Zero-Day Bugs In Numerous Modems/Routers Could Compromise Millions of Users

An anonymous reader writes: Researchers have discovered a large number of zero-day flaws in 8 routers/modems from 4 manufacturers (ZTE, Huawei, Gemtek, Quanta) that would allow attackers to build a huge botnet by leveraging just a few exploits. Vulnerabilities include remote code execution, firmware rewrites, XSS, and CSRF. All these allow attackers to intercept both HTTP and HTTPS Web traffic, infect computers beyond the modem, intercept SMS messages, and detect the modem's geographical location. After six months, manufacturers have failed to fix the issues.

Re:Openwrt

[gstoddart]

So, here's the problem with that:

All of these modems are distributed by various telcos to their customers.

As well as:

It also appears that some of the modem's firmware was also modified by the telecommunications companies that distributed the modems to their customers.

So, the real problem is these modems belong to the telco, you probably can't change the firmware, and the bugs in some cases seem to have been introduced by the telcos.

No amount of open source ANYTHING is going to fix telcos who are providing customers with modified versions of the routers which they've done a poor job of changing.

EVEN if the original companies release fixes, the telcos are likely too lazy/cheap/indifferent to fix the damned things, and users can't exactly swap out the modems.

Shit like this is why companies need to bear some legal responsibility, and why telcos should be barred from modifying equipment for their own purposes -- their desire to brand it or add their own special functionality as often as not leaves users with abandoned devices which can't be fixed.

Any sufficiently advanced incompetence is indistinguishable from malice. And this is some pretty advanced incompetence.