Slashdot Mirror

← Back to Stories (view on slashdot.org)

New SOHO Router Security Audit Uncovers Over 60 Flaws In 22 Models

Posted by Soulskill on from the my-god,-it's-full-of-flaws dept.

Home and small-office routers have become a hotbed for security research lately, with vulnerabilities and poor security practices becoming the rule, rather than the exception. A new security audit by researchers from Universidad Europea de Madrid only adds to that list, finding 60 distinct flaws in 22 different device models. They posted details of their research on the Full Disclosure mailing list, and the affected brands include D-Link, Belkin, Linksys, Huawei, and others. Many of the models they examined had been distributed to internet customers across Spain by their ISPs. About half of the flaws involve Cross Site Scripting and Cross Site Request Forgery capabilities, though there is at least one backdoor with a hard-coded password. Several routers allow external attackers to delete files on USB storage devices, and others facilitate DDoS attacks.

5 of 66 comments (clear)

  1. "Video Bytes"? by Anonymous Coward · · Score: 4, Insightful

    Fuck off with these horseshit "features" that nobody wants.

  2. OK by koan · · Score: 5, Insightful

    Most of you /.'ers that have read my comments know that I like to dis Apple, can't stand the fucking fanbois, but I have yet to see the Airport listed in any of these articles.
    If you have point it out to me, it seems they are fairly sound devices.

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:OK by NoMaster · · Score: 4, Insightful

      Oh, they've had a few (Secunia's down for me at the moment, but there's a reasonably up-to-date list here), so they're not perfect - but yes, they seem on the whole to have their act together.

      Sure, they're not as configurable as a cheap Linksys (although they can be pushed to do anything you'd reasonably* expect a home/SOHO router to do), you can't shoehorn Linux onto them, and the lack of a CLI or web interface (a OSX / Win only config utility) is shitty - but they're solid, robust, & pretty secure devices which are almost perfect for the average home or SOHO user.

      Oh, and the AC who said "Cannot configure them via a wired port, only wireless (wtf?)" is either a troll or an idiot...

      (* running a server, packet inspection, or doing heavily customised routing is not a reasonable expectation for a home/SOHO router - that sort of thing belongs on a separate machine that doesn't have one testicle dangling out on the WAN...)

      --
      What part of "a well regulated militia" do you not understand?
  3. Only concerns ISP-specific models by American+Patent+Guy · · Score: 2, Insightful

    Past research has shown that the security of ISP-provided routers is often worse than that of off-the-shelf ones. Many such devices are configured for remote administration to allow ISPs to remotely update their settings or troubleshoot connection problems. This exposes the routers’ management interfaces along with any vulnerabilities in them to the Internet, increasing the risk of exploitation.

    So, in other words, these models were specifically made for and distributed by an ISP, and were not off-the-shelf models. The backdoors were there for the ISP managers. For 99% of network users out there, these vulnerabilities are of no practical concern.

  4. Minimum standards by Peter+H.S. · · Score: 4, Insightful

    Really, there ought to be some sensible minimum standards for commercial products that can be connected to the internet. This could include that the company had a decent policy for security fixes and a published contact point for people reporting such problems.

    And how about a pre-published, minimum security support length, so that people buying a smartphone/router/etc. will know in advance how many years it will be supported with security fixes. There are "use by" dates on food, why not on all internet connected devices.