Routers Pose Biggest Security Threat To Home Networks 264
Nerval's Lobster writes "The remote-access management flaw that allowed TheMoon worm to thrive on Linksys routers is far from the only vulnerability in that particular brand of hardware, though it might be simpler to call all home-based wireless routers gaping holes of insecurity than to list all the flaws in those of just one vendor. An even longer list of Linksys (and Cisco and Netgear) routers were identified in January as having a backdoor built into the original versions of their firmware in 2005 and never taken out. Serious as those flaws are, they don't compare to the list of vulnerabilities resulting from an impossibly complex mesh of sophisticated network services that make nearly every router aimed at homes or small offices an easy target for attack, according to network-security penetration- and testing services. For example, wireless routers (especially home routers owned by technically challenged consumers) are riddled with security holes stemming from design goals that emphasize usability over security, which often puts consumers at risk from malware or attacks on devices they don't know how to monitor, but through which flow all their personal and financial information via links to online banking, entertainment, credit cards and even direct connections to their work networks, according to a condemnation of the Home Network Administration Protocol from Tenable Network Security. Meanwhile, a January 2013 study from Rapid7 found 40 million to 50 million network-enabled devices, including nearly all home routers, were vulnerable to exploits using UPnP. Is there any way to fix this target-rich environment?"
If only there were an easily upgradeable open source router operating system to which vendors could add support for their hardware leaving long term maintenance to a larger community.
dd-wrt?? (Score:5, Informative)
PFsense (Score:5, Informative)
I have PFSense running on a virtual server, which I recommend to anyone. Perhaps not on the virtual server... it kind of adds a layer of complication that most people probably wouldn't care for, but it works well enough.
http://www.pfsense.org/ [pfsense.org]
Hopefully no huge flaw comes out on that without me noticing. That would be embarrassing.
Re:dd-wrt?? (Score:5, Informative)
DD-WRT is based on the open source OpenWRT, but DD-WRT itself is proprietary.
Sigh - what the heck ... (Score:3, Informative)
I feel that all those links to WRT/PFSense/M0N0Wall/Tomato/etc are kind of redundant.
Sufficient to understand, that the underlying concept of UPnP is an abomination; a sick and distorted concept that deserves nothing less than an immediate death sentence, and to be buried along with The Funniest Joke In The World; never to be resurrected again.
Re:Sigh - what the heck ... (Score:4, Informative)
Re:Sigh - what the heck ... (Score:4, Informative)
So how do you propose that my game on a machine on NAT arranges to receive UDP through the firewall?
So go for convenience over security. But don't then complain when you install VNC on your PC and it automatically opens a port allowing everyone on the Internet to access it, and you didn't bother to set a password so your PC is now pwned by the first script kiddy who scans your router.
UPnP is simply insane from a security standpoint. Random applications should not be opening random ports without explicit permission.
Re:dd-wrt?? (Score:5, Informative)
Re:Sigh - what the heck ... (Score:5, Informative)
What am I missing?
Again, used to be that the most common way for a Ubuntu machine to get pwned was for the user to install VNC with UPnP enabled. They only wanted to connect over their LAN, but VNC went and opened a UPnP port, and... oops.
Every new port opened on the router is a potential new security hole.
Re:PFsense (Score:5, Informative)
I second that. PFSense is rock solid and comes with a lot of features. Dual wan, vpn, you name it.
Just as lazy... also got mine from applianceshop.eu.
Re:Sigh - what the heck ... (Score:4, Informative)
Got to love competition mandated by law.
In my area, 15 minutes from the closest city which has about 60.000 inhabitants, I have about 20 providers competing on fiber, cable and copper. You can also toss in a few 4g providers that sell broadband you can carry around. :) /62 ipv6 prefix.
I settled for fiber 100/100 with tv and phone for $100 a month. It's not the cheapest, but I'm hooked on the speed
They also provide ipv6 and "bridge mode routers" with a fixed ipv4 address for my own router and a
We used to have a public telephone company called Telenor, but after it became private it came with the catch that all competitors can buy capacity from them at cost + investment write-offs. It's been working wonders.