Bugs In Belkin Routers Allow DNS Spoofing, Credential Theft 48
Trailrunner7 writes: The CERT/CC is warning users that some Belkin home routers contain a number of vulnerabilities that could allow an attacker to spoof DNS responses, intercept credentials sent in cleartext, access the web management interface, and take other actions on vulnerable routers. The vulnerabilities affect the Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17, and potentially earlier versions of the firmware, as well. The vulnerabilities have not been patched by Belkin, the advisory from the CERT/CC says there aren't any practical workarounds for them. "DNS queries originating from the Belkin N600, such as those to resolve the names of firmware update and NTP servers, use predictable TXIDs that start at 0x0002 and increase incrementally. An attacker with the ability to spoof DNS responses can cause the router to contact incorrect or malicious hosts under the attacker's control," the advisory says.
good news (Score:5, Funny)
Good news: an upgrade is available. Bad news: it is a hardware upgrade.
Bugs? (Score:2)
Bugs? In a Belkin product? Say it ain't so!
Re: (Score:1)
Re: (Score:1)
Now that's a little unfair. The chance of the suspect being black is largely based on region. As we all know, black suspects rarely appear on national news, regardless of what heinous crimes they may commit. Only in the most scandalous and shocking cases do we see them reported nationally.
National stats: black males are around 7% of the population. They are charged with 50% of the murders. Even if half of all those charges are dropped (theyre not), they are disproportionately violent. Mostly against other blacks.
Re: (Score:2)
That's because whites get a job working for the store and -then- they steal from it.
Re: (Score:2)
Just upgrade to DD-WRT or OpenWRT. Who still uses manufacturer-provided router firmware anyway?
Re:good news (Score:5, Informative)
(Potentionally) Not for long... [hackaday.com]
Re: (Score:2)
I don't understand why manufacturers insist on bundling their own crappy firmware anyway...
It always has less features than dd-wrt, costs them money to develop and maintain (which they then try to minimize, thus making the firmware even worse), and generates bad publicity when their corner cutting invariably comes back to bite them in the ass through security holes and bad publicity...
They would all be much better off just bundling dd-wrt and using the money they would have spent on development to contribut
Re: (Score:2)
Re: (Score:2)
You're forgetting about Buffalo. They have a whole line of routers running DD-WRT from the factory.
Re: good news (Score:1)
Re: (Score:2)
If you do start such a company, you'll be competing against Buffalo. They use DD-WRT firmware.
http://www.buffalotech.com/pro... [buffalotech.com]
Re: (Score:2)
I don't get why manufactures don't just don't put effort into getting OpenWRT, or DDWRT on their routers since it seems like it would be less effort than maintaining their own shit pile of code. For those few consumers who care it would make their lives easier while the vast number of general user wouldn't know the difference.
Re: (Score:3)
Probably due to NDAs they have with component manufacturers.
Who cares (Score:2)
If you care enough to compromise the upstream WAN the router is fucked anyway.
A semi workaround (Score:1)
Turn off all automatic upgrades. Do it manually, verifying the source in the process.
Re: (Score:2)
Even if you ignore the fact that this "sentence" has no verb, it still isn't clear what you mean. Are you saying that there's no way to set the router up so that it doesn't require a password (good) or that you can't set it to require a password (bad)?
Is there an uptick? (Score:1)
There was just a vulnerability reported not long ago on Slashdot and another one was just a few weeks before that as I recall. Is there an uptick in crappy code or is there just more eyeballs on routers now than there used to be?
Re: (Score:1)
The whole IoT is going to be grand, isn't it?
Sounds like what we need (Score:2)
is a firewall for the firewall.
I just don't understand how people who design commodity networking gear can be so bad at network security.
I am by no means a network expert, but it seems as though some of these things are just common sense....
- Don't have ports open to the Internet ("stealth" or otherwise) by default
- Don't use unencrypted protocols... period
- Don't enable wireless by default
Seems like just doing those things our routers would be a lot safer than they are now.
Re: (Score:2)
Really? Pick any of the following:
Lazy, incompetent, cheap, unaccountable, indifferent, greedy
Right now, companies have no liability for writing products with shit security. So on pretty much a daily basis we hear about products with shit security.
At this point I mostly assume any consumer technology which is designed to connect to a network is riddled with security holes. Because companies are lazy,
Re: (Score:2)
Right now, companies have no liability for writing products with shit security. So on pretty much a daily basis we hear about products with shit security.
At this point I mostly assume any consumer technology which is designed to connect to a network is riddled with security holes. Because companies are lazy, incompetent, cheap, unaccountable, indifferent, and greedy.
It's a company's **job** to be greedy. Their sole purpose is to make money, so anything that detracts from that is by definition a bad thing.
T
Re: (Score:2)
But surely if the product starts to function in a degraded manor because it was pwned due to bad security, this affects the manufacturer too when people don't buy that product any more because it is crap...
Re: (Score:2)
But surely if the product starts to function in a degraded manor [sic] because it was pwned due to bad security, this affects the manufacturer too when people don't buy that product any more because it is crap...
That's not a problem for two reasons:
1) People are stupid. They'll just buy another one, blame "the hackers", etc.
2) Even if the company's reputation gets dragged through the mud, it won't matter because the CEO will have already left with his golden parachute. The only thing that's important is t
Re: (Score:2)
The thing is, they don't necessarily need to be that good at network security. They can write the crappiest code in the world but it doesn't take a genius to create a simple iptables rule to block all new incoming traffic. Or to use HTTPS when checking for new firmware. The little Linux distro they are probably using (because they are cheap) has this functionality. No extra coding or time required.
It seems to me that if you have the knowledge to design the hardware, you know networking.... where is the disc
Re: (Score:2)
Was I unclear?
Lazy, incompetent, cheap, unaccountable, indifferent, greedy
Choose any of the above. It really is that simple.
Re: (Score:2)
I just don't understand how people who design commodity networking gear can be so bad at network security.
I am by no means a network expert, but it seems as though some of these things are just common sense....
To you maybe, but not to a manager.
- Don't have ports open to the Internet ("stealth" or otherwise) by default
But then their back doors won't work.
- Don't use unencrypted protocols... period
But then some idiot customers will complain.
- Don't enable wireless by default
But this makes it easy for idiot c
Re: (Score:2)
is a firewall for the firewall.
I just don't understand how people who design commodity networking gear can be so bad at network security.
Another response to your inquiry handles the cynical/pragmatic answer, but there's another half to it: Unfortunately, 'commodity networking gear' has to work for the same type of people who install 'flashlight' apps on their phones that require access to contacts and GPS. If you and I had our druthers, SOHO routers would ship with DD-WRT or PFSense out of the box...but unfortunately, these boxes get sold at Wal-Mart...to the kinds of people who buy routers at Wal-Mart.
I am by no means a network expert, but it seems as though some of these things are just common sense....
Pull 100 people off the sidewalk and as
Re: (Score:2)
- Don't have ports open to the Internet ("stealth" or otherwise) by default
Okay. And precisely how do you expect Skype to work? FaceTime? Windows Update? POP/IMAP e-mail? watch all that traffic shuffle over 80 and 443, thus making 'ports' useless...or the applications, in the short term. Saying 'screw FaceTime' is a guaranteed way to ensure that people blame the router, and replace it with something basically mirroring what the router does now.
I meant this from the perspective of the router itself. All too often routers have remote management turned or ports that appear filtered to a scan but are really just waiting for a "magic packet" in order to initiate a remote console.
- Don't use unencrypted protocols... period
That's beyond the scope of responsibilities for a router. With respect to the greater internet, kindly inform me why Windows/Android/iOS Updates need to be encrypted...or Netflix streams (DRM notwithstanding)...or a dozen other kinds of data that are high volume and don't have security requirements...there's no need to waste CPU cycles on them.
Again, from the perspective of the router. When you go to check for new firmware, use encrypted protocols.
- Don't enable wireless by default
A wireless router that ships with wireless disabled...you must be delusional. Remember, there are a whole lot of laptops being sold now that don't have wired capabilities...and cell phones and tablets don't have them at all. People buy routers explicitly for this purpose, and disabling it by default is a guaranteed way to ensure that people return them saying "it doesn't work", the high rate of returns making the entire retail chain roll their eyes, the brand getting a bad reputation, and being suicide for the product. No. Netgear has this right - ship it with a unique WPA2 password, by default, written on the bottom of the router. That is how the wireless problem is, for all practical purposes, solved.
Yes, I amend my statement. Either ship with wireless disabled but then provide a CD that will set everything up for the user in a secure fashion, or do as you suggest, ena
Re: (Score:2)
Yes, I amend my statement. Either ship with wireless disabled but then provide a CD that will set everything up for the user in a secure fashion
A CD??? What is someone who only has iPads and iPhones supposed to do with a CD? Or what about someone whose laptop doesn't have an optical drive (which is a lot of them these days)?
Next, you're going to suggest they ship with a floppy disk.
Someday no 3rd party firmware (Score:1)
Saw this posted
http://hackaday.com/2015/08/31... [hackaday.com]
It is for 5GHz but if they can get away with 5Ghz why not 2.4
So if that ever happens, I may become a criminal, flashing my own router to protect myself.
Re: (Score:2)
2. Get PCIe > miniPCIe adapter with antennas included ~$25
3. Get wifi card that supports AP mode: $30-100 depending on how much you want to spend.
There, for as low as $150 you have a device that can run whatever OS you want and will have far better routing performance than a crappy home router (their CPUs are so awful that they need NAT accel hardware to NAT at line speeds). The only thing
My Belkin router is spamming me... (Score:2)
Re: (Score:2)
That's always the first thing I think of when I hear "Belkin". I haven't bought any of their products over the last 12 years. I didn't know many people still did, I'm a little surprised they're still making things with their brand on them.
I asked Belkin about a similar issue (Score:2)