SoylentNews is people
SoylentNews
Millions Of Home Wi-Fi Routers Are Likely Vulnerable To Unpatched Linux Security Exploits
If you're reading this article from home, it's likely that you're connected to a consumer-grade Wi-Fi router, either wirelessly or via hard wired Ethernet. And if that's the case, you should probably take this time to upgrade your router's firmware ASAP. That is if an update is even available from the manufacturer.
We say this because the Fraunhofer Institute for Communication (FKIE) in Germany recently performed test of 127 home routers, to probe them for their resistance to security threats. Of the routers the researchers tested, 91 percent of them were found to be running some version of embedded Linux, which isn't surprising.
What was surprising, however, was that the researchers found that not a single router was free of security flaws. In fact, it was discovered that many of these routers were actually susceptible to hundreds of known security vulnerabilities.
Reference:
Peter Weidenbach, Johannes vom Dorp. Home Router Security Report 2020 (pdf), FKIE
(Score: 5, Insightful) by canopic jug on Tuesday July 07 2020, @03:32PM (12 children)
Maybe a much gooder idea would be to put the government in charge of router firmware and security updates. If you want the job done left right.
The government could, in principle, mandate conditions that require or favor OpenWRT [openwrt.org] by vendors, but that would tread on someone's toes and therefore cannot happen. Instead, politicians would just turn around and outsource to the biggest current campaign donor or their partner(s). I guess that would be Bill these days, especially if you count his "charity" foundation or all the donations from his business partners.
That said, I agree with the AC that OpenWRT is the way to go. Even though the intersection of supported hardware and what is available in the big box stores is quite small, upon checking there always does seem to be a models few at each store that would work. The problem comes in when you start dealing with ISP add-ons like IPTV and other crap.
The security problems with the routers are caused by the underlying problem which is that the vendors are allowed to treat their products as proprietary even though they are not proprietary. Legally, the licensing for the kernel and much of the user space upon which their products depend is GPL and thus Free Software. Although required to, the vendors never release their code, even when requested. The Linux Foundation is part of that problem these days. Despite the name it is about advancing the interests of its members within the kernel code base rather than promoting and advancing Linux among the members. As a result, the Linux Foundation treats its software as Open Source rather than Copyleft which the vendors in turn treat as plain old proprietary software. That helps absolutely no one, not even the vendor. Yes, they may feel like they're getting over on someone but the reality is that, as the article shows, they end up quickly with either maintaining their own fork / mini distro or else foisting abandonware on the customers. If the vendors could just get the zero sum gamers out of their companies, or at least under control, they could set set up with a win-win-win situation by adopting and contributing to OpenWRT. They could focus on the hardware. The software would stay up to date and not tarnish the brand through unpatched holes. The customers would get a more polished system because the return on effort with the software would be much higher.
Really in this day and age, software is a commodity and it only wastes everybody's time and money (including the vendors themselves) to pretend otherwise like is happening in the article.
Money is not free speech. Elections should not be auctions.
(Score: 5, Interesting) by DannyB on Tuesday July 07 2020, @03:47PM (11 children)
Google will fab 100 chips for free?
What if we had an inexpensive, open source device, not unlike a Raspberry PI, that had just the right hardware to work as a good router. Then imagine if there were a software package that when put on an SD card, made a turn key router that any idiot could use? Such a device would need a couple of LEDs and a couple of push buttons. This device should also be available in a standard enclosed consumer friendly case. The idea is to make this so simple that any computer power user could burn the SD card, order the device and be good to go.
But that's crazy talk. Java induced Dementia is the new medical term.
The lower I set my standards the more accomplishments I have.
(Score: 2) by PiMuNu on Tuesday July 07 2020, @04:18PM (6 children)
> Then imagine if there were a software package that when put on an SD card, made a turn key router
But what happens when it doesn't get software/firmware updates?
(Score: 2) by RS3 on Tuesday July 07 2020, @04:31PM (5 children)
Pure fantasy-land, I know, but I dream of a world where something is actually fully debugged and finished before it's shipped. No update needed ever.
(Score: 2) by DannyB on Tuesday July 07 2020, @05:54PM (1 child)
But . . . consider things that get updates, and have been around forever . . .
* car radios and infotainment
* television sets
* phones
* pocket calculators
* thermostats
* doorbells
* pet feeders
* personal music player devices (with auto-reverse!)
How could a product ever be made goodfully enough to be fit for sale at the time you buy it?
The lower I set my standards the more accomplishments I have.
(Score: 2) by RS3 on Tuesday July 07 2020, @07:02PM
Oh DannyB, you almost got me!! My sarcasm detector was having an afternoon siesta.
You forgot bidets!! They've been getting hacked by the black ops. What a mess.
They're just grooming us for the final complete takeover by the machines.
(Score: 0) by Anonymous Coward on Tuesday July 07 2020, @06:25PM (1 child)
Are they done finding all the flaws in 10+ year old hardware (spectre, meltdown)? Once we get secure hardware we can get back to writing a secure OS for it.
I project finishing this secure OS, maybe with a secure program to run on it, sometime next century. Hope we still have 110AC to run the secure ATX power supply for our secure Pentium.
(Score: 3, Interesting) by RS3 on Tuesday July 07 2020, @07:17PM
It's complicated- not really hardware, but there have been some interesting pure hardware vulnerabilities (Rowhammer, RAMbleed, and a few others that are considered pretty low impact.) Problems are mostly in CPU firmware. You can argue that the hardware allows the vulnerability, but at some point, that's the purpose of hardware- to do the work that the firmware/software instructs it to, right? Do away with all RAM cache, branch prediction, etc., and you'll be much safer, but you'll wish for that old '486 back (which might not be a bad thing at this point...)
Actually, as I'm typing this on a computer powered by a ~10 year old CPU, Intel isn't bothering to update 10 year old CPUs. What little firmware updates they've released, it's up to the infernal computer / motherboard manufacturers to update BIOS (that can load CPU firmware). I'm not aware of a way to update CPU firmware from Windows (but I'd love to learn if someone knows.)
Linux kernel loads CPU firmware where/when the updates are available, plus the kernel has many mitigations, but not all.
Check yours here (for Linux): (SN code made incorrect links of these- leaving off the parameters. Tch tch.)
# "https://github.com/speed47/spectre-meltdown-checker"
# "git clone https://github.com/speed47/spectre-meltdown-checker.git" [github.com]
# or "wget https://meltdown.ovh [meltdown.ovh] -O spectre-meltdown-checker.sh"
# or "curl -L https://meltdown.ovh [meltdown.ovh] -o spectre-meltdown-checker.sh"
(Score: 2) by PiMuNu on Wednesday July 08 2020, @08:57AM
> Pure fantasy-land, I know
Yes, it is. There has been *no* personal computer made in the last decade without an exploit - thanks to exploits found in Intel et al hardware.
(Score: 1, Interesting) by Anonymous Coward on Tuesday July 07 2020, @04:42PM (2 children)
The Raspberry Pi 4 is quite adequate as an OpenWRT router, except that you need an add on USB3 Ethernet adapter because it only has one port. But now that it's got PCIe instead of USB2 as its system bus, the performance is good enough. It's not open source, though.
(Score: 2) by canopic jug on Tuesday July 07 2020, @05:13PM (1 child)
That's just for wireless. It works well in that context, but there is only a single gigabit Ethernet port on those things. It would be great to have some open hardware for building wired network appliances with 8, 12, 16, and 24 gigabit Ethernet ports, and maybe even a fibre connection or two. Maybe MIPS or Octeon or similar would work for that, but not ARM. I don't suppose that the Raspberry Pi Foundation could be hired for that because ARM is not appropriate for networking. However, maybe if Bunnie Huang could be hired, then a kickstarter or similar could be launched to collect the funds for the salary and other capital he would need to design or supervise the design of open hardware for networking and hand it off to Google for prototyping.
Money is not free speech. Elections should not be auctions.
(Score: 3, Interesting) by takyon on Wednesday July 08 2020, @01:24AM
https://soylentnews.org/~takyon/journal/5549 [soylentnews.org]
This is not what you are looking for, but it's an "SBC" (technically not since the memory is in DIMMs) with 2x 2.5 GbE, which might be all you really need.
Plug the internet or other source into one port, and any dumb switch with several ports into the other, and you have something potentially useful. If there is a version with 2x 10 GbE instead, then the scheme would support even more intensive use.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Wednesday July 08 2020, @01:03AM
Get an SBC. Preferably one with pci-e (mini, m2, etc.). Get a wireless card for that pcie slot that has good support from hostapd. Install Debian or some other distro with the necessary packages in its repos. Install hostapd and nftables. Write a simple fw ruleset. Turn ip forwarding on. Config hostapd.
You now have a router + AP that will receive updates until you no longer care about running the hardware.
It doesn't take that much time. The most time I've spent on these sorts of projects is figuring out what wireless card brand/models contain the chipset that I want.
If you don't care about wireless, you can be up and routing within minutes of finishing the OS install.