Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Internet of Compromised Things

Posted by Soulskill on from the points-of-failure dept.

An anonymous reader writes: Jeff Atwood has a post about a security threat that's becoming more prevalent every day: spreading malware through a compromised router. "Router malware is the ultimate man-in-the-middle attack. For all meaningful traffic sent through a compromised router that isn't HTTPS encrypted, it is 100% game over." He links to a thorough technical analysis of how even HTTPS encrypted traffic can be subverted. Atwood provides a list of suggestions for keeping your router safe that probably won't be any surprise to people reading this site, and he further recommends only browsing on an unknown router if encryption is available. What I'm curious about are the long-term implications — is there a way forward to re-establish trust in our router infrastructure? What can the open source community do to speed this along?

15 of 62 comments (clear)

  1. Re:What if the malware is baked in when you buy it by Zontar+The+Mindless · · Score: 2, Insightful

    Or you could, you know, go to an ATM, withdraw some cash, then walk into $shop and buy one there, using the cash...

    --
    Il n'y a pas de Planet B.
  2. Trusted Network Fallacy by Anonymous Coward · · Score: 4, Insightful

    The people who designed the internet had the right idea: Dumb network, intelligent edge. Perimeter security and trusted networks are dead ends. Communication is from endpoint to endpoint. The network shouldn't even matter. You might be running IP over avian carriers if that's what you need to do to get a connection. But if you need to trust the network between the endpoints, you're doing it wrong. Even if you could trust your own router, do you trust the ten or more routers behind it? Ubiquitous encryption and authentication with IPSec is possible with DNSSEC supplying the keys.

    1. Re:Trusted Network Fallacy by Anonymous Coward · · Score: 4, Interesting

      I think you still have to trust some aspects of the network. Sure, DNSSEC can provide some protection, but what if your ISP's DNS server is compromised to provide bad information? I suppose you could verify it against other servers. Can you trust that the routers your packets pass through are properly routing your traffic to the IP you want it to reach? If done right, compromising these things could be almost invisible to a lot of users. I think you have to trust certain aspects of the network, though you should use encryption to protect against MITM attacks. I think you can avoid many types of exploits, but you have to trust something in order for the internet to function. The idea of using HTTPS is a step in the right direction, except that CAs can't be trusted and the biggest one has a horrible record of security. Add to it that most users are ignorant of HTTPS and many applications don't reveal the protocol to the user and you have a problem. Can you trust that mobile apps and a lot of other software that doesn't explicitly reveal its protocols to the user makes use of encryption? Sure, you could sniff the packets, but who does that? I just don't think you can entirely remove trust from the equation, though we can do a lot better than we do now.

    2. Re:Trusted Network Fallacy by Anonymous Coward · · Score: 2, Insightful

      what if your ISP's DNS server is compromised to provide bad information?

      That's why you need to use DNSSEC, and by use I mean verify that you got authentic data, which DNSSEC lets you do.

  3. Re:Don't routers already run BSD? by TWX · · Score: 5, Interesting

    Mine runs Linux, compiled for MIPS. It's actually going to be replaced soon anyway so I haven't bothered to do much with it.

    Either way, the average person is only going to use the web interface or the software that the manufacturer provided that runs on the computer, if any. They won't be in position to fix anything that's broken if the manufacturer does not provide either an automatic means or a simple means to do so.

    I think it'll eventually come down to a regulatory issue. Tech companies and those companies that use consumer-facing electronics (like car companies and their infotainment and body-control computers) have proven that they're not interested in maintaining their arguably defective products. Don't mince words, bugs are defects. Companies need to be taken to task over both this and over the increasingly rapid discontinuation of support (like factory-shipped apps on cell phones that stop working and can't be updated because new versions require OS updates that aren't provided) such that companies end up with mandatory windows of support until the last product ships, where all bugs and changes in communications protocols and services are maintained, such that devices that consumers have paid good money for actually last as long as their pricetags indicate that they should. For smartphones I think that window should be five years. For things line broadband routers, it should be at least five years, and I'd argue that it's not unreasonable to demand closer to a decade. For cars, where the average age of cars on the road is now something like twelve or thirteen years, it should be at least a decade for basic feature maintenance and probably another ten years for critical bugs that compromise the security of the vehicle's systems, like these easily unlocked cars we're hearing about.

    Yeah, it sucks to have to maintain old code, but I'm very tired of having to pay for defective products whose features begin to stop working when the companies that wrote those features decide to change directions.

    --
    Do not look into laser with remaining eye.
  4. The entire friggin' internet is compromised by Rosco+P.+Coltrane · · Score: 3, Informative

    Nevermind your own dinky router: any traffic you send on the internet is exploited by greedy "big data" companies and rogue 1984-style government agency. And encryption doesn't stop them from watching what you do...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:The entire friggin' internet is compromised by Anonymous Coward · · Score: 2, Interesting

      This is unfortunately the ugly reality: the internet as we knew it is dead. What many dreamed would be an empowering tool for the masses became the ultimate instrument of power and control for the Ruling Elite. We can't even leave it because all services are being brought online and online only. We have been enslaved and there's nothing we can do. In the end, I almost think the Ruling Elite deserves its great victory: they have been most astute and far-seeing in their acting. It's the culmination of a 20-year long plan. They let us thought we were on the verge of the ultimate revolution and all the time we were shackling ourselves. Maybe there's a reason they should rule. :(

    2. Re:The entire friggin' internet is compromised by rmdingler · · Score: 3, Insightful

      This is unfortunately the ugly reality: the internet as we knew it is dead. What many dreamed would be an empowering tool for the masses became the ultimate instrument of power and control for the Ruling Elite.

      To be fair, it's actually a little bit of both.

      Having access to all the compiled knowledge of mankind is empowering for any and every person with internet access, as is being essentially free to contact nearly every other Worldly citizen via the web. The ability to monitor an individual's access to that information is maddeningly power grubbing for the government's surveillance state.

      Being realistic, if it was not advantageous to the ruling elite, would they let us keep it?

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    3. Re:The entire friggin' internet is compromised by mcrbids · · Score: 2

      I wish this weren't modded up. Really, I do.

      "any traffic" implies "all traffic" and it's simply wrong that "big data" is somehow exploiting, for example, the OpenVPN traffic between my laptop and my home mini server, nor are they making use of anything going on over SSH.

      And encryption doesn't stop them from watching what you do...

      And this is just silly. Of course it does! It is *not* a perfect tool, but it is a damned good one, the engineers did their job. As with any defensive/offensive technique, there are ways to mitigate it, and there are ways to bolster against those mitigations.

      It's plainly obvious from the Snowden leaks that the NSA commonly seeks the private keys of common sites. This strongly implies that the root of the CA fortress is relatively secure - otherwise they wouldn't care. And in light of the Snowden leaks, SSL is being scrutinized, and the holes filled in. OpenSSL finally has a budget!

      Security is a process, not a product. Don't forget that!

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
  5. Re:What if the malware is baked in when you buy it by SuricouRaven · · Score: 2

    You can for ADSL routers. Cable service routers usually combine modem and router into one box, and DOCSIS authenticates this device with the other end of the network cryptographically - even if you wanted to replace it, you couldn't. If you check the fine print you'll usually find that the modem-router is the property of the cable company and serves as the demarcation point.

  6. Re:What if the malware is baked in when you buy it by Runaway1956 · · Score: 2

    http://myopenrouter.com/

    If you're interested in security, you'll buy a router which you can flash and program to your own liking.

    I don't know how to counter a custom spying chip that might be embedded on your router's board, but defeating software is pretty damned easy.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  7. HTTPS is not the only encryption by Cigaes · · Score: 3, Insightful

    The first thing I notice about that article is that it help spreading the misconception that HTTP is the only use of Internet and HTTPS the only encryption scheme. I must say, I feel much safer knowing my SSH sessions are not HTTPS-encrypted, because the certification mechanism is completely broken.

    1. Re:HTTPS is not the only encryption by msobkow · · Score: 2

      TLS is no more broken than SSL, and can be used by HTTPS sessions. If anything, SSL is the older and less reliable protocol, and that is what SSH is built over. So is sftp.

      Regardless of whether you are using TLS or SSL, you are relying on the same public key infrastructure system to identify hosts. So I don't know where you get the idea that SSH is "more secure."

      --
      I do not fail; I succeed at finding out what does not work.
  8. Pfft. This all misses the point. by Tatarize · · Score: 3, Interesting

    If you actually care about security maybe you shouldn't let information from the internet control your computer. I mean sure they can edit your webpages via a router to insert whatever, but the inserting whatever part is could just also be malware on the internet proper.

    The point of TNO is that you might as well assume your router is altering webpages and inserting malicious content (either that or there's some already on the internet). One should view the internet as a black box of security threats and then just go from there. Yeah, routers can do that stuff. Security is what you do with that understanding. You don't get a router you can trust. You don't trust the router or the rest of the internet.

    --

    It is no longer uncommon to be uncommon.
  9. Re:Don't routers already run BSD? by TWX · · Score: 2

    Manufacturers should have to support smart phones for five years? What have you been smoking, buddy? And can you pass me some? The hardware itself (screen, casing, battery, etc.) of most phones does not last 5 years - why should the software?

    My phone is a Samsung Galaxy SII. I bought it when it was newly launched. It is now four years old. My previous phone was a T-Mobile G1, also sold as the HTC Dream, the first retail Android phone, which I also bought when it was newly launched. I still have it and it actually still works, but we replaced it in part because of application problems from being limited to Android 2.3.

    Just because you replace your technology frequently doesn't mean that the rest of us do. Frankly I'd rather spend my money on other pursuits rather than re-buying the same theoretically-durable goods all of the time.

    --
    Do not look into laser with remaining eye.