SoylentNews is people

posted by Dopefish on Monday February 24 2014, @03:00AM
from the flash-alternate-router-firmware-for-protection dept.

janrinok writes "A recent survey carried out by Tripwire, reported by the BBC, claims that "80% of the 25 best-selling routers available on Amazon are vulnerable to compromise". Security researcher Craig Young from Tripwire said exploits had been publicly discussed and published for more than one-third of these devices.

In a separate report, the Internet Storm Center (ISC) warned about a continuing attempt to exploit a vulnerability in 23 separate models of Linksys routers. A worm called 'The Moon' is compromising Linksys routers and then scanning for other potentially vulnerable systems. So far, wrote ISC researcher Johannes Ullrich in his blog post, it is not clear why the routers are being compromised and what might be done with them. There are hints in the exploit code that the routers will at some point be gathered together into a network of compromised machines. Currently, he added, all the worm was doing was spreading to other Linksys routers.

The reason for the current European concern is a recent large scale attack on home routers in order to gather usernames and passwords for online bank accounts, reported by the Polish Computer Emergency Response Team (CERT) and elsewhere."

  • (Score: 5, Interesting) by clone141166 on Monday February 24 2014, @03:23AM

    by clone141166 (59) on Monday February 24 2014, @03:23AM (#5484)

    I for one am surprised it has taken this long for larger numbers of home routers to become compromised. I suppose they are not susceptible to the malware-installed-by-the-user attack avenue that computers/tablets/phones are though.

    I have actually been looking for a good fully open source router for a while, but they are tough to find (in Australia at least). At the moment I have been considering just building a mini-ITX, Atom-based PC and putting linux on it to run as the router. Then attaching a consumer ADSL router to it via ethernet, but placing the consumer ADSL router in bridged mode so that it just acts as a transparent modem only.

    Interested to know if anyone else has any working setups for an inexpensive, open source, home DSL router?

    • (Score: 4, Informative) by codersean on Monday February 24 2014, @03:35AM

      by codersean (2738) on Monday February 24 2014, @03:35AM (#5493) Homepage
      Have you looked into pfSense [pfsense.org]? The Netgate [netgate.com] boxes look pretty sweet. I'm going to be converting an old machine into a pfSense box to try it out and if all goes well then get a Netgate.
    • (Score: 3, Informative) by stormwyrm on Monday February 24 2014, @03:53AM

      by stormwyrm (717) on Monday February 24 2014, @03:53AM (#5505) Journal

      Why an Atom-based PC when a Raspberry Pi or one of the other small ARM-based boards like the Beaglebone Black would do, probably even better? Last time I checked a Raspberry Pi can still beat the Atom in terms of power consumption. Power consumption for a Raspberry Pi is something like 6W even at full tilt, while a mini-ITX Atom-based PC of the type you describe goes to 30 W (see here [outervision.com]). For a device that you want to keep on 24x7x365 this difference adds up to something like 200 kWh per year, which is close to my household's total monthly energy consumption (280 kWh).

      --
      Numquam ponenda est pluralitas sine necessitate.
      • (Score: 2) by clone141166 on Monday February 24 2014, @04:02AM

        by clone141166 (59) on Monday February 24 2014, @04:02AM (#5511)

        I did have a look at Raspberry Pis, they are fantastic, but I should have specified I was looking for a wired ethernet based solution rather than wireless only. Afaik you can't get Raspberry Pis with 2 or more ethernet ports? I suppose it could be possible to connect up some sort of USB-based ethernet dongle to obtain more than 1 ethernet port though?

        • (Score: 1) by stormwyrm on Monday February 24 2014, @04:27AM

          by stormwyrm (717) on Monday February 24 2014, @04:27AM (#5534) Journal

          Yeah, I've tried that. Most USB Ethernet dongles should work just fine with the Raspberry Pi. Generally if it will work on x86/amd64 Linux, Raspbian should have no trouble with it.

          --
          Numquam ponenda est pluralitas sine necessitate.
          • (Score: 1) by isostatic on Monday February 24 2014, @07:53AM

            by isostatic (365) on Monday February 24 2014, @07:53AM (#5661) Journal

            I bought 5 pis, with grand intentions of putting them on networks that other devices just couldn't reach.

            Sadly the power connector (mini usb) is just too unreliable. I lost sight of 4 of the 5 pis within 2 months of deployment.

            Now a pi which could power itself off POE, that would be a device worth having.

            As for routers, I'm afraid I don't do open source :( I use mikrotiks. £30 for a wireless device that does PPPoE (via my BT VDSL modem) and OSPF? Not to mention its use in slightly larger networks where running BGP is handy.

    • (Score: 2, Informative) by dabiged on Monday February 24 2014, @04:00AM

      by dabiged (250) on Monday February 24 2014, @04:00AM (#5509)

      I am in Australia and I purchased an Asus RT-N16 router from my local supplier. I am running TomatoUSB by shibby with a bridged modem. Cost me about $150 AUD to set up and it is infinitely better than my old netgear.

      • (Score: 3, Informative) by sibiday fabis on Monday February 24 2014, @03:18PM

        by sibiday fabis (2160) on Monday February 24 2014, @03:18PM (#5864)

        FYI - make sure you have good airflow, it might help prevent capacitor failure on that RT-N16. They are great when they work, but I had two units die of popped caps.

    • (Score: 2, Informative) by Anonymous Coward on Monday February 24 2014, @04:23AM

      by Anonymous Coward on Monday February 24 2014, @04:23AM (#5530)

      You can request to open the box at the computer shop and if it has GNU/Linux on it there will be a small (cheap paper) leaflet with the GNU license in there (Manufacturers should advertise this more openly on their websites anyways -aka- tech specs.)

      Also check-out the alternative firmware sites (WRT, tomato) and if they have firmware version for a specific hardware modem/router chances are that it has GNU/Linux on it already.

      You might want to check out D-link (for ADSL). I'm not saying they are bomb proof but they are one of the few (cheap) manufacturers that have resisted re-branding cheap chinaware -aka- porcelain-firmware like linksys, zyxel, billion etc. do.

      As for a "PPPoE" router I recommend getting a AMD based mainboard and slapping vmware esxi on it. AMD because all 64-bit processors have the virtualization stuff required by esxi.

      You can then try all the open-source router software, each in its own virtual machine .. plus you might try other stuff (webserver, chat server, print server, torrent, tor, email-server etc. etc.) in additional virtual machines ... and easy to nuke if it goes south : )
      Also it is more safe and easy to make a virtual machine than having to flash firmware.

      In conclusion: get a good solid modem, put it in bridge mode and let a REAL computer do the heavy lifting / natting.

      • (Score: 0) by Anonymous Coward on Monday February 24 2014, @04:46AM

        by Anonymous Coward on Monday February 24 2014, @04:46AM (#5541)

        the asus "E35M1-M PRO" uses about 45 watts.
        usb3
        max 8 GB Ram
        2 x pci (!) slots

    • (Score: 5, Informative) by evilviper on Monday February 24 2014, @04:36AM

      by evilviper (1760) on Monday February 24 2014, @04:36AM (#5538) Homepage Journal

      I have actually been looking for a good fully open source router for a while, but they are tough to find (in Australia at least).

      Look at the DD-WRT list of supported models. Even better if the unit has USB:

      http://www.dd-wrt.com/wiki/index.php/USB_storage#Compatible_units [dd-wrt.com]

      The D-Link DIR-632 was a great deal, selling for $35 on Amazon, trivial to upgrade to DD-WRT, and having a USB port for network attached storage or printer sharing, and 8 wired switch ports. Now that stocks are gone, prices have gone very high... $75 currently. Too bad.

      You can also look for devices preloaded with DD-WRT, like the Buffalo brand.

      DD-WRT is a bit finicky in the UI department, but it can do anything you'd want... WiFi to wired bridge, WiFi repeater, WiFi AP, static/dynamic, QoS & throttling, SSH, WDS, etc.

      I wouldn't recommend using an old PC, because of power consumption, alone. Never mind size, noise, maintenance, etc.

      --
      Hydrogen cyanide is a delicious and necessary part of the human diet.
      • (Score: 1) by razza on Monday February 24 2014, @10:01PM

        by razza (3196) on Monday February 24 2014, @10:01PM (#6231)

        The main problem always seems to be ADSL support.

      • (Score: 1) by AnythingGoes on Wednesday February 26 2014, @04:47AM

        by AnythingGoes (3345) on Wednesday February 26 2014, @04:47AM (#7115)

        An older netbook like Asus EEE 2G/701, on the other hand, is pretty decent and can be booted from a read-only SD card. The power consumption is less than 15W during normal operations if you turn off the screen. Comes with 3 USB ports too :)

        • (Score: 2) by evilviper on Wednesday February 26 2014, @06:47AM

          by evilviper (1760) on Wednesday February 26 2014, @06:47AM (#7157) Homepage Journal

          An Eee 701 has 100BaseT ethernet, needs even slower USB-ethernet adapters for a second port. Only very slow 802.11g wireless on 2.4GHz, etc. It'll use far more power than a purpose built router, and costs several times more. And you STILL need an ethernet switch to connect multiple wired devices. It's not a TERRIBLE option, but it's certainly not a good one, either.

          --
          Hydrogen cyanide is a delicious and necessary part of the human diet.
    • (Score: 1) by ls671 on Monday February 24 2014, @06:17AM

      by ls671 (891) on Monday February 24 2014, @06:17AM (#5598) Homepage

      I have been using a linux firewall/router for 15 years. Wireless access is on a dedicated subnet with special rules. I do not mind the power usage (70 watts/ 5$ a month) since that machine is also used as a file server and what not.

      Those cheap routers aren't any good under load anyway. Nat table gets full usually after 1024, hard to do things like traffic shaping for VOIP etc. etc.

      With this setup, you get the full benefits of a full fledged router. As long as you use the machine for something else like a file server, backup server, then forget about the power usage.

      --
      Everything I write is lies, read between the lines.
  • (Score: 5, Interesting) by goathack on Monday February 24 2014, @03:28AM

    by goathack (1992) on Monday February 24 2014, @03:28AM (#5488)

    Is there a comprehensive list of affected models/firmware versions?

    • (Score: 3, Insightful) by randmcnatt on Monday February 24 2014, @03:41AM

      by randmcnatt (671) on Monday February 24 2014, @03:41AM (#5498)
      I've been looking all over Tripwire [tripwire.com] and haven't found anything. I really wish these kinds of articles were more informative and less sensational. Oh, and if nobody at Tripwire or BBC could figure it out, 80% of 25 is 20. I don't suppose that sounds as ominous, though.
      --
      The Wright brothers were not the first to fly: they were the first to land.
      • (Score: 2, Informative) by lennier on Monday February 24 2014, @04:01AM

        by lennier (2199) on Monday February 24 2014, @04:01AM (#5510)

        It looks like the 80% "research" is paywalled, or at least spamwalled. This page is as close as I could get [tripwire.com], but I'm not giving them my email address just to read a vague assertion.

        --
        Delenda est Beta
        • (Score: 2, Informative) by drgibbon on Monday February 24 2014, @04:33AM

          by drgibbon (74) on Monday February 24 2014, @04:33AM (#5536) Journal

          but I'm not giving them my email address just to read a vague assertion.

          Try this [guerrillamail.com].

          --
          Certified Soylent Fresh!
          • (Score: 3, Informative) by Jerry Smith on Monday February 24 2014, @04:56PM

            by Jerry Smith (379) on Monday February 24 2014, @04:56PM (#5956) Journal

            but I'm not giving them my email address just to read a vague assertion.

            I did.

            1. Don’t enable remote management over the Internet.
            2. Passwords matter.
            3. Don’t use the default IP ranges.
            4. Don’t forget to log out after configuring the router.
            5. Turn on encryption and turn off WPS.
            6. Keep the router firmware up-to-date.

            God I felt belittled...

            --
            All those moments will be lost in time, like tears in rain. Time to die.
            • (Score: 2, Interesting) by drgibbon on Tuesday February 25 2014, @01:02AM

              by drgibbon (74) on Tuesday February 25 2014, @01:02AM (#6311) Journal

              Seems to be pretty standard stuff. Is number 3 referring to DHCP ranges?

              --
              Certified Soylent Fresh!
              • (Score: 1) by Jerry Smith on Tuesday February 25 2014, @06:51AM

                by Jerry Smith (379) on Tuesday February 25 2014, @06:51AM (#6439) Journal

                Seems to be pretty standard stuff. Is number 3 referring to DHCP ranges?

                Yep, 84% of the home routers are still default and 45% of the business routers, that's what it says in Fig. 4. That's ALL it says in Fig. 4: a pie chart with yes and no.

                3. Don't use the default IP ranges. Predictable addresses make CSRF attacks easier (Fig. 4). Rather than 192.168.1.1, consider 10.9.8.7 or something else which is not commonly used. This is a simple but effective technique for decreasing the likelihood of a successful CSRF attack.

                --
                All those moments will be lost in time, like tears in rain. Time to die.
        • (Score: 2) by janrinok on Monday February 24 2014, @02:41PM

          by janrinok (52) Subscriber Badge on Monday February 24 2014, @02:41PM (#5822) Journal

          As the original poster, I can assure you that there was once a decent page on the end of that link!

          I can only assume that, with the increase in traffic caused by SN (Yippee!), they have tried to 'monetize' the opportunity. Perhaps all that is simply wishful thinking...

          --
          We are always looking for new staff in different areas - please volunteer if you have some spare time and wish to help
    • (Score: 2, Informative) by JimmyCrackCorn on Monday February 24 2014, @04:04AM

      by JimmyCrackCorn (1495) on Monday February 24 2014, @04:04AM (#5514)

      FTA

      Detecting potentially vulnerable system:

      printf 'GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n' | nc routerip 8080

      if you get the XML HNAP output back, then you MAY be vulnerable.
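
The check quoted above, as an added Python example that is not part of the original comment or the ISC write-up: it sends the same request to a router you administer and decides whether the reply really is HNAP XML rather than an HTML error page. The HNAP namespace URI, the `ModelName`/`FirmwareVersion` element names, the extra `Connection: close` header and the two sample responses are assumptions or constructed for this example.

```python
import socket
import xml.etree.ElementTree as ET

# Namespace assumed for HNAP1 SOAP replies (assumption of this example).
HNAP_NS = "http://purenetworks.com/HNAP1/"

# Same request as the one-liner; "Connection: close" is added so the read ends.
REQUEST = b"GET /HNAP1/ HTTP/1.1\r\nHost: test\r\nConnection: close\r\n\r\n"

# Constructed sample replies (not captured from any real device).
SAMPLE_HNAP = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soap:Body>"
    b'<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">'
    b"<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>"
    b"<ModelName>EXAMPLE-1000</ModelName>"
    b"<FirmwareVersion>0.0.0-constructed</FirmwareVersion>"
    b"</GetDeviceSettingsResponse></soap:Body></soap:Envelope>"
)
SAMPLE_OTHER = (
    b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>Not Found</body></html>"
)


def probe(host, port=8080, timeout=5.0, limit=65536):
    """Send the HNAP GET to one host and return the raw reply (size-capped)."""
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(REQUEST)
        while total < limit:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
            total += len(data)
    return b"".join(chunks)


def classify(raw):
    """Return status code, whether the body is HNAP XML, and model/firmware."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None
    result = {"status": status, "hnap": False, "model": None, "firmware": None}

    # Cut from the first '<' to the last '>' so a single-chunk
    # "Transfer-Encoding: chunked" wrapper does not break the XML parse.
    start, end = body.find(b"<"), body.rfind(b">")
    if start == -1 or end <= start:
        return result
    doc = body[start:end + 1]
    # The reply is untrusted input: refuse DTDs/entities before parsing.
    if b"<!DOCTYPE" in doc or b"<!ENTITY" in doc:
        return result
    try:
        root = ET.fromstring(doc)
    except ET.ParseError:
        return result  # HTML error pages usually end up here

    for el in root.iter():
        ns, _, local = el.tag.rpartition("}")
        if ns.lstrip("{") != HNAP_NS:
            continue
        result["hnap"] = True
        if local == "ModelName":
            result["model"] = (el.text or "").strip()
        elif local == "FirmwareVersion":
            result["firmware"] = (el.text or "").strip()
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: script.py <router-ip> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
        try:
            info = classify(probe(sys.argv[1], port))
        except OSError as exc:
            sys.exit(f"no answer on port {port}: {exc}")
    else:
        info = classify(SAMPLE_HNAP)  # offline demo on the constructed reply
    if info["hnap"]:
        print("HNAP answered (MAY be vulnerable):", info["model"], info["firmware"])
        print("Compare the firmware with the vendor's current release and "
              "turn off remote management.")
    else:
        print("No HNAP XML in the reply (HTTP status %s)." % info["status"])
```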

    • (Score: 0) by Anonymous Coward on Monday February 24 2014, @11:18PM

      by Anonymous Coward on Monday February 24 2014, @11:18PM (#6271)

      Something to consider even for routers not on such a list is that some wireless routers have WPS on by default. WPS uses an eight digit PIN that can be cracked with a tool called Reaver. Once cracked, Reaver also tells you the wireless connection password. It took 31 hours on my core-i7 laptop to crack my own WPS PIN, but once cracked, I was also shown my WPA2 password. I'm able to turn WPS off in my gateway (rented from Comcast), but I've read that some routers will not turn the WPS off even though they indicate that it is off in the router settings.

  • (Score: 4, Interesting) by captain normal on Monday February 24 2014, @03:36AM

    by captain normal (2205) on Monday February 24 2014, @03:36AM (#5494)

    There is a possibility that this and many other attacks are from NSA or some other government's spy agency. Just a possibility of course. The other thing is that virtually no one password protects their router. Most people will set a password for access, but leave control of their router's settings and permissions to someone called "admin" or "administration". That probably accounts for the 80% right there.

    --
    “I have not failed. I’ve just found 10,000 ways that won’t work.” Thomas Edison
    • (Score: 5, Funny) by nsa on Monday February 24 2014, @03:42AM

      by nsa (206) on Monday February 24 2014, @03:42AM (#5499)

      There is a possibility that this and many other attacks are from NSA or some other government's spy agency. Just a possibility of course.

      No, it's not us. Trust me.

      • (Score: 1) by aristarchus on Monday February 24 2014, @04:49AM

        by aristarchus (2645) on Monday February 24 2014, @04:49AM (#5544) Journal

        What? The NSA is a user on Soylent News? But wait, they said "trust us". Carry on.

        --
        #Freearistarchus, again!!!!!1!!
    • (Score: 0) by Anonymous Coward on Monday February 24 2014, @04:39AM

      by Anonymous Coward on Monday February 24 2014, @04:39AM (#5539)

      No 3-letter agency paranoia required here.
      people don't know / don't care. if it looks "fancy" it's good!
      they just want to get their pr0n, facebook and youtube anyways.
      you know the ..uhm... 20 room villa with olympic sized swimming pool and tennis court built on a toxic landfill syndrome : )))

    • (Score: 1) by ls671 on Monday February 24 2014, @06:31AM

      by ls671 (891) on Monday February 24 2014, @06:31AM (#5607) Homepage

      I monitor attacks on several servers and most of them are from organized crime or script kiddies. I never could find one special enough for me to think it is coming from who you think it is.

      Then again if who you say was going to get in, maybe I wouldn't even see it coming. Maybe they are already in! I am pretty good at monitoring but I would never ever think that I am impenetrable. Nevertheless, I would say chances are they aren't in ;-)

      I believe the idea is to work at a higher network level and not take control of private LANs unless there are sufficient reasons to try to do so.

      --
      Everything I write is lies, read between the lines.
    • (Score: 2) by janrinok on Monday February 24 2014, @02:56PM

      by janrinok (52) Subscriber Badge on Monday February 24 2014, @02:56PM (#5834) Journal

      It's true that many do not protect their routers even by simply changing the default passwords. At least here (France) each router provided by an ISP has a password that is based upon the router's serial number. If you have the device in your hand it is possible to work out (eventually) what the default password will be, although it is not a straightforward read across. There is not a standard userid/password combination that works on all routers of that type.

      I suspect that another reason, hinted at in my first paragraph, is that ISPs (e.g. Orange.fr) provide the router and they can access it at any time to update the firmware inside it. No matter how careful they may be, the password for that attack vector could eventually become known, even if only to a few individuals, leaving the device vulnerable. Fitting your own privately purchased router causes problems, as the ISP will simply ignore your router if it does not return the correct firmware password (I have tried, and even got a phone call from Orange asking if I was experiencing difficulties). Of course, it is easy to change the admin/user names and passwords, but I have not found a way to identify the ISP's password for my router. I suppose I could put another computer between the telephone cable and the router and sniff it out that way. But, to be fair, I have not seen reports of Orange's routers being vulnerable to any specific attacks.

      Alternatively, perhaps someone will read this and point me in the right direction...?

      --
      We are always looking for new staff in different areas - please volunteer if you have some spare time and wish to help
  • (Score: 5, Interesting) by TheLink on Monday February 24 2014, @04:07AM

    by TheLink (332) on Monday February 24 2014, @04:07AM (#5517) Journal
    The thing is why would so many routers allow remote inbound connections to their external interface by _default_? Most home users don't need that by _default_. UPnP does not need to be enabled by default either.

    Secondly "browser drive by" attacks on the router's internal IP should only work if the user is logged in (which is hardly ever). And if you use session cookies, the window should be a lot smaller (yes I know many use basic auth, ugh).
    • (Score: 5, Informative) by nsa on Monday February 24 2014, @04:25AM

      by nsa (206) on Monday February 24 2014, @04:25AM (#5532)

      The thing is why would so many routers allow remote inbound connections to their external interface by _default_?

      The internal interface also matters. Compromise a single system on the internal network via MITM at the ISP or upstream, or a malicious site visited, and now that barrier to compromise of the router is gone. Compromise the router, and you now have total domination of the rest of the hosts on that network (or at least all of their internet traffic, which usually makes further infiltration a piece of cake).

      The NSA Never Says Anything. The NSA Never Lies [washingtonpost.com]

      • (Score: 1) by TheLink on Monday February 24 2014, @07:04AM

        by TheLink (332) on Monday February 24 2014, @07:04AM (#5629) Journal

        The internal interface also matters.

        Which is why I wrote a second paragraph.

        • (Score: 1) by nsa on Monday February 24 2014, @09:25AM

          by nsa (206) on Monday February 24 2014, @09:25AM (#5696)

          Yes, I too quickly inferred from the word 'drive by' that you were referring to a wifi attack from a vehicle driving by. That said, even if the user is not logged in, the threat surface is still extremely large compared to an external interface filtering out admin access. Your 'should' in that paragraph is also one of those infamous 'should's to dwell on. Beside that, advanced persistent threats[1] in firmware can wait a long time for the user to log into the router.

          [1] Jonathan Corbet - Practical Security for 2014
          "Many of these problems can be explained by the fact that we're dealing with firmware authors, but there is more to it than that: a system's firmware has not traditionally been part of its security model. Suddenly the firmware has been put into an important position of trust, despite the fact that it was not written with that kind of security in mind."

          Again, we at the NSA are sorry for being too hasty delivering a retaliatory salvo to your opinion instead of considering it more carefully. Sorry about that.

          The NSA Never Says Anything.
          The NSA Always Apologizes For Its Mistakes
          The NSA Never Lies [washingtonpost.com]

    • (Score: 1) by chromas on Monday February 24 2014, @09:38AM

      by chromas (34) Subscriber Badge on Monday February 24 2014, @09:38AM (#5700) Journal

      if the user is logged in (which is hardly ever).

      I recently discovered an older Belkin 'router' (F5D8236-4 v2) I commandeered loads up the login page with a bunch of JavaScript variables including some booleans and various IP and MAC addresses plus the login password. The JavaScript is there solely to redirect to the firmware updater which doesn't work. It also forgets how DNS works sometimes.

  • (Score: 5, Insightful) by Popeidol on Monday February 24 2014, @07:26AM

    by Popeidol (35) on Monday February 24 2014, @07:26AM (#5645) Journal

    Most home users encounter updates in the following ways:

    • Updates happen transparently. They're downloaded and installed while you're not using the device, with at most a notice that it's time to reboot.
    • You're notified that updates are available, and you hit accept/reject to install them. You'll be reminded occasionally if you do not accept immediately.
    • You receive a notification an update is available, and a link to where you can manually download the new version.

    As you go down that list, they become easier for you to implement but more effort for the user. The more effort for the user, the less likely the updates will be installed.

    At the moment, the update process for many home routers hasn't changed for a decade:

    1. Make a conscious choice to look for an update (maybe your router is a bit buggy, maybe you want to check for new features).
    2. Look at the bottom of your modem for the exact hardware model and google it - remember to get the right revision!
    3. You spend a little while navigating your way through the vendor's site to get the right model page and firmware revision. Make sure to read through the release notes, because they sometimes hide a bunch of quirky caveats in there.
    4. Navigate to your router's webpage, and find the 'update' section.
    5. Backup your router settings - there's a decent chance they'll be wiped out.
    6. Upload the firmware you just downloaded from the website, and wait for the router to reboot.

    Silent updates aren't great for critical hardware like routers so let's go with one of the other options: The router web interface has update notifications, nice and obvious. The update page displays some notes about the firmware release and then a big 'update' button. The software handles the version checking, downloads, backups, and rebooting. It keeps a copy of the old software to roll back to if something goes wrong.

    The Netgear I got last year has exactly the same update process as the Netgear I bought a decade ago. The world has changed, user expectations have changed, and it's time for these companies to change along with it.

    • (Score: 2, Insightful) by mojo chan on Monday February 24 2014, @01:25PM

      by mojo chan (266) on Monday February 24 2014, @01:25PM (#5781)

      The problem is how do you get the user to even understand that the router has a web interface, let alone go there regularly to check for update messages. You could do some horrible kind of MITM attack and inject a warning into web sites that the user is viewing, but that isn't an ideal solution. A flashing light on the router wouldn't work because a) there are already lots of flashing lights, b) no-one would know or care what the light meant as long as their internet kept working and c) many people hide their routers away so couldn't see it anyway.

      The only option would seem to be to close off web access and replace it with a warning message until the firmware is updated or the message dismissed. Other internet access would continue normally so as not to break things like OS updates or VOIP.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      • (Score: 5, Interesting) by Popeidol on Monday February 24 2014, @02:46PM

        by Popeidol (35) on Monday February 24 2014, @02:46PM (#5828) Journal

        Yeah, that's the other big problem: People treat the router as a set-and-forget appliance, but they behave as low-power computers. You can't get the security warnings to be too intrusive or people will just replace your product.

        So that leaves a few options, all of which have some serious flaws:

        • Device registration. You register your device to an email when you set it up, and if it's detected to need a security update they notify you. This wouldn't be activated much.
        • The device (very) occasionally hijacks an HTTP request to notify you, maybe even just using 404 responses. This would be VERY unpopular and difficult to distinguish from phishing.
        • The device only notifies you when you actively visit the page. It's not common, so most devices would probably remain unprotected.
        • A protocol is agreed upon for communicating urgent messages from the router to computers on the network. After getting OS level support, it would shortly be used to bombard the user with advertising and useless messages in the way printer software does now.
        • The router automatically installs urgent security updates, but requires manual intervention for anything more.

        The final option is the best balance between intrusiveness and reliability, but would require changing the software release to a model that can push security patches separately. It's quite possible, Ubiquiti does it: their EdgeMAX routers [ubnt.com] are Debian/Vyatta underneath, so you can add software repos and pull security updates on a schedule without much risk. Unfortunately they're not really home grade.

        If anybody else has a good solution for this, I'd love to hear it. Right now I can set up my family with computers that automatically install updates, regularly scan for malware, back everything up, and phone home to me if something goes urgently wrong - but router updates require manual tracking and intervention.

        • (Score: 1) by etherscythe on Tuesday February 25 2014, @01:03AM

          by etherscythe (937) on Tuesday February 25 2014, @01:03AM (#6312) Journal

          A protocol is agreed upon for communicating urgent messages from the router to computers on the network. After getting OS level support, it would shortly be used to bombard the user with advertising and useless messages in the way printer software does now.

          You mean like the old Net Send feature of Windows which is now defaulted to disabled due to massive spam campaigns years ago? I can see that working actually; it just needs to be like Android notifications where you get some kind of low-impact-but-definitely-visible indication (like hijack HTML pages to add a menubar at the top with a notice) rather than a full-on popup window. It would take users some time to adjust to this level of traffic tampering, but long term seems like the best way to do it IMHO.

          Problem I see with autoupdates is the seemingly arbitrary effects on the end users. Like, my multi-hour-long download from that overseas server that doesn't support resume, which gets cut off and I have to start it over for no apparent good reason (unbeknownst to the user, critical update required a reboot). It would be cool if we could temporarily dump info to a hypervisor to maintain session info between reboots, but that kind of abstraction causes performance/hardware requirement strain, and obviously wouldn't work if some of that code was part of what was being patched.

          --
          "Fake News: anything reported outside of my own personally chosen echo chamber"
    • (Score: 1) by len_harms on Monday February 24 2014, @02:57PM

      by len_harms (1904) on Monday February 24 2014, @02:57PM (#5836) Journal

      Yeah my ASUS router I bought a year or so ago is about the same.

      They have a 'check for updates' on the router webpage. But guess what there *was* a new update out on the ASUS page. For 2 weeks I left it thinking 'oh they will fix it and I will use the easy way'. Nope. Had to manually download and update.

      At that point I went to rmerlin's patches.

      Never thought I would be able to get 25-30MB (not bit) sustained rate thru wireless though. Seriously happy with the router. Good thing I didn't plug in a usb drive... ftp external on by default and no password (seriously?).

      ASUS seems to be moving towards a 1 package recompiled to rule them all. Which I think is a good way to go long term for these guys. This sort of thing will not end well if they slap together new models and then walk away. My old linksys router I bought to get 802.11N had 1 update, ever.

      These guys are slapping linux busybox distros into these things. Linux is pretty good for that but it does get vulns just like many other OS's out there. It does need patches for the packages included.

      This is not just routers either. My TV has a busybox distro in it and has not seen an update in 2 years. The motorola router that connects to TW is a busybox distro and its firmware is ~1-2 years old. The only thing saving us is that they are all ARM/MIPS architectures and each one is a bit different and it is a pain to root each one individually.

  • (Score: 5, Funny) by Thexalon on Monday February 24 2014, @02:17PM

    by Thexalon (636) on Monday February 24 2014, @02:17PM (#5812)

    According to Tripwire, 20% of home routers are *not* vulnerable. That's truly an amazing improvement!

    --
    Alcohol makes the world go round ... and round and round.