Zero-Day Bugs In Numerous Modems/Routers Could Compromise Millions of Users (softpedia.com)
An anonymous reader writes: Researchers have discovered a large number of zero-day flaws in 8 routers/modems from 4 manufacturers (ZTE, Huawei, Gemtek, Quanta) that would allow attackers to build a huge botnet by leveraging just a few exploits. Vulnerabilities include remote code execution, firmware rewrites, XSS, and CSRF. All these allow attackers to intercept both HTTP and HTTPS Web traffic, infect computers beyond the modem, intercept SMS messages, and detect the modem's geographical location. After six months, manufacturers have failed to fix the issues.
Openwrt (Score:5, Interesting)
This is why the ability to install secure and Open Source firmware like OpenWrt is so important.
https://openwrt.org/ [openwrt.org]
Re: (Score:2, Funny)
The Chinese will just move the backdoors deeper into the hardware.
We're long passed the point of no return on this one.
Re: (Score:2)
Past.
(I had "We passed the point of no return on this one a long time ago." and just moved shit around. Oopsie doopsie poopsie.)
Re: (Score:2)
I'm still on barrier breaker; my router isn't supported by chaos calmer (yet)?
If there's a flaw in the older version... I'm pretty much in the same boat as anyone with default firmware would be.
Re: (Score:2, Interesting)
Buy a new router. Routers which are supported by the latest OpenWRT release can be bought for less than $20. You don't need a fancy gigabit router on the edge of your home network. I would tell you what to get and where and how much it actually costs, but Google won't let me search US shops, because apparently a search engine should under no circumstances let me search anything outside my area. Fuck this, the internet is dead. Why have a router when the internet is like this. What we need are VPN gateways t
Re: (Score:2)
You don't need a fancy gigabit router on the edge of your home network.
My internet is currently 120/6; so 100mbps isn't sufficient. I also want my openwrt box to have plenty of ram, cpu, and space, so that I can play with openwrt without worrying too much about running into the limits of the hardware. I have a Dlink dir-835 right now.
I'm open to replacing it with something that will likely be supported by new versions of openwrt sooner than later.
I -like- having wifi AP all built into one box, but separating them into two separate boxes would make openwrt easier than I
Re: (Score:2)
I'm still on barrier breaker; my router isn't supported by chaos calmer (yet)?
If there's a flaw in the older version... I'm pretty much in the same boat as anyone with default firmware would be.
What hardware do you have that isn't supported?
Re: (Score:2)
What hardware do you have that isn't supported?
Dlink DIR-835
https://wiki.openwrt.org/toh/d... [openwrt.org]
As I wrote elsewhere in the thread:
My internet is currently 120/6; so 100mbps isn't sufficient. I also want my openwrt box to have plenty of ram, cpu, and space, so that I can play with openwrt without worrying too much about running into the limits of the hardware. I have a Dlink dir-835 right now.
I'm open to replacing it with something that will likely be supported by new versions of openwrt sooner than later.
I -like- having wifi AP all built into one box, but if separating them into two separate boxes would make openwrt easier then I'm game to consider it.
Re:Openwrt (Score:4, Insightful)
OpenWRT is really good. I won't buy a router now unless it's on the OpenWRT supported hardware list.
Re: (Score:3)
No freakin' way. They should switch to systemd instead.
Re: (Score:2)
So the Router firmware that everyone here coos about actually uses a sucky firewall?
Netfilter != pf.
Typical F/OSS Fail.
So pick another one like http://www.smallwall.org/ [smallwall.org] or http://www.pfsense.org/ [pfsense.org] or whatever. The nice thing about FOSS is choice.
Re: (Score:1)
So the Router firmware that everyone here coos about actually uses a sucky firewall? Netfilter != pf. Typical F/OSS Fail.
So pick another one like http://www.smallwall.org/ [smallwall.org] or http://www.pfsense.org/ [pfsense.org] or whatever. The nice thing about FOSS is choice.
But that's like saying you really only have one choice: Both smallwall and pfsense are simply Derivatives of the now-abandoned (like so many other F/OSS Projects), M0n0wall.
And since smallwall's main focus is "Small and Lean" [smallwall.org], rather than "Robust and Complete", I would think that using it wouldn't be a step "up" in the world of firewall-dom.
As far as pfsense goes, I can't figure out where it lives, since it is considered a Derivative of m0n0wall, but yet it lists pf as a dependency. So??? Heck, even iOS
Re: (Score:2)
And while it is small and lean, it has the enterprise firewall features you would expect like VPN support.
Re: (Score:3)
As in all of life, it depends. It depends on what you want your router to actually do...
Personally, I use OpenWRT on a couple of WNDR4300's that I picked up off of eBay over time, but I went with this router because it was CHEAP and had a VLAN capable switch. Even though I use this device, I'd not suggest it to others because currently the OpenWRT build for it is something you have to do on your own, not that it's hard, it's just time consuming.
But more to your question.. How do you know what hardware i
Re:Openwrt (Score:5, Informative)
So, here's the problem with that:
As well as:
So, the real problem is these modems belong to the telco, you probably can't change the firmware, and the bugs in some cases seem to have been introduced by the telcos.
No amount of open source ANYTHING is going to fix telcos who are providing customers with modified versions of the routers which they've done a poor job of changing.
EVEN if the original companies release fixes, the telcos are likely too lazy/cheap/indifferent to fix the damned things, and users can't exactly swap out the modems.
Shit like this is why companies need to bear some legal responsibility, and why telcos should be barred from modifying equipment for their own purposes -- their desire to brand it or add their own special functionality as often as not leaves users with abandoned devices which can't be fixed.
Any sufficiently advanced incompetence is indistinguishable from malice. And this is some pretty advanced incompetence.
Re: (Score:2)
I strongly suspect in a lot of cases it is a requirement. ISPs tend to just sort of tell you what they're doing and don't much care what you think of it.
Re: (Score:2)
Why not? Are you required to use the ISP's modem and router...?
With Uverse, yes.
With Comcast for static IP addresses, yes. (But you can put your real router behind theirs and turn off NAT.)
A lot of ISPs consider their "customers" personal property.
Re: (Score:2)
Personally, I DON'T run the Telco provided router and I suggest you not use it either. In fact, my ISP sent me a new router just last week and I don't plan to even unwrap it. Go buy your own, load your choice of open source firmware on it and leave the ISP's router in the box.
If you are REQUIRED to run the ISP's router, put your own router *behind* it and hide your whole network from your ISP either by using NAT or have a very strict firewall rule set (or both). (i.e., create a DMZ and put your network b
Re: (Score:2)
OpenWRT runs on 3G/4G modems?
Re: (Score:2)
For hackers, maybe.
For the vast majority of the population (myself included) a router is a fire-and-forget thing. It's set up, it works, that's it. I never log in to my router to see if there's a firmware update (even while I faintly remember there is such an option, most people won't realise this at all). I don't get notified that there is a new update, so will have to remember and manually check for it. That just doesn't happen, and I like to play with those devices. Most people are less interested and re
And the cycle begins anew (Score:3)
Cue those calls continuing to fall on deaf ears.
I mean, let's face it, barring something cataclysmic this just ain't going to happen.
Arguably there are trade secrets contained within the firmware, which could be exploited by competitors. Motorola wouldn't want Xoom to find out that a commonly used algorithm for dealing with DOCSIS comms is in fact less efficient than another one they dug up, nullifying their competitive edge. And likewise D-Link wouldn't want you to find out that there's a critical problem with their router that can't be fixed in firmware. So they're going to fight this.
Auditable firmware would also expose management controls used by telecoms and ISPs. This would expose their capabilities, and how they work. People wouldn't just know how far reaching these controls are, but also how limited they are. It could raise the specter of nefarious people reverse engineering access to those controls, and doing things they aren't supposed to do. So they're going to fight it too.
Then there are legislative bodies. Auditable firmware could not only expose any backdoors that are currently in use, but expose any they try to implement in the future. So they're going to do what politicians do best and try to sweep the whole thing under the rug.
This leaves us, thankfully, with at least one ally: The FCC, who have said they will not be blocking the use of third party firmware on wireless devices [arstechnica.com], so at least we can still retreat to open sourced firmware wherever possible, instead of relying on others to open up code for us.
Re: (Score:2)
The problem is that almost everything is going to have some sort of a security problem at some point, so where is the line drawn?
Re: (Score:1)
likewise D-Link wouldn't want you to find out that there's a critical problem with their router that can't be fixed in firmware. So they're going to fight this.
Is D-Link going to fight against customers who open the box and try to use the thing? Because that's how I found out that my D-Link routers had critical problems that couldn't be fixed in firmware (not that D-Link would bother doing so if they could).
Re: (Score:1)
It's a Pyrrhic victory, because I'm not buying their fucking shit anymore, and neither is anyone in my sphere of influence (work, friends, family, neighbors, etc.).
They don't exactly have a stranglehold on the market, yet they behave like there are no alternatives. The only more egregious example of "Nah, fuck you, customer." I've seen was with OCZ. We all know how that turned out.
Re: (Score:2)
Pretty sure Comcast has a remote management interface so they can turn on and off that Xfinity Wifi access point. Or so you can customize your Wifi access point via an app on your phone [xfinity.com].
Your telecom/ISP may not have full access to any hardware you own, but there's still hardware you rent, and publishing the source of the firmware for that is something I doubt they would want.
Re: (Score:2)
Huawei makes a cellular wireless router modem that I was just supporting for a customer last week. Cost like $400 bucks, takes a sim card and I was getting like 80mbps over LTE network. This is for a contractor who works in the field out of their truck. So they are out there, even if they aren't as common in the consumer arena as netgear or linksys.
Re: (Score:2)
Huawei supply a lot of ISPs with routers in the UK; TalkTalk, amongst others.
Fuck technology (Score:1)
Re: (Score:2)
LOL .. in Soviet Russia, technology fucks you!!
And everywhere else in the world.
All hail the wall wart (Score:2)
More and more I tend to think the number one protector of consumer and small business gateways is the wall wart, which predictably fails every 2-5 years, giving the appearance of a new device being needed, thus another temporary improvement in security. I suspect that one day, a clever malware maker will figure out how to grab voltage and current in the device and inform the users a new power supply is required.
Personally, I run pfSense on an Atom board with numerous NICs.
All Chinese? (Score:2)
Re: (Score:2)
As an IT professional this is why I always stress using Cisco equipment for home networking equipment. A good example is the Cisco RV325 router, or the Cisco RV180W for wireless that are both strong in design, and reasonably priced for home use.
But apparently you can't use punctuation [newegg.com] in the router's password.
Liability is Coming (Score:2)
"After six months, manufacturers have failed to fix the issues."
That kind of crap will eventually cause Congress to enact legislation to make manufacturers liable for unpatched vulnerabilities.
No reference to upgrades (Score:3)
HTTPS interception (Score:2)
Re: (Score:2)
TFA tells about intercepting HTTPS. How does a modem-router flaw allow that, since HTTPS is an end to end protection?
It allows you to capture the encrypted packets. :) Of course, some of that encryption is trivially easy to crack, but not all. Shhh... You are spoiling the article.