from the flash-alternate-router-firmware-for-protection dept.
janrinok writes "A recent survey carried out by Tripwire, reported by the BBC, claims that "80% of the 25 best-selling routers available on Amazon are vulnerable to compromise". Security researcher Craig Young from Tripwire said exploits had been publicly discussed and published for more than one-third of these devices.
In a separate report, the Internet Storm Center (ISC) warned about a continuing attempt to exploit a vulnerability in 23 separate models of Linksys routers. A worm, called 'The Moon' is compromising Linksys routers and then scans for other potentially vulnerable systems. So far, wrote ISC researcher Johannes Ullrich in his blogpost, it is not clear why the routers are being compromised and what might be done with them. There are hints in the exploit code that the routers will at some point be gathered together into a network of compromised machines. Currently, he added, all the worm was doing was spreading to other Linksys routers.
The reason for the current European concern is a recent large scale attack on home routers in order to gather usernames and passwords for online bank accounts, reported by the Polish Computer Emergency Response Team (CERT) and elsewhere."
(Score: 5, Interesting) by clone141166 on Monday February 24 2014, @03:23AM
I for one am surprised it has taken this long for larger numbers of home routers to become compromised. I suppose they are not susceptible to the malware-installed-by-the-user attack avenue that computers/tablets/phones are though.
I have actually been looking for a good fully open source router for a while, but they are tough to find (in Australia at least). At the moment I have been considering just building a mini-ITX, Atom-based PC and putting linux on it to run as the router. Then attaching a consumer ADSL router to it via ethernet, but placing the consumer ADSL router in bridged mode so that it just acts as a transparent modem only.
Interested to know if anyone else has any working setups for an inexpensive, open source, home DSL router?
(Score: 4, Informative) by codersean on Monday February 24 2014, @03:35AM
(Score: 3, Informative) by stormwyrm on Monday February 24 2014, @03:53AM
Why an Atom-based PC when a Raspberry Pi or one of the other small ARM-based boards like the Beaglebone Black would do, probably even better? Last time I checked a Raspberry Pi can still beat the Atom in terms of power consumption. Power consumption for a Raspberry Pi is something like 6W even at full tilt, while a mini-ITX Atom-based PC of the type you describe goes to 30 W (see here [outervision.com]). For a device that you want to keep on 24x7x365 this difference adds up to something like 200 kWh per year, which is close to my household's total monthly energy consumption (280 kWh).
Numquam ponenda est pluralitas sine necessitate.
(Score: 2) by clone141166 on Monday February 24 2014, @04:02AM
I did have a look at Raspberry Pis, they are fantastic, but I should have specified I was looking for a wired ethernet based solution rather than wireless only. Afaik you can't get Raspberry Pis with 2 or more ethernet ports? I suppose it could be possible to connect up some sort of USB-based ethernet dongle to obtain more than 1 ethernet port though?
(Score: 1) by stormwyrm on Monday February 24 2014, @04:27AM
Yeah, I've tried that. Most USB Ethernet dongles should work just fine with the Raspberry Pi. Generally if it will work on x86/amd64 Linux, Raspbian should have no trouble with it.
Numquam ponenda est pluralitas sine necessitate.
(Score: 1) by isostatic on Monday February 24 2014, @07:53AM
I bought 5 pis, with grand intentions of putting them on networks that other devices just couldn't reach.
Sadly the power connector (mini usb) is just too unreliable. I lost sight of 4 of the 5 pis within 2 months of deployment.
Now a pi which could power itself off POE, that would be a device worth having.
As for routers, I'm afraid I don't do open source :( I use MikroTiks. £30 for a wireless device that does PPPoE (via my BT VDSL modem) and OSPF? Not to mention its use in slightly larger networks where running BGP is handy.
(Score: 2, Informative) by dabiged on Monday February 24 2014, @04:00AM
I am in Australia and I purchased an Asus RT-N16 router from my local supplier. I am running TomatoUSB by shibby with a bridged modem. Cost me about $150 AUD to set up and it is infinitely better than my old Netgear.
(Score: 3, Informative) by sibiday fabis on Monday February 24 2014, @03:18PM
FYI - make sure you have good airflow, it might help prevent capacitor failure on that RT-N16. They are great when they work, but I had two units die of popped caps.
(Score: 2, Informative) by Anonymous Coward on Monday February 24 2014, @04:23AM
You can request to open the box at the computer shop and if it has GNU/Linux on it there will be a small (cheap paper) leaflet with the GNU license in there (Manufacturers should advertise this more openly on their websites anyways -aka- tech specs.)
Also check out the alternative firmware sites (WRT, Tomato) and if they have a firmware version for a specific hardware modem/router chances are that it has GNU/Linux on it already.
You might want to check out D-Link (for ADSL). I'm not saying they are bomb proof but they are one of the few (cheap) manufacturers that have resisted re-branding cheap chinaware -aka- porcelain-firmware like Linksys, ZyXEL, Billion etc. do.
As for a "PPPoE" router I recommend getting an AMD-based mainboard and slapping VMware ESXi on it. AMD because all 64-bit processors have the virtualization stuff required by ESXi.
You can then try all the open-source router software, each in its own virtual machine .. plus you might try other stuff (webserver, chat server, print server, torrent, Tor, email server etc. etc.) in additional virtual machines ... and easy to nuke if it goes south : )
Also it is safer and easier to make a virtual machine than having to flash firmware.
In conclusion: get a good solid modem, put it in bridge mode and let a REAL computer do the heavy lifting / NATting.
(Score: 0) by Anonymous Coward on Monday February 24 2014, @04:46AM
The Asus "E35M1-M PRO" uses about 45 watts.
USB 3
max 8 GB RAM
2 x PCI (!) slots
(Score: 5, Informative) by evilviper on Monday February 24 2014, @04:36AM
Look at the DD-WRT list of supported models. Even better if the unit has USB:
http://www.dd-wrt.com/wiki/index.php/USB_storage#Compatible_units [dd-wrt.com]
The D-Link DIR-632 was a great deal, selling for $35 on Amazon, trivial to upgrade to DD-WRT, and having a USB port for network attached storage or printer sharing, and 8 wired switch ports. Now that stocks are gone, prices have gone very high... $75 currently. Too bad.
You can also look for devices preloaded with DD-WRT, like the Buffalo brand.
DD-WRT is a bit finicky in the UI department, but it can do anything you'd want... WiFi to wired bridge, WiFi repeater, WiFi AP, static/dynamic, QoS & throttling, SSH, WDS, etc.
I wouldn't recommend using an old PC, because of power consumption, alone. Never mind size, noise, maintenance, etc.
Hydrogen cyanide is a delicious and necessary part of the human diet.
(Score: 1) by razza on Monday February 24 2014, @10:01PM
The main problem always seems to be ADSL support.
(Score: 1) by AnythingGoes on Wednesday February 26 2014, @04:47AM
An older netbook like Asus EEE 2G/701, on the other hand, is pretty decent and can be booted from a read-only SD card. The power consumption is less than 15W during normal operations if you turn off the screen. Comes with 3 USB ports too :)
(Score: 2) by evilviper on Wednesday February 26 2014, @06:47AM
An Eee 701 has 100BaseT ethernet, needs even slower USB-ethernet adapters for a second port. Only very slow 802.11g wireless on 2.4 GHz. etc. It'll use far more power than a purpose-built router, and costs several times more. And you STILL need an ethernet switch to connect multiple wired devices. It's not a TERRIBLE option, but it's certainly not a good one, either.
Hydrogen cyanide is a delicious and necessary part of the human diet.
(Score: 1) by ls671 on Monday February 24 2014, @06:17AM
I have been using a Linux firewall/router for 15 years. Wireless access is on a dedicated subnet with special rules. I do not mind the power usage (70 watts / $5 a month) since that machine is also used as a file server and what not.
Those cheap routers aren't any good under load anyway. NAT table gets full usually after 1024, hard to do things like traffic shaping for VoIP etc. etc.
With this setup, you get the full benefits of a full-fledged router. As long as you use the machine for something else like a file server, backup server, then forget about the power usage.
Everything I write is lies, including this sentence.
(Score: 5, Interesting) by goathack on Monday February 24 2014, @03:28AM
Is there a comprehensive list of affected models/firmware versions?
(Score: 3, Insightful) by randmcnatt on Monday February 24 2014, @03:41AM
The Wright brothers were not the first to fly: they were the first to land.
(Score: 2, Informative) by lennier on Monday February 24 2014, @04:01AM
It looks like the 80% "research" is paywalled, or at least spamwalled. This page is as close as I could get [tripwire.com], but I'm not giving them my email address just to read a vague assertion.
Delenda est Beta
(Score: 2, Informative) by drgibbon on Monday February 24 2014, @04:33AM
Try this [guerrillamail.com].
Certified Soylent Fresh!
(Score: 3, Informative) by Jerry Smith on Monday February 24 2014, @04:56PM
I did.
1. Don’t enable remote management over the Internet.
2. Passwords matter.
3. Don’t use the default IP ranges.
4. Don’t forget to log out after configuring the router.
5. Turn on encryption and turn off WPS.
6. Keep the router firmware up-to-date.
God I felt belittled...
All those moments will be lost in time, like tears in rain. Time to die.
(Score: 2, Interesting) by drgibbon on Tuesday February 25 2014, @01:02AM
Seems to be pretty standard stuff. Is number 3 referring to DHCP ranges?
Certified Soylent Fresh!
(Score: 1) by Jerry Smith on Tuesday February 25 2014, @06:51AM
Yep, 84% of the home routers are still default and 45% of the business routers, that's what it says in Fig. 4. That's ALL it says in Fig. 4: a pie chart with yes and no.
3. Don't use the default IP ranges. Predictable addresses make CSRF attacks easier (Fig. 4). Rather than 192.168.1.1, consider 10.9.8.7 or something else which is not commonly used. This is a simple but effective technique for decreasing the likelihood of a successful CSRF attack.
All those moments will be lost in time, like tears in rain. Time to die.
(Score: 2) by janrinok on Monday February 24 2014, @02:41PM
As the original poster, I can assure you that there was once a decent page on the end of that link!
I can only assume that, with the increase in traffic caused by SN (Yippee!), they have tried to 'monetize' the opportunity. Perhaps all that is simply wishful thinking...
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 2, Informative) by JimmyCrackCorn on Monday February 24 2014, @04:04AM
FTA
Detecting potentially vulnerable system:
printf 'GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n' | nc routerip 8080   # printf rather than plain echo, so the \r\n line endings are actually sent
if you get the XML HNAP output back, then you MAY be vulnerable.
(Score: 0) by Anonymous Coward on Monday February 24 2014, @11:18PM
Something to consider even for routers not on such a list is that some wireless routers have WPS on by default. WPS uses an eight digit PIN that can be cracked with a tool called Reaver. Once cracked, Reaver also tells you the wireless connection password. It took 31 hours on my Core i7 laptop to crack my own WPS PIN, but once cracked, I was also shown my WPA2 password. I'm able to turn WPS off in my gateway (rented from Comcast), but I've read that some routers will not turn the WPS off even though they indicate that it is off in the router settings.
(Score: 4, Interesting) by captain normal on Monday February 24 2014, @03:36AM
There is a possibility that this and many other attacks are from NSA or some other government's spy agency. Just a possibility of course. The other thing is that virtually no one password protects their router. Most people will set a password for access, but leave control of their router's settings and permissions to someone called "admin" or "administration". That probably accounts for the 80% right there.
The Musk/Trump interview appears to have been hacked, but not a DDOS hack...more like A Distributed Denial of Reality.
(Score: 5, Funny) by nsa on Monday February 24 2014, @03:42AM
No, it's not us. Trust me.
(Score: 1) by aristarchus on Monday February 24 2014, @04:49AM
What? The NSA is a user on Soylent News? But wait, they said "trust us". Carry on.
(Score: 0) by Anonymous Coward on Monday February 24 2014, @04:39AM
No 3-letter agency paranoia required here. ..uhm... 20 room villa with olympic sized swimming pool and tennis court built on a toxic landfill syndrome : )))
People don't know / don't care. If it looks "fancy" it's good!
They just want to get their pr0n, Facebook and YouTube anyways.
you know the
(Score: 1) by ls671 on Monday February 24 2014, @06:31AM
I monitor attacks on several servers and most of them are from organized crime or script kiddies. I never could find one special enough for me to think it is coming from who you think it is.
Then again if who you say was going to get in, maybe I wouldn't even see it coming. Maybe they are already in! I am pretty good at monitoring but I would never ever think that I am impenetrable. Nevertheless, I would say chances are they aren't in ;-)
I believe the idea is to work at a higher network level and not take control of private LANs unless there is sufficient reason to try to do so.
Everything I write is lies, including this sentence.
(Score: 2) by janrinok on Monday February 24 2014, @02:56PM
It's true that many do not protect their routers even by simply changing the default passwords. At least here (France) each router provided by an ISP has a password that is based upon the router's serial number. If you have the device in your hand it is possible to work out (eventually) what the default password will be, although it is not a straightforward read across. There is not a standard userid/password combination that works on all routers of that type.
I suspect that another reason, hinted at in my first paragraph, is that ISPs (e.g. Orange.fr) provide the router and they can access it at any time to update the firmware inside it. No matter how careful they may be, the password for that attack vector could eventually become known, even if only to a few individuals, leaving the device vulnerable. Fitting your own privately purchased router causes problems, as the ISP will simply ignore your router if it does not return the correct firmware password (I have tried, and even got a phone call from Orange asking if I was experiencing difficulties). Of course, it is easy to change the admin/user names and passwords, but I have not found a way to identify the ISP's password for my router. I suppose I could put another computer between the telephone cable and the router and sniff it out that way. But, to be fair, I have not seen reports of Orange's routers being vulnerable to any specific attacks.
Alternatively, perhaps someone will read this and point me in the right direction...?
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 5, Interesting) by TheLink on Monday February 24 2014, @04:07AM
Secondly "browser drive by" attacks on the router's internal IP should only work if the user is logged in (which is hardly ever). And if you use session cookies, the window should be a lot smaller (yes I know many use basic auth, ugh).
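TheLink's point above (and Tripwire's tip 3 about non-default addresses, quoted elsewhere in the thread) in working form, as an added example that is not from any post here nor from any router's firmware: a toy model of a router admin UI's request checks, contrasting basic auth, where the browser re-sends cached credentials with any request, against a session cookie plus Host, Origin and CSRF-token checks with an idle timeout. The router address, the timeout value and the sample requests are constructed.

```python
"""Toy model of a router admin UI's request checks, showing why a session
cookie plus Origin and CSRF-token checks shrink the drive-by window that
basic auth leaves wide open. Example code; every value here is constructed."""
import hmac
import secrets
import time

ROUTER_HOST = "10.9.8.7"      # constructed non-default LAN address (Tripwire tip 3)
IDLE_TIMEOUT = 5 * 60         # seconds of inactivity before the session dies

sessions = {}                 # session id -> (csrf token, last-seen timestamp)


def login():
    """Issue a fresh session id and a CSRF token bound to that session."""
    sid = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(16)
    sessions[sid] = (token, time.time())
    return sid, token


def check_basic_auth_only(req, expected_auth):
    """The 'ugh' case from the thread: the browser re-attaches the cached
    Authorization header to every request, so a POST forged by another
    site passes as long as the credentials themselves are right."""
    return hmac.compare_digest(req["headers"].get("Authorization", ""), expected_auth)


def check_session_request(req, now):
    """Accept a state-changing request only if every layer of the check passes."""
    headers = req["headers"]
    # 1. Host must be the router itself, not a name an attacker controls.
    if headers.get("Host") != ROUTER_HOST:
        return False, "bad host"
    # 2. The request must originate from the router's own UI.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not origin.startswith("http://" + ROUTER_HOST):
        return False, "cross-site origin"
    # 3. A live session cookie is required; idle sessions are dropped.
    entry = sessions.get(req.get("cookies", {}).get("session"))
    if entry is None:
        return False, "no session"
    token, last_seen = entry
    if now - last_seen > IDLE_TIMEOUT:
        sessions.pop(req["cookies"]["session"])
        return False, "session expired"
    # 4. The form must carry the token tied to this session.
    if not hmac.compare_digest(req.get("form", {}).get("csrf", ""), token):
        return False, "missing or invalid csrf token"
    sessions[req["cookies"]["session"]] = (token, now)   # refresh idle timer
    return True, "ok"


def demo():
    """Push constructed requests through both models and return the verdicts."""
    expected_auth = "Basic PLACEHOLDER_BASE64_CREDS"   # constructed, not real
    sid, token = login()
    now = time.time()
    own_ui = {"Host": ROUTER_HOST, "Origin": "http://" + ROUTER_HOST}
    good = {"headers": own_ui, "cookies": {"session": sid},
            "form": {"csrf": token, "dns": "203.0.113.5"}}
    # A page on another site POSTs to the router: the browser still sends the
    # cookie (and any cached basic-auth header), but Origin gives it away and
    # the other site cannot read the per-session token to include it.
    forged = {"headers": {"Host": ROUTER_HOST, "Origin": "http://evil.example",
                          "Authorization": expected_auth},
              "cookies": {"session": sid}, "form": {"dns": "203.0.113.5"}}
    return {
        "good": check_session_request(good, now),
        "forged_session": check_session_request(forged, now),
        "forged_basic": check_basic_auth_only(forged, expected_auth),
        # Same good request replayed after the user walked away: window closed.
        "stale": check_session_request(good, now + IDLE_TIMEOUT + 1),
    }
```

Calling demo() returns the four verdicts; only the basic-auth model accepts the forged request.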
(Score: 5, Informative) by nsa on Monday February 24 2014, @04:25AM
The internal interface also matters. Compromise a single system on the internal network via MITM at the ISP or upstream, or a malicious site visited, and now that barrier to compromise of the router is gone. Compromise the router, and you now have total domination of the rest of the hosts on that network (or at least all of their internet traffic, which usually makes further infiltration a piece of cake).
The NSA Never Says Anything. The NSA Never Lies [washingtonpost.com]
(Score: 1) by TheLink on Monday February 24 2014, @07:04AM
Which is why I wrote a second paragraph.
(Score: 1) by nsa on Monday February 24 2014, @09:25AM
Yes, I too quickly inferred from the word 'drive by' that you were referring to a wifi attack from a vehicle driving by. That said, even if the user is not logged in, the threat surface is still extremely large compared to an external interface filtering out admin access. Your 'should' in that paragraph is also one of those infamous 'should's to dwell on. Beside that, advanced persistent threats[1] in firmware can wait a long time for the user to log into the router.
[1] Jonathan Corbet - Practical Security for 2014
"Many of these problems can be explained by the fact that we're dealing with firmware authors, but there is more to it than that: a system's firmware has not traditionally been part of its security model. Suddenly the firmware has been put into an important position of trust, despite the fact that it was not written with that kind of security in mind."
Again, we at the NSA are sorry for being too hasty delivering a retaliatory salvo to your opinion instead of considering it more carefully. Sorry about that.
The NSA Never Says Anything.
The NSA Always Apologizes For Its Mistakes
The NSA Never Lies [washingtonpost.com]
(Score: 1) by chromas on Monday February 24 2014, @09:38AM
I recently discovered an older Belkin 'router' (F5D8236-4 v2) I commandeered loads up the login page with a bunch of JavaScript variables including some booleans and various IP and MAC addresses plus the login password. The JavaScript is there solely to redirect to the firmware updater which doesn't work. It also forgets how DNS works sometimes.
(Score: 5, Insightful) by Popeidol on Monday February 24 2014, @07:26AM
Most home users encounter updates in the following ways:
As you go down that list, they become easier for you to implement but more effort for the user. The more effort for the user, the less likely the updates will be installed
At the moment, the update process for many home routers hasn't changed for a decade:
Silent updates aren't great for critical hardware like routers so let's go with one of the other options: The router web interface has update notifications, nice and obvious. The update page displays some notes about the firmware release and then a big 'update' button. The software handles the version checking, downloads, backups, and rebooting. It keeps a copy of the old software to roll back to if something goes wrong.
The Netgear I got last year has exactly the same update process as the Netgear I bought a decade ago. The world has changed, user expectations have changed, and it's time for these companies to change along with it.
(Score: 2, Insightful) by mojo chan on Monday February 24 2014, @01:25PM
The problem is how do you get the user to even understand that the router has a web interface, let alone go there regularly to check for update messages. You could do some horrible kind of MITM attack and inject a warning into web sites that the user is viewing, but that isn't an ideal solution. A flashing light on the router wouldn't work because a) there are already lots of flashing lights, b) no-one would know or care what the light meant as long as their internet kept working and c) many people hide their routers away so couldn't see it anyway.
The only option would seem to be to close off web access and replace it with a warning message until the firmware is updated or the message dismissed. Other internet access would continue normally so as not to break things like OS updates or VOIP.
const int one = 65536; (Silvermoon, Texture.cs)
(Score: 5, Interesting) by Popeidol on Monday February 24 2014, @02:46PM
Yeah, that's the other big problem: People treat the router as a set-and-forget appliance, but they behave as low-power computers. You can't get the security warnings to be too intrusive or people will just replace your product.
So that leaves a few options, all of which have some serious flaws:
The final option is the best balance between intrusiveness and reliability, but would require changing the software release to a model that can push security patches separately. It's quite possible, Ubiquiti does it: Their EdgeMax routers [ubnt.com] are Debian/Vyatta underneath, so you can add software repos and pull security updates on a schedule without much risk. Unfortunately they're not really home grade.
If anybody else has a good solution for this, I'd love to hear it. Right now I can set up my family with computers that automatically install updates, regularly scan for malware, back everything up, and phone home to me if something goes urgently wrong - but router updates require manual tracking and intervention.
(Score: 1) by etherscythe on Tuesday February 25 2014, @01:03AM
You mean like the old Net Send feature of Windows which is now defaulted to disabled due to massive spam campaigns years ago? I can see that working actually; it just needs to be like Android notifications where you get some kind of low-impact-but-definitely-visible indication (like hijack HTML pages to add a menubar at the top with a notice) rather than a full-on popup window. It would take users some time to adjust to this level of traffic tampering, but long term seems like the best way to do it IMHO.
Problem I see with autoupdates is the seemingly arbitrary effects on the end users. Like, my multi-hour-long download from that overseas server that doesn't support resume, which gets cut off and I have to start it over for no apparent good reason (unbeknownst to the user, critical update required a reboot). It would be cool if we could temporarily dump info to a hypervisor to maintain session info between reboots, but that kind of abstraction causes performance/hardware requirement strain, and obviously wouldn't work if some of that code was part of what was being patched.
"Fake News: anything reported outside of my own personally chosen echo chamber"
(Score: 1) by len_harms on Monday February 24 2014, @02:57PM
Yeah my ASUS router I bought a year or so ago is about the same.
They have a 'check for updates' on the router webpage. But guess what there *was* a new update out on the ASUS page. For 2 weeks I left it thinking 'oh they will fix it and I will use the easy way'. Nope. Had to manually download and update.
At that point I went to rmerlin's patches.
Never thought I would be able to get 25-30MB (not bit) sustained rate thru wireless though. Seriously happy with the router. Good thing I didn't plug in a USB drive... external FTP on by default and no password (seriously?).
ASUS seems to be moving towards a 1 package recompiled to rule them all. Which I think is a good way to go long term for these guys. This sort of thing will not end well if they slap together new models and then walk away. My old Linksys router I bought to get 802.11N had 1 update, ever.
These guys are slapping Linux BusyBox distros into these things. Linux is pretty good for that but it does get vulns just like many other OSes out there. It does need patches for the packages included.
This is not just routers either. My TV has a BusyBox distro in it and has not seen an update in 2 years. The Motorola router that connects to TW is a BusyBox distro and its firmware is ~1-2 years old. The only thing saving us is that they are all ARM/MIPS architectures and each one is a bit different and it is a pain to root each one individually.
(Score: 5, Funny) by Thexalon on Monday February 24 2014, @02:17PM
According to Tripwire, 20% of home routers are *not* vulnerable. That's truly an amazing improvement!
The only thing that stops a bad guy with a compiler is a good guy with a compiler.