
Routers Pose Biggest Security Threat To Home Networks

Posted by Unknown Lamer
from the but-it's-a-firewall dept.
Nerval's Lobster writes "The remote-access management flaw that allowed TheMoon worm to thrive on Linksys routers is far from the only vulnerability in that particular brand of hardware, though it might be simpler to call all home-based wireless routers gaping holes of insecurity than to list all the flaws in those of just one vendor. An even longer list of Linksys (and Cisco and Netgear) routers were identified in January as having a backdoor built into the original versions of their firmware in 2005 and never taken out. Serious as those flaws are, they don't compare to the list of vulnerabilities resulting from an impossibly complex mesh of sophisticated network services that make nearly every router aimed at homes or small offices an easy target for attack, according to network-security penetration- and testing services. For example, wireless routers (especially home routers owned by technically challenged consumers) are riddled with security holes stemming from design goals that emphasize usability over security, which often puts consumers at risk from malware or attacks on devices they don't know how to monitor, but through which flow all their personal and financial information via links to online banking, entertainment, credit cards and even direct connections to their work networks, according to a condemnation of the Home Network Administration Protocol from Tenable Network Security. Meanwhile, a January 2013 study from Rapid7 found 40 million to 50 million network-enabled devices, including nearly all home routers, were vulnerable to exploits using UPnP. Is there any way to fix this target-rich environment?" If only there were an easily upgradeable open source router operating system to which vendors could add support for their hardware leaving long term maintenance to a larger community.

  • by andyring (100627) on Wednesday February 19, 2014 @11:27AM (#46286153) Homepage

    Yes, this is /. We can upgrade our router firmware or install other firmware. Joe Sixpack cannot.

    The blame for this should be laid squarely at the feet of the router manufacturers. IMHO, here's what Linksys/Cisco/Netgear/etc/etc/etc/ should do, at the very least:

    1. Be open and forthcoming about bugs found in their router software
    2. By default, routers should ship with automatic firmware updates enabled. This should be difficult to disable and robust enough that it'll *just work* with no user intervention.
    3. Tell this to their customers in plain English or $localLanguage on the product packaging. And NOT in fine print. Make it very obviously noticeable to the purchaser. This can and should be a significant selling point, really. If I'm at BestBuy/WalMart/etc. and see one router boldly telling me "We care about your security! To protect you and your data, this router will check weekly with $manufacturer and update itself to give you the most secure Internet experience possible." And it's sitting next to another router that says no such thing, I'd buy the one that will keep me safe.

  • by compro01 (777531) on Wednesday February 19, 2014 @11:33AM (#46286239)

    The important difference being that bug was fixed, as opposed to being left wide open forevermore.

  • by drinkypoo (153816) <martin.espinoza@gmail.com> on Wednesday February 19, 2014 @11:34AM (#46286265) Homepage Journal

    Sufficient to understand, that the underlying concept of UPnP is an abomination; a sick and distorted concept that deserves nothing less than an immediate death sentence, and to be buried along with The Funniest Joke In The World; never to be resurrected again.

    So how do you propose that my game on a machine on NAT arranges to receive UDP through the firewall? I'm supposed to manually configure firewall rules for each game? And then change them all if my IP changes?

  • by JDG1980 (2438906) on Wednesday February 19, 2014 @11:37AM (#46286295)

    By default, routers should ship with automatic firmware updates enabled. This should be difficult to disable and robust enough that it'll *just work* with no user intervention.

    The problem is that this kind of automatic update process can be a security hole in and of itself. If there is a way for a remote system to send updates to the router's firmware, then there is the potential for a malicious user to spoof the update and send their own custom-crafted exploit code.

  • by drinkypoo (153816) <martin.espinoza@gmail.com> on Wednesday February 19, 2014 @11:52AM (#46286457) Homepage Journal

    Incentive to pressure your ISP to support a well over a decade old technology, going on two decades.

    I have no viable alternatives. The ISP I'm using now is the best of three shitty options. I live in the USA, did you think I lived in the first world or something?

  • by Minwee (522556) <dcr@neverwhen.org> on Wednesday February 19, 2014 @12:00PM (#46286547) Homepage

    In fact, it was even fixed for devices which are no longer in production with no need for the original vendor to even still be in business. Open source is funny that way.

  • by jythie (914043) on Wednesday February 19, 2014 @12:02PM (#46286567)
    If your product can not be reasonably or safely configured by its target market, then while it is tempting to blame the individuals, it is the manufacturer who has failed.
  • by jythie (914043) on Wednesday February 19, 2014 @12:04PM (#46286601)
    Eh, to be fair, this is something they are doing right and a lot of manufacturers are not. Techie types sometimes freak out over being automatically patched with who knows what, but for the vast majority of users (including techie types), it is a good strategy.
  • by jandrese (485) <kensama@vt.edu> on Wednesday February 19, 2014 @12:08PM (#46286655) Homepage Journal
    A home router that is not by default secure on its WAN side is defective.
  • by Minwee (522556) <dcr@neverwhen.org> on Wednesday February 19, 2014 @12:09PM (#46286671) Homepage

    What is the problem with UPnP??

    All devices inside the local network are considered "trusted"

    I really think you just answered your own question there.

  • by bobbied (2522392) on Wednesday February 19, 2014 @12:09PM (#46286677)

    So this article is saying that routers are *bad* things for security right? Not so fast...

    In my view, having a router, even an imperfect one, between you and the internet is a *GOOD* thing for security. Yes, routers might be security risks, but NOT having them is even WORSE of a risk.

    Does *anybody* out there remember what it used to be like? It wasn't that long ago that the standard internet connection was for ONE machine and used a PPP connection that pretty much put your Windows (mostly) box directly on the internet. When all this got started, we didn't even have software firewalls. Imagine having a windows 95 box with all the standard services on a routeable IP address. It WAS extremely risky. I remember having unsolicited popups coming up all the time and bothering me with all manner of advertisements. It was a mess and security was extremely lacking.

    But then we have the dawn of consumers using routers and doing all the same exploits became harder because of the NAT. Then routers added stateless firewalls, then stateful firewalls and closed many of the avenues used by the "bad guys" to gain control of your system.

    Consumer grade routers have been a HUGE boon to network security in the consumer world. Do they have flaws? Many do, but their contribution to overall security is worth more to me than the risks they may pose. Give me a router, even a flawed one, over nothing. Making the bad guys work harder is a good thing for security, and a flawed router does that.

    It's not that we shouldn't be discussing how routers should be made more secure. Obviously we want them to improve. It's just that we cannot lose sight of how far we've come BECAUSE of these things.

  • by BUL2294 (1081735) on Wednesday February 19, 2014 @12:22PM (#46286837)
    I seriously doubt that Belkin will put out firmware updates for all the old $50 Linksys router models they inherited support for--instead opting to push users to buy replacement models they otherwise wouldn't need. The likely answer is NO--even with a class-action lawsuit. (In all actuality, a 2006-era 2.4GHz 802.11G WPA2 router is still more than plenty for the crappy broadband speeds available in North America...)

    This is what scares me about the Internet of Things when it comes to long-life appliances that you could own/use for decades... How long will manufacturers (many of whom have 0 experience so far with connecting their products to anything but a power cable) continue to support these devices? Ultimately, government regulation may be required in this space. God knows I wouldn't want my IoT refrigerator to get "bricked" (a really heavy, big brick!) after 20 years because the manufacturer went under & the fridge couldn't phone home... Or worse, because someone found a backdoor that had been in place for all models in use for 9 years before my model was developed...
  • by clarkn0va (807617) <apt.get@gm a i l . c om> on Wednesday February 19, 2014 @12:22PM (#46286839) Homepage

    Mod parent up. UPnP is insecure by design. Its very purpose is to take security and control out of the hands of the user, and put it squarely in the hands of whatever happens to be running on your network.

    It's too bad that most people don't understand enough about network security to configure their own router, and a double shame that the kludge we call NAT has further broken network applications, but convenient "workarounds" like UPnP could only ever lead to problems like the summary lays out.

  • by Lumpy (12016) on Wednesday February 19, 2014 @12:49PM (#46287179) Homepage

    There are options for more secure but they fight the hardware hackers instead of embracing them. If they would reach out to the communities and work with them or PAY these groups like OpenWRT to write their firmware they would end up with a better product.

  • by mcrbids (148650) on Wednesday February 19, 2014 @01:07PM (#46287427) Journal

    The problem is that this kind of automatic update process can be a security hole in and of itself. If there is a way for a remote system to send updates to the router's firmware, then there is the potential for a malicious user to spoof the update and send their own custom-crafted exploit code.

    Sure, that's why you sign your updates with decent (open source!) cryptography and embed your public key into the router's firmware.
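
The signed-update check discussed in the two comments above (the spoofed-update concern and the signing reply), as an added example that is not part of the original thread or any vendor's firmware. The `Update` layout, the function names and the all-zero demo seed are assumptions; the version check goes one step beyond the comment, so that a validly signed but older image is also refused.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Update is a hypothetical package format; the signature covers version||image.
type Update struct {
	Version          uint32
	Image, Signature []byte
}
var ErrBadSignature = fmt.Errorf("signature does not verify against embedded key")
var ErrRollback = fmt.Errorf("version is not newer than installed firmware")

// signedBytes binds the version to the image so neither can be swapped alone.
func signedBytes(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}

// Sign runs on the vendor's build server; the private key never ships.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{version, image, ed25519.Sign(priv, signedBytes(version, image))}
}

// Verify runs on the router before anything is written to flash.
func Verify(embedded ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(embedded, signedBytes(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed { // a validly signed but older image is refused
		return ErrRollback
	}
	return nil
}

func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) { // constructed key, demo only
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeys()
	fmt.Println(Verify(pub, 6, Sign(priv, 7, []byte("constructed firmware image v7"))))
}
```

Only the public key returned by `DemoKeys` would be baked into the device; an update fetched over any transport is trusted solely on the result of `Verify`.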

  • Re:dd-wrt?? (Score:5, Insightful)

    by unixisc (2429386) on Wednesday February 19, 2014 @01:39PM (#46287743)
    How exactly does an average consumer put things like DD-WRT, or OpenWRT, or Tomato, or pFsense or m0n0wall on a router?
