One of the reasons we can't have nice things like a secure Internet is that vendors of consumer kit can't be bothered. That's the conclusion The Register reaches after listening to a presentation by HD Moore, author of Metasploit and now chief research officer at Rapid7, at the AusCERT 2013 security conference today. Moore told …
My Edimax wifi router came with Telnet and FTP ports open by default. I needed to enable SPI to close them but the instruction manual was extremely vague on this subject.
You cannot change the user name from "admin" but fortunately I had created a very long pass-phrase.
What gets me is a lot of this stuff sounds *very* easy to get right
And once got right to simply replicate in your next project.
And the project after that.
I wonder if these developers would pay more attention (or any attention) if their home systems got invaded?
Just incredibly sad.
Re: What gets me is a lot of this stuff sounds *very* easy to get right
Probably not developers deliberately avoiding the problem, but a combination of lack of time, lack of experience, lack of sleep and forced use of certain elements by management.
Well I recently had an interview at an appliance vendor
They seem to believe that networks can somehow be secure, their TCP/IP stack is a custom one running on a microcontroller too small to run Linux.
The big problem is that we are used to having our systems designed by people who know about networking since they are experienced with some form of unixoid system. However there is currently a wave of new devices coming from people to whom the idea of a port-scanner is novel and undocumented protocols are secure... since nobody could exploit a protocol they don't know about.
The problem is, as long as there is nobody who does it right, we will never see any decent solutions.
It is part of the lack of deep understanding problem...
Stats tell you the vast majority of "new" embedded widgets are leveraging both Linux and to a lesser extent the reference microcontroller implementation provided by the industry.
So to a certain extent the view is "port linux (which is probably already done) and put our stuff on it; ship". The time to market is quite short - so the QA and field test part of it is just missing.
The vendors quite quickly move onto a new product - possibly with an entirely different team developing the solution. So there tends to be a little amnesia in the corporate "memory" and each thing is a bit of a separate miracle.
Some of our international students have very interesting things to say about how this stuff is actually done!
Investing a little time in finding hardware that supports OpenWRT or OpenEmbedded takes time and maybe a little bit more money, but I feel a little safer because of it.