$10 Router, No Firewall Blamed In $80M Bangladesh Bank Hack (reuters.com)
Earlier this a year, a spelling mistake in an online bank transfer prevented nearly $1 billion heist at Bangladesh's central bank and the New York Fed. The hackers, however, still had managed to steal about $80 million. Bangladesh government blamed the New York Fed for not spotting the suspicious transactions earlier. As it turns out, they should also be taking some blame, if not all. An anonymous reader writes: Bangladesh's central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world's biggest cyber heists said. The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank's SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police's criminal investigation department.
There is no difference.
Consumer grade routers have a HUGE failing point (I haven't verified yet if it can be worked around by making/reflashing the bootloader to 'boot closed' or not.) In the event of a power outage, reinitialization of the router/switch bridges all ports. In the event the router/switch operating system doesn't come up the switch is left in 'dumb switch' mode store and forwarding all packets via all ports (unless the ethernet address is already in the 'dumb switch' cache.) The router/switch does not return to 'all ports closed' or 'configured settings' modes until the OS (in my experiments, linux) has initialized and booted all the way to userspace. In the even the OS is corrupted and never boots, or voltages were low enough during initialization to fail it into an unknown state, it also fails opens.
While this might not seem like a big deal for the average consumer, this is a huge potential privacy breach as well as security breach since intentionally 'blipping' the power grid where a desired consumer router is located (and not on ups) can allow you to kill firewalling between the router/switch and the network resulting in layer 2 access to a target network and thus the ability to map out target network topology, or provide false dhcp settings to computers on the network who automatically request network configuration when ethernet comes back up, also allowing you to gather suspected internal IPs by the DHCP renewal requests.
While this is a good example of the dangers of using some of this equipment at that level, it should really be broadened to a discussion of the perils of consumer grade equipment as a whole, and whether these issues are due to dangerous defaults in hardware or simply software level misconfiguration (opening all ports by default in the bootloader.)