Slashdot Mirror


Quanta LTE Router May Be Most Unsecure Router Ever Made (softpedia.com)

An anonymous reader writes: LTE routers made by Quanta Computer Incorporated, a Taiwanese hardware manufacturer, are plagued by over twenty major security flaws ranging from backdoor accounts to remote code execution bugs, from hardcoded SSH keys to undocumented diagnostics pages, and from weak WPS PINs to network eavesdropping functions. As the researcher explains: "A personal point of view: at best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor." The vendor has not fixed any of these issues even after almost four months.

51 of 76 comments

  1. So. by rmdingler · · Score: 3, Funny

    The router equivalent of your recorded answering machine message, "Leave a message; we're in Disneyland and you're not!"

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:So. by Thanshin · · Score: 5, Insightful

      The router equivalent of your recorded answering machine message, "Leave a message; we're in Disneyland and you're not!"

      The recorded message would rather have to be:
      "Leave a message; we're in Disneyland. If you're Bob, we left the door open so you can water the plants. Don't worry about the alarm. We changed the passcode to "1111" before turning it off, in case you turn it on by mistake. While you're there, could you check all the money is still on the big desk? We put it there so you could check faster, but now we're worried the wind may have pushed it outside the window. (we left the windows open in case the dog we lost five years ago comes back.)"

  2. At least... by BradleyUffner · · Score: 4, Funny

    But at least it's locked down so you can't install any custom firmware and mess with the power levels!

  3. Definition of unsecure by Thanshin · · Score: 2

    A steel chain with twenty wooden links is still stronger than a steel chain with one paper link.

    A router with no access control whatsoever is less secure than the given example.

    1. Re:Definition of unsecure by Thanshin · · Score: 3, Interesting

      Counterarguments:

      A steel chain with steel painted wooden links is way more dangerous than a steel chain with a clearly visible paper link.

      A router identified as having no access control is way safer than a router which is expected to be secure.

    2. Re: Definition of unsecure by Thanshin · · Score: 1

      What I'm arguing is that security shouldn't be evaluated by "volume of flaws", but by "size of the largest flaw".

      For my argument I used a chain to recall the clear fit to this situation of the classic proverb "A chain is only as strong as its weakest link".

    3. Re: Definition of unsecure by gstoddart · · Score: 1

      From the sounds of TFS, the "size of the largest flaw" is the sheer volume of flaws; this router sounds like it's pretty much garbage.

      Semantics about which aspect of it is shittiest seems pointless when the whole thing is a steaming pile of a turd of bad security.

      --
      Lost at C:>. Found at C.
    4. Re: Definition of unsecure by omnichad · · Score: 1

      Once you replace the firmware, you're getting rid of all of the security vulnerabilities native to the device.

    5. Re:Definition of unsecure by jellomizer · · Score: 1

      Well, I would feel safe if it is connected to one of these Canadian ones.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    6. Re: Definition of unsecure by Grishnakh · · Score: 1

      I don't understand what you are arguing here. Why don't we just skip the paper/wood/yarn chains and just use a proper steel chain right from the start, specifically, one where you are allowed to inspect the links and upgrade them to titanium if you so wish?

      1) Because people don't care about security, they just want whatever's cheapest and seems to work.

      2) Because titanium would be worse than steel if you just tried to use them as a drop-in replacement. Titanium isn't as strong as steel volumetrically, so by replacing a steel link with a titanium one (of the same size, which is necessary for it to be a drop-in replacement), you're putting a weak link there which will break. You could theoretically make a titanium chain that's as strong but lighter than a steel one, but it won't be the same size, it'll be bigger/thicker. However, titanium also doesn't have the hardness that steel does, so it would wear much faster. A quick Google search seems to back this up: hardcore cyclists do have titanium chains available to them, but they're horrifically expensive and don't last very long, so they only make sense on all-out racing bikes where they'll replace the chain after every race.

  4. I'm all for language changing over time by H3lldr0p · · Score: 1, Insightful

    But "unsecure"? Seriously? Was this writer not aware of the commonly available "insecure" which, I'm guessing since that's a new word to me, means almost the exact same thing??!

    I could get down with "unsecurable", a device that goes out of its way to keep me from making it more secure than it started out as. There's nothing "insecurable", unless you're some sort of monster trying to spread insecurities to the general populace.

    Com'on editors, you've got one job to do. Why not do it well?

    1. Re:I'm all for language changing over time by Anonymous Coward · · Score: 4, Funny

      Slashdot Headline May Be Using Most Unpossible English Ever Made

      News at 11

    2. Re:I'm all for language changing over time by Jason+Levine · · Score: 3, Funny

      You want the editors to do their jobs? That's unpossible!

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    3. Re:I'm all for language changing over time by Thanshin · · Score: 1

      I was about to say the same, but it could hurt the editors' unsecurities.

    4. Re:I'm all for language changing over time by wonkey_monkey · · Score: 2

      I'm all for language changing over time

      Shush then.

      "Insecure", to me, is far more commonly used to mean "lacking in confidence." If the editors had gone with that, there'd be dozens of posts mocking the choice and insisting that all the router needs is to be told it's beautiful.

      Someone who is insecure has insecurities. Something which is unsecure does not have unsecurities.

      "Unsecure" has come to take "insecure"'s place since "insecure" gained its psychological connotations (which may have happened around 1980, when "unsecure" started gaining in popularity). So blame psychiatrists.

      --
      systemd is Roko's Basilisk.
    5. Re:I'm all for language changing over time by DarkOx · · Score: 2

      English does not really have many rules, and only descriptive, not prescriptive, dictionaries. You understood the writer's intent; communication was successful. So I would say to you "get over it."

      That said I agree your usage is preferable. The faulty device is insecure.

      I don't think it would be wrong to say, "The house has been left unsecured."

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    6. Re:I'm all for language changing over time by squiggleslash · · Score: 1

      So we need to make up words to prevent others from making very obvious jokes based upon puns?

      BTW "secure" has the same psychological connotations. Just saying...

      --
      You are not alone. This is not normal. None of this is normal.
    7. Re:I'm all for language changing over time by wonkey_monkey · · Score: 1

      No, we re-adopt words ("unsecure" has been around since the century before last) when other words gain new meanings and leave a gap to be filled, or as new technology and new concepts become more prevalent.

      BTW "secure" has the same psychological connotations. Just saying...

      True, but not to the same extent as "insecure." You might ask someone if they were insecure, but you probably wouldn't ask (meaning the exact opposite) if they were secure.

      --
      systemd is Roko's Basilisk.
    8. Re:I'm all for language changing over time by LQ · · Score: 1

      An unsecured system is insecure. If you look at a dictionary for "insecure", it will give different definitions for when applied to people and things.

    9. Re:I'm all for language changing over time by KGIII · · Score: 1

      > I don't think it would be wrong to say, "The house has been left unsecured."

      Nor should you. That's correct usage. Just like unsecured loans.

      --
      "So long and thanks for all the fish."
    10. Re:I'm all for language changing over time by wonkey_monkey · · Score: 1

      Please stop trying to educate people until you understand how the language actually works.

      The English language works based on what words people use, and apparently they use "unsecure" more than "unsecured" these days. There's no central authority to appeal to. You can deny the existence of the word "unsecure" if you want, or a particular meaning of it, but it's a bloody useful one to have around. And it has a subtly different meaning to "unsecured" in this context.

      --
      systemd is Roko's Basilisk.
  5. Re:Does this mean it's the most unlocked router ev by pushing-robot · · Score: 3, Funny

    Yes! You have complete power, and so does everyone else! It's all part of Quanta's new paradigm holding-hands sharing culture!

    (Say... does anyone know how this /. shilling works? Do I just wait for my check now?)

    --
    How can I believe you when you tell me what I don't want to hear?
  6. About time? by TheReaperD · · Score: 3, Interesting

    Isn't it about time for manufacturers to face civil and potentially criminal penalties, plus recalls, for shipping insecure and faulty electronic products like every other product industry? Until it is less expensive to ship a secure (understanding that nothing is perfectly secure) product than it is to pay fines, penalties and recalls, vendors will continue to ship faulty and insecure products. Right now they know that it will cost them little to nothing to deal with insecure and faulty products, so they do so with impunity and we get stuck with the crappy products in the end, with the only possible recourse being an expensive class-action lawsuit that will take years and net those affected very little in the end. The class actions tend to be very hard to win as there's very little case precedent for the owners of insecure products. People don't want to be the first ones to risk millions in legal fees and lawyers to set the initial precedent.

    --
    "Be particularly skeptical when presented with evidence confirming what you already believe." -
    1. Re:About time? by Joe_Dragon · · Score: 1

      And criminal penalties means it's for the CEOs and VPs. Or maybe give the coders / IT staff PE powers. So they can tell their boss to F* off and say I'm not signing off on this rushed code with no QA testing.

    2. Re:About time? by TheReaperD · · Score: 1, Redundant

      The router market is probably one of the areas of technology that needs regulations and penalties the most. The total cost of having these insecure products on the marketplace far exceeds any benefit we get from cheap routers. These routers make it far too easy to gain access to personal data, launch DDoS attacks, replicate viruses and host criminal data with no trace, which all hurt the internet as a whole. The only agency that seems to have any real authority over them is the FCC, and they don't tend to deal with quality control of specific equipment, much less security. The CPSC is probably the most appropriate agency of existing ones to deal with it, but they don't seem to consider themselves in charge of equipment like this either.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    3. Re:About time? by TheReaperD · · Score: 1

      I personally like the idea of whistleblowers getting a share of any fines levied so that it gives them incentive to report any issues that management swept under the rug.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    4. Re:About time? by Joe_Dragon · · Score: 1

      whistleblowers need to have full protection from hacking laws

    5. Re:About time? by geekmux · · Score: 1

      Such controls exist in the FAA and FDA regimes. I don't think the router market is willing to bear the costs. It all has to do with risk and the cost of mitigating it. It should be enough in the router business for low quality producers to be driven out of business.

      Low quality products exist because of low quality consumers.

      Unless you plan on enacting legislation to outlaw stupidity, low quality products will continue to thrive, and in some cases dominate the industry.

      When ignorance is the dominating factor, you have your answer as to what the true problem is. Good luck fixing that shit with legislation.

    6. Re:About time? by swb · · Score: 1

      Doesn't this create a moral hazard, where coders or QA testers have a perverse incentive to allow bad code to get established and then blow the whistle?

      I think sometimes "bad projects" can take on a life of their own if they're allowed to get past some initial starting point. It reaches some critical mass where shared complicity, scale and external expectations cause it to seem unfixable without unjust blame, excessive work or external consequences.

      In some ways, it's like the citizens of a nation electing douchebags for decades and then complaining about government douchebaggery and wanting a prize for highlighting a problem.

    7. Re:About time? by gstoddart · · Score: 1

      Low quality products exist because of low quality consumers.

      Bullshit, low quality products exist because of low quality laws.

      What you're suggesting is the worst possible case of "caveat emptor" in which consumers are responsible for companies which make shitty products.

      That will NEVER SOLVE THE PROBLEM. Consumers don't have perfect knowledge, they may not have any knowledge.

      I'm not going to do engineering assessments of every product I buy to take responsibility for the manufacturer not making garbage.

      You don't outlaw stupidity, you outlaw companies making garbage products which aren't suitable for the purpose they're actually sold for ... you sure as fuck don't blame the consumer for low quality products.

      This is exactly why all those claims about "letting the market fix it" are bullshit, the market doesn't fix this kind of problem, because the market intrinsically assumes some greed, lying asshole can cheat and leave it up to the consumers to discover that.

      The market just assumes that a large amount of people with perfect information are making good decisions, which is a complete lie. And that's why the "free market" is utterly incapable of solving this kind of problem.

      --
      Lost at C:>. Found at C.
    8. Re:About time? by Joe_Dragon · · Score: 1

      An engineer that signs off on an unsafe design can be looking at some hard time.

    9. Re:About time? by omnichad · · Score: 1

      So all one would have to do after stealing from a company is admit that fault and disclose the vulnerability?

  7. Most unsecure? by Tyrannicsupremacy · · Score: 1

    Or least secure?

    --
    http://i.cubeupload.com/T6cyLu.png
    1. Re:Most unsecure? by wonkey_monkey · · Score: 1

      Most unsecure? Or least secure?

      Yes.

      --
      systemd is Roko's Basilisk.
    2. Re:Most unsecure? by Tyrannicsupremacy · · Score: 1

      Thanks.

      --
      http://i.cubeupload.com/T6cyLu.png
  8. Re:Does this mean it's the most unlocked router ev by Jason+Levine · · Score: 3, Funny

    Based on how Quanta makes their router, I think you post your bank account information and wait for the money to come rolling in.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  9. And sadly.... by Lumpy · · Score: 1

    The dipshits at that company refuse to give out any information so that OpenWRT or DD-WRT can be easily compiled for it. What is it with Chinese companies being stupid and not embracing a community doing all the programming for them?

    --
    Do not look at laser with remaining good eye.
    1. Re: And sadly.... by jsh1972 · · Score: 1

      That probably answers the question of if it was due to incompetence or a deliberate act by the vendor.

  10. The problem is written in the name! by LordHighExecutioner · · Score: 3, Funny

    Quanta routing is using Heisenberg's indetermination principle for routing, so their packets are both secure and insecure at the same time.
    Good old Newtonian routing policy can fix this.

  11. Vulnerability Warriors meet EOL by Virtucon · · Score: 3, Interesting

    From: https://pierrekim.github.io/bl...

    Mar 15, 2016: Quanta confirms the product is EOL and the released firmware was approved by the operator. Quanta can't modify or change without the customer's approval. Quanta does not have a plan to patch or change FW as the product is EOL. Quanta thanks Pierre Kim for the information and will consider the findings into our next product development in the near future.

    So then the vulnerability finder discloses, which is fine, but the product is EOL. Don't buy it, don't use it. As a rule, don't buy network routers from unknown or little-known manufacturers. It may be cheap now but it'll cost you eventually.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:Vulnerability Warriors meet EOL by TheReaperD · · Score: 2

      In other industries, such as cars, if the product you shipped has a serious design flaw then you have to recall and fix it, regardless of the product's age or if it is considered EOL. The same should apply here.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    2. Re:Vulnerability Warriors meet EOL by cdrudge · · Score: 1

      In other industries, such as cars, if the product fails craptastically, people can die. If a badly designed coffee pot malfunctions, people could be hurt or die. If a baby crib has a part that is found to be able to break off creating a choking hazard, a baby could die. All these types of events are already covered under existing laws/regulations by several different federal agencies (or by equivalents in many other non-US countries).

      If a router fails due to some massive security holes, no one dies.

      Keep a little perspective when considering what is a serious design flaw and how recalls for defects should be treated the same.

    3. Re:Vulnerability Warriors meet EOL by WhiteKnight07 · · Score: 2

      Unless of course that router is in a hospital or medical insurance office. Then someone very well could die due to incorrect treatment or lack of treatment.

      --
      We're going to make information free Mr. Anderson, whether you like it, or not.
    4. Re:Vulnerability Warriors meet EOL by Virtucon · · Score: 1

      In other industries, such as cars, if the product you shipped has a serious design flaw then you have to recall and fix it, regardless of the product's age or if it is considered EOL. The same should apply here.

      And that's up to the laws within a country. Change the laws, or simply just don't buy cheap ass routers.

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
    5. Re:Vulnerability Warriors meet EOL by cdrudge · · Score: 1

      There is ZERO chance that said router is in a hospital with medical equipment hooked up to it. And who the hell cares if it's in a medical insurance office. Insurance offices don't provide medical services so zero lives are at risk.

  12. I've done worse - almost by davidwr · · Score: 1

    I made a router with no root admin password.

    "Almost" because I didn't plug it into the interwebs :).

    Oh, I guess it doesn't count that I started with a PC, two NICs, and a Linux distro. But hey, it ran Linux, so that counts for something.

    But yeah, as a commercial product that is supposed to be runnable out of the box by an unsophisticated user, I expect it to be "fit for its purpose" - which means that at a minimum, its security reflects industry best practices.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  13. Re:Slashdot has the most inintelligent editors! by jsh1972 · · Score: 1

    Slashdot has the most untelligent editors

    FTFY

  14. Recursive ungoodness by jsh1972 · · Score: 1

    Those backdoors have backdoors in them!

  15. Certified Best in Class by theendlessnow · · Score: 1

    Certified Best in Class by the FBI

  16. Re:SLASHDOT APPLYING CENSORSHIP by omnichad · · Score: 1

    It's a dupe from yesterday -
    https://yro.slashdot.org/story...

    So maybe this is an improvement.

  17. From apples to giraffes by lhowaf · · Score: 1

    The use of "from x to y," where x and y don't represent the start and end of a range of related items, is called a "false range." Lots of marginal writers use false ranges but this summary contains 3. That's like using everything from soup to dirigibles.