Worms Software Wireless Networking Hardware

Routers Pose Biggest Security Threat To Home Networks 264

Posted by Unknown Lamer
from the but-it's-a-firewall dept.
Nerval's Lobster writes "The remote-access management flaw that allowed TheMoon worm to thrive on Linksys routers is far from the only vulnerability in that particular brand of hardware, though it might be simpler to call all home-based wireless routers gaping holes of insecurity than to list all the flaws in those of just one vendor. An even longer list of Linksys (and Cisco and Netgear) routers were identified in January as having a backdoor built into the original versions of their firmware in 2005 and never taken out. Serious as those flaws are, they don't compare to the list of vulnerabilities resulting from an impossibly complex mesh of sophisticated network services that make nearly every router aimed at homes or small offices an easy target for attack, according to network-security penetration- and testing services. For example, wireless routers (especially home routers owned by technically challenged consumers) are riddled with security holes stemming from design goals that emphasize usability over security, which often puts consumers at risk from malware or attacks on devices they don't know how to monitor, but through which flow all their personal and financial information via links to online banking, entertainment, credit cards and even direct connections to their work networks, according to a condemnation of the Home Network Administration Protocol from Tenable Network Security. Meanwhile, a January 2013 study from Rapid7 found 40 million to 50 million network-enabled devices, including nearly all home routers, were vulnerable to exploits using UPnP. Is there any way to fix this target-rich environment?" If only there were an easily upgradeable open source router operating system to which vendors could add support for their hardware leaving long term maintenance to a larger community.
  • dd-wrt?? (Score:5, Informative)

    by neo8750 (566137) <zepski.zepski@net> on Wednesday February 19, 2014 @10:18AM (#46286059) Homepage
    http://www.dd-wrt.com/site/ind... [dd-wrt.com] Why not right?
    • Re:dd-wrt?? (Score:5, Informative)

      by Anonymous Coward on Wednesday February 19, 2014 @10:22AM (#46286093)

      DD-WRT is based on the open source OpenWRT, but DD-WRT itself is proprietary.

    • Re:dd-wrt?? (Score:5, Informative)

      by WRD-EasyTomato (2774739) on Wednesday February 19, 2014 @10:54AM (#46286489)
      Or try EasyTomato [easytomato.org] or any of the other Tomato variants (Toastman, Shibby, etc.). Super easy to install, has a pretty and easy to use interface, and it's all open source.
    • If you have a home router, is it protected if it is behind the router built into many DSL or Cable modems? Your ISP may be protecting your firewall router by placing it behind another firewall router in your modem.

      A quick test to see if this may apply to you: view your router's status page and look at the IP address of the WAN connection. If the WAN connection is a 196.168.x.x number then your modem has a router too. Has anyone pen tested your modem router?

      • by msauve (701917)
        Some devices may indeed be behind carrier NAT and be assigned RFC 1918 addresses. But that's more likely for mobile connections, and very unlikely for home DSL/cable ones - it would break all sorts of things because you have no control over inbound NAT.

        Also, you most certainly meant "192.168...". 196.168.x.x are public IP addresses. If a carrier were to use private IP space, they'd be much more likely to use 10. addresses.
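A check for the double-NAT situation the two comments above discuss, as an added example in Go (not code from the thread; the addresses fed to it are made up). It classifies whatever the status page shows as the WAN address, including the 100.64.0.0/10 range that RFC 6598 set aside for carrier-grade NAT, which neither the 192.168 test nor msauve's 10.x guess covers.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Ranges a home router's WAN side might be handed. Any of them means there is
// another NAT layer (the ISP modem or carrier-grade NAT) in front of this
// router, so an inbound port forward on this router alone is not reachable
// from the Internet.
var (
	rfc1918 = []netip.Prefix{
		netip.MustParsePrefix("10.0.0.0/8"),
		netip.MustParsePrefix("172.16.0.0/12"),
		netip.MustParsePrefix("192.168.0.0/16"),
	}
	cgnat     = netip.MustParsePrefix("100.64.0.0/10") // RFC 6598 shared address space
	linkLocal = netip.MustParsePrefix("169.254.0.0/16") // no lease obtained at all
)

// WANKind classifies the address the router's status page shows as its WAN
// address. It returns a short label and whether the router is directly
// reachable from the Internet at that address.
func WANKind(addr string) (string, bool) {
	ip, err := netip.ParseAddr(addr)
	if err != nil {
		return "invalid", false
	}
	ip = ip.Unmap()
	switch {
	case !ip.Is4():
		// An IPv6 WAN address is globally routable; the question there is the
		// IPv6 firewall policy, not NAT.
		return "ipv6 (globally routable)", true
	case linkLocal.Contains(ip):
		return "link-local (no lease)", false
	case cgnat.Contains(ip):
		return "carrier-grade NAT (RFC 6598)", false
	}
	for _, p := range rfc1918 {
		if p.Contains(ip) {
			return "private (RFC 1918): another NAT in front of you", false
		}
	}
	return "public", true
}

func main() {
	// Constructed sample addresses, including the 196.168 typo from the thread.
	for _, a := range []string{"192.168.1.2", "196.168.1.2", "100.72.3.4", "203.0.113.7", "169.254.7.7"} {
		kind, direct := WANKind(a)
		fmt.Printf("%-14s %-48s directly reachable: %v\n", a, kind, direct)
	}
}
```

A private or shared address here means two things: a port forward on this router is not reachable until the upstream device forwards the same port, and the upstream device (the modem's router) is the one actually exposed to the Internet, so it is the one whose firmware and management interface need checking.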
    • Re:dd-wrt?? (Score:5, Insightful)

      by unixisc (2429386) on Wednesday February 19, 2014 @12:39PM (#46287743)
      How exactly does an average consumer put things like DD-WRT, or OpenWRT, or Tomato, or pFsense or m0n0wall on a router?
    • Re:dd-wrt?? (Score:5, Interesting)

      by whitroth (9367) <whitroth&5-cent,us> on Wednesday February 19, 2014 @12:48PM (#46287825) Homepage

      First you have to find the right build of DD-WRT. This involves totally ignoring the router database, which, as one person's website put it, is either massively out of date at best, or *WRONG* at worst, liable to brick your router.

      And if you join the support forum, you discover people talking about their "favorite" builds, something in over 30 years in the field I've *NEVER* heard of. And they don't have formal releases, and regression tests seem to be mostly dependent upon the lead developers.

      Two months of fighting this, and debricking my router 2? 3? times, and I found one that did what I needed (that was to actually serve as a print server for a USB printer, as well as routing).. I have no idea how, or if, I'll be able to upgrade.....

                mark, sr. sysadmin, Linux/Unix

      • by jxander (2605655)

        Two months of fighting this, and debricking my router 2? 3? times, and I found one that did what I needed (that was to actually serve as a print server for a USB printer, as well as routing).. I have no idea how, or if, I'll be able to upgrade.....

        mark, sr. sysadmin, Linux/Unix

        Just FYI. If you can "debrick" something, then it's not bricked.

    • Re:dd-wrt?? (Score:4, Interesting)

      by SkunkPussy (85271) on Wednesday February 19, 2014 @01:14PM (#46288123) Journal

      DD WRT has a history of GPL violations, so anyone who's cool doesn't use it!

    • by Alef (605149) on Wednesday February 19, 2014 @01:50PM (#46288509)

      This is an honest question.

      Is there any penetration testing or statistics that suggests that dd-wrt and the likes are more secure, or is this an it-runs-Linux-so-it-must-be-good knee-jerk assumption?

      I used to run dd-wrt on a router some years ago and liked it feature-wise and performance-wise. However, my confidence in its security took a pretty big hit when I read about this gaping security hole [cxsecurity.com] in 2009. It's the kind of issue that makes you doubt that some of the developers really know what they are doing.

  • by Anonymous Coward on Wednesday February 19, 2014 @10:19AM (#46286071)

    Pentesting the custom firmwares from projects like OpenWRT/DD-WRT/Tomato etc?

  • PFsense (Score:5, Informative)

    by johneee (626549) on Wednesday February 19, 2014 @10:20AM (#46286077)

    I have PFSense running on a virtual server, which I recommend to anyone. Perhaps not on the virtual server... it kind of adds a layer of complication that most people probably wouldn't care for, but it works well enough.

    http://www.pfsense.org/ [pfsense.org]

    Hopefully no huge flaw comes out on that without me noticing. That would be embarrassing.

    • Re:PFsense (Score:4, Interesting)

      by Spazztastic (814296) <[moc.liamg] [ta] [citsatzzaps]> on Wednesday February 19, 2014 @10:27AM (#46286161)

      I really liked pfSense but when I used it long ago it was very buggy. It may be time for me to give it another try. However, if you're familiar with the Cisco IOS CLI, Vyatta is another solution. I plan to set up a small low power box to be my router and only use my Linksys Router/AP combo (flashed with DD-WRT) as an access point. It gives you far more options in terms of management, and if you happen to seed a lot of Linux ISOs you don't have to worry about filling up the memory with the routing table.

      • I highly recommend the Ubiquiti EdgeMax Router lite. It's 99 bucks and runs a variant of Vyatta. Great little product.

        • Thanks, I may look into this. It'll be less expensive than the one I had originally spec'd out on Newegg.

      • by johneee (626549)

        If I remember correctly, I tried Vyatta, and because I don't know IOS, I flamed out trying to configure it.

        PFSense was only marginally more difficult than OpenWRT, so it kind of suited my level of expertise.

        With it being on a VM, it means that I have one box that is my router, file server, media server, and experimentation box all in one, which is convenient for me.

        It does mean that the hypervisor is - in theory - exposed to the net, but since it never communicates externally except through the router softw

        • There's a learning curve with Vyatta but once you catch on it's pretty easy. There's also plenty of guides online that'll get you started and a very friendly community.

          I didn't like the web interface of pfSense, and at the time of using it I was still pretty green with the Linux CLI so using that wasn't as much of an option. From what I can see there have been improvements, plus it's also been 7~ years since I used it, so I might give it a shot in a VM.

    • Re:PFsense (Score:4, Interesting)

      by Xenna (37238) on Wednesday February 19, 2014 @10:49AM (#46286409)

      Yeah, I've been running that stuff for years after getting frustrated with commercial routers. Has been extremely stable.

      Of course, being lazy I got it in appliance form from this place:
      http://www.applianceshop.eu/in... [applianceshop.eu]

      "Hopefully no huge flaw comes out on that without me noticing. That would be embarrassing."

      Ultimately it's a matter of (perhaps misguided) trust...

  • by Anonymous Coward

    I bet everyone is busy writing smug comments about closed source firmwares, but let's not forget that DD-WRT have had a similar bug. http://www.xtremesystems.org/forums/showthread.php?230880-Massive-DD-WRT-Security-Hole-%28Unauthenticated-Root-Control-Possible%29

  • by goombah99 (560566) on Wednesday February 19, 2014 @10:22AM (#46286105)

    I don't actually know if it matters or not but I prefer Apple over other wireless routers because it's so damn braindead easy to keep them patched. Apple just pushes out firmware updates (rarely). Every other router I've owned it was a struggle to figure out if it needed a patch, how to do it. Moreover it was a source of worry even when there wasn't a problem which alone was worth any relatively small cost differential.

    • by Anonymous Coward on Wednesday February 19, 2014 @10:36AM (#46286281)
      Apple is the next thing to godliness. Praise Apple. I wish I was an Apple. Eat me.

      [NO CARRIER]
      • by jythie (914043) on Wednesday February 19, 2014 @11:04AM (#46286601)
        Eh, to be fair, this is something they are doing right and a lot of manufacturers are not. Techie types sometimes freak out over being automatically patched with who knows what, but for the vast majority of users (including techie types), it is a good strategy.
        • It's a terrible strategy for any technical person. New bugs can be introduced. For a techie type, being able to test out new updates prior to rolling them into production is a must.

          • by syzler (748241)
            And the number of techie types that actually manage consumer grade routers for businesses, I would guess, is an extremely small cross section of techie types. Most businesses that actually employ a technician probably use at least something along the lines of a Juniper SRX as the public router. The point still stands, that automatic firewall updates are a good idea for the vast majority of consumers and techie types (just not in their professional arena). I must confess, that I have been using the Apple base
          • You realize, of course, that you don't have to update. It just notifies you. I like that little feature of the Apple routers (and OS X and iOS). Given that Apple, like every other vendor on this planet at least, pushes out updates that occasionally break things (Hi Microsoft!), I don't upgrade the moment the patch is available. I wait a week or so unless there is some overwhelming reason like some nasty exploit.

            Yes, it's not perfect. No, nobody is perfect. As has been mentioned on this thread and coun

  • by udippel (562132) on Wednesday February 19, 2014 @10:27AM (#46286149)

    I feel that all those links to WRT/PFSense/M0N0Wall/Tomato/etc are kind of redundant.
    Sufficient to understand, that the underlying concept of UPnP is an abomination; a sick and distorted concept that deserves nothing less than an immediate death sentence, and to be buried along with The Funniest Joke In The World; never to be resurrected again.
     

    • by drinkypoo (153816) <martin.espinoza@gmail.com> on Wednesday February 19, 2014 @10:34AM (#46286265) Homepage Journal

      Sufficient to understand, that the underlying concept of UPnP is an abomination; a sick and distorted concept that deserves nothing less than an immediate death sentence, and to be buried along with The Funniest Joke In The World; never to be resurrected again.

      So how do you propose that my game on a machine on NAT arranges to receive UDP through the firewall? I'm supposed to manually configure firewall rules for each game? And then change them all if my IP changes?

      • by Imagix (695350) on Wednesday February 19, 2014 @10:40AM (#46286321)
        IPv6.
      • Re: (Score:3, Funny)

        by Anonymous Coward
        Well, speaking on behalf of other posters here - you are probably supposed to spend all of your time configuring some linuxy version of iptables or some such on a custom router. Then you won't have to worry because you won't have time to play your game...
        • by idontgno (624372)

          Then you won't have to worry because you won't have time to play your game...

          Nah. You've just changed the game you're playing.

          XD

          I'm not sure how you win "iptables", but I'm not real sure how you win a lot of the games out there, so it's probably similar.

      • by 0123456 (636235) on Wednesday February 19, 2014 @10:52AM (#46286443)

        So how do you propose that my game on a machine on NAT arranges to receive UDP through the firewall?

        So go for convenience over security. But don't then complain when you install VNC on your PC and it automatically opens a port allowing everyone on the Internet to access it, and you didn't bother to set a password so your PC is now pwned by the first script kiddy who scans your router.

        UPnP is simply insane from a security standpoint. Random applications should not be opening random ports without explicit permission.

        • by clarkn0va (807617) <apt.get@gAAAmail.com minus threevowels> on Wednesday February 19, 2014 @11:22AM (#46286839) Homepage

          Mod parent up. UPnP is insecure by design. Its very purpose is to take security and control out of the hands of the user, and put it squarely in the hands of whatever happens to be running on your network.

          It's too bad that most people don't understand enough about network security to configure their own router, and a double shame that the kludge we call NAT has further broken network applications, but convenient "workarounds" like UPnP could only ever lead to problems like the summary lays out.

        • by drinkypoo (153816)

          So go for convenience over security. But don't then complain when you install VNC on your PC and it automatically opens a port allowing everyone on the Internet to access it, and you didn't bother to set a password so your PC is now pwned by the first script kiddy who scans your router.

          You don't know me very well. If I am to remote into Windows I use RDP, and if I permit it at all it's only to the local network. And for all my statements that network transparency is irrelevant to most X users, if I want to remote Unix, I'll use an ssh tunnel. Sure, uPnP is a minefield for novices. But for me, it's immensely useful. Also, on Windows XP or later, VNC won't just magically open up your machine. Windows will ask you if you want to permit network connections to VNC, and it's up to you to decide

      • by udippel (562132)

        While your logic looks okay at a first glance, it doesn't at a second.

        When a government has thousands of enraged citizens running towards the government building to set those on fire and loot them, some machine guns might be the means of choice. Though it ought to have been considered by the government du jour, what the reaction of the public will be, with the introduction of strict austerity measures, as well as jus primae noctis?

        There is no fundamental reason, really, to have 1000 games opening 1000 diffe

        • by drinkypoo (153816)

          There is no fundamental reason, really, to have 1000 games opening 1000 different ports for endless protocols on a home router.

          In a perfect world, all of those games would communicate using the best possible protocol, and all communications would be cleared through a central facility. Problem is, "best" can be defined in many ways. Thus, we have all games using the same underlying protocol, but then building protocol on top of protocol in order to carry out their communications in the way that makes the most sense to the developers (or whoever drew up the architecture at the time, which might have been a schizophrenic hive-mind of

      • by tlhIngan (30335)

        Sufficient to understand, that the underlying concept of UPnP is an abomination; a sick and distorted concept that deserves nothing less than an immediate death sentence, and to be buried along with The Funniest Joke In The World; never to be resurrected again.

        So how do you propose that my game on a machine on NAT arranges to receive UDP through the firewall? I'm supposed to manually configure firewall rules for each game? And then change them all if my IP changes?

        Suffice it to say, most games don't need UP

      • by devman (1163205)
        I play a lot of online games. I have had UPnP disabled on every network gateway I've owned precisely because it is ridiculously insecure. I have yet to find one that doesn't work properly with UPnP disabled. The only exception to this is when I was running a CS:GO server awhile back I had to create port forwarding rules so clients could connect, but setting up dedicated servers on residential networks isn't something non-advanced users do.
      • NAT should set up a rule to allow your machine to get packets as long as you send some packets there first. Unless your game machine is acting as a game server and getting packets from many hosts, it should just work. Otherwise, you could/should set up a port forward to your internal machine.

      • Configuring port forwarding is trivial on virtually any firewall, so yes, that's what you need to do if you want security.

      • by Ksevio (865461)
        Well there's the old NAT-PMP [wikipedia.org], though not many support that. The real answer is IPv6, but then the game needs to support it and all the players.

        Some games can do NAT hole punching.
      • by nestler (201193)

        Use static DHCP on your DHCP server and a UDP port forward. Your IP won't change (due to static DHCP which always gives the same IP address to a given Ethernet address) so it should never need to be updated. This is pretty straightforward with Tomato firmware.

    • by harrkev (623093)

      What is the problem with UPnp??? From what I understand, UPnP works like this:

      1) All devices inside the local network are considered "trusted"

      2) Trusted devices can poke holes in the firewall pointing only back to themselves.

      Assuming that UPnP is implemented properly, and assuming that an attacker is on the outside of the local network, there is nothing for an attacker to grab on to. Now, if an attacker is on the INSIDE of your LAN, then you are already boned.

      What am I missing?
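harrkev's two rules, written out as the access check a router's IGD service would have to make on an AddPortMapping request. This is an added example in Go, not code from the thread or from any firmware: the SOAP body is a constructed sample, the LAN subnet 192.168.1.0/24 is assumed, and refusing permanent leases and external ports below 1024 are policy choices for the example. It shows where the two assumptions break: the request may arrive on the WAN interface at all (the Rapid7 finding), and nothing in the body stops NewInternalClient from naming a different host, including the router's own admin interface, unless the router compares it against the address the connection actually came from.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/netip"
	"strings"
)

// The AddPortMapping arguments that matter for the access decision. Names are
// the WANIPConnection:1 argument names; encoding/xml matches on local name, so
// the SOAP namespace prefixes do not matter.
type addPortMapping struct {
	ExternalPort   uint16 `xml:"NewExternalPort"`
	Protocol       string `xml:"NewProtocol"`
	InternalPort   uint16 `xml:"NewInternalPort"`
	InternalClient string `xml:"NewInternalClient"`
	LeaseDuration  int    `xml:"NewLeaseDuration"`
}

type soapEnvelope struct {
	Body struct {
		AddPortMapping addPortMapping `xml:"AddPortMapping"`
	} `xml:"Body"`
}

// What the router knows about a request independently of what the body claims.
type requestCtx struct {
	FromWAN  bool       // arrived on the WAN interface
	SourceIP netip.Addr // address the TCP connection actually came from
}

var lan = netip.MustParsePrefix("192.168.1.0/24") // assumed LAN subnet

func LANRequest(src string) requestCtx { return requestCtx{SourceIP: netip.MustParseAddr(src)} }
func WANRequest(src string) requestCtx {
	return requestCtx{FromWAN: true, SourceIP: netip.MustParseAddr(src)}
}

// SampleRequest is a constructed AddPortMapping body, as a game on the LAN
// would send it, asking for external UDP 27015 to be forwarded to client.
func SampleRequest(client string) string {
	return `<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>27015</NewExternalPort><NewProtocol>UDP</NewProtocol>
<NewInternalPort>27015</NewInternalPort><NewInternalClient>` + client + `</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>game</NewPortMappingDescription>
<NewLeaseDuration>3600</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>`
}

// Decide enforces "a LAN device may only open holes that point back at itself".
// It returns the mapping to install, or an error naming the rule broken.
func Decide(ctx requestCtx, body string) (*addPortMapping, error) {
	if ctx.FromWAN {
		// The Rapid7 finding: SSDP/SOAP answered on the Internet side.
		return nil, fmt.Errorf("AddPortMapping from the WAN interface refused")
	}
	if !lan.Contains(ctx.SourceIP) {
		return nil, fmt.Errorf("source %s is not on the LAN", ctx.SourceIP)
	}
	var env soapEnvelope
	if err := xml.Unmarshal([]byte(body), &env); err != nil {
		return nil, fmt.Errorf("malformed SOAP: %w", err)
	}
	m := env.Body.AddPortMapping
	client, err := netip.ParseAddr(m.InternalClient)
	if err != nil {
		return nil, fmt.Errorf("NewInternalClient %q is not an address", m.InternalClient)
	}
	if client != ctx.SourceIP {
		// The classic abuse: forward a WAN port to the router's own admin UI
		// (192.168.1.1) or to some other host on the LAN.
		return nil, fmt.Errorf("%s asked for a mapping to %s; mappings may only target the requester", ctx.SourceIP, client)
	}
	switch strings.ToUpper(m.Protocol) {
	case "TCP", "UDP":
	default:
		return nil, fmt.Errorf("unknown protocol %q", m.Protocol)
	}
	if m.LeaseDuration <= 0 {
		// Policy choice for this example: no permanent mappings, clients must renew.
		return nil, fmt.Errorf("permanent mapping refused; request a lease")
	}
	if m.ExternalPort < 1024 || m.InternalPort == 0 {
		return nil, fmt.Errorf("port %d/%d outside the range this router allows", m.ExternalPort, m.InternalPort)
	}
	return &m, nil
}

func main() {
	cases := []struct {
		name string
		ctx  requestCtx
		body string
	}{
		{"game on .50 maps to itself", LANRequest("192.168.1.50"), SampleRequest("192.168.1.50")},
		{"malware on .50 targets the router UI", LANRequest("192.168.1.50"), SampleRequest("192.168.1.1")},
		{"same request arriving from the Internet", WANRequest("198.51.100.9"), SampleRequest("192.168.1.50")},
	}
	for _, c := range cases {
		m, err := Decide(c.ctx, c.body)
		if err != nil {
			fmt.Printf("%-42s REFUSED: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-42s ok: %s %d -> %s:%d for %ds\n", c.name, m.Protocol, m.ExternalPort, m.InternalClient, m.InternalPort, m.LeaseDuration)
	}
}
```

The requester-only rule is not in the IGD specification, which lets NewInternalClient name any LAN host, so a stock firmware that implements the spec as written hands every device on the LAN the ability to expose every other device; harrkev's "if an attacker is on the INSIDE you are already boned" assumes the LAN has no untrusted phones, smart TVs or guests on it.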

  • by andyring (100627) on Wednesday February 19, 2014 @10:27AM (#46286153) Homepage

    Yes, this is /. We can upgrade our router firmware or install other firmware. Joe Sixpack cannot.

    The blame for this should be laid squarely at the feet of the router manufacturers. IMHO, here's what Linksys/Cisco/Netgear/etc/etc/etc/ should do, at the very least:

    1. Be open and forthcoming about bugs found in their router software
    2. By default, routers should ship with automatic firmware updates enabled. This should be difficult to disable and robust enough that it'll *just work* with no user intervention.
    3. Tell this to their customers in plain English or $localLanguage on the product packaging. And NOT in fine print. Make it very obviously noticeable to the purchaser. This can and should be a significant selling point, really. If I'm at BestBuy/WalMart/etc. and see one router boldly telling me "We care about your security! To protect you and your data, this router will check weekly with $manufacturer and update itself to give you the most secure Internet experience possible." And it's sitting next to another router that says no such thing, I'd buy the one that will keep me safe.

    • by JDG1980 (2438906) on Wednesday February 19, 2014 @10:37AM (#46286295)

      By default, routers should ship with automatic firmware updates enabled. This should be difficult to disable and robust enough that it'll *just work* with no user intervention.

      The problem is that this kind of automatic update process can be a security hole in and of itself. If there is a way for a remote system to send updates to the router's firmware, then there is the potential for a malicious user to spoof the update and send their own custom-crafted exploit code.

      • by mcrbids (148650) on Wednesday February 19, 2014 @12:07PM (#46287427) Journal

        The problem is that this kind of automatic update process can be a security hole in and of itself. If there is a way for a remote system to send updates to the router's firmware, then there is the potential for a malicious user to spoof the update and send their own custom-crafted exploit code.

        Sure, that's why you sign your updates with decent (open source!) cryptography and embed your public key into the router's firmware.

        • by JDG1980 (2438906)

          Sure, that's why you sign your updates with decent (open source!) cryptography and embed your public key into the router's firmware.

          Yes, but if the people writing the factory firmware were that competent, routers wouldn't need updates every week to remain secure.

          How many show-stopper bugs are found in the open source firmwares? How many in firewalls like m0n0wall [m0n0.ch]?

          The underlying problem is that 99% of electronics firmware is crap. This isn't limited to routers – the hardware design is usually the pri
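The signed-update scheme mcrbids describes, as an added Go example (not code from the thread or from any vendor). The image layout and the choice of Ed25519 are assumptions for the example; what it demonstrates is the order of checks a router's updater needs: verify the signature before trusting anything in the payload, and refuse a correctly signed older release, because the spoofed update server in JDG1980's scenario can otherwise replay a known-vulnerable image that the vendor really did sign.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a release as the router downloads it. Layout assumed for this
// example: the signature covers Version||Image, so the version number cannot
// be altered without invalidating it.
type Update struct {
	Version uint32
	Image   []byte
	Sig     []byte // ed25519 signature over signedBytes(Version, Image)
}

func signedBytes(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}

// BuildUpdate is the vendor side: sign a release with the offline private key.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Sig: ed25519.Sign(priv, signedBytes(version, image))}
}

// Router is the device side. VendorKey is baked into the running firmware;
// Installed is read from flash.
type Router struct {
	VendorKey ed25519.PublicKey
	Installed uint32
	ImageHash [32]byte // hash of what is currently running
}

var (
	ErrBadSignature = errors.New("signature does not verify: refusing to flash")
	ErrRollback     = errors.New("not newer than the installed version: refusing to flash")
)

// Apply is the only path that writes firmware. Nothing in the payload is
// trusted before the signature check, and a valid signature on an old release
// is still refused: replaying a known-vulnerable image is an attack too.
func (r *Router) Apply(u Update) error {
	if !ed25519.Verify(r.VendorKey, signedBytes(u.Version, u.Image), u.Sig) {
		return ErrBadSignature
	}
	if u.Version <= r.Installed {
		return ErrRollback
	}
	r.Installed = u.Version
	r.ImageHash = sha256.Sum256(u.Image)
	return nil
}

// NewTestKeys stands in for the vendor's key generation.
func NewTestKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := NewTestKeys()
	r := &Router{VendorKey: pub, Installed: 3}
	fmt.Println("v4 signed by vendor:          ", r.Apply(BuildUpdate(priv, 4, []byte("firmware v4"))))
	tampered := BuildUpdate(priv, 5, []byte("firmware v5"))
	tampered.Image[0] ^= 1 // one bit flipped in transit
	fmt.Println("v5 modified in transit:       ", r.Apply(tampered))
	fmt.Println("v4 replayed after v4:         ", r.Apply(BuildUpdate(priv, 4, []byte("firmware v4"))))
	_, other := NewTestKeys()
	fmt.Println("v6 signed by a spoofed server:", r.Apply(BuildUpdate(other, 6, []byte("evil"))))
}
```

With the public key in firmware, the download path does not need to be trusted: a spoofed update server or a man-in-the-middle can only withhold updates, not push their own. What this does not solve is key rotation and what happens when the vendor's signing key leaks, and the version counter has to live somewhere an attacker with a shell on the box cannot reset.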

    • by Grishnakh (216268)

      The blame for this should be laid squarely at the feet of the router manufacturers.

      Ok, what good is that going to do? So a bunch of people get their home routers hacked, and you point the finger at the router mfgrs. Why should they care? What are you going to do about it? Declare that you're not going to buy from them any more? Haha, like they care; their customer base isn't Slashdot users, it's regular Joe Schmoes who don't read Slashdot or tech news, and just buy whatever the Best Buy salesman or Com

    • by msauve (701917)
      "By default, routers should ship with automatic firmware updates enabled"

      Let us know how that works out. [slashdot.org]
  • "Reuters Pose Biggest Security Threat To Home Networks"

    • by Sarten-X (1102295)

      I did my time in end-user support. I've been the one that has to explain to Granny that she doesn't need to panic every time she sees a new horror story on the news.

      Reuters may not be the biggest security threat, but they're certainly one of the biggest threats to sanity.

    • by bobbied (2522392)

      "Reuters Pose Biggest Security Threat To Home Networks"

      Problem is that they also are the biggest boon to computer security since the network was invented. I look back with less than fond memories of having my mother's windows box connected directly to the internet w/o any kind of firewall or even a NAT between her and the wild west. Oh those were the days!

      I'd much rather have even a flawed router between her machine and the bad guys. Even if they can compromise the router, that's at least one more step they have to go through, making her lowly Windows' box

  • I resisted wireless as long as I could because of this very issue. I can turn on my computer and see a dozen networks, and I live in the suburbs. Unfortunately, convenience and devices I wanted to use finally required it (can't use an iPad without wireless), so I caved a few years ago. Thankfully, I learned long, long ago that if I didn't want something on the Internet, I didn't let it near an Internet connected computer. I have an old laptop I use for personal things that is not connected to any inter
    • by ledow (319597)

      Which is one of the reasons that I treat wireless networks as hostile in my home, and you have to log in via VPN even if you're connected to my wireless.

      It's not hard. If you don't trust wireless, and you don't trust the Internet, treat them as the same thing.

      I've gamed and accessed my home network using OpenVPN on every client (over wireless and remote) for as long as I've had wireless. No extra ping on any half-decent hardware, utter security and who cares if - as in my case - WEP is flawed and then rep

    • by Grishnakh (216268)

      You sound totally paranoid. If you want to be quite reasonably secure and have WiFi, all you have to do is make sure you're using WPA2 encryption. Better yet, make sure you're using an alternative firmware like OpenWRT or DD-WRT, and keep WPS and uPnP off no matter what you use.

      I don't think I've even heard of someone getting their WiFi hacked when WPA or WPA2 was being used; people only get their home WiFi "hacked" when they either use no security whatsoever, or WEP (WEP is trivial to hack). And even th

    • Don't forget to hard disable the microphone on the laptop if it has one. There is a malware that can communicate using high frequency sound, from a networked machine to un-networked one. Of course both machines have to be infected. Probably with a virus attached to a file of the networked box.
      • Don't forget to hard disable the microphone on the laptop if it has one. There is a malware that can communicate using high frequency sound, from a networked machine to un-networked one.

        I think that is about as likely as getting molested by a unicorn.

        Seriously folks, I'm all for reasonable amounts of security but this sort of thing is just hide under the bed paranoia.

    • by timeOday (582209)
      Sure, lose sleep over the notion of somebody parking on your street to crack your WEP and snag your HTTPS streams for offline analysis.

      Meanwhile 70 million credit card numbers were stolen from Target.

  • design goals that emphasize usability over security

    I wonder why usability was able to sell more than security? Hmm. Let's think about that.

    Meanwhile, a January 2013 study from Rapid7 found 40 million to 50 million network-enabled devices, including nearly all home routers, were vulnerable to exploits using UPnP.

    Man, and I can't get my home router to do UPnP. It's bad that UPnP allows for the configuration of the router to come from a machine outside of the network, but that should get fixed and UPnP should be able to start behaving like it is designed to.

    • by 0123456 (636235)

      Man, and I can't get my home router to do UPnP. It's bad that UPnP allows for the configuration of the router to come from a machine outside of the network, but that should get fixed and UPnP should be able to start behaving like it is designed to.

      Considering UPnP is broken by design, that's not really an improvement. Replacing a security hole in the router by a hundred apps that want their own ports to expose their own security holes to the Internet doesn't help much.

  • Commercial, closed-source products just tend to have these problems and it's pie-in-the-sky to wish for a vendor to produce a secure product. If you want it secure, probably your best bet is an open source, open hardware mini server (like cubieboard or Raspberry Pi) and you're going to have to learn to do it yourself.
  • Custom Router (Score:5, Interesting)

    by shellster_dude (1261444) on Wednesday February 19, 2014 @10:47AM (#46286401)
    After I found that my ASUS RT-15U was running telnet with a default password, open to the world which I couldn't kill or change the password on, I swore off embedded device routers.

    I have replaced it with a small Debian box with dual NICs, and bought a 24port switch from TPLINK. It was the best decision I have ever made. Perfect reliability, complete control, via IPTABLES. I've got auto blocking of malicious IPs trying to hit my ssh or port scanning me via DenyHosts and PSAD.

    A couple other custom scripts and DNSMASQ, dhclient, snort, and python, and I have all the other services and features I want, and ONLY the services and features I want.
  • Forgive me if I'm wrong, but wasn't OpenWrt based on this same firmware? Or is this bug with the VxWorks-based firmware that Linksys later switched to?

    • by Minwee (522556)

      Forgive me if I'm wrong, but wasn't OpenWrt based on this same firmware? Or is this bug with the VxWorks-based firmware that Linksys later switched to?

      OpenWRT is a Linux distribution designed for routers. It often uses kernel modules provided by manufacturers such as Linksys, but is not a clone of the entire system.

      You could also follow the first link in the summary [sans.edu], which describes the bug and has this to say:

      "Only routers running stock firmware are vulnerable. OpenWRT is not vulnerable to this issue."

  • by bzipitidoo (647217) <bzipitidoo@yahoo.com> on Wednesday February 19, 2014 @10:57AM (#46286511) Journal

    The default password, when it is the same default password across all units of the same model or even the same manufacturer, is easy to exploit. Any website can send the user's browser some code that instructs it to attempt to log in via the user's router's web interface with the default password. It works because the user's browser is behind the firewall and therefore "trusted". Once logged in, it's trivial to reconfigure the router to open up all kinds of holes. Harder but still doable is getting the router to host and run malware itself.

    The admin password is the first thing I change on a new router. Manufacturers who still don't individualize the factory set password are responsible for a lot of these problems.

    • That would have to rely on said browser having an exploitable XSS vulnerability to work, however.
    • Manufacturers who still don't individualize the factory set password are responsible for a lot of these problems.

      Isn't that all of them? I'd love to know which manufacturers (if any) actually individualize the passwords.
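The attack bzipitidoo describes is a cross-site request forgery: the victim's own browser, carrying the credentials it has cached for the router, submits the request from a page the attacker controls, so no browser vulnerability is needed. Added Go example, not code from the thread or from any router firmware; the endpoint paths, the factory credentials and the request body are constructed for the example. The vulnerable check accepts any authenticated request; the hardened one also requires the Origin (or Referer) header to name the router itself, and while the factory password is still set it refuses to do anything except change it.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Factory credentials, identical on every unit shipped.
const factoryUser, factoryPass = "admin", "admin"

// AdminUI is the router's web interface. Host is the address the LAN reaches
// it at; Password starts as factoryPass until the owner changes it.
type AdminUI struct {
	Host     string
	Password string
}

// NewRequest builds what the browser actually sends: a POST to the router's
// config endpoint, the credentials the browser has cached for that host
// (Basic auth), and Origin set by the browser to the page that caused the
// request. Constructed for this example; the body is an arbitrary config change.
func (a *AdminUI) NewRequest(origin, user, pass string) *http.Request {
	req, err := http.NewRequest("POST", "http://"+a.Host+"/apply.cgi", strings.NewReader("wan_dns=203.0.113.53"))
	if err != nil {
		panic(err)
	}
	req.SetBasicAuth(user, pass)
	req.Header.Set("Origin", origin)
	return req
}

func (a *AdminUI) authenticated(req *http.Request) bool {
	u, p, ok := req.BasicAuth()
	return ok && u == factoryUser && subtle.ConstantTimeCompare([]byte(p), []byte(a.Password)) == 1
}

// checkVulnerable: credentials are the only gate. A hidden, auto-submitting
// form on any website the owner visits is treated exactly like the owner.
func (a *AdminUI) checkVulnerable(req *http.Request) int {
	if !a.authenticated(req) {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// checkHardened adds the two checks a browser-driven attacker cannot satisfy.
func (a *AdminUI) checkHardened(req *http.Request) int {
	if !a.authenticated(req) {
		return http.StatusUnauthorized
	}
	// The browser sets Origin (or Referer) itself from the page that sent the
	// form; script on another site cannot change it. Require it to name the router.
	if !sameOrigin(req, a.Host) {
		return http.StatusForbidden
	}
	// Password still at the factory value: the only action allowed is changing it.
	if a.Password == factoryPass && req.URL.Path != "/setpassword" {
		return http.StatusForbidden
	}
	return http.StatusOK
}

func sameOrigin(req *http.Request, host string) bool {
	src := req.Header.Get("Origin")
	if src == "" {
		src = req.Header.Get("Referer")
	}
	if src == "" {
		return false // browsers send one of them on a form POST; treat absence as cross-site
	}
	u, err := url.Parse(src)
	return err == nil && strings.EqualFold(u.Hostname(), host)
}

// The handlers an http.ServeMux would mount at /apply.cgi.
func (a *AdminUI) ApplyVulnerable(w http.ResponseWriter, req *http.Request) { w.WriteHeader(a.checkVulnerable(req)) }
func (a *AdminUI) ApplyHardened(w http.ResponseWriter, req *http.Request)   { w.WriteHeader(a.checkHardened(req)) }

func main() {
	a := &AdminUI{Host: "192.168.1.1", Password: factoryPass}
	forged := a.NewRequest("http://evil.example", "admin", "admin") // submitted by a page the victim visited
	fmt.Println("forged request, vulnerable handler:", a.checkVulnerable(forged))
	fmt.Println("forged request, hardened handler:  ", a.checkHardened(forged))
	a.Password = "per-unit-s3cret"
	fmt.Println("owner from the router's own UI:    ", a.checkHardened(a.NewRequest("http://192.168.1.1", "admin", "per-unit-s3cret")))
	fmt.Println("forged request with factory creds: ", a.checkHardened(forged))
}
```

A per-session anti-CSRF token embedded in each form is the usual primary defence; the Origin check is the cheap one that fits in a firmware image, and the forced password change is what turns a shared factory password into a per-unit one without the manufacturer having to print a different label on every box.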

  • If only there were an easily upgradeable open source router operating system to which vendors could add support for their hardware leaving long term maintenance to a larger community.

    If only it supported routers with built-in ADSL (which was the dealbreaker last time I looked at DD-WRT - and it took me some digging to discover that was why none of the routers I wanted to use it on).

    If that's since been fixed - and supports a router I can actually buy somewhere - then mod me happy.

    Personally, I could put together a low-power Linux box, get an ADSL modem, an ethernet switch, wireless access point (sounds like Belinksysco crap would be just as big a liability in WAP-only or modem-only mo

  • by bobbied (2522392) on Wednesday February 19, 2014 @11:09AM (#46286677)

    So this article is saying that routers are *bad* things for security right? Not so fast...

    In my view, having a router, even an imperfect one, between you and the internet is a *GOOD* thing for security. Yes, routers might be security risks, but NOT having them is an even WORSE risk.

    Does *anybody* out there remember what it used to be like? It wasn't that long ago that the standard internet connection was for ONE machine and used a PPP connection that pretty much put your Windows (mostly) box directly on the internet. When all this got started, we didn't even have software firewalls. Imagine having a Windows 95 box with all the standard services on a routable IP address. It WAS extremely risky. I remember having unsolicited popups coming up all the time and bothering me with all manner of advertisements. It was a mess and security was extremely lacking.

    But then we had the dawn of consumers using routers, and doing all the same exploits became harder because of the NAT. Then routers added stateless firewalls, then stateful firewalls, and closed many of the avenues used by the "bad guys" to gain control of your system.

    Consumer grade routers have been a HUGE boon to network security in the consumer world. Do they have flaws? Many do, but their contribution to overall security is worth more to me than the risks they may pose. Give me a router, even a flawed one, over nothing. Making the bad guys work harder is a good thing for security, and a flawed router does that.

    It's not that we shouldn't be discussing how routers should be made more secure. Obviously we want them to improve. It's just that we cannot lose sight of how far we've come BECAUSE of these things.

    • by hAckz0r (989977)
      What is the one thing worse than having a Bot on your desktop machine? Having a stealth Bot controlling your network, having access to all your hosts, playing man-in-the-middle for all your "secure" SSL/TLS banking and credit-card connections. And you have no clue that it is even there. At least when you get a Bot on your local desktop machine you will have clues that something is spinning CPU and taking up disk space, if you are smart enough to notice those things. When a bot controls and sees everything,
      • by ttucker (2884057)
        Besides spying on you, the router itself could likely be used in a botnet as well. Think, origination of DDoS attacks, sending spam, anonymous hop for criminal activity (with your name on it).
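
The progression bobbied describes above (NAT, then stateless, then stateful firewalls), as an added simulation that is not part of the original thread or of any router's firmware: two toy packet filters fed the same constructed traffic, showing why a connection-tracking filter closes avenues a stateless rule set cannot. The addresses, ports, and the `Packet`, `StatelessFilter` and `StatefulFilter` names are assumptions made for the example; nothing here touches a real interface.

```python
"""Stateless versus stateful packet filtering (added simulation, not any
vendor's firmware code).

The comment above describes consumer routers moving from plain NAT to
stateless and then stateful firewalls.  This toy model shows the difference
for an unsolicited inbound packet: a stateless rule can only judge the packet
in front of it, while a connection-tracking filter admits inbound packets only
when they answer a flow a LAN host opened.  Addresses and ports are
constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str            # "out" = LAN -> WAN, "in" = WAN -> LAN
    proto: str                # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)   # TCP flags


class StatelessFilter:
    """Pre-conntrack rule set: anything out; in only for TCP with ACK set,
    the old approximation of 'replies only'.  UDP replies carry no such bit,
    so a stateless rule set must either drop them or open ports wholesale."""

    def handle(self, pkt):
        if pkt.direction == "out":
            return "accept"
        if pkt.proto == "tcp" and "ACK" in pkt.flags:
            return "accept"
        return "drop"


class StatefulFilter:
    """Connection-tracking filter keyed on the 5-tuple of flows the LAN side
    started; an inbound packet is accepted only if it is the reverse of one."""

    def __init__(self):
        self.flows = set()

    def handle(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "accept" if reverse in self.flows else "drop"


def run_scenario():
    """Feed the same constructed traffic to both filters, in order.
    Returns {name: (stateless verdict, stateful verdict)}."""
    lan, bank, resolver, stranger = ("192.168.1.10", "203.0.113.5",
                                     "203.0.113.53", "198.51.100.9")  # constructed
    ack, syn, synack = frozenset({"ACK"}), frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    traffic = [
        ("lan opens https", Packet("out", "tcp", lan, 51000, bank, 443, syn)),
        ("bank replies",    Packet("in",  "tcp", bank, 443, lan, 51000, synack)),
        ("lan sends dns",   Packet("out", "udp", lan, 40000, resolver, 53)),
        ("dns reply",       Packet("in",  "udp", resolver, 53, lan, 40000)),
        ("unsolicited syn", Packet("in",  "tcp", stranger, 4444, lan, 8080, syn)),
        ("unsolicited ack", Packet("in",  "tcp", stranger, 4444, lan, 8080, ack)),
    ]
    stateless, stateful = StatelessFilter(), StatefulFilter()
    return {name: (stateless.handle(p), stateful.handle(p)) for name, p in traffic}


if __name__ == "__main__":
    print(f"{'packet':18}{'stateless':12}{'stateful'}")
    for name, (a, b) in run_scenario().items():
        print(f"{name:18}{a:12}{b}")
```

The two rows that differ are the whole story: the stateless filter drops the legitimate DNS reply (pushing vendors toward leaving ports open for usability) yet accepts a stranger's inbound packet merely because it carries the ACK flag, while the stateful filter gets both right because it remembers which flows the LAN side opened. Real conntrack additionally tracks TCP state transitions and expires idle entries; this model keeps only the lookup that makes the difference.
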
  • The biggest security threat to computers is the user. Users improperly configure things, won't take security precautions (like using weak passwords) and will outright download viruses/malware. Far too many users are not competent enough to tell the difference between a real popup window and a website claiming they have a virus and they need to install their trojan horse immediately.

  • by BUL2294 (1081735) on Wednesday February 19, 2014 @11:22AM (#46286837)
    I seriously doubt that Belkin will put out firmware updates for all the old $50 Linksys router models they inherited support for--instead opting to push users to buy replacement models they otherwise wouldn't need. The likely answer is NO--even with a class-action lawsuit. (In all actuality, a 2006-era 2.4GHz 802.11G WPA2 router is still more than plenty for the crappy broadband speeds available in North America...)

    This is what scares me about the Internet of Things when it comes to long-life appliances that you could own/use for decades... How long will manufacturers (many of whom have 0 experience so far with connecting their products to anything but a power cable) continue to support these devices? Ultimately, government regulation may be required in this space. God knows I wouldn't want my IoT refrigerator to get "bricked" (a really heavy, big brick!) after 20 years because the manufacturer went under & the fridge couldn't phone home... Or worse, because someone found a backdoor that had been in place for all models in use for 9 years before my model was developed...
    • by ttucker (2884057)
      I have been thinking this about the internet of things as well. Then when they roll out IPv6 we can put all of our extremely dated hardware directly on the internet!
    • This sort of issue is why the Free Software Foundation was created. It wasn't because Stallman had some kind of political agenda, it's because he wanted to fix the driver for his printer, but couldn't because it was proprietary. The "Internet of Things" has the exact same problem, and the exact same solution.

  • Is an Ubuntu machine with three NICs. The firewall is configured with the Shorewall utility. It only needs to be rebooted for kernel updates.
  • by Lumpy (12016) on Wednesday February 19, 2014 @11:49AM (#46287179) Homepage

    There are options for more secure but they fight the hardware hackers instead of embracing them. If they would reach out to the communities and work with them or PAY these groups like OpenWRT to write their firmware they would end up with a better product.
