Forgot your password?
typodupeerror
Security

Researchers Hack Over a Dozen Home Routers 109

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes "Security researchers at Independent Security Evaluators have published a report demonstrating that a slew of home and small office (SOHO) routers are vulnerable to previously undisclosed vulnerabilities. The report asserts that at least thirteen popular routers can be compromised by a remote attacker, and a number of them do not require knowledge of credentials or active management sessions. Some of the routers are not listed as they work with vendors to fix them, but there are 17 vulnerabilities disclosed, with another 21 pending release. An article on CNET includes an interview with some of the researchers."
This discussion has been archived. No new comments can be posted.

Researchers Hack Over a Dozen Home Routers

Comments Filter:
  • by Anonymous Coward on Wednesday April 17, 2013 @10:18PM (#43479141)
    An older computer redone with a FreeBSD install makes an excellent router and is extremely secure. I would suggest anyone who is comfortable with a *nix command line use this solution as I've found it to be virtually bulletproof.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Except for power and space. Sorry, but I want something that I can tuck away on the wall or on top of a shelf, and the average older computer isn't very suitable for that.

      Even a mini-ITX build is still using more power than I'd prefer.

      • by 00Monkey (264977) on Wednesday April 17, 2013 @10:28PM (#43479227) Homepage

        pfSense and others like m0n0wall will work on Netgate's ALIX Kits: http://store.netgate.com/ALIX-Kits-C86.aspx

        They're small and actually look like a router.

      • by Joce640k (829181)

        Except for power and space. Sorry, but I want something that I can tuck away on the wall or on top of a shelf, and the average older computer isn't very suitable for that.

        Even a mini-ITX build is still using more power than I'd prefer.

        What about a Raspberry Pi?

        • The onboard ethernet is actually connected via USB, and a second network port would have to be connected the same way. It's doable, but not really optimal. Fine for those on low-bandwidth connections, but many internet services now would easily overwhelm it. It's only a 100mbit port at best, and the processor might be a limitation before you reach that point.

      • My Atom mini-ITX router was running happily at 14W.

      • by rvw (755107)

        Except for power and space. Sorry, but I want something that I can tuck away on the wall or on top of a shelf, and the average older computer isn't very suitable for that.

        Even a mini-ITX build is still using more power than I'd prefer.

        How about a Raspberry Pi like device with two ethernet ports and FreeBSD on it?

      • by Grishnakh (216268)

        Exactly. Using an older computer as a router is a massive waste of power (and space). Get something that's designed specifically for the purpose: a modern router like a typical Linksys unit uses a tiny amount of power and is very small. And the software side isn't a problem: just install DD-WRT on it.

    • by Nerdfest (867930)

      No wireless AP though.

      • So add the WRT54GL to it running Tomato, OpenWRT, or DDWRT.

        $50 from NewEgg
        http://www.newegg.com/Product/Product.aspx?Item=33-124-190 [newegg.com]

        • by Nerdfest (867930)

          Older router, slower processor, G only. Buffalo has some nicer routers with DD-WRT per-installed. Really though, I was just saying that for most people, a wireless access point is their primary concern, not a hardened router.

          • Re: (Score:3, Informative)

            by blacksmith_tb (855386)
            www.easytomato.org - nicely polished version for a common (and fairly versatile) modern router, the ASUS RT-N16.
            • by Cederic (9623)

              I find the default software on my RT-N66U to be pretty solid. It's a fine router too, easy to configure, hasn't even needed rebooting since I bought it.

      • I've got one of these [jetwaycomputer.com] running debian wheezy. It acts as firewall/router/wifi-hotspot/OpenVPN gateway, and even allows me to have a *real* DMZ, unlike most home routers.

    • by AlphaWolf_HK (692722) on Wednesday April 17, 2013 @10:34PM (#43479277)

      I like these embedded devices because they are low power (save you money on an ongoing basis) and do the job. Many even offer some nice things like switch management (e.g. creating vlans) if you use custom firmware. That said, if you do switch to a custom firmware, chances are good that you are immune to these vulnerabilities.

      These security researchers don't really count on the later though. They advocate requiring these devices to require signed firmware. That means no custom firmwares, so if your manufacturer ever abandons the device, and security vulnerabilities are later found, you really can't do anything about it. I like custom firmware for not only that reason (e.g. it uses software that is generally better tested against threats) but because it ads features that most OEMs require you to pay a LOT extra for.

      I hope none of these vendors take the signed firmware advice, or at least allow you to sign your own. But many here already know how that goes. I think Netgear is the only one that might set itself apart in that regard as they carry certain models that are explicitly advertised to the customer as being able to use your own firmware.

      • Don't forget Buffalo (Score:3, Informative)

        by Zynder (2773551)

        The Buffalo Nx00 series (mine is an N900 I think) also uses DD-WRT and actively advertises it. In basic mode, it is a Buffalo branded implementation but there is a variable to set which puts it in advanced DD-WRT Mode. It was the primary driver in my decision to purchase said router. My knowledge at the time was that Buffalo only did backup solutions & SANs but went out on a limb and bought it anyway. I have never been more happy. Buy one today!

        • by Grishnakh (216268)

          If I didn't have a Cisco/Linksys E1000 running DD-WRT, I'd definitely be getting a Buffalo just for their support of DD-WRT.

    • by sinij (911942)
      Above is technically complex solution (not everyone on /. is up for it, never mind general crowd) when much easier solutions like custom router firmware like Tomato or DD-WRT exist.
    • by NotQuiteReal (608241) on Wednesday April 17, 2013 @11:24PM (#43479513) Journal
      It's been mentioned, but I have actual metrics (Kill-A-Watt P3) on the electricity used by "old computers"... in my case it was about a buck a day (I'm in So Cal, so YMMV, but I am sure electric rates are going to go up here, since California is going to save the world from global warming [or go broke trying], all by itself, by taxing the bejesus out of anyone with two nickles, You're welcome.)

      BTW - anyone with an old VCR or DVD player you REALLY don't use... about $18 year just to keep it plugged in (flashing 12:00 or not). I tossed 2 units in the Goodwill bin a couple of years ago and haven't missed them.
    • Using a firewall box behind the router your ISP mandates you use, will not help you against a number of threats. Basically, they take over your router, put a sniffer on it and they can sniff all your internet traffic. The extra firewall may or may not prevent them gaining access to your computers behind the IPV4-NAT your router usually does. That's the only protection an extra firewall might give you. I'm saying might, since slight misconfiguration or access to a hackable service behind the firewall will ne

      • Ehm, that's why you set your router in "bridge" mode and use it as a dumb ADSL modem. Or, if you're like my dad and have real fiber at home, you just plug into the ONT. No more modem needed. Sure, you have to do the PPPoE yourself on firewall/router-machine, but that works just fine. (Fiber with a ONT, usually involves adding a VLAN and the do PPPoE over the VLAN)
        • by pnutjam (523990)
          Try that with IP-tv, like Uverse. I have to allow their router to function, but I tell it to passthrough my router on the external address. It usually forgets the configuration every couple of months and I have to reset it, lots of fun.
      • Basically, they take over your router, put a sniffer on it and they can sniff all your internet traffic.

        I'm sure all of the encrypted SSL traffic between me and 80% of my web browsing will be incredibly useful to these malicious attackers.

      • by pnutjam (523990)
        Nothing a vpn won't fix

        Oh, your router can't act as a vpn client? Guess you should check out pfsense.
        • by Cederic (9623)

          Of course it can. Why would I need pfsense when I have a cheap efficient dedicated device with gig ethernet and twin 450Mbps wifi links?

    • For people who have an old working computer around and a place to set it up, know how to install FreeBSD (and cope with any driver issues, etc.), and how to configure it. That's a very small segment of the population.

      It would be really nice to have the vast majority of the population immune from being hacked into, and that's just not going to happen with FreeBSD installations. Most people are going to buy whatever router they're told, and leave it in whatever configuration it's in when installed (or af

  • ISP Provided? (Score:1, Interesting)

    If your ISP provides you an insecure router and your credit card numbers are subsequently stolen, whose fault is it? Especially when these routers are only configurable via your ISP?
    • Re:ISP Provided? (Score:5, Insightful)

      by JJJJust (908929) <JJJJust@NOSPAm.gmail.com> on Wednesday April 17, 2013 @10:38PM (#43479303)

      Yours for either A. having your credit card information on the network in an unencrypted state, B. transmitting it without making sure the HTTPS lock is present, and/or C. not having adequate deskop security.

      It takes more than just an accessible router to get to sensitive information... if an unauthorized party is able to access that information, 9 times out of 10 it'll be a user's fault.

      • by goombah99 (560566)

        Yours for either A. having your credit card information on the network in an unencrypted state, B. transmitting it without making sure the HTTPS lock is present, and/or C. not having adequate deskop security.

        It takes more than just an accessible router to get to sensitive information... if an unauthorized party is able to access that information, 9 times out of 10 it'll be a user's fault.

        Most people use dynamic addressing and delegate the DNS lookup to the router. This means Https or any of the other things you mentioned are useless as security measures.

        • Simply falsifying DNS won't do it - you can't impersonate an https site without a cert. Easiest way I see would be to intercept logins to non-https sites, and rely on the user reusing passwords.

          • by DarkOx (621550)

            you can't impersonate an https site without a cert.

            Maybe. The recent browser releases have taken a step to improve the situation by remembering if they used https for a host before and doing it by default the next time but its not 100%.

            Consider:
            You type thinkgeek.com in your url bar. You don't specify the protocol because only those of us slashdot readers understand the risks inherent in not doing so bother and your browser decides to use plain http. An important omission was made but no typo. I intercept your clear text 80 traffic and rather than th

      • In an ideal world software vendors wouldn't put users in a position of choosing between trusting their internet connection and not getting the software. Certification authorities would make damn sure they were issuing certificates to the right entity. Credit card companies would move away from a system where the dominent way of making an online payment is to give the vendor a code that lets them take unlimited money from your account. Users would directly enter the https url or at least carefully check the

        • by JJJJust (908929)

          In an ideal world software vendors wouldn't put users in a position of choosing between trusting their internet connection and not getting the software.

          Most of the majors have a system for buying game cards in a physical store. If the user prefers convenience, that's on them.

          Credit card companies would move away from a system where the dominent way of making an online payment is to give the vendor a code that lets them take unlimited money from your account

          Credit card companies used to do this via one-time virtual card numbers. For the most part, the user found it inconvenient and didn't use it.

    • by sinij (911942)
      I see where you went wrong. You are trusting the same guys that try to oversell and under-deliver all while trying to legislate away competition to be technically competent and deliver you a secure router. What makes you think this time will be any different?
    • by epyT-R (613989)

      It's the fault of the person who stole your information...or at least it should be. Today's over litigious society probably disagrees.

    • I don't think there's a single person or legal entity "at fault" here. It's a combination of multiple factors. First of all, your credit card company uses a proven flawed security model. Second of all, you should have been more careful with those numbers yourself, since it's a proven flawed system. Third of all, yes, your ISP can be found negligent for not adequately testing the equipment they provided to you. They can blame it on their manufacturer, but if they haven't tested the equipment they should be f
    • by synapse7 (1075571)
      It is always our fault, when was the last time you saw an isp take fault for anything.
  • by servognome (738846) on Wednesday April 17, 2013 @10:30PM (#43479231)
    They hacked 13 Solar & Heliospheric Observatory routers.

    Yes I did go to the actual article, but got bored after reading the headline.
  • by juventasone (517959) on Wednesday April 17, 2013 @10:45PM (#43479345)

    Comprosing cheap routers is a topic that has been covered on Slashdot many times before. In every previous article, they've required that remote administration be enabled on the router, which is generally never a default setting. This report states, "tested with out-of-the-box configuration settings". Really? Yikes.

  • Easy to mitigate. (Score:5, Insightful)

    by viperidaenz (2515578) on Wednesday April 17, 2013 @11:12PM (#43479469)

    They're pretty much all CSRF vulnerabilities. Don't save your password to your router or don't use a common router IP address like 192.168.1.1

    • Re: (Score:3, Interesting)

      by animaal (183055)

      They're pretty much all CSRF vulnerabilities. Don't save your password to your router or don't use a common router IP address like 192.168.1.1

      I'm scratching my head here - why would an address like 192.168.1.1 be a problem? It's only an internal IP address. An attack from the outside would come through the external IP address. Once they've breached the router, surely it'd be simple to find internal addresses anyway?

      (Really hoping I don't have to re-address my stuff!)

      • by viperidaenz (2515578) on Thursday April 18, 2013 @04:52AM (#43480619)

        Because its cross-site-request-forgery.

        If you're logged in to your router and you go to another website that has an image tag with a url of "http://192.168.1.1/admin/enable-remote-login" or submits a form using javascript off to 192.168.1.1 then they've effectively made that request from inside your local network via your browser.

        If there is an exploit that enables remote admin then not only has the attacker now enabled remote admin on your router but they have your external IP address to exploit because you made the request...

        I'm disappointed in the Slashdot moderators for giving this +4 Insightful. It was a good question though.

        • I am a moderator who gave him a +1 for that question. It will be undone, of course, because I posted in this thread. It was a good question that I wanted an answer to. Now that it got up to +4, someone answered it. If it was still sitting at Score:1 where it was before I gave it mod points, would anyone have bothered to answer?

          I'm disappointed in the parent poster for dissing the moderation system because it worked as intended.

  • I wonder how DD-WRT stacks up.
    • by Anonymous Coward

      I wonder how DD-WRT stacks up.

      It bothers me that the "Latest stable release" on DD-WRT's website still refers to a version (10020) which is vulnerable to a remote code execution discovered in 2009. You must be running a version marked as "development" to be secure from the bug, which is bad marketing.

  • dont fuck around

    • don't mess around, don't fool around, don't look around and don't back down!

      /oblig ninety pound wuss reference. emoviolence that fueled those 18 hour coding sessions in my youth!
  • Confirmed case here (Score:5, Interesting)

    by xyourfacekillerx (939258) on Thursday April 18, 2013 @02:06AM (#43480057)

    My parents' ISP issued router came down with a case of malware. The ISP kept putting them into walled-garden claiming botnet activity, and after months and months of this, I intervened. upon my investigation (which also took months) and thanks to their reluctant but cooperative security team, we determined it was not the only connected device that had the malware, but the router itself. And only because I "hacked" into it at some point and observed the malware in action, and reported my results back to the ISP. I thought my method (though it required some circumvention) was an intentional feature of the router. I didn't realize it was a vulnerability. Not at the time. I mean how do they remotely configure your router while on call or live chat with them? How can they expect me to think I can't do the same thing myself?

  • Darren Kitchen: "There's not a consumer demand for security; it's not a feature that will sell it."

    PfSense: "Speak of the devil and he shall appear."
    • by Wilf_Brim (919371)
      I disagree. There is a demand for security, at least among some a certain set of consumers. The current problem is that apparently none of the commercially available routers appear to be worth anything when it comes to security. Every time an article like this appears on /. I keep looking for some recommendations as to what to do. And I never find anything. The only recommendation I did find was from Mr. Kitchen, about using an old computer and smoothwall. Well, first, physically that wouldn't work (t
  • Just exploit thousands of them to create new tor exit nodes.
  • Endian firewall is robust and relatively easy for an average technical end user to implement.
  • Only idiot, moron, democrat, socialist, communist, progressive folks use a hackable router or firewall! They really are just that dumb! Look at how they vote!
  • Look at the summary chart in the article. [securityevaluators.com]

    With the exception of two Belkin routers, the victim must have an active management session open at the time of attack and the victim must be tricked into clicking a malicious link that leverages the open management session. This renders this "vulnerability" as highly unlikely. Most people do not open management sessions after initial router setup.

    Not surprisingly, this article is full of hyperbole and the likelihood of actual router takeover is minimal to infinitesi

<< WAIT >>

Working...