the purchaser. This can and should be a significant selling point, really. If I'm at BestBuy/WalMart/etc. and see one router boldly telling me "We care about your security! To protect you and your data, this router will check weekly with $manufacturer and update itself to give you the most secure Internet experience possible." And it's sitting next to another router that says no such thing, I'd buy the one that will keep me safe.

    1. Re:What it's not about by JDG1980 · · Score: 5, Insightful

      By default, routers should ship with automatic firmware updates enabled. This should be difficult to disable and robust enough that it'll *just work* with no user intervention.

      The problem is that this kind of automatic update process can be a security hole in and of itself. If there is a way for a remote system to send updates to the router's firmware, then there is the potential for a malicious user to spoof the update and send their own custom-crafted exploit code.

    2. Re:What it's not about by mcrbids · · Score: 3, Insightful

      The problem is that this kind of automatic update process can be a security hole in and of itself. If there is a way for a remote system to send updates to the router's firmware, then there is the potential for a malicious user to spoof the update and send their own custom-crafted exploit code.

      Sure, that's why you sign your updates with decent (open source!) cryptography and embed your public key into the router's firmware.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
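
An added example, not taken from mcrbids' post nor from any vendor's update code, of the scheme the two comments above argue about: the image is signed on the vendor's signing host, the router carries only the public key, and a spoofed update server can deliver whatever bytes it likes but cannot produce anything the router will flash. The image layout, field sizes, version numbers and payload bytes are constructed for this illustration; the use of Ed25519 and the order of checks (verify before trusting any header field, then refuse anything not newer than what is installed) are the point.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not any vendor's real format):
//   "FWUP" | version uint32 BE | payload length uint32 BE | payload | 64-byte Ed25519 signature
// The signature covers every byte before it, so a forged header is rejected too.
const (
	magic  = "FWUP"
	hdrLen = 4 + 4 + 4
	sigLen = ed25519.SignatureSize
)

var (
	ErrFormat   = errors.New("malformed image")
	ErrSig      = errors.New("signature does not verify against the embedded public key")
	ErrRollback = errors.New("image is not newer than the installed version")
)

// BuildImage is the vendor-side step, run on a signing host that holds the private key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	body := append(hdr, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the router-side step. pub is the public key compiled into the
// running firmware and installed is the version currently flashed. The image is
// accepted only if it verifies under pub and is strictly newer; no header field
// is trusted before the signature check, so a forged length or version cannot
// steer the parser.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < hdrLen+sigLen || !bytes.Equal(img[:4], []byte(magic)) {
		return 0, nil, ErrFormat
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrSig
	}
	version := binary.BigEndian.Uint32(body[4:8])
	if int(binary.BigEndian.Uint32(body[8:12])) != len(body)-hdrLen {
		return 0, nil, ErrFormat
	}
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, body[hdrLen:], nil
}

func main() {
	// Key generation happens once, offline; only pub ships inside the firmware.
	pub, priv, _ := ed25519.GenerateKey(nil)
	img := BuildImage(priv, 2, []byte("constructed rootfs bytes"))
	v, _, err := VerifyImage(pub, 1, img)
	fmt.Println("genuine image:", v, err)

	// A spoofed update server can deliver bytes, but it cannot sign them with priv.
	_, attacker, _ := ed25519.GenerateKey(nil)
	_, _, err = VerifyImage(pub, 1, BuildImage(attacker, 3, []byte("backdoor")))
	fmt.Println("attacker-signed image:", err)

	// A genuine but older image is refused, so a known-bad release cannot be re-flashed.
	_, _, err = VerifyImage(pub, 2, BuildImage(priv, 2, []byte("old")))
	fmt.Println("rollback attempt:", err)
}
```

Two details matter beyond the signature itself: the version comparison stops an attacker who has captured a genuine but vulnerable older image from re-flashing it, and the public key is only as trustworthy as the storage it sits in, so on real hardware it belongs in a region the running firmware cannot rewrite.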
    3. Re:What it's not about by idontgno · · Score: 2

      If both manufacturers were to produce updates for their own hardware, instead of kicking a device to the curb and then never releasing an update again until they receive a court order requiring them to, then this wouldn't be a problem.

      And if ethereal unicorns would shit gold bricks in my back yard, I'd be able to buy a new car.

      But out here in the real world, routers are commodity appliances with a support lifetime measured in months, and you certainly can't sanely expect vendors to kneecap their cashflows by walking away from guaranteed obsolescence and minimized (shortest possible duration) support.

      Profit uber alles, after all.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    4. Re:What it's not about by msauve · · Score: 2

      "By default, routers should ship with automatic firmware updates enabled"

      Let us know how that works out.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
  8. Custom Router by shellster_dude · · Score: 4, Interesting

    After I found that my ASUS RT-15U was running telnet with a default password, open to the world, which I couldn't kill or change the password on, I swore off embedded device routers.

    I have replaced it with a small Debian box with dual NICS, and bought a 24port switch from TPLINK. It was the best decision I have ever made. Perfect reliability, complete control, via IPTABLES. I've got auto blocking of malicious ips trying to hit my ssh or port scanning me via DenyHosts and PSAD.

    A couple other custom scripts and DNSMASQ, dhclient, snort, and python, and I have all the other services and features I want, and ONLY the services and features I want.

  9. A big hole is the default password by bzipitidoo · · Score: 2

    The default password, when it is the same default password across all units of the same model or even the same manufacturer, is easy to exploit. Any website can send the user's browser some code that instructs it to attempt to log in via the user's router's web interface with the default password. It works because the user's browser is behind the firewall and therefore "trusted". Once logged in, it's trivial to reconfigure the router to open up all kinds of holes. Harder but still doable is getting the router to host and run malware itself.

    The admin password is the first thing I change on a new router. Manufacturers who still don't individualize the factory set password are responsible for a lot of these problems.

    --
    Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
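
As an added illustration of the attack bzipitidoo describes (not code from the post, nor from any shipping router), here are the two request handlers side by side in Go: one that honours any request carrying the admin password, and one that refuses changes while the factory password is still set, checks that the request came from the router's own origin, and demands a CSRF token bound to the session. The host address, default password, cookie and field names are all assumptions made for the example; requests are built with net/http/httptest so it runs offline.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed for this example: the router's web UI lives at routerHost and
// ships with a well-known factory password.
const (
	routerHost      = "192.168.1.1"
	defaultPassword = "admin"
)

// Router holds the state the admin UI protects. Tokens are issued at login by
// the router's own pages; a foreign page cannot read them.
type Router struct {
	Password     string
	SessionToken string // value of the "session" cookie
	CSRFToken    string // hidden field embedded in the router's own forms
	DMZHost      string // a setting an attacker would like to change
}

// vulnerableApply behaves like the router in the post: any request carrying the
// admin password is honoured, wherever the browser was when it sent it. A page on
// an unrelated site can make the victim's browser submit exactly this form.
func vulnerableApply(rt *Router, r *http.Request) int {
	if r.FormValue("password") != rt.Password {
		return http.StatusUnauthorized
	}
	rt.DMZHost = r.FormValue("dmz")
	return http.StatusOK
}

// hardenedApply adds the checks that break the cross-site request:
//  1. configuration changes are refused while the factory password is set;
//  2. the browser-supplied Origin (or Referer) must name the router itself;
//  3. the request must carry the CSRF token that goes with the session cookie,
//     which the browser attaches on its own but the attacker's page cannot read.
func hardenedApply(rt *Router, r *http.Request) int {
	if rt.Password == defaultPassword {
		return http.StatusForbidden
	}
	if !sameOrigin(r) {
		return http.StatusForbidden
	}
	c, err := r.Cookie("session")
	if err != nil || subtle.ConstantTimeCompare([]byte(c.Value), []byte(rt.SessionToken)) != 1 {
		return http.StatusUnauthorized
	}
	if subtle.ConstantTimeCompare([]byte(r.FormValue("csrf")), []byte(rt.CSRFToken)) != 1 {
		return http.StatusForbidden
	}
	rt.DMZHost = r.FormValue("dmz")
	return http.StatusOK
}

// sameOrigin accepts only requests whose Origin or Referer host is the router.
// A browser form post always carries at least one of them, so an empty value
// is rejected rather than trusted.
func sameOrigin(r *http.Request) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	if src == "" {
		return false
	}
	u, err := url.Parse(src)
	return err == nil && u.Host == r.Host
}

// postForm builds the request a browser sends when a page at origin submits a
// form to the router; cookie is the session cookie the browser adds by itself.
func postForm(origin, cookie string, fields url.Values) *http.Request {
	r := httptest.NewRequest("POST", "http://"+routerHost+"/apply", strings.NewReader(fields.Encode()))
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	r.Header.Set("Origin", origin)
	if cookie != "" {
		r.AddCookie(&http.Cookie{Name: "session", Value: cookie})
	}
	return r
}

func main() {
	attack := func() *http.Request {
		return postForm("http://evil.example", "", url.Values{"password": {defaultPassword}, "dmz": {"192.168.1.50"}})
	}
	rt := &Router{Password: defaultPassword}
	fmt.Println("vulnerable router:", vulnerableApply(rt, attack()), "DMZ now", rt.DMZHost)
	rt = &Router{Password: defaultPassword}
	fmt.Println("hardened router:", hardenedApply(rt, attack()), "DMZ still", fmt.Sprintf("%q", rt.DMZHost))
}
```

A per-unit factory password, as the post asks for, removes the attacker's knowledge of the credential but not the cross-site vector itself; the origin and token checks are what close that, because the whole attack runs from a browser that is already inside the LAN.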
  10. Re:Wow... misconfigured devices are insecure? by jythie · · Score: 4, Insightful

    If your product can not be reasonably or safely configured by its target market, then while it is tempting to blame the individuals, it is the manufacturer who has failed.

  11. Re:Wow... misconfigured devices are insecure? by jandrese · · Score: 4, Insightful

    A home router that is not by default secure on its WAN side is defective.

    --
    I read the internet for the articles.
  12. But Routers are good things! by bobbied · · Score: 4, Insightful

    So this article is saying that routers are *bad* things for security right? Not so fast...

    In my view, having a router, even an imperfect one, between you and the internet is a *GOOD* thing for security. Yes, routers might be security risks, but NOT having them is even WORSE of a risk.

    Does *anybody* out there remember what it used to be like? It wasn't that long ago that the standard internet connection was for ONE machine and used a PPP connection that pretty much put your Windows (mostly) box directly on the internet. When all this got started, we didn't even have software firewalls. Imagine having a windows 95 box with all the standard services on a routeable IP address. It WAS extremely risky. I remember having unsolicited popups coming up all the time and bothering me with all manner of advertisements. It was a mess and security was extremely lacking.

    But then we have the dawn of consumers using routers, and doing all the same exploits became harder because of the NAT. Then routers added stateless firewalls, then stateful firewalls, and closed many of the avenues used by the "bad guys" to gain control of your system.

    Consumer grade routers have been a HUGE boon to network security in the consumer world. Do they have flaws? Many do, but their contribution to overall security is worth more to me than the risks they may pose. Give me a router, even a flawed one, over nothing. Making the bad guys work harder is a good thing for security, and a flawed router does that.

    It's not that we shouldn't be discussing how routers should be made more secure. Obviously we want them to improve. It's just that we cannot lose sight of how far we've come BECAUSE of these things.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  13. Re:I read the headline as: by Minwee · · Score: 2
  14. So, will a 2005-era routers get a firmware update? by BUL2294 · · Score: 4, Insightful

    I seriously doubt that Belkin will put out firmware updates for all the old $50 Linksys router models they inherited support for--instead opting to push users to buy replacement models they otherwise wouldn't need. The likely answer is NO--even with a class-action lawsuit. (In all actuality, a 2006-era 2.4GHz 802.11G WPA2 router is still more than plenty for the crappy broadband speeds available in North America...)

    This is what scares me about the Internet of Things when it comes to long-life appliances that you could own/use for decades... How long will manufacturers (many of whom have 0 experience so far with connecting their products to anything but a power cable) continue to support these devices? Ultimately, government regulation may be required in this space. God knows I wouldn't want my IoT refrigerator to get "bricked" (a really heavy, big brick!) after 20 years because the manufacturer went under & the fridge couldn't phone home... Or worse, because someone found a backdoor that had been in place for all models in use for 9 years before my model was developed...

    --
    Windows 3.1x calc: 3.11 - 3.10 = 0.00
  15. The fault of the device makers... by Lumpy · · Score: 3, Insightful

    There are options for more security, but they fight the hardware hackers instead of embracing them. If they would reach out to the communities and work with them or PAY these groups like OpenWRT to write their firmware they would end up with a better product.

    --
    Do not look at laser with remaining good eye.
  16. Re:Wow... misconfigured devices are insecure? by jxander · · Score: 2

    Not only that, but the device primarily in charge of transporting data is the most likely point of entry for malicious data.

    Who'da'thunk

    --
    This signature is false.
  17. Is it really any better? by Alef · · Score: 3, Interesting

    This is an honest question.

    Is there any penetration testing or statistics that suggest that dd-wrt and the likes are more secure, or is this an it-runs-Linux-so-it-must-be-good knee-jerk assumption?

    I used to run dd-wrt on a router some years ago and liked it feature-wise and performance-wise. However, my confidence in its security took a pretty big hit when I read about this gaping security hole in 2009. It's the kind of issue that makes you doubt that some of the developers really know what they are doing.

  18. How does application programming fit in? by Marrow · · Score: 2

    I think that programmers are going to assume they can talk to the remote host, and then timeout/fallback when that communication fails to take place correctly. If you are going to connect to a server either with tcp or udp, you are going to do a gethostbyname and then send a packet. The NAT appliance is going to see the packets and set up its translation table so that outgoing packets get re-written with the correct source address/port. And the incoming packets from the dest/port are going to get re-written to talk to the client program.
    What messes things up is that the client has to push through the NAT first to setup the translation table. Which works fine unless you are acting as a server and are waiting for an unknown host to talk to. Then the translation table is empty, and your firewall is blocking everything.
    UPnP is a way to create servers without doing administration on the firewall. The application is not aware of any of this unless it tries to use UPnP to poke a dynamic hole in the firewall.
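
To make the mechanics concrete (an added example, not from Marrow's post or any firmware): a small Go model of the translation table Marrow describes, plus the explicit-forward table that both nestler's manual port forward and UPnP IGD's AddPortMapping populate. It shows why drinkypoo's game receives nothing until a hole exists, and why 0123456's VNC scenario follows directly from letting any LAN host open one. Addresses come from the RFC 5737 documentation ranges; the model is full-cone and ignores the transport protocol, both simplifications made for brevity.

```go
package main

import "fmt"

// Packet is the address 4-tuple a NAT router rewrites (transport protocol omitted).
type Packet struct {
	SrcIP   string
	SrcPort uint16
	DstIP   string
	DstPort uint16
}

type endpoint struct {
	IP   string
	Port uint16
}

// NAT models a consumer router with one public address. The translation table
// is filled only by outbound traffic; the forwards table holds explicit holes,
// whether typed in by the user as a port-forward rule or requested by a LAN
// host through UPnP IGD AddPortMapping. Real routers also key dynamic entries
// on the remote endpoint; this model is full-cone to keep it short.
type NAT struct {
	WANIP    string
	nextPort uint16
	outbound map[endpoint]uint16 // (lanIP, lanPort) -> wanPort
	inbound  map[uint16]endpoint // wanPort -> (lanIP, lanPort), learned from outbound traffic
	forwards map[uint16]endpoint // wanPort -> (lanIP, lanPort), configured explicitly
}

func NewNAT(wanIP string) *NAT {
	return &NAT{WANIP: wanIP, nextPort: 40000,
		outbound: map[endpoint]uint16{}, inbound: map[uint16]endpoint{}, forwards: map[uint16]endpoint{}}
}

// Outbound rewrites the source of a LAN-originated packet and records the
// mapping so that replies to it can be translated back.
func (n *NAT) Outbound(p Packet) Packet {
	src := endpoint{p.SrcIP, p.SrcPort}
	wanPort, ok := n.outbound[src]
	if !ok {
		wanPort = n.nextPort
		n.nextPort++
		n.outbound[src] = wanPort
		n.inbound[wanPort] = src
	}
	return Packet{n.WANIP, wanPort, p.DstIP, p.DstPort}
}

// Inbound translates a packet arriving on the WAN side. It is delivered only if
// a LAN host already talked out through that port or an explicit forward exists;
// anything else is dropped. That is why a game acting as a server behind NAT
// sees nothing until a hole is opened for it.
func (n *NAT) Inbound(p Packet) (Packet, bool) {
	dst, ok := n.forwards[p.DstPort]
	if !ok {
		dst, ok = n.inbound[p.DstPort]
	}
	if !ok {
		return Packet{}, false
	}
	return Packet{p.SrcIP, p.SrcPort, dst.IP, dst.Port}, true
}

// AddPortMapping is the operation UPnP IGD offers to every LAN host with no
// authentication. The caller picks both the external port and the internal
// target, and nothing in the request ties the target to the caller's own
// address. A manual port-forward rule lands in the same table, but only the
// router's admin can add that one.
func (n *NAT) AddPortMapping(wanPort uint16, lanIP string, lanPort uint16) bool {
	if _, taken := n.forwards[wanPort]; taken {
		return false
	}
	n.forwards[wanPort] = endpoint{lanIP, lanPort}
	return true
}

func main() {
	n := NewNAT("203.0.113.7") // RFC 5737 documentation addresses throughout
	// The game host 192.168.1.10 sends out first, so the reply gets through.
	out := n.Outbound(Packet{"192.168.1.10", 27015, "198.51.100.4", 27015})
	reply, ok := n.Inbound(Packet{"198.51.100.4", 27015, out.SrcIP, out.SrcPort})
	fmt.Println("reply delivered:", ok, reply)
	// Another player connecting unsolicited is dropped...
	_, ok = n.Inbound(Packet{"198.51.100.9", 5000, n.WANIP, 27015})
	fmt.Println("unsolicited delivered:", ok)
	// ...until the game asks the router for a hole via UPnP.
	n.AddPortMapping(27015, "192.168.1.10", 27015)
	_, ok = n.Inbound(Packet{"198.51.100.9", 5000, n.WANIP, 27015})
	fmt.Println("after AddPortMapping:", ok)
	// Malware on 192.168.1.20 can just as well expose a neighbour's VNC port.
	n.AddPortMapping(5900, "192.168.1.30", 5900)
	hit, ok := n.Inbound(Packet{"192.0.2.66", 31337, n.WANIP, 5900})
	fmt.Println("VNC exposed:", ok, hit.DstIP)
}
```

The manual rule nestler describes and the UPnP request end up in the same forwards table; the security difference is entirely in who is allowed to write to it, which is the point the thread keeps circling.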

  19. Re:That's why I resisted as long as I could... by timeOday · · Score: 2
    Sure, lose sleep over the notion of somebody parking on your street to crack your WEP and snag your HTTPS streams for offline analysis.

    Meanwhile 70 million credit card numbers were stolen from Target.