Hacker backdoors Linksys, Netgear, Cisco and other routers

The new year begins as the old year ended: with yet more vulnerabilities turning up in consumer-grade DSL modems. A broad hint for any broadband user would be, it seems, to never, ever enable any kind of remote access to the device that connects you to the Internet. However, the hack published by Eloi Vanderbeken at github, …

COMMENTS

  1. Anonymous Coward

    "alert the victim that something had happened"

    "the crash and resulting reset to default passwords would at least alert the victim that something had happened"

    From a naive point of view, an interruption in service due to a factory reset is indistinguishable from any other brief interruption in service.

    How many SoHo routers ever have anything (passwords or anything else) changed from factory default anyway?

    Is it Sercomm's fault that the vendors selling this stuff don't check for problems like this?

    1. the spectacularly refined chap

      Re: "alert the victim that something had happened"

      But surely a factory reset would also nuke the account name, password, VCI and other settings needed to reconnect? That alone is different since it will need actively fixing. It also makes it useless as an attack vector for anyone coming in from the outside.

      1. dan1980

        Re: "alert the victim that something had happened"

        ". . . makes it useless as an attack vector for anyone coming in from the outside."

        That's what I was thinking!

        It's not even useful for breaking into a WLAN because you'd have to be on the network to access the device, in which case, why reset it?

        Still, it's entirely possible this vulnerability might lead to other, more useful attacks.

        1. Matthew1471!

          Re: "alert the victim that something had happened"

          As commented, the factory reset is one of the many options.

          On some of the devices it is accessible from the outside.

          I see many issues/options even from the inside:

          #1 I may grant you access to my Wireless network but that doesn't mean I want you to recover the password to my devices?

          #2 Same as above but you could on some routers obtain the username and password I use with my Internet provider / dynamic DNS.

          #3 I may grant you access to my "guest" WiFi, you could use that as a launch pad to then get my main WiFi password and/or communicate with my other devices.

          #4 You could just plug something into my router and obtain my WiFi password despite me not actually having given it to you.

          #5 Say I am a business providing you with free WiFi, I don't exactly want you to login to my access point and screw around with any of the settings...

      2. Anonymous Coward

        Re: "alert the victim that something had happened"

        "It also makes it useless as an attack vector for anyone coming in from the outside."

        Unless you flash it with modified firmware, such as one that captures the credentials of the IT guy that tries to fix it. When he sees that it's set to factory, he'll log in with the default password, upload the settings, set the admin password, log out and back in to make sure it's working. At which point your firmware sends the captured credentials to you.

        1. the spectacularly refined chap

          Re: "alert the victim that something had happened"

          Unless you flash it with modified firmware, such as one that captures the credentials of the IT guy that tries to fix it. When he sees that it's set to factory, he'll log in with the default password, upload the settings, set the admin password, log out and back in to make sure it's working. At which point your firmware sends the captured credentials to you.

          Yes, but to do that you've got to factory reset it first. After the reset it is unable to reconnect to the Internet. How do you install the new firmware from that very network it is no longer connected to?

          Even on the LAN I'm struggling to see the point in 99% of networks this grade of device applies to: you already have free roam of the LAN, so what is the point of disconnecting yourself from other networks? The only rationale there that I could see would be to temporarily alter inter-VLAN routing. Provided, of course, you could hit on correct settings to make the network operate at all after the reset. In any case, how many home networks operate multiple VLANs? Bear in mind most home routers don't even offer the option.

          1. Anonymous Coward

            Re: "alert the victim that something had happened"

            > Yes, but to do that you've got to factory reset it first. After the reset it is unable to reconnect to the Internet. How do you install the new firmware from that very network it is no longer connected to?

            I could be wrong but I seem to remember that I merely had to connect my router to the modem and Ethernet connected devices were able to get an IP via DHCP. I would only notice this because the wifi settings would be gone. And then I'd probably also assume it's just an ordinary fault.

          2. Matthew1471!

            Re: "alert the victim that something had happened"

            "Yes, but to do that you've got to factory reset it first"... not accurate. Most routers/access points I have updated do not factory reset after a firmware upgrade. The config is often stored in a different location to the firmware.

          3. Anonymous Coward

            Re: "alert the victim that something had happened"

            FTA

            "In particular, the backdoor allowed him to brute-force a factory reset without providing a password – meaning that on his next login, he had access to everything."

            "Yes, but to do that you've got to factory reset it first. After the reset it is unable to reconnect to the Internet. How do you install the new firmware from that very network it is no longer connected to?"

            If you only mean "outside" to be the wired side coming in from the internet through the DSL modem, then no, the wireless device might not be connected to the internet.

            However, since we're talking wireless devices, "outside" can be the public facing wireless. Once you do a factory reset, you can then connect, via wireless, to configure the access point. You might still not be able to connect to the wired LAN on the "inside", though it might be easy to guess the IP/gateway info and connect.

            So yes, you could upload firmware, and target admin credentials.

      3. 's water music

        Re: "alert the victim that something had happened"

        > But surely a factory reset ... also makes it useless as an attack vector for anyone coming in from the outside.

        Factory reset is only what the researcher managed to work out from reverse engineering code. Presumably there could be other more flexible functions associated with traffic on the listened-for port.

        1. Anonymous Coward

          Re: "alert the victim that something had happened"

          Indeed,

          More interestingly, how about pulling out our critical VCI and configuration information through the same port and then re-instating the original desired settings over a re-initialized default configuration? The user would only know about it when their admin password stops working.

          I guess it all depends on what other router features are accessible through this backdoor. More research please, or links....

          Or imagine it, if you will.....

          1) Remotely penetrate router through the backdoor.

          2) Remotely pipe out the router configuration, perhaps using the default config backup utility.

          3) Install the dump on the same model and / or crack the current admin password offline. If I recall correctly, the admin password stays inside the config dump on most models and can be restored but not easily read.

          4) But I also suspect a good brute force dictionary attack would make mincemeat out of most SOHO wifi passwords.

          5) And don't forget to enable the remote maintenance feature before you leave.

          6) Whoo hooo!, now we don't even need no stinking backdoor. And all a whole lot stealthier.

          Why we might even be able to get some government funding for this project, if we can talk to the right people at Fort Meade.

          Anon, because I really do worry about these things more than I used to.

      4. Tom 13

        Re: factory reset would also nuke

        For the listed exploit yes, but there might be other exploits that aren't so In Your Face. Which is why neither chip vendors nor device manufacturers should ignore a thorough security review of their products.

      5. Matthew1471!

        Re: "alert the victim that something had happened"

        The factory reset is one of the options a user has. On most devices the port is not internet accessible thankfully, so an attacker would have to be on your local network.

        However on *some* of those affected devices they don't need to be.

        Test yours to be sure. It's easy to see if you can telnet (if you don't feel up to running the Python script that he's provided) to your public IP on that port from another Internet connection.
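      A defender-side version of the "telnet to your public IP on that port" check from the post above, as an added example that is not part of this thread and not the researcher's script: it only asks whether a host completes a TCP handshake on port 32764 and never sends anything, so it cannot trigger any of the functions the thread describes. The function names, the stub listener used to exercise it offline, and the 192.168.1.1 default address are all assumptions made for the example.

```python
"""
Added example (not from the thread or from the researcher's proof of concept):
a read-only reachability check for TCP port 32764, the port discussed in the
thread.  Run it against the router's public IP from a different Internet
connection, as suggested above, or against the LAN address to see whether the
port is exposed internally.  It performs a plain TCP connect and sends no data.
"""
import socket
import sys
import threading

BACKDOOR_PORT = 32764  # the port named in the thread


def port_accepts_connection(host, port=BACKDOOR_PORT, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    Closed (refused), filtered (timeout) and unreachable all return False;
    the reason is written to stderr so the reader can tell them apart.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except socket.timeout:
        print(f"{host}:{port} filtered (no answer within {timeout}s)", file=sys.stderr)
    except ConnectionRefusedError:
        print(f"{host}:{port} closed (connection refused)", file=sys.stderr)
    except OSError as exc:
        print(f"{host}:{port} unreachable ({exc})", file=sys.stderr)
    return False


def audit(hosts, port=BACKDOOR_PORT):
    """Check several addresses (e.g. LAN side and WAN side) and return {host: bool}."""
    return {h: port_accepts_connection(h, port) for h in hosts}


def start_stub_listener():
    """Constructed stand-in for a device that answers on a port (assumption: test-only).

    Binds 127.0.0.1 on an ephemeral port, accepts and immediately drops each
    connection, and returns (port, server_socket).  Stop it with stop_stub_listener().
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was shut down
            conn.close()  # a completed handshake is all the check needs

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def stop_stub_listener(srv):
    """Shut the stub down so the accept loop exits and the port is released."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def unused_local_port():
    """Return a local port number that nothing is currently listening on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Default target is a common router LAN address (assumption); pass your own.
    targets = sys.argv[1:] or ["192.168.1.1"]
    for host, is_open in audit(targets).items():
        verdict = "OPEN - investigate" if is_open else "not reachable"
        print(f"{host}:{BACKDOOR_PORT} {verdict}")
```

A "filtered" result from the WAN side is what you want to see; "OPEN" from the WAN side means the port is exposed to the Internet, and "OPEN" from the LAN side means anyone on your network (including guest WiFi, if it is bridged) can reach it. The stub listener exists only so the check can be exercised offline and is not a model of the device.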

    2. Mephistro

      Re: "alert the victim that something had happened"

      I've seen several SOHO routers 'spontaneously reset' over the years. When asked about it by the user my explanations included crappy electronics and/or crappy electric supply. In the end it was just crappy electronics, he he. One out of two...

      1. M Gale

        Re: "alert the victim that something had happened"

        There's a few ISPs out there whose authentication procedure is "ah, you're coming from that wire. You must be genuine."

        In that case, a router would not have a username or password (or copied MAC address) to reset.

        1. mad physicist Fiona

          Re: "alert the victim that something had happened"

          There's a few ISPs out there whose authentication procedure is "ah, you're coming from that wire. You must be genuine."

          Perhaps on cable, but nowhere for DSL modems. That's the wonder of local loop unbundling, DSLAMs and MPLS. Without the correct virtual circuit indicator (not set by default, except possibly for ISP own-brand - as opposed to ISP supplied - stuff) it has no idea where to go. VCI 0 is generally a BT Openworld default "Your router is misconfigured" thing.

          1. Anonymous Coward

            Re: "alert the victim that something had happened"

            "There's a few ISPs out there whose authentication procedure is "ah, you're coming from that wire. You must be genuine."

            Perhaps on cable, but nowhere for DSL modems."

            Er, sorry, but BT Retail (probably UK's biggest ISP, regrettably) used to use nothing but the circuit ID for authentication, courtesy of BTWholesale's CentralPlus service. This was prior to the days of BT's 21CN, which may have changed matters somewhat.

            Quite a few modem/routers claim to have a "smart" connect process which allegedly autodetects the appropriate VCI/VPI for common providers; whether it's invoked automagically after a reset is a different question.

            " VCI 0 is generally a BT Openworld default "Your router is misconfigured" thing."

            When did OpenWorld cease to exist?

      2. VinceH

        Re: "alert the victim that something had happened"

        "I've seen several SOHO routers 'spontaneously reset' over the years. When asked about it by the user my explanations included crappy electronics and/or crappy electric supply. In the end it was just crappy electronics the NSA exploiting this hole..."

        FIFY!

    3. Fink-Nottle

      Re: "alert the victim that something had happened"

      If you look at the linked slides, it seems the researcher inadvertently reset the factory defaults when brute forcing port 32764. However, it seems that prodding the port gently can dump router passwords, set wlan_mgr_enable=1 and other nasties that do not necessarily alert the victim to potential LULz.

    4. Matthew1471!

      Re: "alert the victim that something had happened"

      The article is slightly wrong, the backdoor allows several options of which factory resetting is one of them.

      They're listed in the presentation and source code for the proof of concept but ...for the non-technical or those who struggled to read it:

      #1. Output all of the settings, all of the usernames, all of the passwords for the device.

      #2. Read just one specified setting/username/password.

      #3. Set one specified setting/username/password just while it's running ("apply").

      #4. Save all the settings that are currently set so they persist a reboot.

      #5. Join the network as if you are not connected to the Internet but another router.

      #6. Output how fast we currently think our Internet or network connection is.

      #7. Allow me to run any Linux (busybox) command I want on this device.

      #8. Store a file on the device.

      #9. Write what version of the software we are running.

      #10. Write out our IP address.

      #11. Factory reset. Lose all settings.

      #12. Read the memory contents of the device.

      #13. Save the memory contents to disk.

      The researcher tried all the options and accidentally hit on #11.

      I wished this had been responsibly disclosed to the manufacturers before it was given to Github, Hacker News and Reddit but now it's out there I hope it helps people who have the same devices know that an update to their device is probably coming that they will need to apply.

    5. Rick Giles

      Re: "alert the victim that something had happened"

      "Is it Sercomm's fault that the vendors selling this stuff don't check for problems like this?"

      You seem to forget that the reason they outsourced this in the first place was so they wouldn't have to hire programmers for the project...

  2. Anonymous Coward

    Hmmmmm

    I wonder if Sercomm is funded by the NSA?

    1. Captain DaFt

      Re: Hmmmmm

      "I wonder if Sercomm is funded by the NSA?"

      And if so, did they supply parts for UAE intelligence satellites as well? :)

    2. Wzrd1

      Re: Hmmmmm

      At least you spotted the common denominator, the vendor making the hardware, rather than the various companies who contracted that hardware from that vendor.

      As it's a company rooted in Taiwan and Taiwan is still sore with the US over the "one China policy", I strongly suspect not.

      I actually wonder if there may be a PRC root in there.

      Still, Hanlon's razor must apply.

      That a dumb fuck engineer left the back door in on production units is the most likely.

      Besides, what benefit would the NSA have in trashing your router configuration? Especially since between them, the PRC, RBN, various other state run organizations all own the network routing points, your traffic is already theirs to begin with.

      Or do you honestly think that it's *only* the UK and US doing that?

      I know as a fact it most certainly is not.

    3. Matthew1471!

      Re: Hmmmmm

      Doubt it. It's more than likely just a diagnostic mode left into shipped products. A lot of the modes offered are useful for diagnostic purposes when you are developing a device and don't really serve any other purpose.

  3. Anonymous Coward

    My router hack is cheaper and foolproof

    Beat the owner of the router within an inch of his life with a lead pipe, and force the password out of him.

    Only about $3 dollars for a new piece of pipe (free if used). Or a $5 wrench will do (http://xkcd.com/538/).

    100% effective (unless he has a bigger pipe, handgun, guard dog, etc).

    1. Anonymous Coward

      Re: My router hack is cheaper and foolproof

      Doubt it would be 100%. Might kill the guy, or the guy fights you back, forcing you to KO or kill him. Either way, you leave empty-handed and at risk of elevated charges.

      1. Tom 13

        Re: risk of elevated charges.

        YMMV, but in these parts so long as you didn't cop to wanting his password it would probably be lesser charges, at least in terms of actual time served.

    2. Wzrd1

      Re: My router hack is cheaper and foolproof

      Lead pipes tend to have lethal effects.

      Now, a fine old fashioned telephone ring generator can make even the dumb sing like a canary.

      Or a dissected photo strobe unit.

      Or, the old US standby, waterboarding, which is not a torture per those who never experienced it.

    3. Justin Stringfellow

      Re: My router hack is cheaper and foolproof

      This is known as a 'rubber hose' attack.

      http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis

  4. William Boyle

    Not likely

    Most users of this gear will not have any idea why their system has gone snafu, and a knowledgeable hacker will restore the system to a functional state pdq, so the user will likely be oblivious as to why their internet was down for awhile - likely that it was an ISP issue! Still, if the attack was done at an appropriate time (really late at night / early in the morning), then the target may NEVER realize that they were hacked, and only know there was a problem when they try to access the management web interface of the device at some future time. FWIW, I am a senior systems engineer at a major corporation, and have been working with many such devices over many years. I probably access my personal router's management interface once every 3-6 months...

    1. Eddy Ito

      Re: Not likely

      "... a knowledgeable hacker will restore the system to a functional state pdq..."

      That would be fine for the average wired user but it is unlikely that the hacker would be able to replicate the wireless key assuming it was changed from the default and the user doesn't rely on the 'magic button' to join the network in the event of problems. Still, any wired devices such as a NAS box will be copied off rather swiftly, even more swiftly if the target is known and mimo is employed to its fullest.

    2. Wzrd1

      Re: Not likely

      Annoying:

      My router incessantly reboots, up to five times per day.

      Second unit, which rebooted twice as often.

      Compromised hardware? Not likely.

      More likely, it's a POS design, whose engineering team should be horsewhipped over, but more likely got bonuses for saving money in their shitty design.

      I say, shoot the lot of them! Right out of the biggest circus cannon one can find and straight into the composting pond of the nearest sewage treatment plant.

      OK, not really. I'd suggest sacking them, but even money, they were long ago downsized and outsourced.

      1. Matthew1471!

        Re: Not likely

        There's one well known manufacturer which had "802.11 pre-n" devices that when they got a little too warm (which was caused by themselves) they'd reboot. Having had to play with one I vowed to never buy one of their products again and haven't.

        You get a feel after a while for which manufacturers are trustworthy or not. Vote with your wallet and make sensible recommendations to your friends/colleagues.

        I was quite surprised that SerComm actually were outsourced by some of the big names to make some of their products.. would have thought the big names had their own expertise.

    3. JohnG

      Re: Not likely

      "Most users of this gear will not have any idea why their system has gone snafu, and a knowledgeable hacker will restore the system to a functional state pdq..."

      Most users would probably notice that their router had lost the settings required to login to their ISP and the hacker would not be able to replace them because they would have been disconnected as soon as the router rebooted with default settings and because the hacker would not have the necessary ISP account details in the first place.

    4. Tom 13

      Re: Not likely

      I'd notice as soon as neither my laptop or tablet would connect. Not sure about the roomie's iPad and Mac which are also on the wireless. They might auto-find an open network. But I very much doubt that after you've done a factory reset you'll be able to reset the original WPA2 key I set.

  5. Mark Eaton-Park

    Weird not one word of how the company ....

    ... that left a back door in their firmware is to be held responsible. These were not low end kit by the sounds of it, so it would be reasonable to expect a payout of some kind from the hardware manufacturer. The onus was on them to do minimal validation checks; clearly they didn't, so what's to stop them leaving holes next time?

    1. Matthew1471!

      Re: Weird not one word of how the company ....

      The vendors have been told AFTER this was posted online. They're having to play catchup. Feel rather sorry for them. They just outsourced the manufacture of some devices, now they're getting told there was a backdoor in them...

      Also a lot of Linksys products. Linksys was bought out ages ago. Belkin have now inherited this backdoor mess through no fault of their own.

  6. asdf

    easy peasy

    At least for the consumer (yes I understand Enterprise is a different beast) the easy way to avoid all this is before you buy a router or dsl modem always verify OpenWRT (or Gargoyle, or dd-wrt, etc) runs on it without issue and then the first thing you do after buying said electronics is get the factory firmware the fuck off the device. Not only will you greatly improve security but usually performance as well. Yes the NSA might have hacked that code base as well but at least being open to the public it can be audited.

    1. dan1980

      Re: easy peasy

      I know ignorance is not really an excuse, but a great many consumers don't know the difference between wireless networking and a wireless Internet connection - let alone understand the concept of firmware.

      Given that the concept, procedure and indeed the benefit of flashing the firmware is foreign to many people, your suggestion, while sound, amounts to Joe Consumer going from trusting a big name company to secure a device he doesn't understand to trusting some chaps on the Internet to secure a device he doesn't understand. While voiding his warranty in the process.

      I held onto my old WRT54G with DD-WRT for ages but it's not a solution for everyone - especially when you're not IT-savvy and your ISP refuses to help you (beyond suggesting you turn it off and back on) because you're using a non-standard device.

      It's quite easy to overestimate the IT abilities of the average person.

      1. Roger Greenwood

        Re: easy peasy

        Also:- It's quite easy to overestimate the IT interest of the average person.

    2. Gav

      Not easy peasy at all

      You have a bizarre idea of what "easy peasy" is.

      99% of consumers don't know or care what OpenWRT is. Or why they should trust the people who wrote it. Nor do they know/care what the advantages of OpenWRT are. Or how to put it on their router.

      And why should they?

      1. Anonymous Coward

        Re: Not easy peasy at all

        Indeed, and even the 'easy peasy' router firmware install can't happen until you're sure that your particular revision of your particular router/modem supports it. There's no chance of the average consumer even getting that far.

        1. asdf

          Re: Not easy peasy at all

          Sorry, poor choice of words. Consumer was not the word I meant to use, as has been pointed out clearly. Please substitute with IT nerd or a consumer with an IT nerd friend. I do agree that this is not something your average Joe Schmuck should be dealing with. More proof why it's beyond retarded to have the same agency both tasked with securing and weakening IT infrastructure. Especially when it's often military folks who tend to glorify the offensive a lot more.

          1. Gav

            Re: Not easy peasy at all

            I'm an IT nerd.

            I'm also a person who doesn't want to waste a day determining how to flash unsupported firmware onto my router, without bricking it, and then spend another frustrating day combing through online forums (supposing I can still connect to the internet) trying to fix the inevitable compatibility issues. Life is too short for that kind of nonsense.

            I really want my router to come equipped with minimal setup requirements and security built in.

            1. asdf

              Re: Not easy peasy at all

              >I'm also a person who doesn't want to waste a day

              If you can't figure out which router to buy and flash it in 15 minutes then you are no IT nerd. You may be too lazy to care but the technical aspect to it is trivial for any decent developer or even hack MCSE. With most commercial consumer firmware you can simply use the built in GUI to do the flash itself. Rarely do you need to do a 30-30-30 tftp flash anymore and even if you do that is trivial on most routers as well. Now I can agree with you once you get into JTAG land but that is more in firmware developer land itself than flashing common routers.

              > trying to fix the inevitable compatibility issues.

              The only compatibility issues I have ever seen have been with factory firmware itself like on my DSL modem. I have yet to see any wireless problems or instability but then again I did some research and made sure I bought a common good well supported by the community router.

              >I really want my router to come equipped with minimal setup requirements and security built in

              Which as this article shows largely requires you to do yourself if you want that. I don't think you know just how atrocious virtually all factory firmware is on these low end routers. But I can understand wanting it to just work without pissing about with it. I am like that with my car.

              1. Anonymous Coward

                Re: Not easy peasy at all

                "But I can understand wanting it to just work without pissing about with it."

                And therein is the industry's security/functionality argument summed up in one sentence.

  7. Anonymous Coward

    Well...

    ...where I'm from I can certainly see this attack working extremely well.

    The vast majority of ISPs here simply authenticate users by checking against the MAC address of their router/modem. To the ISP it's one less thing for the user to screw up and hence one less issue for the user to create and subsequently call the ISP to complain about.

    It also makes it easier for everyone when a given user chooses to change their router/modem. Simply call the ISP up, give them the new MAC address (which more often than not is printed somewhere very obvious on the appliance), and let DHCP take care of the rest.

    And as already mentioned, just about everyone isn't interested beyond getting their router up and running and as such most users will not notice much of a difference pre/post factory reset. Sure, WiFi might stop working... but they'll probably just try to log into their router with the default credentials which they never bothered to change in the first place to set WiFi up again and all's well in this world again. In their view at least.

    1. Anonymous Coward

      Re: Well...

      This won't work for any recent D-LINK wireless router. The firmware requires that a new admin password be set on first use, and the default is the one on the card that came with it.

      1. Anonymous Coward

        Re: Well...

        This assumes the password is unique for each individual router sold. Otherwise, a hacker could just build a table of known factory passwords and run through them if the list isn't too long.

        1. Tom 13

          Re: assumes the password is unique for each individual router sold.

          No such assumption is made, in fact quite the reverse. The assumption is the default password is the same on all of them, but it forces you to set one the first time you use it. Sort of like the old days when the standard default password on a new enterprise account was "password" and you reset it as soon as you logged in the first time.

          But the earlier poster is correct that most of the major ISPs in the US have converted to using the serial number or some such as the default password on a consumer router. First thing you should do is change it.

  8. Hans 1

    Factory reset only ?

    So the guy found this undocumented port and managed to use it for a factory reset ... I am sure the NSA have the specs & doc, they can probably change any setting on it, including forwarding ports ...

    Ask Snowden for the leaflet ...

    1. dan1980

      Re: Factory reset only ?

      "I am sure the NSA have the specs & doc, they can probably change any setting on it, including forwarding ports . . ."

      Perhaps they do have the details but why would they care? They've got much easier access to the information they need in much the same way that access to GPS data renders it pointless to put a tracking device on a car.

      There are, of course, potential attacks that could exist, as yet undiscovered, but regardless, it's more likely that it's just an oversight by the engineers who worked on it. Perhaps it was a partially implemented feature in some beta code, some internal 'backdoor' used for testing (like old school 'cheat codes' in video games) that just never got removed.

      Despite all the revelations of complicity in spying and invasions of privacy, I still fall back to my default position, which is to assume incompetence before malevolence.

      Isn't Sercomm a Taiwanese company anyway?

    2. Matthew1471!

      Re: Factory reset only ?

      Factory reset was one of many options available. Read the presentation or one of my summary comments. The Reg article is slightly incorrect in saying it always triggers a factory reset.

      I doubt it has anything to do with the NSA, it looks like it would have been useful for legitimate device testing and in most cases it's not even accessible via the Internet (only the local internal network).

  9. Destroy All Monsters

    Yeah, well

    My router here, (the name of which sounds either like a Nasty German from a bad WWII movie or an electric interference) has two ports open to the Internet that are not particularly well documented (i.e. not at all), apparently for "maintenance purposes" by the ISP. Am I happy about this? Hell no. Did I close them? I tried. Turns out it is impossible for one of them. Pretty sure the overpaid "maintenance engineer" from the ISP will give me an earful and threaten "fines" when he next shows up. Can I replace the crud with something acceptable? No, the Incumbent Operator (tm) has a special sauce protocol and configuration that can only be applied by him to exactly that hardware. What do?

    Does anyone take consumer security seriously?

    No. Here is a two-year contract instead. F*ck you.

  10. Anonymous Coward

    Simple solution

    Don't use a single device. If you use one of those combo modem/wireless router devices for everything you deserve what you get - especially if it is provided/managed by your ISP.

    Turn off the modem's wireless and get your own wireless router, and install DD-WRT on it. Then you don't care so much if the modem (or DD-WRT) have a backdoor, so long as both don't. Even if both do, an automated attack is unlikely to get through both.

    Yeah yeah, I know, preaching to the choir here at El Reg. Most who are reading this already know this and do this. The average person gets a device from their ISP and it has a button that enables wireless that's automatically configured, so they do that because it's easy. These are the people who will get their bank details stolen by hackers once this attack is scripted.

    1. Anonymous Coward
      Anonymous Coward

      Re: Simple solution

      I think we're all aware that this would be better to do in theory - but I don't in practice. And I'd wager that many here don't bother with this, either.

      Why? I don't have the room or inclination to run another device. At home, I like to keep my IT estate as physically minimal as possible, and using as little power as I can get away with.

      I don't think it's unreasonable to expect a duty of care from router manufacturers. Some sort of legal mandate to fix howlers going forward for a set, reasonably defined service life of the device, would be fair, I think. I bet this might even result in firmware being more robustly tested for SNAFUs before it's as much as considered for release.

      I daresay that for most, with good encryption and WPS off, etc, the vast majority are perfectly alright with their built-in wireless AP.

      1. Anonymous Coward
        Anonymous Coward

        Re: Simple solution

        Use as little power as possible? An additional device draws what, maybe 10 watts? I'm all for not wasting power unnecessarily, but anyone who is serious can save a lot more energy by adjusting their thermostat a single degree.

        Why single router manufacturers out for a duty of care? How is it different than the security of software on our phones or in our cars? The idea of fixing firmware for a few years is a nice one, but how many people upgrade their firmware? Sure, they can make it automatic, but man that sure is an inviting target for hackers if they could break it - hacking the URL where it checks for updates or hijacking the DNS of a big ISP to point that URL elsewhere. I'd sure as hell turn off automatic updates on a modem or router!

        I've always used two devices because my DSL modem, like almost all DSL modems, runs proprietary software. I do manage my own at least, so I'm up on others in that respect, but it is way too useful to be able to have proper control and security of your wireless device to leave it up to the updates of a manufacturer. In many cases, it works like Android updates and you have to get them from your carrier because they've hacked them to not accept "generic" firmware updates. I can't believe anyone with a clue about IT and security would allow themselves to live in such a situation to save a measly 10 watts and a 1/20th of a cubic foot of space.

        1. Charles 9

          Re: Simple solution

          If I wanted to do automated updates, I'd use HTTPS using an unpublished key. The devices would carry the public half of the key. If the hackers obtain it, oh well, because they can't hack the update system without the private key that never leaves the facility. I don't recall there having been many private key thefts of late.

          1. Anonymous Coward
            Anonymous Coward

            Re: Simple solution

            The private key has to be present on the system that's getting the HTTPS requests to be able to authenticate the public key in the router. The next time there's a vulnerability found in the web server software being used, hackers will grab the private key.

            I think encrypted/signed updates would be the way to go, now that routers have enough CPU power to deal with that. Then social engineering is the biggest risk - dangle an untraceable payoff (Bitcoins, perhaps?) to people on the inside and one might bite and give you the key to allow you to sign a hacked update, then you use the other pieces in the puzzle (hacked HTTP server and/or exploited DNS servers at $BIGISP). You can only raise the bar for the attack, not eliminate it.

            1. Charles 9

              Re: Simple solution

              "The private key has to be present on the system that's getting the HTTPS requests to be able to authenticate the public key in the router. The next time there's a vulnerability found in the web server software being used, hackers will grab the private key."

              Such a server wouldn't have to be sophisticated. Such a setup I would hope to make as simple as possible to limit possible avenues. For example, if I could, I wouldn't use SQL in it. Also, perhaps you can run the process through a closed cryptosystem such that the web server never knows the key but shuttles data through a black box (which the server, and thus the malware, can't otherwise reach).

              That just leaves session hijacking, but we're seeing ways to mitigate that.
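
The update-signing scheme argued over in this sub-thread (public key baked into the router, private key that never leaves the facility, so a hijacked update URL or poisoned ISP DNS can only serve images the device will refuse), as an added example that is not code from the thread, from the article or from any router vendor. Ed25519, the manifest layout and the version numbers are my assumptions; the firmware image is a constructed stand-in. The anti-rollback check is the caveat worth adding: a signature alone does not stop an attacker from re-serving an old, validly signed image with a known hole.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed sample firmware image; a real one would be the flash blob.
var sampleImage = []byte("FWIMG: constructed sample firmware image, not a real build")

// Manifest is what the offline signer actually signs: a monotonic version
// (for anti-rollback) plus the SHA-256 of the image. Signing a digest means
// the bulky image never has to touch the signing host.
type Manifest struct {
	Version uint64
	Digest  [sha256.Size]byte
}

// bytes serialises the manifest deterministically: 8-byte big-endian version
// followed by the 32-byte digest. Both sides must agree on this layout.
func (m Manifest) bytes() []byte {
	out := make([]byte, 8+sha256.Size)
	binary.BigEndian.PutUint64(out[:8], m.Version)
	copy(out[8:], m.Digest[:])
	return out
}

// SignedUpdate is the bundle the download server hands out. The server only
// stores it; it never holds the private key, so compromising it (or the DNS
// that points routers at it) gains an attacker nothing they can sign.
type SignedUpdate struct {
	Manifest  Manifest
	Image     []byte
	Signature []byte
}

// Sign runs at the offline facility where the private key lives.
func Sign(priv ed25519.PrivateKey, version uint64, image []byte) SignedUpdate {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return SignedUpdate{Manifest: m, Image: image, Signature: ed25519.Sign(priv, m.bytes())}
}

// Verify runs on the router, which carries only the public key and the
// version it currently runs. Checks, in order: signature over the manifest,
// image matches the signed digest, version is strictly newer than installed.
func Verify(pub ed25519.PublicKey, installed uint64, u SignedUpdate) error {
	if !ed25519.Verify(pub, u.Manifest.bytes(), u.Signature) {
		return fmt.Errorf("bad signature on manifest")
	}
	if sha256.Sum256(u.Image) != u.Manifest.Digest {
		return fmt.Errorf("image does not match signed digest")
	}
	if u.Manifest.Version <= installed {
		return fmt.Errorf("rollback refused: version %d <= installed %d", u.Manifest.Version, installed)
	}
	return nil
}

// Scenarios returns the verification outcome (nil means accepted) for a
// genuine update, one swapped in transit, and a genuine-but-older image.
func Scenarios() (genuine, tampered, rollback error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // done once, offline
	if err != nil {
		panic(err)
	}
	const installed = uint64(5) // version the router currently runs (assumed)

	good := Sign(priv, 6, sampleImage)
	genuine = Verify(pub, installed, good)

	// A hijacked server or DNS can replace the image but cannot re-sign the
	// manifest, so the digest check fails.
	bad := good
	bad.Image = append([]byte("EVIL"), sampleImage...)
	tampered = Verify(pub, installed, bad)

	// A validly signed but older image is refused by the version check.
	old := Sign(priv, 4, sampleImage)
	rollback = Verify(pub, installed, old)
	return
}

func main() {
	g, t, r := Scenarios()
	fmt.Println("genuine update accepted:", g == nil)
	fmt.Println("tampered image rejected:", t != nil, "->", t)
	fmt.Println("older signed image rejected:", r != nil, "->", r)
}
```

The split matters for the "private key on the web server" objection raised above: with this layout the HTTPS server authenticates itself to the router with its ordinary TLS certificate, but trust in the firmware rests on the signing key, which is only ever used on the offline host, and the router learns nothing it needs to keep secret.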

  11. Da Weezil

    Given that after 12 years of complaints BT Openjoke have yet to cure the periodic instability in my line, I wouldn't think anything of my router crashing/resetting even if repeatedly, so the fact that this exploit resets the connection would go unnoticed, and I suspect many other victims.... sorry I mean users connected via (often antique) BT copper would be in the same position.

  12. Anonymous Coward
    Anonymous Coward

    Yes some folks do take consumer security seriously

    That would be the NSA and other agencies looking to protect us all from terrorism and cybercrime.

  13. Anonymous Coward
    Paris Hilton

    Does anyone take consumer security seriously?

    No. They don't.

    After owning too many routers that have been spaffed to market before they're ready, laden with bugs, security holes, and things that just don't work - I'm very careful with what I buy now.

    In fact, I'm half-tempted to make my own low-energy pfsense box, as soon as space, time, and money allows.

    Paris - because we all have something to learn about plugging holes.

  14. Awil Onmearse

    ISP backdoors

    The only reliable DSL I can get out here in the sticks came with an ISP-contract-mandated Thomson router which has a Superadmin login on the WAN port and only superuser on the LAN port - so the ISP could examine my entire fucking network and I can't do a thing about it.

    Needless to say I soldered a JTAG on the thing within minutes and flashed the user config, contract be damned.

    1. Anonymous Coward
      Anonymous Coward

      Re: ISP backdoors

      I'm surprised you haven't gotten a call from your DSL provider claiming your modem is experiencing problems and to expect a tech along shortly to repair/replace your device.

      (I would think a savvy company with such access to their devices would poll them occasionally to check for hacks.)

      1. Awil Onmearse

        Re: ISP backdoors

        "(I would think a savvy company with such access to their devices would poll them occasionally to check for hacks.)"

        A savvy user would give them the reply they expect. ;-)

        As long as they don't try to physically login to the thing to snoop my pr0n er .. perform "repairs" it seems to be ok. A year up and no service call.

        1. Charles 9

          Re: ISP backdoors

          "A savvy user would give them the reply they expect. ;-)"

          Savviness won't help you if you don't know what they're expecting. Besides, depending on the design, there may not be a way to feed the connection false information (if, for example, it triggers a hardware-based check or requests encoded or obfuscated data to test for altered firmware).
