Mass break-in: researchers catch 22 more routers for the SOHOpeless list

Yet another disclosure tips 22 SOHO routers in the security bin, with everything from privilege escalation and authentication bypass to hard-coded credential backdoors. That disclosure – more than 60 vulnerabilities from big-name vendors including D-Link, Belkin, Huawei, Linksys, Netgear, Zyxel and Sagem – was made by Spanish …

  1. psychonaut

    saw this in the wild yesterday

    A Netgear router. DNS was set to somewhere claiming to be something to do with an American defence company (once I'd whois'd the DNS IP address), can't remember exactly what. It was injecting ads into all the devices on the network and remote management had been turned on. The clue was that it affected their iPad and 2 PCs with exactly the same ads.

  2. Mage Silver badge
    Devil

    UPnP

    I know people think they need it, but UPnP is a daft concept, or at least staggeringly badly designed. Up there with Autorun on USB devices, CDs etc.

    Devices on a Network that could auto-install code on your PC?

    I always disable it on Routers and Windows Services.msc

    1. Anonymous Coward

      Re: UPnP

      "Devices on a Network that could auto-install code on your PC?"

      That's not quite how it works. UPnP is simply a networking protocol. How it is implemented however is a different story but I don't think you'll find it installing anything on your PC.

      There are valid use cases for UPnP for the unskilled or people who just want things to work. However I will grant you that it is part of an easy path to a NAS presenting itself smartly on the interwebs with no ftp password - the epic fail here is of course ftp in the first place 8)

    2. big_D Silver badge

      Re: UPnP

      Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP is intended primarily for residential networks without enterprise-class devices.

      Without UPnP many things won't work properly, such as multi-player gaming on XBox, PS4 etc. some VOIP services etc.

      Among other things, it allows incoming messages to be sent to the correct device. Using port forwarding you can only forward to one device, using UPnP a device on the network (E.g. an XBox) can request a port and then tell the other end which port on the router to use.

      1. Michael Wojcik Silver badge

        Re: UPnP

        > Without UPnP many things won't work properly, such as multi-player gaming on XBox, PS4 etc. some VOIP services etc.

        So no downside to disabling it, then.

  3. Dan 55 Silver badge

    And it's so easy to sort out

    SOHO router manufacturer offers drivers to OpenWRT which makes the OpenWRT community happy because if it's one thing that makes them happy it's drivers. Then all it needs to do is choose the packages for their router, preconfigure them, and change the WebUI from LuCI to something else (I believe it's what marketing call adding value). They could even push fixes to packages for bonus points.

    Or they can just carry on flailing around with their own firmware year after year and getting it wrong, wrong, and wrong again.

    1. Destroy All Monsters Silver badge

      Re: And it's so easy to sort out

      MUH LOSS OF CONTROL OVER MUH IP!

  4. Anonymous Blowhard

    @Mage: Sound advice, thumbs up from me.

  5. Probie

    The old way

    I am for ISPs just giving a modem or a bridge and opening up a market for Sophos, Cisco, Juniper, Palo Alto, etc ..... (the list of enterprise vendors goes on) to provide a small appliance. Really the problem is that carriers only certify a small list of "many function" routers. So why not just make it simple and go back to providing a link with a connecting device that "just" bridges mediums? It does make it the responsibility of the end customer, but perhaps if people were more aware of their own security it might make for a better outcome.

    1. Dabooka
      Stop

      Re: The old way

      And the interim chaos? Who'd manage the fall out from that?

      An admirable aim, but totally unworkable in the real world. Accountability, and a couple of US of A class actions for breaches, is the only way this will move on.

    2. Velv
      FAIL

      Re: The old way

      The public want a one stop box that gets the home online. The last thing they want is to have to choose and buy ANOTHER box to make it work.

      I'm not suggesting this is the right thing. My VirginMedia cable modem is in modem mode and I run my own router. But like most readers here I'm a geek and can figure out what's required. Non geeks don't care - just make it work.

      1. Rich 11

        Re: The old way

        I couldn't agree more.

        I'm still using the cable modem VirginMedia (then Telewest) first gave me more than 15 years ago. I've ignored any offers of a modem upgrade and happily run my own routers off it. I don't know if the old modem is effectively putting a cap on my download speed, and don't care because what I get is more than sufficient for my needs.

        1. Anonymous Coward

          Re: The old way@ Rich 11

          "I'm still using the cable modem VirginMedia (then Telewest) first gave me more than 15 years ago. I've ignored any offers of a modem upgrade and happily run my own routers off it. I don't know if the old modem is effectively putting a cap on my download speed,"

          Depends on your package. I presume you're using a Motorola Surfboard, of which there were several different flavours. From memory the best of them would only achieve 40 Mb/s, and the older ones often a lot slower. If you're receiving and happy with a 20 Mb/s service then there's probably no need to change. If you're on a higher speed (check your bills for the package) just run a Speedtest.net diagnostic and see what it reports. I'd expect VM's routers to be optimised for diagnostics, but for these purposes that's a good thing.

          If your download speed is significantly slower than your billed speed, call customer services and ask for an upgrade to a Superhub 2 (they'll probably be very helpful IME, but if asked to, refuse to pay for an upgrade, since you're already paying for the speed and they're not delivering it). Despite the bad publicity, the Superhub 2 is IME a decent fast cable modem, and an adequate if unexceptional wireless router. They usually don't fuss about getting the old modem back, so even if you're not happy with the Superhub 2, you could just reinstate the Surfboard.

    3. Anonymous Coward

      Re: The old way

      > I am for ISP's just giving a modem or a bridge

      This is how fibre currently works (at least in the UK).

      OpenReach give you the modem and you are usually free to discard the ISP provided router and use an off-the-shelf replacement.

      1. John H Woods Silver badge

        Re: The old way

        "... you are usually free to discard the ISP provided router ..." -- AC

        It's usually possible, but for a non-zero number of large ISPs, it's a breach of your contract conditions. Most likely they will just not provide you their support (not a huge loss) but they could conceivably degrade your service for the remainder of your contract without you having much recourse.

        1. Anonymous Coward

          Re: The old way

          > Most likely they will just not provide you their support (not a huge loss) but they could conceivably degrade your service for the remainder of your contract without you having much recourse.

          This is a problem on LLU ADSL lines for sure but not so much on fibre. ISPs tend to choose ADSL modem / routers with chip-sets that play nicest with the brand of DSLAM they've installed in the exchange, the T&Cs are usually there to make their lives easier by stopping you from installing something random that might not work as well.

          With fibre the man from OpenReach comes round and connects the modem to the master socket and does the business in the cabinet; the actual connection bit is all done in the white box. After that it's just a standard PPPoE connection to whatever networking equipment you want.

          Some ISP provided modem / routers have a bridge mode anyway. My old BeBox certainly did.

  6. Anonymous Coward

    Complexity is the biggest issue

    The firewall functionality is being swamped by the complexity of the other "useful stuff (TM)" that the suppliers try to use to give them a USP.

    If they want to do this, they need to partition the security code so that it can be developed and tested to a high standard and be protected from the rest.

  7. Peter Prof Fox

    Live naughty links in Reg articles?

    The full disclosure list has things like: this URL (a live link) forces your router to do naughty things. This might not be a good idea.

    1. chivo243 Silver badge

      Re: Live naughty links in Reg articles?

      @Peter Prof Fox

      do you mean the link to the Full Disclosure? I couldn't open it here at work... content filter says: Hacking!

      Had to log in at home to view the link, glad to see my gear is not on this list! yet?

  8. Anonymous Coward

    Just purchased a DD-WRT router & why ISP provide the router

    So having read months / years of SOHO routers being hacked, poor security and backdoor stories, I have just purchased a router running DD-WRT.

    I consider myself fairly technical but I will still need to look and search for details of how to configure this router correctly. It will get done though, even if I have to admit defeat and ask a friend for help.

    Now your average ADSL user just wants a single box to plug in and go, preferably with a router that has been preconfigured by the ISP, so they don't even need to read a manual, install a CD or log in to the router's IP address and do any settings; they just plug in the cables and press the wifi easy connect button.

    ISPs know this so will continue to provide the kit as:

    (1) users will look for the easiest option. so go with the supplier who provides the kit.

    (2) standard kit and preconfigured kit reduces the number of support calls that the ISP receives.

  9. Doctor Syntax Silver badge

    So far, so good

    So far ISP-provided router hasn't appeared on any of these lists. But is that just because nobody's looked at it? However it doesn't seem to have any external ports open as far as I can see.

  10. Chronos
    FAIL

    Bloody hell!

    Please ensure you turn off prefetch in your browser when looking at the Full Disclosure article. Security mailing lists usually obfuscate exploit URLs by using things like hxxp:// but this article seems to not only have failed to do so but also made them hyperlinks. If you have a vulnerable device and your browser takes it into its empty head to prefetch those links despite the rel="nofollow" attribute - well, let's just say possible unintended consequences, shall we?

  11. chivo243 Silver badge

    My ISP

    Each time I've had issues with my modem and needed replacing, or my ISP tells me I need to upgrade to take advantage of xyz feature, the modem comes preconfigured, I plug it in, and presto, back in business.

  12. Anonymous Coward

    > It's time for the carriers to take responsibility for their customers

    BT already do this. We have a business line in the office here with a Home Hub 3 that they installed after support for the HH3 ended.

    They manage the updates remotely which means it's on the first version of the firmware and will never be updated because it's out of support and you can't do it manually.

    So yeah, expecting the carriers to cover this is a terrible, terrible idea. Just look at the mobile phone carriers.

  13. This post has been deleted by its author

    1. Destroy All Monsters Silver badge
      Coat

      Re: Catch 22 routers?

      The Snowdens of yesteryear warned us about this!

  14. Anonymous Coward

    Old news

    That's a particularly poor sampling of routers, many are *very* old wireless G routers. I know home users don't cycle routers as frequently as enthusiasts, but even so. Feels like a non-story. YMMV

  15. Michael Thibault

    Interesting to see

    Linksys WRT54GL in there--if only in a limited way--as it's been a long-time favourite of the DD-WRT crowd.

    1. unitron

      Re: Interesting to see

      I think that's the first 54G, and maybe the first Linksys, to be mentioned as being at risk for this, and I wonder why the GL and none of the previous versions of the 54G would be the only one.

  16. Anonymous Coward

    We ain't seen nuffin yet

    Even supposing that it's possible to reduce the numbers of vulnerable routers, there will be FAR more vendors and FAR fewer opportunities to encourage / require the vendors of "things" to "know or care enough to ship secure devices".

  17. Aitor 1

    price problem.

    ISPs are the market drivers. And they demand routers at less than 15£. Also, they must be attached to a freely available model they sell, and provide the same security updates.

    As it is simply uneconomical to do so, support is crap.

  18. Michael Wojcik Silver badge

    Then on to BUGTRAQ for the PhD

    > made by Spanish students working on a master's thesis at the Full Disclosure list

    I didn't realize Full Disclosure's Masters program had been accredited.

  19. AndrewDu

    Simple NetGear ADSL "modem" here; Cisco 819 behind it, configured by me; separate DrayTek WAPs;

    WLAN uses 802.1x. Active Directory certificates. No shared keys.

    *smug grin*

    No doubt someone will now tell me these are the worst possible choices...
