
Routers Pose Biggest Security Threat To Home Networks

Unknown Lamer posted about 2 months ago | from the but-it's-a-firewall dept.

Worms 264

Nerval's Lobster writes "The remote-access management flaw that allowed TheMoon worm to thrive on Linksys routers is far from the only vulnerability in that particular brand of hardware, though it might be simpler to call all home-based wireless routers gaping holes of insecurity than to list all the flaws in those of just one vendor. An even longer list of Linksys (and Cisco and Netgear) routers were identified in January as having a backdoor built into the original versions of their firmware in 2005 and never taken out. Serious as those flaws are, they don't compare to the list of vulnerabilities resulting from an impossibly complex mesh of sophisticated network services that make nearly every router aimed at homes or small offices an easy target for attack, according to network-security penetration- and testing services. For example, wireless routers (especially home routers owned by technically challenged consumers) are riddled with security holes stemming from design goals that emphasize usability over security, which often puts consumers at risk from malware or attacks on devices they don't know how to monitor, but through which flow all their personal and financial information via links to online banking, entertainment, credit cards and even direct connections to their work networks, according to a condemnation of the Home Network Administration Protocol from Tenable Network Security. Meanwhile, a January 2013 study from Rapid7 found 40 million to 50 million network-enabled devices, including nearly all home routers, were vulnerable to exploits using UPnP. Is there any way to fix this target-rich environment?" If only there were an easily upgradeable open source router operating system to which vendors could add support for their hardware leaving long term maintenance to a larger community.


264 comments

dd-wrt?? (4, Informative)

neo8750 (566137) | about 2 months ago | (#46286059)

http://www.dd-wrt.com/site/ind... [dd-wrt.com] Why not right?

Re:dd-wrt?? (5, Informative)

Anonymous Coward | about 2 months ago | (#46286093)

DD-WRT is based on the open source OpenWRT, but DD-WRT itself is proprietary.

Re:dd-wrt?? (5, Informative)

WRD-EasyTomato (2774739) | about 2 months ago | (#46286489)

Or try EasyTomato [easytomato.org] or any of the other Tomato variants (Toastman, Shibby, etc.). Super easy to install, has a pretty and easy to use interface, and it's all open source.

Re:dd-wrt?? (1)

Technician (215283) | about 2 months ago | (#46287231)

If you have a home router, is it protected if it is behind the router built into many DSL or Cable modems? Your ISP may be protecting your firewall router by placing it behind another firewall router in your modem.

A quick test to see if this may apply to you: view your router's status page and look at the IP address of the WAN connection. If the WAN connection is a 196.168.x.x number then your modem has a router too. Has anyone pen tested your modem router?

Has any work been done on.. (5, Interesting)

Anonymous Coward | about 2 months ago | (#46286071)

Pentesting the custom firmwares from projects like OpenWRT/DD-WRT/Tomato etc?

Wow... misconfigured devices are insecure? (0, Funny)

Anonymous Coward | about 2 months ago | (#46286073)

Misconfigured devices are insecure? Who'd a thunk it.

I'd vote that end users pose the biggest security threat to home networks, anyway.

Re:Wow... misconfigured devices are insecure? (4, Insightful)

jythie (914043) | about 2 months ago | (#46286567)

If your product can not be reasonably or safely configured by its target market, then while it is tempting to blame the individuals, it is the manufacturer who has failed.

Re:Wow... misconfigured devices are insecure? (4, Insightful)

jandrese (485) | about 2 months ago | (#46286655)

A home router that is not by default secure on its WAN side is defective.

Re:Wow... misconfigured devices are insecure? (0)

Anonymous Coward | about 2 months ago | (#46286797)

Sometimes you are stuck with whatever the ISP forces upon you. e.g. Modem + router combos *rentals only* with router functions that cannot be turned off.
Enjoy your double NAT.

There are *no* open source alternatives for modem + router gateway combos either because of the non-free nature of the modem binary blob even if your ISP gives you the choice of buying the modem from them.

Re:Wow... misconfigured devices are insecure? (0)

Anonymous Coward | about 2 months ago | (#46286921)

The type of network I am talking about is Cable or VSDL where the ISP has to approve your modem before it would be on the network.

Re:Wow... misconfigured devices are insecure? (1)

Anonymous Coward | about 2 months ago | (#46287233)

The failure is the whole notion that computers and technology should be "easy" for people to set up. Nobody insists that electrical circuits be designed for end users to be able to install and configure, nobody insists that plumbing be made so that every home user can just buy a garbage disposal and hook it up correctly themselves. Why in the hell do we think routers and computers should be easy? They aren't, and they never will be. It's complicated technology and if you don't understand it, you're going to fuck it up. That holds true no matter what we're talking about. So, in summary, not only is it "tempting" to blame the users, but it's appropriate.

PFsense (4, Informative)

johneee (626549) | about 2 months ago | (#46286077)

I have PFSense running on a virtual server, which I recommend to anyone. Perhaps not on the virtual server... it kind of adds a layer of complication that most people probably wouldn't care for, but it works well enough.

http://www.pfsense.org/ [pfsense.org]

Hopefully no huge flaw comes out on that without me noticing. That would be embarrassing.

Re:PFsense (3, Interesting)

Spazztastic (814296) | about 2 months ago | (#46286161)

I really liked pfSense but when I used it long ago it was very buggy. It may be time for me to give it another try. However, if you're familiar with the Cisco IOS CLI, Vyatta is another solution. I plan to set up a small low power box to be my router and only use my Linksys Router/AP combo (flashed with DD-WRT) as an access point. It gives you far more options in terms of management, and if you happen to seed a lot of Linux ISOs you don't have to worry about filling up the memory with the routing table.

Re:PFsense (2)

FictionPimp (712802) | about 2 months ago | (#46286807)

I highly recommend the Ubiquiti EdgeMax Router lite. It's 99 bucks and runs a variant of Vyatta. Great little product.

Re:PFsense (1)

Spazztastic (814296) | about 2 months ago | (#46287167)

Thanks, I may look into this. It'll be less expensive than the one I had originally spec'd out on Newegg.

Re:PFsense (2)

johneee (626549) | about 2 months ago | (#46286827)

If I remember correctly, I tried Vyatta, and because I don't know IOS, I flamed out trying to configure it.

PFSense was only marginally more difficult than OpenWRT, so it kind of suited my level of expertise.

With it being on a VM, it means that I have one box that is my router, file server, media server, and experimentation box all in one, which is convenient for me.

It does mean that the hypervisor is - in theory - exposed to the net, but since it never communicates externally except through the router software, it has basically no attack surface, so it shouldn't be too much of an issue. (he said hopefully)

Re:PFsense (1)

Spazztastic (814296) | about 2 months ago | (#46287243)

There's a learning curve with Vyatta but once you catch on it's pretty easy. There's also plenty of guides online that'll get you started and a very friendly community.

I didn't like the web interface of pfSense, and at the time of using it I was still pretty green with the Linux CLI so using that wasn't as much of an option. From what I can see there have been improvements, plus it's also been ~7 years since I used it, so I might give it a shot in a VM.

Re:PFsense (3, Interesting)

Xenna (37238) | about 2 months ago | (#46286409)

Yeah, I've been running that stuff for years after getting frustrated with commercial routers. Has been extremely stable.

Of course, being lazy I got it in appliance form from this place:
http://www.applianceshop.eu/in... [applianceshop.eu]

"Hopefully no huge flaw comes out on that without me noticing. That would be embarrassing."

Ultimately it's a matter of (perhaps misguided) trust...

Re:PFsense (4, Informative)

carnivore302 (708545) | about 2 months ago | (#46286653)

I second that. PFSense is rock solid and comes with a lot of features. Dual wan, vpn, you name it.

Just as lazy... also got mine from applianceshop.eu.

opensource firmwares not perfect either (2, Interesting)

Anonymous Coward | about 2 months ago | (#46286101)

I bet everyone is busy writing smug comments about closed source firmwares, but let's not forget that DD-WRT have had a similar bug. http://www.xtremesystems.org/forums/showthread.php?230880-Massive-DD-WRT-Security-Hole-%28Unauthenticated-Root-Control-Possible%29

Re:opensource firmwares not perfect either (4, Insightful)

compro01 (777531) | about 2 months ago | (#46286239)

The important difference being that bug was fixed, as opposed to being left wide open forevermore.

Re:opensource firmwares not perfect either (5, Insightful)

Minwee (522556) | about 2 months ago | (#46286547)

In fact, it was even fixed for devices which are no longer in production with no need for the original vendor to even still be in business. Open source is funny that way.

Re:opensource firmwares not perfect either (0)

Anonymous Coward | about 2 months ago | (#46286577)

"Open source" is not ATTEMPTING perfection any more than science is attempting truth. The peer review is everything.

Why I buy apple airports (4, Interesting)

goombah99 (560566) | about 2 months ago | (#46286105)

I don't actually know if it matters or not but I prefer Apple over other wireless routers because it's so damn braindead easy to keep them patched. Apple just pushes out firmware updates (rarely). Every other router I've owned it was a struggle to figure out if it needed a patch, how to do it. Moreover it was a source of worry even when there wasn't a problem which alone was worth any relatively small cost differential.

Re:Why I buy apple airports (4, Funny)

Anonymous Coward | about 2 months ago | (#46286281)

Apple is the next thing to godliness. Praise Apple. I wish I was an Apple. Eat me.

[NO CARRIER]

Re:Why I buy apple airports (4, Insightful)

jythie (914043) | about 2 months ago | (#46286601)

Eh, to be fair, this is something they are doing right and a lot of manufacturers are not. Techie types sometimes freak out over being automatically patched with who knows what, but for the vast majority of users (including techie types), it is a good strategy.

Re:Why I buy apple airports (1)

dreamchaser (49529) | about 2 months ago | (#46287149)

It's a terrible strategy for any technical person. New bugs can be introduced. For a techie type, being able to test out new updates prior to rolling them into production is a must.

Sigh - what the heck ... (3, Informative)

udippel (562132) | about 2 months ago | (#46286149)

I feel that all those links to WRT/PFSense/M0N0Wall/Tomato/etc are kind of redundant.
Sufficient to understand, that the underlying concept of UPnP is an abomination; a sick and distorted concept that deserves nothing less than an immediate death sentence, and to be buried along with The Funniest Joke In The World; never to be resurrected again.

Re:Sigh - what the heck ... (3, Insightful)

drinkypoo (153816) | about 2 months ago | (#46286265)

Sufficient to understand, that the underlying concept of UPnP is an abomination; a sick and distorted concept that deserves nothing less than an immediate death sentence, and to be buried along with The Funniest Joke In The World; never to be resurrected again.

So how do you propose that my game on a machine on NAT arranges to receive UDP through the firewall? I'm supposed to manually configure firewall rules for each game? And then change them all if my IP changes?

Re:Sigh - what the heck ... (3, Informative)

Imagix (695350) | about 2 months ago | (#46286321)

IPv6.

Re:Sigh - what the heck ... (0)

drinkypoo (153816) | about 2 months ago | (#46286353)

Neither my ISP nor any game I can think of actually supports IPv6. So you want me to pay for a tunnel, too? Because I'm not going to try to game over a free tunnel.

Re:Sigh - what the heck ... (3, Funny)

Imagix (695350) | about 2 months ago | (#46286419)

Incentive to pressure your ISP to support a well over a decade old technology, going on two decades.

Re:Sigh - what the heck ... (4, Insightful)

drinkypoo (153816) | about 2 months ago | (#46286457)

Incentive to pressure your ISP to support a well over a decade old technology, going on two decades.

I have no viable alternatives. The ISP I'm using now is the best of three shitty options. I live in the USA, did you think I lived in the first world or something?

Re:Sigh - what the heck ... (3, Funny)

Anonymous Coward | about 2 months ago | (#46286323)

Well, speaking on behalf of other posters here - you are probably supposed to spend all of your time configuring some linuxy version of iptables or some such on a custom router. Then you won't have to worry because you won't have time to play your game...

Re:Sigh - what the heck ... (3, Informative)

0123456 (636235) | about 2 months ago | (#46286443)

So how do you propose that my game on a machine on NAT arranges to receive UDP through the firewall?

So go for convenience over security. But don't then complain when you install VNC on your PC and it automatically opens a port allowing everyone on the Internet to access it, and you didn't bother to set a password so your PC is now pwned by the first script kiddy who scans your router.

UPnP is simply insane from a security standpoint. Random applications should not be opening random ports without explicit permission.

Re:Sigh - what the heck ... (4, Insightful)

clarkn0va (807617) | about 2 months ago | (#46286839)

Mod parent up. UPnP is insecure by design. Its very purpose is to take security and control out of the hands of the user, and put it squarely in the hands of whatever happens to be running on your network.

It's too bad that most people don't understand enough about network security to configure their own router, and a double shame that the kludge we call NAT has further broken network applications, but convenient "workarounds" like UPnP could only ever lead to problems like the summary lays out.

Re:Sigh - what the heck ... (1)

drinkypoo (153816) | about 2 months ago | (#46287259)

So go for convenience over security. But don't then complain when you install VNC on your PC and it automatically opens a port allowing everyone on the Internet to access it, and you didn't bother to set a password so your PC is now pwned by the first script kiddy who scans your router.

You don't know me very well. If I am to remote into Windows I use RDP, and if I permit it at all it's only to the local network. And for all my statements that network transparency is irrelevant to most X users, if I want to remote Unix, I'll use an ssh tunnel. Sure, uPnP is a minefield for novices. But for me, it's immensely useful. Also, on Windows XP or later, VNC won't just magically open up your machine. Windows will ask you if you want to permit network connections to VNC, and it's up to you to decide what to do about it. You can, in fact, configure the windows firewall to only permit connections from your local network. This is the default for most services on Vista and later.

uPnP is a wonderful source of opportunities for malicious hackers, but given some awareness of network security it need not in fact actually present a usable attack vector. My lady, my only user, is smart enough to ask me what to do if she gets a prompt she doesn't recognize. This puts her above, by far, the vast majority of non-power users.

Re:Sigh - what the heck ... (2)

udippel (562132) | about 2 months ago | (#46286497)

While your logic looks okay at a first glance, it doesn't at a second.

When a government has thousands of enraged citizens running towards the government building to set those on fire and loot them, some machine guns might be the means of choice. Though it ought to have been considered by the government du jour, what the reaction of the public will be, with the introduction of strict austerity measures, as well as jus primae noctis?

There is no fundamental reason, really, to have 1000 games opening 1000 different ports for endless protocols on a home router. Strange enough, one can invite the whole world, chat with billions of people, even tell every other citizen of this world whatsapp, and needs only http. Just to give an example.
Do not support the laziness of game coders.

A firewall that can be configured arbitrarily by user applications on their request is about the worst hack possible to connect securely to another network.

Re:Sigh - what the heck ... (1)

drinkypoo (153816) | about 2 months ago | (#46287325)

There is no fundamental reason, really, to have 1000 games opening 1000 different ports for endless protocols on a home router.

In a perfect world, all of those games would communicate using the best possible protocol, and all communications would be cleared through a central facility. Problem is, "best" can be defined in many ways. Thus, we have all games using the same underlying protocol, but then building protocol on top of protocol in order to carry out their communications in the way that makes the most sense to the developers (or whoever drew up the architecture at the time, which might have been a schizophrenic hive-mind of whoever wandered by at the time and contributed some code) at the time. And all of those communications are cleared through the peer to peer network stack, which I then have the convenience of using with uPnP. Which, if you think about it, is just dynamic routing on a tiny scale. And if I wanted to, I could in fact protect uPnP cryptologically so that no unauthorized hosts could make requests, and I could diddle the daemon to refuse requests I didn't think it should be approving. But in practice, I'm just not having those kind of problems because I'm making other intelligent decisions.

A firewall that can be configured arbitrarily by user applications on their request is about the worst hack possible to connect securely to another network.

It's not arbitrary, it's not allowed to just forward anything to anywhere.

Re:Sigh - what the heck ... (1)

tlhIngan (30335) | about 2 months ago | (#46286983)

Sufficient to understand, that the underlying concept of UPnP is an abomination; a sick and distorted concept that deserves nothing less than an immediate death sentence, and to be buried along with The Funniest Joke In The World; never to be resurrected again.

So how do you propose that my game on a machine on NAT arranges to receive UDP through the firewall? I'm supposed to manually configure firewall rules for each game? And then change them all if my IP changes?

Suffice it to say, most games don't need UPnP nor special firewall configuration.

Thanks to techniques like STUN, NAT traversal is made simple. For the most part, most NATs appear as "STUN Open", which means a little trickery on the developer's part ensures two NATs can connect to each other. Of course, it requires an external matchmaking server, but those tend to be used anyhow for discovery.

I know I never had to do anything on my router (other than disable UPnP and all that) and I still can play via PSN and Xbox Live, and Steam, etc.

And I haven't had to touch firewall port settings in ages - usually just at the beginning to map in services like SSH and whatnot.

IPv6

Sorry, IPv6 isn't magic. In fact, you're probably going to run into even MORE connectivity issues with IPv6 than IPv4+NAT. Why? Because guess what? Practically all IPv6 endpoints are going to be firewalled by a gateway device. So you still have to create firewall rules (oh, and good luck when the IP changes either by prefix or when it's auto-generated!) to let your game/etc pass. And we'll be back to the same old troubles of spending hours debugging because someone's firewall isn't behaving.

So I'm guessing we're still going to need STUN to get through IPv6 firewalling.

And that's the problem with IPv6 - you still end up with the same headaches, multiplied because debugging is now made much harder (you can ping your IPv6 gateway? Good. That means absolutely zip because it could be using the default link-local route and address over the global prefix).

IPv4+NAT is nasty, but it works, and is easily understood compared to IPv6. NAT also has the nice side effect of isolating internal network addressing from external, so should prefixes and such change, nothing bad happens and things don't need sudden reconfiguration because of it (firewall settings ossify - if your prefix hasn't changed in a couple of years, when it does and things break, it's a huge PITA to re-find where everything is again).

Of course, those arguing for "purity" of IPv6 probably hold back development of stuff like NAT-PT and other things that could've had us on IPv6 years earlier.

Re:Sigh - what the heck ... (1)

devman (1163205) | about 2 months ago | (#46286991)

I play a lot of online games. I have had UPnP disabled on every network gateway I've owned precisely because it is ridiculously insecure. I have yet to find one that doesn't work properly with UPnP disabled. The only exception to this is when I was running a CS:GO server awhile back I had to create port forwarding rules so clients could connect, but setting up dedicated servers on residential networks isn't something non-advanced users do.

NAT should allow the packets, if you send packets (1)

Marrow (195242) | about 2 months ago | (#46287025)

NAT should setup a rule to allow your machine to get packets as long as you send some packets there first. Unless your game machine is acting as a game server and getting packets from many host, it should just work. Otherwise, you could/should setup a port forward to your internal machine.

Re:NAT should allow the packets, if you send packe (0)

Anonymous Coward | about 2 months ago | (#46287235)

True, but in my days of playing Starcraft and Warcraft 3, connecting to Battle.net and hosting a multiplayer map resulted in your computer listening for new connections on a port. I had to configure port forwarding to allow connections to come through. Technically, this would be a game server in a sense, but it's an example of something even a casual gamer/user would do.
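Added example (not from the thread or any vendor) modelling the NAT behaviour Marrow and tlhIngan describe: an outbound packet creates a mapping that lets replies back in, an unsolicited connection to a hosted game is dropped unless a static port forward exists, and two peers behind address-restricted NATs still reach each other once a STUN-style matchmaker has told each the other's mapped address and both send first. Addresses, ports and the NAT internals are constructed assumptions.

```go
package main

import "fmt"

// Endpoint is an IP:port pair on either side of the NAT.
type Endpoint struct {
	IP   string
	Port uint16
}

// mapping records which internal endpoint owns an external port and which
// remote IPs it has already sent to (used only for address-restricted filtering).
type mapping struct {
	internal  Endpoint
	contacted map[string]bool
}

// NAT is a toy endpoint-independent-mapping NAT: the same internal socket always
// gets the same external port, which is the property STUN discovery relies on.
type NAT struct {
	ExternalIP string
	Restricted bool // false: any remote may use an existing mapping ("STUN open"); true: only contacted IPs
	nextPort   uint16
	byInternal map[Endpoint]uint16
	byExternal map[uint16]*mapping
	forwards   map[uint16]Endpoint // static port forwards configured by the admin
}

func NewNAT(externalIP string, restricted bool) *NAT {
	return &NAT{
		ExternalIP: externalIP,
		Restricted: restricted,
		nextPort:   40000, // constructed starting port for dynamic mappings
		byInternal: map[Endpoint]uint16{},
		byExternal: map[uint16]*mapping{},
		forwards:   map[uint16]Endpoint{},
	}
}

// Forward installs a static rule, the manual step needed for hosting a game.
func (n *NAT) Forward(externalPort uint16, internal Endpoint) {
	n.forwards[externalPort] = internal
}

// Outbound translates a packet leaving the LAN and creates state if needed.
func (n *NAT) Outbound(src, dst Endpoint) Endpoint {
	port, ok := n.byInternal[src]
	if !ok {
		port = n.nextPort
		n.nextPort++
		n.byInternal[src] = port
		n.byExternal[port] = &mapping{internal: src, contacted: map[string]bool{}}
	}
	n.byExternal[port].contacted[dst.IP] = true
	return Endpoint{IP: n.ExternalIP, Port: port}
}

// Inbound decides whether a packet from the WAN reaches an internal host.
func (n *NAT) Inbound(src Endpoint, dstPort uint16) (Endpoint, bool) {
	if internal, ok := n.forwards[dstPort]; ok {
		return internal, true
	}
	m, ok := n.byExternal[dstPort]
	if !ok {
		return Endpoint{}, false // no prior outbound traffic: dropped
	}
	if n.Restricted && !m.contacted[src.IP] {
		return Endpoint{}, false // restricted NAT: remote never contacted by this host
	}
	return m.internal, true
}

// HolePunch models a STUN-assisted matchmaker: each peer learns its mapped address by
// sending to the STUN server, the server swaps the addresses, then both peers send first.
func HolePunch(natA, natB *NAT, peerA, peerB, stun Endpoint) (aReachesB, bReachesA bool) {
	mappedA := natA.Outbound(peerA, stun)
	mappedB := natB.Outbound(peerB, stun)
	natA.Outbound(peerA, mappedB) // both sides send first, creating "contacted" state
	natB.Outbound(peerB, mappedA)
	_, aReachesB = natB.Inbound(mappedA, mappedB.Port)
	_, bReachesA = natA.Inbound(mappedB, mappedA.Port)
	return aReachesB, bReachesA
}

func main() {
	nat := NewNAT("198.51.100.7", true)
	client, server := Endpoint{"192.168.1.23", 51000}, Endpoint{"203.0.113.10", 27015}
	mapped := nat.Outbound(client, server)
	_, ok := nat.Inbound(server, mapped.Port)
	fmt.Println("reply from game server reaches client:", ok)
	_, ok = nat.Inbound(Endpoint{"203.0.113.99", 6112}, 6112)
	fmt.Println("unsolicited connection to a hosted game:", ok)
	nat.Forward(6112, Endpoint{"192.168.1.23", 6112})
	_, ok = nat.Inbound(Endpoint{"203.0.113.99", 6112}, 6112)
	fmt.Println("same connection after a static port forward:", ok)
	a, b := HolePunch(nat, NewNAT("198.51.100.8", true), Endpoint{"192.168.1.23", 52000},
		Endpoint{"10.0.0.5", 52000}, Endpoint{"203.0.113.53", 3478})
	fmt.Println("hole punch works in both directions:", a && b)
}
```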

Re:Sigh - what the heck ... (2)

dreamchaser (49529) | about 2 months ago | (#46287183)

Configuring port forwarding is trivial on virtually any firewall, so yes, that's what you need to do if you want security.

Re:Sigh - what the heck ... (0)

Anonymous Coward | about 2 months ago | (#46287267)

Yes. You're supposed to know how routing works if you want to administer a secure router.

Re:Sigh - what the heck ... (1)

harrkev (623093) | about 2 months ago | (#46286469)

What is the problem with UPnp??? From what I understand, UPnP works like this:

1) All devices inside the local network are considered "trusted"

2) Trusted devices can poke holes in the firewall pointing only back to themselves.

Assuming that UPnP is implemented properly, and assuming that an attacker is on the outside of the local network, there is nothing for an attacker to grab on to. Now, if an attacker is on the INSIDE of your LAN, then you are already boned.

What am I missing?
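To make harrkev's two rules concrete, here is an added example (not from any commenter, router vendor or UPnP stack) of how an IGD could vet an AddPortMapping request: it parses the WANIPConnection:1 SOAP body and refuses mappings that arrive on the WAN side, that point at a host other than the requester, or that expose LAN-only services. The LAN prefix, the blocked-port list and the sample request are constructed assumptions.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"net"
)

// Arguments of the WANIPConnection:1 AddPortMapping action, as a home IGD
// receives them in a SOAP request from a LAN device.
type PortMappingRequest struct {
	RemoteHost     string `xml:"NewRemoteHost"`
	ExternalPort   uint16 `xml:"NewExternalPort"`
	Protocol       string `xml:"NewProtocol"`
	InternalPort   uint16 `xml:"NewInternalPort"`
	InternalClient string `xml:"NewInternalClient"`
	Enabled        int    `xml:"NewEnabled"`
	Description    string `xml:"NewPortMappingDescription"`
	LeaseDuration  uint32 `xml:"NewLeaseDuration"`
}

// Minimal SOAP envelope; encoding/xml matches local names, so the s:/u: prefixes need no handling.
type soapEnvelope struct {
	XMLName xml.Name `xml:"Envelope"`
	Body    struct {
		AddPortMapping PortMappingRequest `xml:"AddPortMapping"`
	} `xml:"Body"`
}

// ParseAddPortMapping extracts the action arguments from a SOAP request body.
func ParseAddPortMapping(body string) (PortMappingRequest, error) {
	var env soapEnvelope
	if err := xml.Unmarshal([]byte(body), &env); err != nil {
		return PortMappingRequest{}, err
	}
	return env.Body.AddPortMapping, nil
}

// Policy is what the router checks before touching its firewall table.
type Policy struct {
	LAN          *net.IPNet
	BlockedPorts map[uint16]string // internal ports that never belong on the Internet, with a reason
}

// DefaultHomePolicy uses a constructed LAN prefix and the LAN-only services named in this thread.
func DefaultHomePolicy() Policy {
	_, lan, _ := net.ParseCIDR("192.168.1.0/24")
	return Policy{LAN: lan, BlockedPorts: map[uint16]string{
		137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS", 445: "SMB",
		3306: "MySQL", 3389: "RDP", 5900: "VNC",
	}}
}

// Evaluate returns nil only for a mapping a LAN host opens back to itself on an allowed port.
func (p Policy) Evaluate(requester string, fromWAN bool, req PortMappingRequest) error {
	if fromWAN {
		return errors.New("AddPortMapping must not be served on the WAN interface")
	}
	src := net.ParseIP(requester)
	if src == nil || !p.LAN.Contains(src) {
		return fmt.Errorf("requester %q is not on the LAN", requester)
	}
	if req.Protocol != "TCP" && req.Protocol != "UDP" {
		return fmt.Errorf("unsupported protocol %q", req.Protocol)
	}
	if req.ExternalPort == 0 || req.InternalPort == 0 {
		return errors.New("wildcard ports are not allowed")
	}
	// A device may only poke holes that point back to itself.
	if !src.Equal(net.ParseIP(req.InternalClient)) {
		return fmt.Errorf("requester %s may not expose %s", requester, req.InternalClient)
	}
	if why, blocked := p.BlockedPorts[req.InternalPort]; blocked {
		return fmt.Errorf("internal port %d (%s) is LAN-only", req.InternalPort, why)
	}
	return nil
}

// SampleAddPortMapping is a constructed request of the kind a VNC installer might send.
const SampleAddPortMapping = `<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>5900</NewExternalPort>
<NewProtocol>TCP</NewProtocol>
<NewInternalPort>5900</NewInternalPort>
<NewInternalClient>192.168.1.23</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>VNC</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:AddPortMapping>
</s:Body>
</s:Envelope>`

func main() {
	req, err := ParseAddPortMapping(SampleAddPortMapping)
	if err != nil {
		panic(err)
	}
	fmt.Println("VNC request:", DefaultHomePolicy().Evaluate("192.168.1.23", false, req))
}
```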

Re:Sigh - what the heck ... (4, Informative)

0123456 (636235) | about 2 months ago | (#46286521)

What am I missing?

Again, used to be that the most common way for a Ubuntu machine to get pwned was for the user to install VNC with UPnP enabled. They only wanted to connect over their LAN, but VNC went and opened a UPnP port, and... oops.

Every new port opened on the router is a potential new security hole.

Re:Sigh - what the heck ... (1)

udippel (562132) | about 2 months ago | (#46286647)

Reality. What users have in their PCs is not "Trusted Computing" - well, well, I know this is what the monopolist told everyone. But it surely isn't.
If all the applications running on a PC were actually trusted, a firewall would not be necessary (aside from the odd closure of ports offering internal content only, like 137-139, 3306, etc.; and this can be done by static rules).
No serious firewall can allow any user to reconfigure it.

Re:Sigh - what the heck ... (4, Insightful)

Minwee (522556) | about 2 months ago | (#46286671)

What is the problem with UPnp??

All devices inside the local network are considered "trusted"

I really think you just answered your own question there.

Re:Sigh - what the heck ... (1)

jandrese (485) | about 2 months ago | (#46286691)

Wasn't the problem something like a script injection attack on a webpage can open up any random port on your router?

Re:Sigh - what the heck ... (1)

xvan (2935999) | about 2 months ago | (#46286939)

No, unless you have java or another shit like that... I can't think why a browser would need to open a listening port.

Re:Sigh - what the heck ... (1)

clarkn0va (807617) | about 2 months ago | (#46286907)

if an attacker is on the INSIDE of your LAN, then you are already boned.

What am I missing?

There are varying degrees of boned. UPnP lets the black hat turn a small exploit into a big one.

Assuming that UPnP is implemented properly

Well yes, there's that too. [grc.com]

What it's not about (4, Insightful)

andyring (100627) | about 2 months ago | (#46286153)

Yes, this is /. We can upgrade our router firmware or install other firmware. Joe Sixpack cannot.

The blame for this should be laid squarely at the feet of the router manufacturers. IMHO, here's what Linksys/Cisco/Netgear/etc/etc/etc/ should do, at the very least:

1. Be open and forthcoming about bugs found in their router software
2. By default, routers should ship with automatic firmware updates enabled. This should be difficult to disable and robust enough that it'll *just work* with no user intervention.
3. Tell this to their customers in plain English or $localLanguage on the product packaging. And NOT in fine print. Make it very obviously noticeable to the purchaser. This can and should be a significant selling point, really. If I'm at BestBuy/WalMart/etc. and see one router boldly telling me "We care about your security! To protect you and your data, this router will check weekly with $manufacturer and update itself to give you the most secure Internet experience possible." And it's sitting next to another router that says no such thing, I'd buy the one that will keep me safe.

Re:What it's not about (5, Insightful)

JDG1980 (2438906) | about 2 months ago | (#46286295)

By default, routers should ship with automatic firmware updates enabled. This should be difficult to disable and robust enough that it'll *just work* with no user intervention.

The problem is that this kind of automatic update process can be a security hole in and of itself. If there is a way for a remote system to send updates to the router's firmware, then there is the potential for a malicious user to spoof the update and send their own custom-crafted exploit code.

Re:What it's not about (1)

Anonymous Coward | about 2 months ago | (#46286459)

Also I have disabled features on my router because of holes. Yet keep an older version of firmware (new one fixes the holes) for the sole reason that they seem to have monkeyed up the range in the wireless part...

Re:What it's not about (1)

xvan (2935999) | about 2 months ago | (#46286995)

Oh, if we just had something that allowed us to authenticate the update origin.
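Added example (not from the thread or any router vendor) of the origin authentication JDG1980 says auto-update lacks and xvan asks for: the vendor signs a version-plus-hash manifest with an Ed25519 key, and the router, holding only the public key, refuses unsigned, tampered and downgraded images. The manifest layout and the key handling are assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the small signed record shipped next to a firmware image.
type Manifest struct {
	Version   uint32   // monotonically increasing build number (rollback protection)
	ImageHash [32]byte // SHA-256 of the image this manifest vouches for
}

// encode gives the exact bytes that are signed and verified.
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+len(m.ImageHash))
	binary.BigEndian.PutUint32(buf, m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// GenerateVendorKey makes the vendor's signing key pair; only the public
// half is baked into the router firmware.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is the vendor build step: hash the image, sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.encode())
}

var (
	ErrBadSignature  = errors.New("manifest signature does not verify against vendor key")
	ErrRollback      = errors.New("update is not newer than the installed version")
	ErrImageMismatch = errors.New("image hash does not match signed manifest")
)

// Router holds the trust anchor and the installed version, nothing secret.
type Router struct {
	VendorPub ed25519.PublicKey
	Installed uint32
}

// VerifyUpdate is the router-side check run before anything is flashed.
func (r *Router) VerifyUpdate(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(r.VendorPub, m.encode(), sig) {
		return ErrBadSignature // spoofed or attacker-signed update
	}
	if m.Version <= r.Installed {
		return ErrRollback // replay of an old, possibly vulnerable, build
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageMismatch // image altered in transit or on the mirror
	}
	r.Installed = m.Version
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	image := []byte("constructed firmware image v2") // stands in for the real image
	m, sig := SignUpdate(priv, 2, image)
	r := &Router{VendorPub: pub, Installed: 1}
	fmt.Println("genuine update:", r.VerifyUpdate(m, sig, image))
	fmt.Println("replayed update:", r.VerifyUpdate(m, sig, image))
}
```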

Re:What it's not about (0)

Anonymous Coward | about 2 months ago | (#46287309)

Something like a person administering their own router.

Re:What it's not about (1)

Anonymous Coward | about 2 months ago | (#46286379)

"We care about your security! To protect you and your data, this router will check weekly with $manufacturer and update itself to give you the most secure Internet experience possible." And it's sitting next to another router that says no such thing, I'd buy the one that will keep me safe.

That's funny. I probably wouldn't even consider buying a router that's going to randomly change its behavior on me without my explicit intervention. I don't want to wake up one morning and have to spend half the day figuring out why my router suddenly isn't routing traffic the same way it was before.

Re:What it's not about (1)

Anonymous Coward | about 2 months ago | (#46286407)

My thoughts exactly. "Easily upgradeable?" Have you seen the installation instructions for OpenWRT? It's fraught with stern warnings about ensuring your firmware version matches your router version and making sure you select the right version based on nvram, processor speed, etc. And it gives all kinds of warnings about bricking your router if you screw this step up. Easy to handle for us, not for your mom and pop.

Re:What it's not about (1)

Minwee (522556) | about 2 months ago | (#46286723)

That's right. Installing an OpenWRT release made for a D-Link DIR 825 on a Linksys E3200 would be a bad thing. So would installing the official D-Link firmware.

If both manufacturers were to produce updates for their own hardware, instead of kicking a device to the curb and then never releasing an update again until they receive a court order requiring them to, then this wouldn't be a problem.

Re:What it's not about (1)

Grishnakh (216268) | about 2 months ago | (#46286697)

The blame for this should be laid squarely at the feet of the router manufacturers.

Ok, what good is that going to do? So a bunch of people get their home routers hacked, and you point the finger at the router mfgrs. Why should they care? What are you going to do about it? Declare that you're not going to buy from them any more? Haha, like they care; their customer base isn't Slashdot users, it's regular Joe Schmoes who don't read Slashdot or tech news, and just buy whatever the Best Buy salesman or Comcast representative tells them to buy. Moreover, Joe Sixpacks have a long history of never blaming mfgrs for security problems, and instead laying the blame squarely at the feet of "the hackers", as if that's going to do any good.

IMHO, here's what Linksys/Cisco/Netgear/etc/etc/etc/ should do, at the very least:

Why should they? What are you going to do if they don't? Give them a bad reputation? They already have a lousy reputation among Slashdot-folk, and it isn't hurting them any.

1. Be open and forthcoming about bugs found in their router software

Why? This will just make their products look bad to the Joe Sixpacks. Better to keep it quiet.

2. By default, routers should ship with automatic firmware updates enabled.

I'm not sure why they don't do this already, but it's probably because there's a chance something can go wrong with a firmware update, resulting in a bricked device; better to just ignore the problem and let the device run with an old, known-good firmware, because then Joe Sixpack will see that it's working and not blame the mfgr.

If I'm at BestBuy/WalMart/etc. and see one router boldly telling me "We care about your security! To protect you and your data, this router will check weekly with $manufacturer and update itself to give you the most secure Internet experience possible," and it's sitting next to another router that says no such thing, I'd buy the one that will keep me safe.

This is a pretty good point, and again I'm not sure why they don't do it already. I think someone else in this discussion said that Apple's routers actually do this.

I read the headline as: (1)

RogueWarrior65 (678876) | about 2 months ago | (#46286155)

"Reuters Pose Biggest Security Threat To Home Networks"

Re:I read the headline as: (1)

Sarten-X (1102295) | about 2 months ago | (#46286271)

I did my time in end-user support. I've been the one that has to explain to Granny that she doesn't need to panic every time she sees a new horror story on the news.

Reuters may not be the biggest security threat, but they're certainly one of the biggest threats to sanity.

Re:I read the headline as: (1)

bobbied (2522392) | about 2 months ago | (#46286411)

"Reuters Pose Biggest Security Threat To Home Networks"

Problem is that they also are the biggest boon to computer security since the network was invented. I look back with less than fond memories of having my mother's Windows box connected directly to the internet w/o any kind of firewall or even a NAT between her and the wild west. Oh, those were the days!

I'd much rather have even a flawed router between her machine and the bad guys. Even if they can compromise the router, that's at least one more step they have to go through, making her lowly Windows box all that safer from the script kiddies... Nothing is really going to fix a determined attacker, except turning everything off and locking it away. Now if I can just keep her from downloading all that coupon printing garbage or letting the grandkids install their infected games...

That's why I resisted as long as I could... (1)

AudioEfex (637163) | about 2 months ago | (#46286169)

I resisted wireless as long as I could because of this very issue. I can turn on my computer and see a dozen networks, and I live in the suburbs. Unfortunately, convenience and devices I wanted to use finally required it (can't use an iPad without wireless), so I caved a few years ago. Thankfully, I learned long, long ago that if I didn't want something on the Internet, I didn't let it near an Internet-connected computer. I have an old laptop I use for personal things that is not connected to any internet whatsoever, and if I need to move files it's on a burned, finalized CD. Sure, it can still be read semi-remotely if someone wants to invest in that magnetic scanning tech that can read what data you are writing to your hard drive, but a) I don't have anything that would be THAT valuable to anyone, and b) if someone was going to use that on me, I've got far greater things to worry about.

Re:That's why I resisted as long as I could... (1)

ledow (319597) | about 2 months ago | (#46286351)

Which is one of the reasons that I treat wireless networks as hostile in my home, and you have to log in via VPN even if you're connected to my wireless.

It's not hard. If you don't trust wireless, and you don't trust the Internet, treat them as the same thing.

I've gamed and accessed my home network using OpenVPN on every client (over wireless and remote) for as long as I've had wireless. No extra ping on any half-decent hardware, utter security and who cares if - as in my case - WEP is flawed and then replaced with flawed WPA and then replaced again?

Re:That's why I resisted as long as I could... (1)

Grishnakh (216268) | about 2 months ago | (#46286815)

You sound totally paranoid. If you want to be quite reasonably secure and have WiFi, all you have to do is make sure you're using WPA2 encryption. Better yet, make sure you're using an alternative firmware like OpenWRT or DD-WRT, and keep WPS and UPnP off no matter what you use.

I don't think I've even heard of someone getting their WiFi hacked when WPA or WPA2 was being used; people only get their home WiFi "hacked" when they either use no security whatsoever, or WEP (WEP is trivial to hack). And even then, people only "hack" them so they can get free internet access, or maybe send funny stuff to your WiFi printer, not so they can search through all your files. Think about it: the only way to hack WiFi is to be physically on-site. How many people are going to drive around from neighborhood to neighborhood looking for WiFi networks to hack from their van, so that they can then try to hack into your computer from there (several orders of magnitude more difficult a task)? No one is going to go to all that effort so they can look at your pr0n collection. The really serious hackers are doing it from eastern Europe and Russia, and they come in through your regular internet connection; WiFi is irrelevant here. And the information they're after is likely your banking information, and since it's impossible to access your bank's online services from an old laptop that isn't connected to the internet, that isn't helping you either.

Re:That's why I resisted as long as I could... (1)

pjbgravely (751384) | about 2 months ago | (#46286893)

Don't forget to hard-disable the microphone on the laptop if it has one. There is malware that can communicate using high-frequency sound, from a networked machine to an un-networked one. Of course both machines have to be infected, probably with a virus attached to a file from the networked box.

ipcop (0)

Anonymous Coward | about 2 months ago | (#46286205)

In line with the pfSense comment, I'm running IPCop. It's arguably less maintained than pfs, but it does the job and likely stays off the radar due to the small user base. It'll also run on virtually any old machine you have lying around, so there's really no need to virtualize (other than a few saved watts / ft).

design goals that emphasize usability over securit (1)

jader3rd (2222716) | about 2 months ago | (#46286235)

design goals that emphasize usability over security

I wonder why usability was able to sell more than security? Hmm. Let's think about that.

Meanwhile, a January 2013 study from Rapid7 found 40 million to 50 million network-enabled devices, including nearly all home routers, were vulnerable to exploits using UPnP.

Man, and I can't get my home router to do UPnP. It's bad that UPnP allows for the configuration of the router to come from a machine outside of the network, but that should get fixed and UPnP should be able to start behaving like it is designed to.

Re:design goals that emphasize usability over secu (1)

0123456 (636235) | about 2 months ago | (#46286485)

Man, and I can't get my home router to do UPnP. It's bad that UPnP allows for the configuration of the router to come from a machine outside of the network, but that should get fixed and UPnP should be able to start behaving like it is designed to.

Considering UPnP is broken by design, that's not really an improvement. Replacing a security hole in the router by a hundred apps that want their own ports to expose their own security holes to the Internet doesn't help much.

POT (Personal Open Terminal) non-threatening (0)

Anonymous Coward | about 2 months ago | (#46286283)

With millions of suspected users all online at once 24/7, it's hard to resist wondering what the need to break in is about?

No Shit (-1)

Anonymous Coward | about 2 months ago | (#46286303)

The part of a "home network" that is connected to the 'net is the biggest threat? Next you'll tell me the part of a gun where bullets come out is the most dangerous bit of it.

What a fucking waste of an article

Sadly, no . . . (1)

Kimomaru (2579489) | about 2 months ago | (#46286349)

Commercial, closed-source products just tend to have these problems and it's pie-in-the-sky to wish for a vendor to produce a secure product. If you want it secure, probably your best bet is an open source, open hardware mini server (like cubieboard or Raspberry Pi) and you're going to have to learn to do it yourself.

lighten our load give until it stops hurting (-1)

Anonymous Coward | about 2 months ago | (#46286381)

free sister megan rice & the innocent stem cells. never a better time to consider our advantages in relation to momkind & our constant starting from scratch history of hysteria..... (r)evolutionary movements help prevent spiritual constipation which is nearly always fatal for us unwitting semi-innocent unchosens..


Custom Router (4, Interesting)

shellster_dude (1261444) | about 2 months ago | (#46286401)

After I found that my ASUS RT-15U was running telnet with a default password, open to the world, which I couldn't kill or change the password on, I swore off embedded device routers.

I have replaced it with a small Debian box with dual NICs, and bought a 24-port switch from TP-Link. It was the best decision I have ever made. Perfect reliability, complete control, via iptables. I've got auto-blocking of malicious IPs trying to hit my ssh or port scanning me via DenyHosts and PSAD.

A couple other custom scripts and dnsmasq, dhclient, snort, and Python, and I have all the other services and features I want, and ONLY the services and features I want.

Re:Custom Router (0)

Anonymous Coward | about 2 months ago | (#46286531)

If that was literally the best decision you ever made, you either make bad decisions or have no sense of proportion.

Re:Custom Router (1)

udippel (562132) | about 2 months ago | (#46286829)

Don't overdo the 'Interesting' here, my dear mods!
It doesn't look like a role model to replace some - agreed - s***ty router. While I'm a Linux person, Debian is not necessarily the distro of choice. There are other, specialised, Linux- and BSD-based solutions that run on maybe even smaller hardware, and are therefore much more energy-efficient.
A 24-port router is nothing of a 'must' here, either. And TP-Link wouldn't be the switch of choice for me anyway.
"Couple custom scripts", what the heck, we need a solution for everyone, not only for nerds and geeks!

Reasonable, okay, useful, okay, but very much of a singular solution.

OpenWrt? (1)

Millennium (2451) | about 2 months ago | (#46286503)

Forgive me if I'm wrong, but wasn't OpenWrt based on this same firmware? Or is this bug with the VxWorks-based firmware that Linksys later switched to?

Re:OpenWrt? (1)

Minwee (522556) | about 2 months ago | (#46286865)

Forgive me if I'm wrong, but wasn't OpenWrt based on this same firmware? Or is this bug with the VxWorks-based firmware that Linksys later switched to?

OpenWRT is a Linux distribution designed for routers. It often uses kernel modules provided by manufacturers such as Linksys, but is not a clone of the entire system.

You could also follow the first link in the summary [sans.edu], which describes the bug and has this to say:

"Only routers running stock firmware are vulnerable. OpenWRT is not vulnerable to this issue."

A big hole is the default password (2)

bzipitidoo (647217) | about 2 months ago | (#46286511)

The default password, when it is the same default password across all units of the same model or even the same manufacturer, is easy to exploit. Any website can send the user's browser some code that instructs it to attempt to log in via the user's router's web interface with the default password. It works because the user's browser is behind the firewall and therefore "trusted". Once logged in, it's trivial to reconfigure the router to open up all kinds of holes. Harder but still doable is getting the router to host and run malware itself.

The admin password is the first thing I change on a new router. Manufacturers who still don't individualize the factory set password are responsible for a lot of these problems.

Re:A big hole is the default password (1)

udippel (562132) | about 2 months ago | (#46286885)

Totally agreed, but one trouble here: it is not 'conducive' to have non-standard default passwords!

Just imagine Tom, Dick and Harry buying routers. How does a manufacturer distribute the individual password? And make sure that it is not thrown away, or misplaced, or torn or worn off? I already see the light of a class action suit filed by some dim-wit when the latter cannot get her router back to life after a reset!!

Re:A big hole is the default password (0)

Anonymous Coward | about 2 months ago | (#46287123)

Print it right on the box -- physical security is definitely beyond the manufacturer's control, and not much of an issue for these devices. If you want, use the serial number or the Ethernet MAC address that are ALREADY printed on the box.

Re:A big hole is the default password (0)

Anonymous Coward | about 2 months ago | (#46287107)

An easy method to avoid the default password would be that the router
(a) doesn't contain a default password,
(b) denies all connections to the internet before the user has set a password,
(c) until that time redirects any http request to an internal page where you can set your password.
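An added example, not code from any poster in this thread, that models the setup-gating policy above together with the cross-site login attack bzipitidoo describes: a hypothetical router admin handler that ships with no default password, forwards nothing to the WAN until one is set, redirects HTTP to a setup page until then, and rejects any state-changing request whose Origin is not the router itself (so a web page cannot drive the user's browser into the admin interface). All class and field names, the LAN address and the request shape are assumptions.

```python
# Added example, not from any poster in this thread. Hypothetical model of a
# router admin interface that (a) has no default password, (b) forwards no WAN
# traffic until one is set, (c) redirects HTTP to a setup page until then, and
# (d) refuses cross-site POSTs so a web page cannot drive the logged-in browser.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Simplified request shape (assumption): {"method", "path", "headers", "auth", "body"}
Request = Dict


@dataclass
class RouterAdmin:
    lan_host: str = "192.168.1.1"           # constructed sample LAN address
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: Optional[bytes] = None   # None = factory state, no default password

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def is_configured(self) -> bool:
        return self.password_hash is not None

    def forward_wan(self) -> bool:
        """(b): no Internet forwarding until the owner has set a password."""
        return self.is_configured()

    def _same_origin(self, request: Request) -> bool:
        # A cross-site page can make the browser send a POST, but the browser
        # sets Origin itself; a missing or foreign Origin is rejected outright.
        return request.get("headers", {}).get("Origin") == f"http://{self.lan_host}"

    def handle_http(self, request: Request) -> Tuple[int, str]:
        method = request.get("method", "GET")
        path = request.get("path", "/")
        # State-changing requests must come from the router's own pages, both
        # during setup (else a malicious page could set the first password) and after.
        if method == "POST" and not self._same_origin(request):
            return 403, "cross-site request rejected"
        if not self.is_configured():
            if method == "POST" and path == "/setup":
                password = request.get("body", {}).get("password", "")
                if len(password) < 8:
                    return 400, "password too short"
                self.password_hash = self._hash(password)
                return 200, "password set"
            # (c): everything else is redirected to the setup page until setup is done.
            return 302, f"http://{self.lan_host}/setup"
        # Configured: the client must present the owner-chosen password.
        presented = request.get("auth", "")
        if not hmac.compare_digest(self.password_hash, self._hash(presented)):
            return 401, "authentication required"
        return 200, "ok"
```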

If only... (1)

itsdapead (734413) | about 2 months ago | (#46286563)

If only there were an easily upgradeable open source router operating system to which vendors could add support for their hardware leaving long term maintenance to a larger community.

If only it supported routers with built-in ADSL (which was the dealbreaker last time I looked at DD-WRT - and it took me some digging to discover that was why none of the routers I wanted to use it on).

If that's since been fixed - and supports a router I can actually buy somewhere - then mod me happy.

Personally, I could put together a low-power Linux box, get an ADSL modem, an ethernet switch, wireless access point (sounds like Belinksysco crap would be just as big a liability in WAP-only or modem-only mode) but (a) that's replacing 1 always-on box with 2-3 always-on boxes (b) there's the non-zero chance that I could screw up and (c) it doesn't really help joe public who need a reliable, secure plug-and-go box.

Any trustworthy all-in-one ADSL Modem/Routers/WAPs out there?

Usability? (1)

Cosmotic (60372) | about 2 months ago | (#46286591)

I dispute the post's assertion that home routers are designed for usability. The interfaces for home routers are typically confusing, slow, awkward, undocumented, ugly, not discoverable, poorly conveying, and inconsistent.

Re:Usability? (1)

WRD-EasyTomato (2774739) | about 2 months ago | (#46286729)

I think some are getting better as they try to have routers act as more of a hub of the house (lot of $$ to be made there). The interfaces will get better too as people are accustomed to smartphones and will stop tolerating the interfaces we've seen in the past. We made EasyTomato [easytomato.org] JUST to have a better interface and be easier to use (mainly for access control and bandwidth management.) EasyTomato is only a step in the right direction and it's only a matter of time before routers are a lot more pleasant to use.

But Routers are good things! (4, Insightful)

bobbied (2522392) | about 2 months ago | (#46286677)

So this article is saying that routers are *bad* things for security right? Not so fast...

In my view, having a router, even an imperfect one, between you and the internet is a *GOOD* thing for security. Yes, routers might be security risks, but NOT having them is even WORSE of a risk.

Does *anybody* out there remember what it used to be like? It wasn't that long ago that the standard internet connection was for ONE machine and used a PPP connection that pretty much put your Windows (mostly) box directly on the internet. When all this got started, we didn't even have software firewalls. Imagine having a windows 95 box with all the standard services on a routeable IP address. It WAS extremely risky. I remember having unsolicited popups coming up all the time and bothering me with all manner of advertisements. It was a mess and security was extremely lacking.

But then we have the dawn of consumers using routers, and doing all the same exploits became harder because of the NAT. Then routers added stateless firewalls, then stateful firewalls, and closed many of the avenues used by the "bad guys" to gain control of your system.

Consumer grade routers have been a HUGE boon to network security in the consumer world. Do they have flaws? Many do, but their contribution to overall security is worth more to me than the risks they may pose. Give me a router, even a flawed one, over nothing. Making the bad guys work harder is a good thing for security, and a flawed router does that.

It's not that we shouldn't be discussing how routers should be made more secure. Obviously we want them to improve. It's just that we cannot lose sight of how far we've come BECAUSE of these things.

Re:But Routers are good things! (1)

hAckz0r (989977) | about 2 months ago | (#46286919)

What is the one thing worse than having a Bot on your desktop machine? Having a stealth Bot controlling your network, having access to all your hosts, playing man-in-the-middle for all your "secure" SSL/TLS banking and credit-card connections. And you have no clue that it is even there. At least when you get a Bot on your local desktop machine you will have clues that something is spinning CPU and taking up disk space, if you are smart enough to notice those things. When a bot controls and sees everything, while giving no indication, and you have no AV or utilities on embedded hardware to diagnose the problem, then you have a REAL problem.

Yes, having a router is better than having no router, but only if YOU still own it. Once the bad guys p0wn it then it is no longer your friend.

Re:But Routers are good things! (1)

ttucker (2884057) | about 2 months ago | (#46287095)

Besides spying on you, the router itself could likely be used in a botnet as well. Think: origination of DDoS attacks, sending spam, anonymous hop for criminal activity (with your name on it).

this is just wrong (1)

Gravis Zero (934156) | about 2 months ago | (#46286813)

The biggest security threat to computers is the user. Users improperly configure things, won't take security precautions (like using weak passwords) and will outright download viruses/malware. Far too many users are not competent enough to tell the difference between a real popup window and a website claiming they have a virus and they need to install their trojan horse immediately.

So, will a 2005-era router get a firmware update? (4, Insightful)

BUL2294 (1081735) | about 2 months ago | (#46286837)

I seriously doubt that Belkin will put out firmware updates for all the old $50 Linksys router models they inherited support for--instead opting to push users to buy replacement models they otherwise wouldn't need. The likely answer is NO--even with a class-action lawsuit. (In all actuality, a 2006-era 2.4GHz 802.11G WPA2 router is still more than plenty for the crappy broadband speeds available in North America...)

This is what scares me about the Internet of Things when it comes to long-life appliances that you could own/use for decades... How long will manufacturers (many of whom have 0 experience so far with connecting their products to anything but a power cable) continue to support these devices? Ultimately, government regulation may be required in this space. God knows I wouldn't want my IoT refrigerator to get "bricked" (a really heavy, big brick!) after 20 years because the manufacturer went under & the fridge couldn't phone home... Or worse, because someone found a backdoor that had been in place for all models in use for 9 years before my model was developed...

Re:So, will a 2005-era router get a firmware upda (1)

ttucker (2884057) | about 2 months ago | (#46287119)

I have been thinking this about the internet of things as well. Then when they roll out IPv6 we can put all of our extremely dated hardware directly on the internet!

My router (1)

ttucker (2884057) | about 2 months ago | (#46287019)

Is an Ubuntu machine with three NICs. The firewall is configured with the Shorewall utility. It only needs to be rebooted for kernel updates.

The fault of the device makers... (3, Insightful)

Lumpy (12016) | about 2 months ago | (#46287179)

There are options for more secure devices, but they fight the hardware hackers instead of embracing them. If they would reach out to the communities and work with them or PAY these groups like OpenWRT to write their firmware, they would end up with a better product.

Re:The fault of the device makers... (-1)

Anonymous Coward | about 2 months ago | (#46287311)

You're being made a fool of here http://slashdot.org/comments.p... [slashdot.org] . Reply to this using your registered user account here on slashdot http://games.slashdot.org/comm... [slashdot.org] since even I by this point suspect you are doing what apk said in you applying minus moderation to his posts beneath yours he did and not proving him wrong on your part. Only minus mods and running from you. If you run we all know you did it and apk was right and has you caught red handed.
