Slashdot Mirror


New SOHO Router Security Audit Uncovers Over 60 Flaws In 22 Models

Home and small-office routers have become a hotbed for security research lately, with vulnerabilities and poor security practices becoming the rule, rather than the exception. A new security audit by researchers from Universidad Europea de Madrid only adds to that list, finding 60 distinct flaws in 22 different device models. They posted details of their research on the Full Disclosure mailing list, and the affected brands include D-Link, Belkin, Linksys, Huawei, and others. Many of the models they examined had been distributed to internet customers across Spain by their ISPs. About half of the flaws involve Cross Site Scripting and Cross Site Request Forgery capabilities, though there is at least one backdoor with a hard-coded password. Several routers allow external attackers to delete files on USB storage devices, and others facilitate DDoS attacks.

66 comments

  1. What? Again? by Anonymous Coward · · Score: 1

    How can this be? I pays good money for good stuffs. Dlink is goods?

    1. Re:What? Again? by Chewbacon · · Score: 2

      D = dropped

      --
      Chewbacon
      The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
    2. Re:What? Again? by Anonymous Coward · · Score: 0

      What does this have to do with SOHO?

    3. Re:What? Again? by FatdogHaiku · · Score: 1

      I thought it was D = D'oh!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    4. Re:What? Again? by Zontar The Mindless · · Score: 1

      About as much as you do with Self-Organising Holarchic Open Systems.

      --
      Il n'y a pas de Planet B.
    5. Re:What? Again? by GigaplexNZ · · Score: 1

      It has everything to do with SOHO.

  2. They are missing a few. by Anonymous Coward · · Score: 4, Interesting

    Netgear has some major security flaws that they've refused to address for a long time. Mainly direct remote access. I'm not sure if this is by design via the NSA or because they are horrifically lazy, but I stopped caring what they thought and installed Linux on my router. Openwrt and dd-wrt work better than the original in most cases, except in the realm of tx power modification. That seems to have sucked since people started frying their antennas and the devs stopped pursuing it.

    1. Re:They are missing a few. by antdude · · Score: 1

      Which models are these in Netgear?

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  3. Better than expected... by fuzzyfuzzyfungus · · Score: 1

    With 22 different models of crap home routers I would have expected the pen-testing equivalent of clotted rivers of gore pouring through heaps of smouldering rubble and pooling around the skull pyramids that seem to rise higher than the walls that once offered the false promise of shelter. Not merely 60 serious vulnerabilities.

    1. Re:Better than expected... by koan · · Score: 1

      That would imply they were at least a bit organized.

      --
      "If any question why we died, Tell them because our fathers lied."
    2. Re:Better than expected... by GigaplexNZ · · Score: 1

      At this rate, it'll be easier (and perhaps more useful to consumers) to list the routers without known unpatched vulnerabilities.

  4. "Video Bytes"? by Anonymous Coward · · Score: 4, Insightful

    Fuck off with these horseshit "features" that nobody wants.

    1. Re:"Video Bytes"? by penguinoid · · Score: 1

      Oh, someone wants them. Just not the Slashdot community.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    2. Re:"Video Bytes"? by Zontar The Mindless · · Score: 1

      I'm already glad I don't know what it is. Not going to look it up, either.

      --
      Il n'y a pas de Planet B.
    3. Re:"Video Bytes"? by Anonymous Coward · · Score: 0

      Those of you who run that kind of thing might find the following filter makes it less intrusive and more palatable:

      slashdot.org##.units-12.river-group

      ...although that still doesn't get rid of the obnoxious blue header.

    4. Re:"Video Bytes"? by Zontar The Mindless · · Score: 1

      Okay. Now I know. It's that stupid-looking video bar thing mid-page that I've been scrolling past by reflex for the last few days.

      --
      Il n'y a pas de Planet B.
  5. OK by koan · · Score: 5, Insightful

    Most of you /.'ers that have read my comments know that I like to dis Apple, can't stand the fucking fanbois, but I have yet to see the Airport listed in any of these articles.
    If you have, point it out to me; it seems they are fairly sound devices.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:OK by Anonymous Coward · · Score: 1

      Yea, Apple makes itself known as selling a rather expensive Airport Extreme router. But they do work harder at firmware and issues. But they are not without problems; only the Apple stuff is not nearly as popular as Netgear, Linksys, or some others.

    2. Re:OK by iMouse · · Score: 4, Informative

      ...right out of the AirPort Extreme manual?

      To set up your AirPort Extreme using a Mac, you need the following:
      A Mac computer with an AirPort or AirPort Extreme Card installed to set it up wirelessly, or a Mac computer connected to an AirPort Extreme Base Station with an Ethernet cable to set it up using Ethernet

      To set up your AirPort Extreme using a Windows PC, you need the following:
      A Windows PC with 300 MHz or higher processor speed and a compatible 802.11a, 802.11b, 802.11g, or 802.11n wireless card to set it up wirelessly, or a Windows computer connected to an AirPort Extreme Base Station with an Ethernet cable to set it up using Ethernet

      I own several AirPort Extreme/Express devices...range and performance are just as good as other premium consumer-brand routers and access points. I have several Extremes sitting in an 802.1x environment...rock solid reliability and performance. If I had one complaint, it would be that the radio is a bit noisy...in a quiet room, you can often hear a tinny squeal when under load.

    3. Re:OK by NoMaster · · Score: 4, Insightful

      Oh, they've had a few (Secunia's down for me at the moment, but there's a reasonably up-to-date list here), so they're not perfect - but yes, they seem on the whole to have their act together.

      Sure, they're not as configurable as a cheap Linksys (although they can be pushed to do anything you'd reasonably* expect a home/SOHO router to do), you can't shoehorn Linux onto them, and the lack of a CLI or web interface (an OSX / Win only config utility) is shitty - but they're solid, robust, & pretty secure devices which are almost perfect for the average home or SOHO user.

      Oh, and the AC who said "Cannot configure them via a wired port, only wireless (wtf?)" is either a troll or an idiot...

      (* running a server, packet inspection, or doing heavily customised routing is not a reasonable expectation for a home/SOHO router - that sort of thing belongs on a separate machine that doesn't have one testicle dangling out on the WAN...)

      --
      What part of "a well regulated militia" do you not understand?
    4. Re:OK by Anonymous Coward · · Score: 0

      you can't shoehorn Linux onto them

      That's a security feature. Many/most are running OpenBSD.

    5. Re: OK by jo7hs2 · · Score: 1

      I think the new APE has a fan, that may be what you are hearing.

    6. Re:OK by Gr8Apes · · Score: 1

      It is expensive, until you need a reliable wireless connection. Then, compared to Cisco and other business class routers, the APE is an absolute bargain. Yes, you don't get enterprisey management, but all I want or need is a reliable wireless connection. Linksys, D-link, TrendNet, Buffalo, etc have all failed at this basic requirement for a wireless router. I used to get a new router every 3-6 months or so as the current one went flaky. Tallied up the costs in a year and decided to buy an APE. 5 years later, still running the same APE and it's been rebooted only a handful of times. I'm considering getting a new one only to get the upgraded wireless speeds.

      --
      The cesspool just got a check and balance.
    7. Re:OK by Zaiff Urgulbunger · · Score: 1

      the lack of a CLI or web interface (an OSX / Win only config utility) is shitty

      ..is a total non-starter for me. I broadly speaking like Apple, but they do some really stupid things sometimes and this is most definitely one of them.

    8. Re:OK by fluffernutter · · Score: 1

      I've had an AirPort extreme for 5-6 years and I haven't had to think much about it. Occasionally the one macbook in the house tells me it needs new firmware and it has all worked out ok. However, I have it in gateway mode with a dd-wrt box behind it. If I needed to use special software (or go to the macbook) to configure the firewall and what not, that would be very frustrating to me, security or no security.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  6. Only? wait for IOT by QuantumReality · · Score: 2

    Then you will see headlines like this "New audit of devices from Internet of Things category uncovers 65 000 flaws in 8 000 different devices, 240 million of these devices are in use today globally". Just think about those botnets...

    1. Re:Only? wait for IOT by Chewy509 · · Score: 3, Funny

      Due to the number of growing exploits against SOHO routers, SmartTVs, UEFI firmware, etc... we at work now tend to refer to IoT as BoT... aka Internet of Things == BotNet of Things...

      And it's a simple case of not if, but when this will happen...

    2. Re:Only? wait for IOT by Zontar The Mindless · · Score: 1

      Oooh, and it's even recursive.

      --
      Il n'y a pas de Planet B.
  7. Stuff is crap anymore by Anonymous Coward · · Score: 1

    Let's face it, manufacturers make stuff for pennies and sell it for as much as they can with as little support and warranty as they can. Notice how you can hardly talk to anyone about an issue without handing over a credit card. Firmware is as flimsy as the antenna these routers use. Nothing about a router seems well built, they skimp on heat sinks and shielding and wonder why there is so much interference? Throw the FCC a few bucks and they pretty much pass anything. Even then the FCC cares so little about security or function other than what is important to specs. Anymore if a product does not perform as expected it goes back in the box and back to the store. Can't count on anyone knowing how to fix it and most times you get another of the same it's defective too. I don't spend a lot on routers anymore. Tear apart an expensive router and it's made just as poorly as a cheaper one. Just more bands that flake out against each other. Sorry for the rant, but it's about time the router makers get hit with payback for lousy firmware. Too bad it's the end user that pays the price.

  8. Only concerns ISP-specific models by American Patent Guy · · Score: 2, Insightful

    Past research has shown that the security of ISP-provided routers is often worse than that of off-the-shelf ones. Many such devices are configured for remote administration to allow ISPs to remotely update their settings or troubleshoot connection problems. This exposes the routers’ management interfaces along with any vulnerabilities in them to the Internet, increasing the risk of exploitation.

    So, in other words, these models were specifically made for and distributed by an ISP, and were not off-the-shelf models. The backdoors were there for the ISP managers. For 99% of network users out there, these vulnerabilities are of no practical concern.

    1. Re:Only concerns ISP-specific models by gstoddart · · Score: 3, Informative

      So, in other words, these models were specifically made for and distributed by an ISP, and were not off-the-shelf models. The backdoors were there for the ISP managers.

      Well, I trust my ISP's router ... well, not at all, actually.

      Because I assume my ISP is either incompetent or dishonest, I don't really care which, I simply don't trust them. And I sure as fuck don't trust them with access to my actual network. I want a layer of security between me and their shit, because I assume their stuff is trivially hacked.

      My wife and I each have our offices set up where our own router is getting DHCP from the ISP's router, and then firewalling everything from it. We each have our own locked down wifi, and entirely separate networks. I'm pondering a third router to provide the guest wifi.

      Other than disabling the ISP's wifi and using our own, I wouldn't even know the SSID or the password for the ISP's crap. I assume they haven't turned it on without asking, but I never check -- come to think of it, I'd have to find out how.

      My parents and my in-laws have routers we've bought them to sit behind the crap the ISP provides. Because I know for a fact that in both cases the ISP provides a router with default wifi SSID and passwords which are published in the docs they give you.

      Because it's printed in the "how to" for every damned subscriber, and you can't change it, you can pretty much imagine that if you find an SSID of the right name you can connect to it, and probably have management access to it.

      For 99% of network users out there, these vulnerabilities are of no practical concern.

      But the problem is so many households trust that the wide open, back doored, well known remote-admin credentialed, shitty routers they've been provided with give them any form of security.

      Which means for the overwhelming majority of home users who aren't tech savvy and paranoid, these vulnerabilities are absolutely of practical concern ... because their PCs are directly plugged into the ISP's router, or they're using wifi from the ISP's router.

      I'm betting a lot of home users figure they have the router from the ISP, so they don't need anything else.

      That these are ISP models doesn't diminish the number of people who could be impacted ... it greatly magnifies it. Because most people who don't know better (and a few who do) connect their PC directly to the ISP's router.

      Honestly, go talk to a random neighbor ... see if they have anything between them and their ISP's router. My bet is they don't.

      --
      Lost at C:>. Found at C.
    2. Re:Only concerns ISP-specific models by Nostalgia4Infinity · · Score: 1

      FTA: ASUS AC68U; ASUS RTN56U & ASUS RTN10P & ASUS-RTN66U & ASUS-RT56-66-10-12; ASUS-RTG32; BELK-PHILIPS (?); BELKIN F5D7230-4; BELKIN F5D8236-4V2; BELKIN F9k1105V2; BELKIN-F5D7231-4; BELKIN-F5D7234-4; D'LINK DIR-600; D'LINK DIR-604; D'LINK DIR-645; D'LINK DIR-810L & DIR-826L & DIR-615 & DIR-651 & DIR-601 & WBR1310 & D2760; D'LINK DSLG604T; D'LINK-DIR-2740R; EDIMAX BR6208AC; LINKSYS BEFW11S4 V4; LINKSYS L120; LINKSYS WRT54GSV7; LINKSYS-BEFW11S4 V4; LINKSYS-LWRT54GLV4; LINKSYS-WRT54GV8; LINKSYS-X3000; LINSYS L000; Medialink WAPR300N; Microsoft MN-500; NETGEAR DGN1000B & DG834v3 & DGN2200; NETGEAR WNDR3400; NETGEAR-DGN1000 & NETGEAR-DGN2200; NETGEAR-WNR834Bv2; NETGEAR-WPN824v3; NETIS WF2414; Netis WF2414; TENDA 11N; TPLI ALL; TPLI-WR940N & WR941ND & WR700; TRENDNET E300-150; TRIP-TM01; TRIP-TM04; Trendnet TW100S4W1CA; ZYXEL MVR102; ZYXEL NBG416; ZYXEL-NBG334W

    3. Re:Only concerns ISP-specific models by dbIII · · Score: 1

      I suppose I'm lucky to have an ISP that not only is happy for clients to bring their own modem but had docs for how to setup close to a dozen popular models.

  9. bad info on D-Link DSL-2750B? by Anonymous Coward · · Score: 1

    described attack and info URL doesn't work on my unit

  10. WRT54GL? by Anonymous Coward · · Score: 0

    Does anyone who actually owns a WRT54GL run the stock firmware on them? I thought the whole point of that router was the fact you can drop Tomato, DD-WRT or OpenWRT onto it - I've had OpenWRT running my home network for years now.

    1. Re:WRT54GL? by Anonymous Coward · · Score: 0

      I know of at least one user who does.

    2. Re:WRT54GL? by rthille · · Score: 1

      I was running OpenWRT on a WRT54GS, but moved and ended up with 50Mbit Comcast (crap) rather than ~2Mbit Sonic.net (awesome! but too damn slow due to distance from CO). I discovered the WRT was limiting thruput to ~12Mbit rather than the 50Mbit I had on the other side of it, so I'm using an Apple Airport Express with stock firmware until I can get OpenWRT setup on a Netgear WNDR3700.

      And I thought I was way behind the times when I was still running the WRT54GS. So I guess my question is, is anyone still running that ancient hardware for their main connection?

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  11. Here we go again by technosaurus · · Score: 1

    ... expecting all models to be flawless.

    1. Re:Here we go again by thegarbz · · Score: 2

      Not at all. I'm completely open to security flaws in products. But only if the company supports the products, fixes the flaws, and provides continuous updates for older gear.

      I am for instance very tolerant of Windows or Linux based security flaws, I am tolerant for flaws in iOS too. But I expect my Android devices and my home router to be flawless considering the manufacturers provide bugger all support after their sale.

  12. Minimum standards by Peter H.S. · · Score: 4, Insightful

    Really, there ought to be some sensible minimum standards for commercial products that can be connected to the internet. This could include that the company had a decent policy for security fixes and a published contact point for people reporting such problems.

    And how about a pre-published, minimum security support length, so that people buying a smartphone/router/etc. will know in advance how many years it will be supported with security fixes. There are "use by" dates on food, why not on all internet connected devices.

    1. Re:Minimum standards by dbIII · · Score: 1

      Travelling down that road can mean that you have to be a member of lobby group X before your devices are allowed, and that group will have a cost of entry designed to squeeze out linux users, bsd users, radio hobby types and anyone else who does not have a commercial stake. See the broadcasting sector for examples.

    2. Re:Minimum standards by Peter H.S. · · Score: 2

      Not necessarily. The alternative to no laws isn't bad laws.

      As it is now companies can spew out insecure products with impunity and even silently drop any security support for devices consumers have just bought, not forgetting the classic tactic of not acknowledging security problems and just plain ignoring them. This can't go on.

    3. Re:Minimum standards by RandomAdam · · Score: 1

      Router support period -0.25 years.....we stopped supporting it before it was sold.

      --
      @Random_Adam

      Sometimes a sig doesn't have to be funny!!
    4. Re:Minimum standards by dbIII · · Score: 1

      Maybe I'm too cynical but that's how I'd see it going - a sensible minimum standard hijacked and turned into a barrier to new players entering the market with collateral damage of linux, freebsd etc. Such a thing could be avoided if the general public can get in on the rule drafting process.

  13. Yeah, but can you stop the NSA by gizmo2199 · · Score: 2

    Does anyone know of a SOHO package that can keep out the three letter agencies? I'm pretty sure even if these SOHO routers had stellar security does anyone believe they could keep out the NSA or a determined attacker from compromising your network? Even the best models basically just have a linux distro running iptables.

    --
    This Sig does not Exist.
    1. Re:Yeah, but can you stop the NSA by aXis100 · · Score: 3, Informative

      Linux "just running iptables" is perfectly secure.

      In general you can't just hack firewall software directly. What you do is find a protocol that is allowed through the firewall and then exploit some vulnerability on that protocol. Examples would be default passwords or SQL injection in a web management interface, buffer overflows in a DNS response, weak encryption in a VPN etc.

    2. Re:Yeah, but can you stop the NSA by Metabolife · · Score: 1

      You can't escape hardware based exploits/backdoors. There's a lot of silicon in these things to hide in.

    3. Re:Yeah, but can you stop the NSA by mcrbids · · Score: 1

      Just to be fair "perfectly secure" is probably overstating things considerably. It would pass "no known exploits" pretty well, certainly "commercially viable".

      The only "perfectly secure" computer is off, unplugged from the Internet, and encased in 50 feet of reinforced concrete. And even then, there *are* ways to exploit it using *ahem* brute force...

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    4. Re:Yeah, but can you stop the NSA by Anonymous Coward · · Score: 1

      You won't keep out the NSA. Defeating a state actor with funding and technical competence that exceeds your own in ways that you can't imagine is not a realistic goal, especially when they have allied state actors (FBI/local law enforcement) who can infiltrate/burgle your premises and gain physical access to your boxen. If they want you, they will have you, and if you make it hard for them, they'll find a charge to have your stuff picked up for inspection and you thrown in detention long enough to break you. Your pretensions to opsec mean nothing against a force that can tamper with your hardware or just have you picked up on a bogus drugs/kiddie porn/crazy gun nut threatening society charge. Trying to keep out the NSA is not your goal, because it is unattainable, and it's probably unnecessary to boot: they probably aren't really interested in you anyway.

      A realistic goal, however, is keeping out the kids down the block who might well be trying to leech your wifi and, if possible, rampage through your systems for the hell of it. Another realistic goal would be keeping out eastern European crime syndicates or Chinese script-kiddies, people without a reasonable probability of calling in domestic actors like the FBI to tamper with your gear or bust you on bogus charges. Defend against them, and don't worry about the NSA (and encrypt all your traffic to make life harder for the NSA, because even if one person can't defeat them, everyone together can make the haystack too deep to find any needles).

    5. Re:Yeah, but can you stop the NSA by jopsen · · Score: 1

      You can't escape hardware based exploits/backdoors. There's a lot of silicon in these things to hide in.

      Hmm, it would be fun to build an arduino based router. I suspect someone already did... But I think this would be the only way to reduce the amount of silicon.
      Hiding a generic backdoor in an atmega chip that plays well with a generic backdoor in say an ethernet and/or wifi processing chip would be an accomplishment.

    6. Re:Yeah, but can you stop the NSA by aaaaaaargh! · · Score: 1

      Forget it, they have exploits for every programmable machine you can possibly imagine.

    7. Re:Yeah, but can you stop the NSA by goarilla · · Score: 1

      Arduino ? Good luck with your 20 KB/s router.

  14. Basic security by Whiteox · · Score: 1

    Some of these flaws (maybe all) can be accessed by default logins. As soon as you have passed that, you have full control. To help prevent that you can change the device's IP and give it unique login credentials. It won't stop someone determined who wants access as all it needs is brute force to find the device's IP login page. In other words some of the vulnerabilities aren't device issues but user responsibilities. That pretty much goes for non-ISP supplied routers.
    A few ISP supplied routers do have backdoors and are remotely controlled ostensibly for the benefit of the user. In these cases it is almost impossible to alter the unit's IP address or login credentials.

    --
    Don't be apathetic. Procrastinate!
  15. Wouldn't it be shorter to list secure products? by dsmatthews9379 · · Score: 1

    Assuming somebody does sell a secure SoHo router product, or is our only option to install something like DD-WRT and be vigilant when it comes to security updates?

  16. Mod parent up! by Anonymous Coward · · Score: 0

    Agreed. Slashdot has gotten retarted

  17. Death Will Not Release You. by Ungrounded Lightning · · Score: 1

    ... not letting me delete my account.

    Slashdot is like the Mafia, CIA, and the Los Angeles Science Fiction Society: Once a member, ALWAYS a member.

    As LASFS says: "Death Will Not Release You."

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  18. Re:Fuck you. by Bite The Pillow · · Score: 1

    Delete your account means what?

    Scientology is the only reason that some data has been deleted from Slashdot. But your account is here because why?

    Just stop visiting here. Or delete your cookies. Or be responsible for what you have posted. Or you can just plead "I was drunk."

    Delete your account has the follow-on effects of, what exactly? What is it that you wish to omit from the record?

    Or is it everything? Because unless you are a Scientologist with lots of money, probably nothing will be removed other than your ability to log on.

    And log on is different from log in. And Scientology is just the first thing that came to mind.

  19. All browser vulnerabilities .. by nickweller · · Score: 1

    Seems to be most/all browser vulnerabilities. Which begs the wisdom of embedding a mini web server on your security devices. For example, the UPnP protocol, putting convenience over security.

  20. The Linksys what? by valnar · · Score: 0

    They listed the Linksys WRT54GL. Alex, I'll take "Routers nobody should be using anymore" for $2000.

  21. Forget that brand name crap by Anonymous Coward · · Score: 0

    After years of dealing with POS routers from Linksys, D-Link, Netgear, Belkin, etc., I finally wised up and bought a Mikrotik router a couple years ago. It gives me rock solid, bullet-proof performance for a fraction of the price of the crap you find on the shelves in the big box stores.

  22. LibreCMC is a better option; sources available by Anonymous Coward · · Score: 0

    Unfortunately DD-WRT is the worst as far as "open source" embedded distributions are concerned. They violate licenses and don't respect users' rights to the source code. Unfortunately even the better embedded distributions like OpenWRT include proprietary bits. None of this is good if you're concerned about security. While I'm not going to suggest LibreCMC is magically more secure the fact of the matter is you can't build a secure distribution or router from proprietary software. Unfortunately this does severely limit the devices you can run LibreCMC on. However if you care about your privacy and security it's the only acceptable starting point.