US-CERT's top tip: Hack your crap Netgear router before miscreants arrive Owners of three models of Netgear routers are being advised to exploit a security hole in their broadband boxes to, er, temporarily close said hole. The alternative is to switch off the boxes until a firmware update lands. Netgear says that the R6400, R7000, and R8000 series routers are all vulnerable to CVE-2016-582384, a …
If you can run DD-WRT, Tomato Shibby or any other 3rd party firmware I'd give it a try. Most of them are free. You may be happier than with the perpetually insecure software served up router manufacturers. I've been running 3rd party firmware for years and have no plans to go back. On my router 3rd party firmware is more stable than what came from Linksys. 3rd party software gives you more options to tweak your settings and sometimes additional functionality. You can even compile your own. Good luck.
Tomato Shibby here. I've had a lot of routers and I've rarely even looked at whatever was originally installed on them. Why take a chance with written-for-profit proprietary software when there are perfectly good solutions already?
That said, most users are not going to be aware that there are better solutions or how to implement then. My theory is that they believe that the vendor knows best, and that is rarely the case with consumer routers.
" you simply have to trick someone on the router's local network into opening a booby-trapped webpage."
Any old search engine result may work, if not use the offsite advertising network to deliver it instead.
Easy peasy..... Now who has that sort of control or over sight of such things?
Some will be Govt entities and other's will be big businesses.
Whose the loser's in all this? The little people as usual and lots of you work for them, brings a whole new perspective to the work life balance when you think about it!
" you simply have to trick someone on the router's local network into opening a booby-trapped webpage."
Or, if they are running IPv6 and didn't realize there is a private address range, they might have their router on a public IP. That probably also means they are not bright enough to block http requests at the firewall, if they even have a firewall.
Actually it was the 40xx and 80xx series Commodore computers that were susceptible, and the bug was with the CRT controller chip. A poke to a location (59458 if I remember right) would speed up 2001-series PETs by altering the refresh rate (to simplify), but in later models, it would put tremendous strain on the video circuitry and eventually let the magic smoke out.
Oh, and "Being pro-active rather than re-active to emerging security issues is fundamental for product support at Netgear."
Blah, blah, blah, customers first PR, blah, blah. I suppose in their defence, as something from the 90's this is not an emerging security issue and therefore it's OK to be reactive.
In the US, it could be part of the Underwriters Laboratories testing that ensures the device won't burn your house down, lop your arm off, or render your dog infertile. Reasonable assurance against identity theft and having your device used for possibly nefarious means sounds like it should be included, especially for the IOT. Of course it can take years for a lot of these bugs to be discovered, but a little testing by some white hats would certainly help.
It needn't be mandatory. All you'd really need would be a "premium" device from some manufacturer somewhere that had this kind of audit done. It would cost extra, of course. Perhaps a lot extra.
You just need market demand.
If there weren't a demand for such a thing, then what you'd have are stores filled with cheaper, "home" routers pressed out of plastic, rushed to market on a shoestring, with few to no software updates as vulnerabilities became known.
Oh. Wait.
We found a corker of a vulnerability on the SRX5308 a while back but even I'm struggling to believe they've managed a whole new level of fail. The one we found had already been fixed though I strongly suspect this was by accident. They'd replaced much of the software stack but the vulnerable script was still there, just unused.
Even without vulnerabilities, they're just rubbish. We've since switched to pfSense. I did try to install OpenWRT on an SRX5308 to make them useful instead of throwing them under a bus but I haven't been able to get Ethernet to work reliably. I may have another crack at it sometime.
It was nice timing for seeing this. I was in the market for a router to replace the ISP supplied PoS and was browsing expensive Netgear routers on Amazon when I read the original news about this.
As a result I now have ordered a MikroTik router that seems to be better spec than the Netgear and cost less. I will probably never buy another Netgear again either.
I wonder just how much being lazy with a patch has cost Netgear both directly and indirectly? Do you think the guy who caused said delays thinks it's worth it now?
Another possible work-around, change the port number used for local administration of the router. Not sure, however, if this is supported on the vulnerable routers. Like changing the router local IP address, it is security by obscurity. For more, see
http://www.computerworld.com/article/3148680/networking/easily-exploited-netgear-router-flaw-discovered.html
The more I read about unpatched crap from fire-and-forget vendors that think once the device hits the manufacturing line it's time to move onto the next product and forget about supporting what they already produce… the more I think that in future, it'll be a personal requirement that the device is shipped with suitable documentation and firmware.
The reason for this is simple.
I, as a home network operator, am responsible for the emissions my network produces.
If a HTTP GET request for a JPEG with kiddie pr0n is seen from my ADSL connection, is it the vendors of the various devices that gets the blame? No, it's me, and then it's up to me to investigate how that HTTP GET request came to originate from my connection.
If a wireless router starts emitting crap out-of-band… is it the router manufacturer that takes responsibility? No, the ACMA will be knocking on my door first. I then have to play a game of unplug-until-the-noise-stops to find out the culprit.
It is high time that, if we are as end users to carry this RESPONSIBILITY, we should be given the RIGHT to audit. That includes being able to FREELY ACCESS the firmware source code, device schematics and other supporting documentation, and FREELY DISTRIBUTE such items to third parties for the purpose of audit and analysis.
The day of the proprietary black box is over.
Some of the firmware updates (inculding R6400, R7000 and R8000) are now out of beta. The web interface of my R6400 showed a notification about the update. After installing, testing with the 'killall' URL led to a login prompt and, even after I authenticated, it still didn't execute the killall so the fix looks good.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
