Quanta LTE Router May Be Most Unsecure Router Ever Made

An anonymous reader writes: LTE routers made by Quanta Computer Incorporated, a Taiwanese hardware manufacturer, are plagued by over twenty major security flaws ranging from backdoor accounts to remote code execution bugs, from hardcoded SSH keys to undocumented diagnostics pages, and from weak WPS PINs to network eavesdropping functions. As the researcher explains: "A personal point of view: at best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor." The vendor has not fixed any of these issues even after almost four months.

So.

[rmdingler]

The router equivalent of your recorded answering machine message, "Leave a message; we're in Disneyland and you're not!"

Re:So.

[Thanshin]

The router equivalent of your recorded answering machine message, "Leave a message; we're in Disneyland and you're not!"

The recorded message would rather have to be:
"Leave a message; we're in Disneyland. If you're Bob, we left the door open so you can water the plants. Don't worry about the alarm. We changed the passcode to "1111" before turning it off, in case you turn it on by mistake. While you're there, could you check all the money is still on the big desk? We put it there so you could check faster, but now we're worried the wind may have pushed it outside the window. (we left the windows open in case the dog we lost five years ago comes back.)"

Does this mean it's the most unlocked router ever?

That I can do whatever I want with it?

At least...

[BradleyUffner]

But at least it's locked down so you can't install any custom firmware and mess with the power levels!

Definition of unsecure

[Thanshin]

A steel chain with twenty wooden links is still stronger than a steel chain with one paper link.

A router with no access control whatsoever is less secure than the given example.

Re:Definition of unsecure

[Thanshin]

Counterarguments:

A steel chain with steel painted wooden links is way more dangerous than a steel chain with a clearly visible paper link.

A router identified as having no access control is way safer than a router which is expected to be secure.

Re: Definition of unsecure

I don't understand what you are arguing here. Why don't we just skip the paper/wood/yarn chains and just use a proper steel chain right from the start, specifically, one where you are allowed to inspect the links and upgrade them to titanium if you so wish?

Get a router from a reputable vendor (they still exist) and slap OpenWRT (or whichever flavour of router os you prefer) in it and just be happy. Or build a router from PC spare parts and slap some Linux or *BSD in it, if you want more control.

Re: Definition of unsecure

[Thanshin]

What I'm arguing is that security shouldn't be evaluated by "volume of flaws", but by "size of the largest flaw".

For my argument I used a chain to recall the clear fit to this situation of the classic proverb "A chain is only as strong as its weakest link".

Re:Definition of unsecure

A chain with a fatal defect is still fatally flawed. Grey areas tend to be more dangerous than black and white because you may not know there is an issue. Sometimes nothing is better than something that kind of works. Eating a poisoned apple is not better than being hungry.

Re: Definition of unsecure

[gstoddart]

From the sounds of TFS, the "size of the largest flaw" is the sheer volume of flaws; this router sounds like it's pretty much garbage.

Semantics about which aspect of it is shittiest seems pointless when the whole thing is a steaming pile of a turd of bad security.

Re:Definition of unsecure

A chain with a fatal defect is still fatally flawed. Grey areas tend to be more dangerous than black and white because you may not know there is an issue. Sometimes nothing is better than something that kind of works. Eating a poisoned apple is not better than being hungry.

"Quanta LTE Router May Be The Least Secure Router Ever Made "

Boom, done.

Re: Definition of unsecure

[omnichad]

Once you replace the firmware, you're getting rid of all of the security vulnerabilities native to the device.

Re:Definition of unsecure

[jellomizer]

Well I would feel safe if it is connected to one of these canadian ones

Re: Definition of unsecure

[Grishnakh]

I don't understand what you are arguing here. Why don't we just skip the paper/wood/yarn chains and just use a proper steel chain right from the start, specifically, one where you are allowed to inspect the links and upgrade them to titanium if you so wish?

1) Because people don't care about security, they just want whatever's cheapest and seems to work.

2) Because titanium would be worse than steel if you just tried use them as a drop-in replacement. Titanium isn't as strong as steel volumetrically, so by replacing a steel link with a titanium one (of the same size, which is necessary for it to be a drop-in replacement), you're putting a weak link there which will break. You could theoretically make a titanium chain that's as strong but lighter than a steel one, but it won't be the same size, it'll be bigger/thicker. However, titanium also doesn't have the hardness that steel does, so it would wear much faster. A quick Google search seems to back this up: hardcore cyclists do have titanium chains available to them, but they're horrifically expensive and don't last very long, so they only make sense on all-out racing bikes where they'll replace the chain after every race.

I'm all for language changing over time

[H3lldr0p]

But "unsecure"? Seriously? Was this writer not aware of the commonly available "insecure" which, I'm guessing since that's a new word to me, means almost the exact same thing??!

I could get down with "unsecurable", a device that goes out of it's way to keep me from making it more secure than it started out as. There's nothing "insecurable", unless you're some sort of monster trying to spread insecurities to the general populace.

Com'on editors, you've got one job to do. Why not do it well?

Re:I'm all for language changing over time

Slashdot Headline May Be Using Most Unpossible English Ever Made

News at 11

Re:I'm all for language changing over time

[Jason+Levine]

You want the editors to do their jobs? That's unpossible!

Re:I'm all for language changing over time

[Thanshin]

I was about to say the same, but it could hurt the editors unsecurities.

Re:I'm all for language changing over time

[wonkey_monkey]

I'm all for language changing over time

Shush then.

"Insecure", to me, is far more commonly used to mean "lacking in confidence." If the editors had gone with that, there'd be dozens of posts mocking the choice and insisting that all the router needs is to be told it's beautiful.

Someone who is insecure has insecurities. Something which is unsecure does not have unsecurities.

"Unsecure" has come to take "insecure"'s place since "insecure" gained its psychological connotations (which may have happened around 1980, when "unsecure" started gaining in popularity). So blame psychiatrists.

Re:I'm all for language changing over time

[DarkOx]

English does not really have many rules, and only descriptive not prescriptive dictionaries. You understood the writers intent, communication was successful. So I would say to you "get over it."

That said I agree your usage is preferable. The faulty device is insecure.

I don't think it would be wrong to say, "The house has been left unsecured."

Re:I'm all for language changing over time

[squiggleslash]

So we need to make up words to prevent others from making very obvious jokes based upon puns?

BTW "secure" has the same psychological connotations. Just saying...

Re:I'm all for language changing over time

[wonkey_monkey]

No, we re-adopt words ("unsecure" has been around since the century before last) when other words gain new meanings and leave a gap to be filled, or as new technology and new concepts become more prevalent.

BTW "secure" has the same psychological connotations. Just saying...

True, but not to the same extent as "insecure." You might ask someone if they were insecure, but you probably wouldn't ask (meaning the exact opposite) if they were secure.

Re:I'm all for language changing over time

A router with this many vulnerabilities certainly evokes a lack in confidence it will remain secure.

Many words in English, even if they have the same part of speech, have more than one definition. For example, "home" can be a dwelling, a baseball plate, a beginning position from which to start a procedure, an institution for people needing professional care, a gathering place for a sport team's fans, etc. We who speak English (and the same pattern applies for other languages too) rarely have an issue with overloading the definition of words.

Creating new words is a different matter. Since "unsecure" can be equally overloaded with all of the same definitions as "insecure", it becomes unclear which definitions are being included and which are being excluded. You might think that "unsecure" only applies to router security, but I can quickly imagine people describing a person as being "unsecure" in his possessions. Once that is permitted, then a person in a shoddy emotional state can easily be described as "unsecure". The problem is not the new word, it is that the new word inherits meaning from the old one without clear differentiation.

Language is used to communicate, and better language is preferred; but, not because it adheres to a rule more closely. It is preferred because it is less likely to introduce mis-transmission of the message. Your attempt to divide the meaning of "insecure" into "insecure and unsecure" is laudable, but it is fraught with problems. The biggest problem is that the majority of the rest of the world doesn't share your division as you have mentally modeled it. This means that when you reach for this new word, you decrease the chance they will understand you. Perhaps, in time you will convert the world to your mental model of the division, but I doubt it. The primary driver of my doubt is that there is not a pressing need for a computer-technical word for insecure. Insecure still manages to describe the situation as well as unsecure might, and the latter has no history or people backing it en masse.

It is not a psychiatrist's call to change the preexisting word, they merely added a new definition to the preexisting ones. However, it does seem that this definition, among the many to choose from for "insecure" raises connotations that are uncomfortable for you. That's your prerogative; but, I assure you, it is not a shared phenomena.

Re:I'm all for language changing over time

[LQ]

An unsecured system is insecure. If you look at a dictionary for "insecure", it will give different definitions for when applied to people and things.

Re:I'm all for language changing over time

I'm all for language changing over time

Shush then.

"Insecure", to me, is far more commonly used to mean "lacking in confidence." If the editors had gone with that, there'd be dozens of posts mocking the choice and insisting that all the router needs is to be told it's beautiful.

Someone who is insecure has insecurities. Something which is unsecure does not have unsecurities.

"Unsecure" has come to take "insecure"'s place since "insecure" gained its psychological connotations (which may have happened around 1980, when "unsecure" started gaining in popularity). So blame psychiatrists.

Please stop trying to educate people until you understand how the language actually works.

Insecure. A reflection of a person's mental/emotional state. Something not guarded against entry or theft.
Unsecured. Something not guarded against entry or theft.

There is no such thing as "unsecure", and there is no such thing as "insecured."

Re:I'm all for language changing over time

You want the editors to do their jobs? That's unpossible!

The editors can be taught. That makes it repossible.

Re:I'm all for language changing over time

[KGIII]

> I don't think it would be wrong to say, "The house has been left unsecured."

Nor should you. That's correct usage. Just like unsecured loans.

Re:I'm all for language changing over time

[wonkey_monkey]

Please stop trying to educate people until you understand how the language actually works.

The English language works based on what words people use, and apparently they "unsecure" more than "unsecured" these days. There's no central authority to appeal to. You can deny the existence of the word "unsecure" if you want, or a particular meaning of it, but it's a bloody useful one to have around. And it has a subtly different meaning to "unsecured" in this context.

Re:Does this mean it's the most unlocked router ev

[pushing-robot]

Yes! You have complete power, and so does everyone else! It's all part of Quanta's new paradigm holding-hands sharing culture!

(Say... does anyone know how this /. shilling works? Do I just wait for my check now?)

About time?

[TheReaperD]

Isn't about time for manufacturers to face civil and potentially criminal penalties, plus recalls, for shipping insecure and faulty electronic products like every other product industry? Until is is less expensive to ship a secure (understanding that nothing is perfectly secure) product than it is to pay fines, penalties and recalls, vendors will continue to ship faulty and insecure products. Right now they know that it will cost them little to nothing to deal with insecure and faulty products so they do so with impunity and we get stuck with the crappy products in the end with the only possible recourse being an expensive class-action lawsuit that will take years and net those affected very little in the end. The class-actions tend to be very hard to win as there's very little case precedent for the owners of insecure products. People don't want to be the ones first to risk millions in legal fees and lawyers to set the initial precedence.

Re:About time?

Such controls exist in the FAA and FDA regimes. I don't think the router market is willing to bear the costs. It call has do do with risk and the cost of mitigating it. It should be enough in the router business for low quality produces to be driven out of business.

Re:About time?

[Joe_Dragon]

And criminal penalties means it's for the CEO's and VP's. Or maybe give the coders / IT staff PE powers. So they can tell there boss to F* off and say I'm not signing off on this rushed code with no QA testing.

Re:About time?

[TheReaperD]

The router market is probably one of the areas of technology that needs regulations and penalties the most. The total cost of having these insecure products on the marketplace far exceeds any benefit we get from cheap routers. These routers make it far too easy to gain access to personal data, launch DDoS attacks, replicate viruses and host criminal data with no trace which all hurt the internet as a whole. The only agency that seems to have any real authority over them is the FCC and they don't tend to deal with quality control of specific equipment, much less security. The CPSC is probably the most appropriate agency of existing ones to deal with it but, they don't seem to consider themselves in charge of equipment like this either.

Re:About time?

[TheReaperD]

I personally like the idea of whistleblowers getting a share of any fines levied so that it gives them incentive to report any issues that management swept under the rug.

Re:About time?

The only way to really approach this is to have a minimum standard.

Security has no upper limit. You can always make something more secure. Eventually it may become so secure that it is cost prohibitive to operate (that's certainly not the case here). This means that we would need a minimum security standard, in a field where we barely have professional standards (I personally feel that unit testing is a bare minimum professional standard in programming).

The only chance I see of moving forward towards you goal is to have the equivalent of UL for routers. However, the UL program is not without it's drawbacks. Remember it was a voluntary program initially, but insurance companies eventually refused to insure non-UL certified products. So it was an insurance policy that effectively caused UL to be a success, where now it blocks out smaller players from entering a particular market, as they cannot afford to certify their products. (UL unlike a few less successful standards, requires verification and guidance from design through maintenance).

As we do not currently insure computer software assets, the financial incentive to drive for mass adoption is missing. History has shown that a pure disincentive model fails frequently. Governments can only ban things effectively when more money is preserved by banning them. For example, DDT is easily banned because the government can compel the manufacturer to attempt remediation which is far more expensive than the profit of the sale. As we do not have a clear security minimum standard for routers and we also do not have a clear way to value the damage done (manpower is not a good measure, it is highly uncorrelated with the damage), I doubt we will see effective legislative action in the immediate future.

Re:About time?

[Joe_Dragon]

whistleblowers need to have full protection from hacking laws

Re:About time?

[geekmux]

Such controls exist in the FAA and FDA regimes. I don't think the router market is willing to bear the costs. It call has do do with risk and the cost of mitigating it. It should be enough in the router business for low quality produces to be driven out of business.

Low quality products exist because of low quality consumers.

Unless you plan on enacting legislation to outlaw stupidity, low quality products will continue to thrive, and in some cases dominate the industry.

When ignorance is the dominating factor, you have your answer as to what the true problem is. Good luck fixing that shit with legislation.

Re:About time?

[swb]

Doesn't this create a moral hazard, where coders or QA testers have a perverse incentive to allow bad code to get established and then blow the whistle?

I think sometimes "bad projects" can take on a life of their own if they're allowed to get past some initial starting point. It reaches some critical mass where shared complicity, scale and external expectations cause it to seem unfixable without unjust blame, excessive work or external consequences.

It some ways, it's like the citizens of a nation electing douchebags for decades and then complaining about government douchebaggery and wanting a prize for highlighting a problem.

Re:About time?

If an airplane goes down, it is a minimum 20 million dollar loss before you deal with the complexities of whether it was occupied. That will drive minimum standards so that $2,000 add on doesn't sink the ship. If a router fails, it is a minimum zero dollar loss, and possibly a tens of millions dollar loss, but nobody really knows the distribution curve. It's not easy to cost-justify how much money needs to go into router verification.

Re:About time?

[gstoddart]

Low quality products exist because of low quality consumers.

Bullshit, low quality products exist because of low quality laws.

What you're suggesting is the worst possible case of "caveat emptor" in which consumers are responsible for companies which make shitty products.

That will NEVER SOLVE THE PROBLEM. Consumers don't have perfect knowledge, they may not have any knowledge.

I'm not going to do engineering assessments of every product I buy to take responsibility for the manufacturer not making garbage.

You don't outlaw stupidity, you outlaw companies making garbage products which aren't suitable for the purpose they're actually sold for ... you sure as fuck don't blame the consumer for low quality products.

This is exactly why all those claims about "letting the market fix it" are bullshit, the market doesn't fix this kind of problem, because the market intrinsically assumes some greed, lying asshole can cheat and leave it up to the consumers to discover that.

The market just assumes that a large amount of people with perfect information are making good decisions, which is a complete lie. And that's why the "free market" is utterly incapable of solving this kind of problem.

Re:About time?

[Joe_Dragon]

An Engineer that signs off on a unsafe design can be looking at some hard time.

Re:About time?

I would expect any whistleblowing would need to show that decision makers were actively pushing for code they knew to be flawed.

Re:About time?

[omnichad]

So all one would have to do after stealing from a company is admit that fault and disclose the vulnerability?

Most unsecure?

[Tyrannicsupremacy]

Or least secure?

Re:Most unsecure?

[wonkey_monkey]

Most unsecure? Or least secure?

Yes.

Re:Most unsecure?

[Tyrannicsupremacy]

Thanks.

Re:Does this mean it's the most unlocked router ev

[Jason+Levine]

Based on how Quanta makes their router, I think you post your bank account information and wait for the money to come rolling in.

free trade

It comes as no surprise that companies manufacturing technology in a totalitarian state would have security issues. You get what you pay for. One day people will realize that possibly paying double for a PC or router made in a western country is less costly than security breaches. At least here, the PC makers are trying to fight it.

Re:free trade

It comes as no surprise that companies manufacturing technology in a totalitarian state would have security issues. [...]

Ah, you are confusing mainland China with Taiwan. Taiwan ostensibly has a democratic government. Of course that doesn't change the behavior of the crappy router. It may indicate though, the reasons for it's crappiness are laziness, greed and incompetence.

Look at those backdoors

Damn... I counted at least 5 backdoors in there... and the security researcher says he didn't disclose all. Must have been coded by chipmunks or something.

There's OpenWRT for it or it rots on store shelves

Listen up, router manufacturers. If you lock down your routers to prevent flashing alternative firmware, you turn your product into an expensive and ugly paperweight. This incident is just one more example why running proprietary software on routers is a strict no-go.

And sadly....

[Lumpy]

The dipshits at that company refuse to give out any information so that OpenWRT or DDWRT can be easily compiled for it. What is it with china companies being stupid and not embracing a community doing all the programming for them?

Re:And sadly....

And overwrite the government mandated backdoors?

Re: And sadly....

[jsh1972]

That probably answers the question of if it was due to incompetence or a deliberate act by the vendor.

The problem is written in the name!

[LordHighExecutioner]

Quanta routing is using Heisenberg's indetermination principle for routing, so their packets are either secure and insecure at the same time.
Good old newtonian routing policy can fix this.

Vulnerability Warriors meet EOL

[Virtucon]

From: https://pierrekim.github.io/bl...

Mar 15, 2016: Quanta confirms the product is EOL and the released firmware was approved by the operator. Quanta can't modify of change without the customer's approval. Quanta does not have plan to patch or change FW as the product is EOL. Quanta thanks Pierre Kim for the information and will consider the findings into our next product development in the near future.

So then the Vulnerability finder discloses, which is fine but the product is EOL. Don't buy it, don't use it. As a rule don't buy network routers from unknown or little known manufacturers. It may be cheap now but it'll cost you eventually.

Re:Vulnerability Warriors meet EOL

[TheReaperD]

Other industries, such as cars, if the product you shipped has a serious design flaw then you have to recall and fix it, regardless of the product's age or if it is considered EOL. The same should apply here.

Re:Vulnerability Warriors meet EOL

[cdrudge]

In other industries, such as cars, if the product fails craptastically, people can die. If a badly designed coffee pot malfunctions, people could be hurt or die. If a baby crib has a part that is found to be able to break off creating a choking hazard, a baby could die. All these types of events are already covered under existing laws/regulations by several different federal agencies (or by equivalents in many other non-US countries).

If a router fails due to some massive security holes, no one dies.

Keep a little perspective when considering what is a serious design flaw and how recalls for defects should be treated the same.

Re:Vulnerability Warriors meet EOL

[WhiteKnight07]

Unless of course that router is in a hospital or medical insurance office. Then someone very well could die due to incorrect treatment or lack of treatment.

Re:Vulnerability Warriors meet EOL

Except that what you wrote isn't true. Cars for example are required to be supported for 10 years if I remember correctly. After 10 years they are no longer required to support them and are no longer required to do recalls for them. When was the last time you heard about a safety recall being performed on a 1978 Pinto?

Re:Vulnerability Warriors meet EOL

Was the router advertised as a medical device? If not, then it isn't the problem. Attacks can come from within, and usually do.

The feudal wall and moat security model is dead, but lots of IT doesn't want to hear it. People still run firewalls, instead of just securing the OS to do nothing with packets to unused ports.

Re:Vulnerability Warriors meet EOL

[Virtucon]

Other industries, such as cars, if the product you shipped has a serious design flaw then you have to recall and fix it, regardless of the product's age or if it is considered EOL. The same should apply here.

And that's up to the laws within a country. Change the laws, or simply just don't buy cheap ass routers.

Re:Vulnerability Warriors meet EOL

[cdrudge]

There is ZERO chance that said router is in a hospital with medical equipment hooked up to it. And who the hell cares if it's in a medical insurance office. Insurance offices don't provide medical services so zero lives are at risk.

Who rebrands them so we know who to avoid?

I hope we don't have a lot of cable ISPs rebadging this stuff...

At a guess, code this bad was probably ripped off from an open source project and backdoored intentionally.

Re:Does this mean it's the most unlocked router ev

Put my account information in? When did Quanta move to Nigeria?

Oh well, if this router pays for itself, sign me up!

What is worst

incompetence, or malice? Incompetence can be remedied, but with U.S manufacturers you know it's the latter, not necessarily by the hands of the manufacturers. I'll hedge my bets on hardware built outside of the U.S.

Slashdot has the most inintelligent editors!

Slashdot has the most inintelligent editors. They unthink more good ideas. When they do add commentary it is an intrue twist on the original article.

Re:Slashdot has the most inintelligent editors!

[jsh1972]

Slashdot has the most untelligent editors

FTFY

I've done worse - almost

[davidwr]

I made a router with no root admin password.

"Almost" because I didn't plug it into the interwebs :).

Oh, I guess it doesn't count that I started with a PC, two NICs, and a Linux distro. But hey, it ran Linux, so that counts for something.

But yeah, as a commercial product that is supposed to be run-able out of the box by an unsophisticated user, I expect it to be "fit for its purpose" - which means that at a minimum, it's security reflects industry best practices.

Recursive ungoodness

[jsh1972]

Those backdoors have backdoors in them!

Certified Best in Class

[theendlessnow]

Certified Best in Class by the FBI

Re:SLASHDOT APPLYING CENSORSHIP

[omnichad]

It's a dupe from yesterday -
https://yro.slashdot.org/story...

So maybe this is an improvement.

From apples to giraffes

[lhowaf]

The use of "from x to y," where x and y don't represent the start and end of a range of related items, is called a "false range." Lots of marginal writers use false ranges but this summary contains 3. That's like using everything from soup to dirigibles.