Routers Pose Biggest Security Threat To Home Networks
Nerval's Lobster writes "The remote-access management flaw that allowed TheMoon worm to thrive on Linksys routers is far from the only vulnerability in that particular brand of hardware, though it might be simpler to call all home-based wireless routers gaping holes of insecurity than to list all the flaws in those of just one vendor. An even longer list of Linksys (and Cisco and Netgear) routers were identified in January as having a backdoor built into the original versions of their firmware in 2005 and never taken out. Serious as those flaws are, they don't compare to the list of vulnerabilities resulting from an impossibly complex mesh of sophisticated network services that make nearly every router aimed at homes or small offices an easy target for attack, according to network-security penetration- and testing services. For example, wireless routers (especially home routers owned by technically challenged consumers) are riddled with security holes stemming from design goals that emphasize usability over security, which often puts consumers at risk from malware or attacks on devices they don't know how to monitor, but through which flow all their personal and financial information via links to online banking, entertainment, credit cards and even direct connections to their work networks, according to a condemnation of the Home Network Administration Protocol from Tenable Network Security. Meanwhile, a January 2013 study from Rapid7 found 40 million to 50 million network-enabled devices, including nearly all home routers, were vulnerable to exploits using UPnP. Is there any way to fix this target-rich environment?"
If only there were an easily upgradeable, open source router operating system to which vendors could add support for their hardware, leaving long-term maintenance to a larger community.
Has any work been done on.. (Score:5, Interesting)
Pentesting the custom firmwares from projects like OpenWRT/DD-WRT/Tomato etc?
opensource firmwares not perfect either (Score:2, Interesting)
I bet everyone is busy writing smug comments about closed source firmwares, but let's not forget that DD-WRT has had a similar bug. http://www.xtremesystems.org/forums/showthread.php?230880-Massive-DD-WRT-Security-Hole-%28Unauthenticated-Root-Control-Possible%29
Why I buy apple airports (Score:5, Interesting)
I don't actually know if it matters or not, but I prefer Apple over other wireless routers because it's so damn braindead easy to keep them patched. Apple just pushes out firmware updates (rarely). With every other router I've owned, it was a struggle to figure out whether it needed a patch and how to apply it. Moreover, it was a source of worry even when there wasn't a problem, which alone was worth any relatively small cost differential.
Re:PFsense (Score:4, Interesting)
I really liked pfSense but when I used it long ago it was very buggy. It may be time for me to give it another try. However, if you're familiar with the Cisco IOS CLI, Vyatta is another solution. I plan to set up a small low power box to be my router and only use my Linksys Router/AP combo (flashed with DD-WRT) as an access point. It gives you far more options in terms of management, and if you happen to seed a lot of Linux ISOs you don't have to worry about filling up the memory with the routing table.
Custom Router (Score:5, Interesting)
I have replaced it with a small Debian box with dual NICs, and bought a 24-port switch from TP-Link. It was the best decision I have ever made. Perfect reliability, complete control via iptables. I've got auto-blocking of malicious IPs trying to hit my ssh or port scanning me via DenyHosts and PSAD.
A couple of other custom scripts and dnsmasq, dhclient, snort, and Python, and I have all the other services and features I want, and ONLY the services and features I want.
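The post above describes the setup but not the ruleset, which is where the security actually lives. Here is an added example of a minimal default-deny iptables ruleset for such a two-NIC Debian router; it is not the poster's configuration. Assumptions (all hypothetical): eth0 faces the WAN, eth1 faces the LAN, the LAN is 192.168.1.0/24, dnsmasq serves DNS and DHCP to the LAN, and ssh on the router is only ever reached from the LAN side.

```shell
#!/bin/sh
# Added example: default-deny iptables ruleset for a dual-NIC Debian router.
# Not the poster's own config. Interface names and the LAN prefix below are
# assumptions; override them via the environment if yours differ.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset in iptables-restore(8) format so it is applied atomically
# and can be saved to /etc/iptables/rules.v4 for the iptables-persistent package.
render_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-tracked connections; drop anything conntrack cannot place.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# dhclient's lease renewals on the WAN side arrive as server:67 -> client:68.
-A INPUT -i $WAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
# Services offered to the LAN only: rate-limited ssh, plus DNS and DHCP from dnsmasq.
# The DHCP rule carries no source filter because DISCOVER comes from 0.0.0.0.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 5/min --limit-burst 10 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -p icmp --icmp-type echo-request -j ACCEPT
# Everything else that targets the router itself is logged (this is what psad
# reads) and then falls through to the DROP policy. No management port is
# reachable from the WAN, so nothing like a remote-admin hole is exposed.
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "ipt-input-drop: "
# Forwarding: LAN may initiate outbound; WAN only gets replies back in.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m limit --limit 10/min -j LOG --log-prefix "ipt-fwd-drop: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Parse-check the ruleset before touching the live tables, then enable
# forwarding and load it. Needs root; nothing here runs unless asked to.
apply_rules() {
    render_rules | iptables-restore --test || return 1
    sysctl -q -w net.ipv4.ip_forward=1
    render_rules | iptables-restore
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  render_rules ;;
esac
```

Run `sh router-rules.sh show` to inspect the generated ruleset and `sudo sh router-rules.sh apply` to load it. Two caveats a practitioner would check: this covers IPv4 only, so if the WAN side hands out IPv6 and `net.ipv6.conf.all.forwarding` is on, an equivalent ip6tables ruleset is needed or LAN hosts are reachable unfiltered; and the LOG rules are deliberately rate-limited, since psad and DenyHosts work from those syslog lines and an unthrottled scan would otherwise fill the disk.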
Re:PFsense (Score:4, Interesting)
Yeah, I've been running that stuff for years after getting frustrated with commercial routers. Has been extremely stable.
Of course, being lazy I got it in appliance form from this place:
http://www.applianceshop.eu/in... [applianceshop.eu]
"Hopefully no huge flaw comes out on that without me noticing. That would be embarrassing."
Ultimately it's a matter of (perhaps misguided) trust...
Re:dd-wrt?? (Score:5, Interesting)
First you have to find the right build of DD-WRT. This involves totally ignoring the router database, which, as one person's website put it, is massively out of date at best and *WRONG* at worst, liable to brick your router.
And if you join the support forum, you discover people talking about their "favorite" builds, something in over 30 years in the field I've *NEVER* heard of. And they don't have formal releases, and regression tests seem to be mostly dependent upon the lead developers.
Two months of fighting this, and debricking my router 2? 3? times, and I found one that did what I needed (that was to actually serve as a print server for a USB printer, as well as routing). I have no idea how, or if, I'll be able to upgrade...
mark, sr. sysadmin, Linux/Unix
Re:dd-wrt?? (Score:4, Interesting)
DD WRT has a history of GPL violations, so anyone who's cool doesn't use it!
Is it really any better? (Score:4, Interesting)
This is an honest question.
Is there any penetration testing or are there any statistics that suggest dd-wrt and the like are more secure, or is this an it-runs-Linux-so-it-must-be-good knee-jerk assumption?
I used to run dd-wrt on a router some years ago and liked it feature-wise and performance-wise. However, my confidence in its security took a pretty big hit when I read about this gaping security hole [cxsecurity.com] in 2009. It's the kind of issue that makes you doubt that some of the developers really know what they are doing.