Zero-Day Bugs In Numerous Modems/Routers Could Compromise Millions of Users

An anonymous reader writes: Researchers have discovered a large number of zero-day flaws in 8 routers/modems from 4 manufacturers (ZTE, Huawei, Gemtek, Quanta) that would allow attackers to build a huge botnet by leveraging just a few exploits. Vulnerabilities include remote code execution, firmware rewrites, XSS, and CSRF. All these allow attackers to intercept both HTTP and HTTPS Web traffic, infect computers beyond the modem, intercept SMS messages, and detect the modem's geographical location. After six months, manufacturers have failed to fix the issues.

Openwrt

[JonathanP.Bennett]

This is why the ability to install secure and Open Source firmware like OpenWrt is so important.
https://openwrt.org/

Re:Openwrt

[sexconker]

The Chinese will just move the backdoors deeper into the hardware.
We're long passed the point of no return on this one.

Re:Openwrt

[vux984]

I'm still on barrier breaker; my router isn't supported by chaos calmer (yet)?

If there's a flaw in the older version... I'm pretty much in the same boat as any one with default firmware would be.

Re:Openwrt

[sexconker]

Past.
(I had "We passed the point of no return on this one a long time ago." and just moved shit around. Oopsie doopsie poopsie.)

Re:Openwrt

[The_Dougster]

OpenWRT is really good. I won't buy a router now unless its on the OpenWRT supported hardware list.

Re:Openwrt

Buy a new router. Routers which are supported by the latest OpenWRT release can be bought for less than $20. You don't need a fancy gigabit router on the edge of your home network. I would tell you what to get and where and how much it actually costs, but Google won't let me search US shops, because apparently a search engine should under no circumstances let me search anything outside my area. Fuck this, the internet is dead. Why have a router when the internet is like this. What we need are VPN gateways to some sane place. But if you want a cheap router that works fine with the latest OpenWRT (support for multiple SSIDs, client and AP at the same time, VLAN tagging on the ethernet switch, etc.), search for "tp-link tl-wr841n".

Re:Openwrt

[gstoddart]

So, here's the problem with that:

All of these modems are distributed by various telcos to their customers.

As well as:

It also appears that some of the modem's firmware was also modified by the telecommunications companies that distributed the modems to their customers.

So, the real problem is these modems belong to the telco, you probably can't change the firmware, and the bugs in some cases seem to have been introduced by the telcos.

No amount of open source ANYTHING is going to fix telcos who are providing customers with modified versions of the routers which they've done a poor job of changing.

EVEN if the original companies release fixes, the telcos are likely too lazy/cheap/indifferent to fix the damned things, and users can't exactly swap out the modems.

Shit like this is why companies need to bear some legal responsibility, and why telcos should be barred from modifying equipment for their own purposes -- their desire to brand it or add their own special functionality as often as not leaves users with abandoned devices which can't be fixed.

Any sufficiently advanced incompetence is indistinguishable from malice. And this is some pretty advanced incompetence.

Re:Openwrt

[gstoddart]

"EVEN if the original companies release fixes, the telcos are likely too lazy/cheap/indifferent to fix the damned things, and users can't exactly swap out the modems."

Why not? Are you required to use the ISP's modem and router, or is it just convenient to do so?

I strongly suspect in a lot of cases it is a requirement. ISPs tend to just sort of tell you what they're doing and don't much care what you think of it.

If I was required to use the ISP's hardware, I would put my own trusted equipment between my network and the ISP's.

I have a router/firewall between me and the ISPs modem, but I'm not certain that the class of problems these holes create can all be mitigated by treating the modem as not trusted. Because ultimately it still carries your traffic.

Actually if I was required, I would probably choose a different ISP, but luckily I do have that option.

It's great if you have the choice, and it's meaningless if you don't.

Re:Openwrt

[davecb]

There was an ACM article about hardware backdoors: turns out they show up as rarely-acessable code when you do a (normal) check to get rid of redundant or under-used circuts.

Re:Openwrt

[bobbied]

As in all of life, it depends. It depends on what you want your router to actually do...

Personally, I use OpenWRT on a couple of WNDR4300's that I picked up off of E-Bay over time, but I went with this router because it was CHEAP and had a VLAN capable switch. Even though I use this device, I'd not suggest it to others because currently the OpenWRT build for it is something you have to do on your own, not that it's hard, it's just time consuming.

But more to your question.. How do you know what hardware is best supported in OpenWRT? I suggest the following: First, check the supported hard ware list and make sure your exact hardware is there and shows that it's supported. Then make sure there are understandable installation instructions and that there is a build provided for your device. Finally, take a look at the device's forums and poke around to find out what kinds of problems other people are having with the hardware. In short, investigate the issues, use your favorite search engine, go look it up.

Re:Openwrt

[bobbied]

Personally, I DON'T run the Telco provided router and I suggest you not use it either. In fact, my ISP sent me a new router just last week and I don't plan to even unwrap it. Go buy your own, load your choice of open source firmware on it and leave the ISP's router in the box.

If you are REQUIRED to run the ISP's router, put your own router *behind* it and hide your whole network from your ISP either by using NAT or have a very strict firewall rule set (or both). (I.E create a DMZ and put your network behind it).

Re:Openwrt

[vux984]

You don't need a fancy gigabit router on the edge of your home network.

My internet is currently 120/6; so 100mbps isn't sufficient. I also want my openwrt box to have plenty of ram, cpu, and space, so that I can play with openwrt without worrying too much about running into the limits of the hardware. I have a Dlink dir-835 right now.

I'm open to replacing it with something that will likely be supported by new versions of openwrt sooner than later.

  I -like- having wifi AP all built into one box, but separating them into two separate boxes would make openwrt easier than I'm game to consider it.

Price is always a factor but "less than $20" is needlessly frugal. I will pay more for "better".

I would tell you what to get and where and how much it actually costs, but Google won't let me search US shops,

I'm in Canada; so that would have been moot. But model information is appreciated.

Re:Openwrt

[WD]

OpenWRT runs on 3G/4G modems?

Re:Openwrt

[wvmarle]

For hackers, maybe.

For the vast majority of the population (myself included) a router is a fire-and-forget thing. It's set up, it works, that's it. I never log in to my router to see if there's a firmware update (even while I faintly remember there is such an option, most people won't realise this at all). I don't get notified that there is a new update, so will have to remember and manually check for it. That just doesn't happen, and I like to play with those devices. Most people are less interested and really won't check ever for updates.

So if my router is vulnerable, it'll stay so for very long. The same so for many other routers. They probably stay vulnerable until they break down and are replaced (10 years for my previous wifi router, which actually still works - never had a software update, don't know if it's even possible). Routers have to be perfect the moment they leave the factory, that's the only way to keep them safe.

Re:Openwrt

[JonathanP.Bennett]

I'm still on barrier breaker; my router isn't supported by chaos calmer (yet)?

If there's a flaw in the older version... I'm pretty much in the same boat as any one with default firmware would be.

What hardware do you have that isn't supported?

Re:Openwrt

[houstonbofh]

Why not? Are you required to use the ISP's modem and router...?

With Uverse, yes.
With Comcast for static IP addresses, yes. (But you can put your real router behind theirs and turn off NAT.)
A lot of ISPs consider their "customers" personal property.

Re:Openwrt

[vux984]

What hardware do you have that isn't supported?

Dlink DIR-835
https://wiki.openwrt.org/toh/d...

As I wrote elsewhere in the thread:

My internet is currently 120/6; so 100mbps isn't sufficient. I also want my openwrt box to have plenty of ram, cpu, and space, so that I can play with openwrt without worrying too much about running into the limits of the hardware. I have a Dlink dir-835 right now.

I'm open to replacing it with something that will likely be supported by new versions of openwrt sooner than later.

    I -like- having wifi AP all built into one box, but if separating them into two separate boxes would make openwrt easier than I'm game to consider it.

And the cycle begins anew

[Kichigai+Mentat]

Cue renewed calls for auditable firmware.
Cue those calls continuing to fall on deaf ears.

I mean, let's face it, barring something cataclysmic this just ain't going to happen.

Arguably there are trade secrets contained within the firmware, which could be exploited by competitors. Motorola wouldn't want Xoom to find out that a commonly used algorithm for dealing with DOCSIS comms is in fact less efficient than another one they dug up, nullifying their competitive edge. And likewise D-Link wouldn't want you to find out that there's a critical problem with their router that can't be fixed in firmware. So they're going to fight this.

Auditable firmware would also expose management controls used by telecoms and ISPs. This would expose their capabilities, and how they work. People wouldn't just know how far reaching these controls are, but also how limited they are. It could raise the specter or nefarious people reverse engineering access to those controls, and doing things they aren't supposed to do. So they're going to fight it too.

Then there are legislative bodies. Auditable firmware could not only expose any backdoors that are currently in use, but expose any they try to implement in the future. So they're going to do what politicians do best and try to sweep the whole thing under the rug.

This leaves us, thankfully, with at least one ally: The FCC, who have said they will not be blocking the use of third party firmware on wireless devices, so at least we can still retreat to open sourced firmware wherever possible, instead of relying on others to open up code for us.

Re:And the cycle begins anew

[PRMan]

The FCC needs to be given authority to fine tech companies for security problems. $1 per model shipped for the first offense and doubled for each additional offense within a given time period.

Re:And the cycle begins anew

[sexconker]

likewise D-Link wouldn't want you to find out that there's a critical problem with their router that can't be fixed in firmware. So they're going to fight this.

Is D-Link going to fight against customers who open the box and try to use the thing? Because that's how I found out that my D-Link routers had critical problems that couldn't be fixed in firmware (not that D-Link would bother doing so if they could).

Re:And the cycle begins anew

[Kichigai+Mentat]

What grade of problem is high enough to warrant a fee? It responds to pings and can be DDoS'd? It's SMB client has a vulnerability that lets anyone on the LAN access an attached drive? What about people who don't update their firmware? What about older devices that are no longer supported?

The problem is that almost everything is going to have some sort of a security problem at some point, so where is the line drawn?

Re:And the cycle begins anew

[Kichigai+Mentat]

D-Link already got your money. Unless they're charging for firmware updates, and unless you're going to sue them, they've already won.

Re:And the cycle begins anew

[Kichigai+Mentat]

There aren't any 'management controls' to speak of on the modem firmware.

Pretty sure Comcast has a remote management interface so they can turn on and off that Xfinity Wifi access point. Or so you can customize your Wifi access point via an app on your phone.

Your telecom/ISP may not have full access to any hardware you own, but there's still hardware you rent, and publishing the source of the firmware for that is something I doubt they would want.

Re:And the cycle begins anew

[sexconker]

It's a Pyhrric victory, because I'm not buying their fucking shit anymore, and neither is anyone in my sphere of influence (work, friends, family, neighbors, etc.).
They don't exactly have a stranglehold on the market, yet they behave like there are no alternatives. The only more egregious example of "Nah, fuck you, customer." I've seen was with OCZ. We all know how that turned out.

Re:Welp

[campuscodi]

These are low-end routers distributed "for free" to new telco customers. Since the modems are free, people eat them up. Telcos usually buy them in boats, not crates. I worked for an ISP where the engineers were sad because the company just bought an entire boat of Huawei routers they had to configure.

Re:Welp

[citylivin]

Who are those manufacturers?

Huawei makes a cellular wireless router modem that i was just supporting for a customer last week. Cost like $400 bucks, takes a sim card and i was getting like 80mbps over LTE network. This is for a contractor who works in the field out of their truck. So they are out there, even if they arent as common in the consumer arena as netgear or linksys.

Re:Fuck technology

[gstoddart]

LOL .. in Soviet Russia, technology fucks you!!

And everywhere else in the world.

Re:Openwrt Has A Show Stopper Design Flaw

[U2xhc2hkb3QgU3Vja3M]

No freakin' way. They should switch to systemd instead.

All hail the wall wart

[MyFirstNameIsPaul]

More and more I tend to think the number one protector of consumer and small business gateways is the wall wart, which predictably fails every 2-5 years, giving the appearance of a new device being needed, thus another temporary improvement in security. I suspect that one day, a clever malware maker will figure out how to grab voltage and current in the device and inform the users a new power supply is required.

Personally, I run pfSense on an Atom board with numerous NICs.

All Chinese?

[PRMan]

I was going to point out that they are all Chinese companies (and imply something insidious) but 2 of them are Taiwanese and there's no way that they would help the Chinese government.

Re:Cisco for home

[godel_56]

As an IT professional this is why I always stress using Cisco equipment for home networking equipment. A good example is the Cisco RV325 router, or the Cisco RV180W for wireless that are both strong in design, and reasonably priced for home use.

But apparently you can't use punctuation in the router's password.

Re:Welp

[Dr_Barnowl]

Huawei supply a lot of ISPs with routers in the UK ; TalkTalk, amongst others.

Re:This is why protection by hosts = superior

[barbariccow]

oh no.

Liability is Coming

[SwashbucklingCowboy]

"After six months, manufacturers have failed to fix the issues."

That kind of crap will eventually cause Congress to enact legislation to make manufacturers liable for unpatched vulnerabilities.

Re:Liability is Coming

[ruir]

Are not they passing legislation making politicians liable for corruption? It is so fine and dandy legislating other people work and putting them working for free for the media cartels, but god forbids them from cleaning their own backyard.

No reference to upgrades

[ruir]

Disclaimer: I worked in the past for a cable operator... What the article does fail to mention is that once there is: 1st) Once there is an update, the ISP provider upgrades all of the modems REMOTELY. 2nd and for more important. Normally the (cable modem) routers are in a protected network with PRIVATE IP addresses. So if you are using a model that does not doubles up as router, you are good. If you do that, the modem usually is crappy and slow anyway, disable the routing function, buy your own router, and put it only doing bridging.

Re:Fuck technology

[Kichigai+Mentat]

So Soviet Earth?

HTTPS interception

[manu0601]

TFA tells about intercepting HTTPS. How does a modem-router flaw allow that, since HTTPS is an end to end protection?

Re:HTTPS interception

[houstonbofh]

TFA tells about intercepting HTTPS. How does a modem-router flaw allow that, since HTTPS is an end to end protection?

It allows you to capture the encrypted packets. :) Of course, some of that encryption is trivially easy to crack, but not all. Shhh... Your are spoiling the article.

Re:Openwrt Has A Show Stopper Design Flaw

[houstonbofh]

So the Router firmware that everyone here coos about actually uses a sucky firewall?
Netfilter != pf.
Typical F/OSS Fail.

So pick another one like http://www.smallwall.org/ or http://www.pfsense.org/ or whatever. The nice thing about FOSS is choice.

Re:Openwrt Has A Show Stopper Design Flaw

[macs4all]

So the Router firmware that everyone here coos about actually uses a sucky firewall? Netfilter != pf. Typical F/OSS Fail.

So pick another one like http://www.smallwall.org/ or http://www.pfsense.org/ or whatever. The nice thing about FOSS is choice.

But that's like saying you really only have one choice: Both smallwall and pfsense are simply Derivatives of the now-abandoned (like so many other F/OSS Projects), M0n0wall.

And since smallwall's main focus is "Small and Lean", rather than "Robust and Complete", I would think that using it wouldn't be a step "up" in the world of firewall-dom.

As far as pfsense goes, I can't figure out where it lives, since it is considered a Derivative of m0n0wall, but yet it lists pf as a dependancy. So??? Heck, even iOS runs pf (which I actually found amazing). What is OpenWRT's problem?

Re:Openwrt Has A Show Stopper Design Flaw

[houstonbofh]

M0n0wall was shut down when Manual decided that he wanted a life again. :) SmallWall is a continuation of the M0n0wall code base. pfSense was a fork that went with pf and a plugin architecture to allow expandability, while M0n0wall and SmallWall want to remain more focused.
And while it is small and lean, it have the enterprise firewall features you would expect like VPN support.