
posted by Fnord666 on Tuesday July 07 2020, @02:57PM   Printer-friendly
from the keep-up-to-date-with-updates dept.

Millions Of Home Wi-Fi Routers Are Likely Vulnerable To Unpatched Linux Security Exploits

If you're reading this article from home, it's likely that you're connected to a consumer-grade Wi-Fi router, either wirelessly or via hard-wired Ethernet. If so, you should probably take this time to upgrade your router's firmware ASAP. That is, if an update is even available from the manufacturer.

We say this because the Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE) in Germany recently tested 127 home routers for their resistance to known security threats. Of the routers the researchers tested, 91 percent were found to be running some version of embedded Linux, which isn't surprising.

What was surprising, however, was that the researchers found that not a single router was free of security flaws. In fact, it was discovered that many of these routers were actually susceptible to hundreds of known security vulnerabilities.

Reference:
Peter Weidenbach and Johannes vom Dorp, Home Router Security Report 2020 (PDF), Fraunhofer FKIE, 2020.



  • (Score: 3, Funny) by Anonymous Coward on Tuesday July 07 2020, @03:02PM (32 children)

    by Anonymous Coward on Tuesday July 07 2020, @03:02PM (#1017680)

    you should probably take this time to upgrade your router's firmware ASAP. That is if an update is even available from the manufacturer.

    Or you should install OpenWRT. If you can't install it on your router, then get a router it does work with. You will be immune to almost all vulnerabilities, and the ones you aren't immune to will probably have a patch available by the time you hear about the problem.

    • (Score: 0, Offtopic) by DannyB on Tuesday July 07 2020, @03:04PM (27 children)

      by DannyB (5839) Subscriber Badge on Tuesday July 07 2020, @03:04PM (#1017681) Journal

      Maybe a much gooder idea would be to put the government in charge of router firmware and security updates. If you want the job done left right.

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
      • (Score: 4, Funny) by choose another one on Tuesday July 07 2020, @03:14PM (7 children)

        by choose another one (515) Subscriber Badge on Tuesday July 07 2020, @03:14PM (#1017690)

        Maybe let them finish with doing pandemic management right first...

        • (Score: 4, Informative) by DannyB on Tuesday July 07 2020, @03:20PM (6 children)

          by DannyB (5839) Subscriber Badge on Tuesday July 07 2020, @03:20PM (#1017695) Journal

          I thought they had finished that and the USA was Number One! MAGA!!!

          I eagerly await the government to help us with our home technology issues. And everything. Like a benevolent older male sibling.

          How To Free Up Port 53, Used By systemd-resolved [linuxuprising.com]
          (systemd-resolved listening on port 53 by default. In case you want to run your own DNS server, you can't)

          --
          To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
          • (Score: 3, Funny) by choose another one on Tuesday July 07 2020, @04:21PM (5 children)

            by choose another one (515) Subscriber Badge on Tuesday July 07 2020, @04:21PM (#1017741)

            > I thought they had finished that and the USA was Number One! MAGA!!!

            Not on per-capita death rate, and everyone knows having more cases is only down to more testing...

            Still, credit where it's due, USA is definitely heading up the league table, some way to go before you catch the likes of France/Spain/Italy/UK though.

            Keep those masks off, breathe deep and keep those parties and protests going and you should be in good shape for a winning surge come Autumn...

            • (Score: 2) by HiThere on Tuesday July 07 2020, @08:14PM (4 children)

              by HiThere (866) Subscriber Badge on Tuesday July 07 2020, @08:14PM (#1017850) Journal

              If the US isn't number one on the per capita COVID death rate, then who is?

              --
              Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
              • (Score: 3, Informative) by choose another one on Tuesday July 07 2020, @09:45PM (2 children)

                by choose another one (515) Subscriber Badge on Tuesday July 07 2020, @09:45PM (#1017893)

                According to https://www.worldometers.info/coronavirus/ [worldometers.info] top 5 as of today is:

                1 San Marino 1,238
                2 Belgium 843
                3 Andorra 673
                4 UK 654
                5 Spain 607

                Numbers are deaths / 1m population. USA comes in at number 9 with 404.

                • (Score: 2) by HiThere on Wednesday July 08 2020, @03:27AM

                  by HiThere (866) Subscriber Badge on Wednesday July 08 2020, @03:27AM (#1018037) Journal

                  That's interesting. I'd forgotten about Belgium, and didn't know about San Marino, but the reports from Britain have been putting the US at more deaths/capita than them...and those weren't by people saying good things about the government.

                  --
                  Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
                • (Score: 2) by driverless on Wednesday July 08 2020, @09:48AM

                  by driverless (4770) on Wednesday July 08 2020, @09:48AM (#1018121)

                  What about Vatican City, the only country with 2.1 popes per square kilometer?

              • (Score: 2) by Grishnakh on Wednesday July 08 2020, @12:21AM

                by Grishnakh (2831) on Wednesday July 08 2020, @12:21AM (#1017941)

                As the other poster pointed out with a link, USA is #9 currently in per-capita deaths, and we're #13 in per-capita infections. For infections, we might pass Peru soon, or Panama might pass us. We're easily far behind Qatar (#1 at over 3.5% of the population being infected; we're only at 0.94%). However, infection rate doesn't correlate well with deaths: Qatar might have a huge number of infections, but they only have 134 deaths, or 48 per 1 million (compared to our 405 per 1M). Most likely, Qatar has done a better job with testing early on.

                The more important number is the death rate, where we're #9, and slowly rising. We're still behind France, Sweden, Italy, Spain, UK, and Belgium, but those countries' death rates have mostly fallen to very low numbers now, whereas our rate is now rising again. However, if you're worried about the USA looking too incompetent, fear not: Brazil, Chile, and Peru are all racing ahead, and will probably catch up with us before long.

                The only place where USA is absolutely #1 is with the absolute number of cases, which is now about 3.1M. But as the #3 most-populated country on the planet, with 331M people, this shouldn't be too big a surprise. Most other countries have a fraction of our population, so of course their absolute numbers are going to be lower (though Brazil is trying really hard to beat us, with almost 1.7M cases now).

      • (Score: 3, Funny) by The Mighty Buzzard on Tuesday July 07 2020, @03:28PM (5 children)

        Shit, man, you owe me a new sarcasm detector.

        --
        My rights don't end where your fear begins.
        • (Score: 3, Funny) by DannyB on Tuesday July 07 2020, @03:40PM (4 children)

          by DannyB (5839) Subscriber Badge on Tuesday July 07 2020, @03:40PM (#1017714) Journal

          Older sarcasm detectors need to be upgraded. New sarcasm detectors must be manufactured to higher standards for today's modern sarcasm generators.

          --
          To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
          • (Score: 2) by RS3 on Tuesday July 07 2020, @04:27PM

            by RS3 (6367) on Tuesday July 07 2020, @04:27PM (#1017747)

            Sorry, your older model is unsupported. We recommend you upgrade to a new supported model we'll lease you the rights to use.

          • (Score: 2) by The Mighty Buzzard on Tuesday July 07 2020, @04:55PM (1 child)

            True. Makes perfect sense that the ones manufactured by the Boomers aren't going to be as rugged as the ones manufactured by us Gen-X types.

            --
            My rights don't end where your fear begins.
            • (Score: 2) by RS3 on Tuesday July 07 2020, @06:40PM

              by RS3 (6367) on Tuesday July 07 2020, @06:40PM (#1017816)

              The boomers knew you Gen-Xers would need something to keep you occupied and out of trouble. You notice they keep stocking lakes and streams with fish. I'm not wrong.

          • (Score: 0) by Anonymous Coward on Tuesday July 07 2020, @06:20PM

            by Anonymous Coward on Tuesday July 07 2020, @06:20PM (#1017804)

            Older sarcasm detectors need to be upgraded. New sarcasm detectors must be manufactured to higher standards for today's modern sarcasm generators.

            Older sarcasm detectors work just fine with the addition of alcohol.

      • (Score: 5, Insightful) by canopic jug on Tuesday July 07 2020, @03:32PM (12 children)

        by canopic jug (3949) Subscriber Badge on Tuesday July 07 2020, @03:32PM (#1017707) Journal

        Maybe a much gooder idea would be to put the government in charge of router firmware and security updates. If you want the job done left right.

        The government could, in principle, mandate conditions that require or favor OpenWRT [openwrt.org] by vendors, but that would tread on someone's toes and therefore cannot happen. Instead, politicians would just turn around and outsource to the biggest current campaign donor or their partner(s). I guess that would be Bill these days, especially if you count his "charity" foundation or all the donations from his business partners.

        That said, I agree with the AC that OpenWRT is the way to go. Even though the intersection of supported hardware and what is available in the big box stores is quite small, upon checking there always does seem to be a few models at each store that would work. The problem comes in when you start dealing with ISP add-ons like IPTV and other crap.

        The security problems with the routers are caused by the underlying problem which is that the vendors are allowed to treat their products as proprietary even though they are not proprietary. Legally, the licensing for the kernel and much of the user space upon which their products depend is GPL and thus Free Software. Although required to, the vendors never release their code, even when requested. The Linux Foundation is part of that problem these days. Despite the name it is about advancing the interests of its members within the kernel code base rather than promoting and advancing Linux among the members. As a result, the Linux Foundation treats its software as Open Source rather than Copyleft, which the vendors in turn treat as plain old proprietary software. That helps absolutely no one, not even the vendor. Yes, they may feel like they're getting over on someone but the reality is that, as the article shows, they end up quickly with either maintaining their own fork / mini distro or else foisting abandonware on the customers. If the vendors could just get the zero sum gamers out of their companies, or at least under control, they could set up a win-win-win situation by adopting and contributing to OpenWRT. They could focus on the hardware. The software would stay up to date and not tarnish the brand through unpatched holes. The customers would get a more polished system because the return on effort with the software would be much higher.

        Really, in this day and age software is a commodity and it only wastes everybody's time and money (including the vendors themselves) to pretend otherwise, as is happening in the article.

        --
        Money is not free speech. Elections should not be auctions.
        • (Score: 5, Interesting) by DannyB on Tuesday July 07 2020, @03:47PM (11 children)

          by DannyB (5839) Subscriber Badge on Tuesday July 07 2020, @03:47PM (#1017716) Journal

          I agree with the AC that OpenWRT is the way to go. Even though the intersection of supported hardware and what is available in the big box stores is quite small

          Google will fab 100 chips for free?

          What if we had an inexpensive, open source device, not unlike a Raspberry PI, that had just the right hardware to work as a good router. Then imagine if there were a software package that when put on an SD card, made a turn key router that any idiot could use? Such a device would need a couple of LEDs and a couple of push buttons. This device should also be available in a standard enclosed consumer friendly case. The idea is to make this so simple that any computer power user could burn the SD card, order the device and be good to go.

          But that's crazy talk. Java induced Dementia is the new medical term.

          --
          To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
          • (Score: 2) by PiMuNu on Tuesday July 07 2020, @04:18PM (6 children)

            by PiMuNu (3823) on Tuesday July 07 2020, @04:18PM (#1017740)

            > Then imagine if there were a software package that when put on an SD card, made a turn key router

            But what happens when it doesn't get software/firmware updates?

            • (Score: 2) by RS3 on Tuesday July 07 2020, @04:31PM (5 children)

              by RS3 (6367) on Tuesday July 07 2020, @04:31PM (#1017749)

              But what happens when it doesn't get software/firmware updates?

              Pure fantasy-land, I know, but I dream of a world where something is actually fully debugged and finished before it's shipped. No update needed ever.

              • (Score: 2) by DannyB on Tuesday July 07 2020, @05:54PM (1 child)

                by DannyB (5839) Subscriber Badge on Tuesday July 07 2020, @05:54PM (#1017787) Journal

                But . . . consider things that get updates, and have been around forever . . .
                * car radios and infotainment
                * television sets
                * phones
                * pocket calculators
                * thermostats
                * doorbells
                * pet feeders
                * personal music player devices (with auto-reverse!)

                How could a product ever be made goodfully enough to be fit for sale at the time you buy it?

                --
                To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
                • (Score: 2) by RS3 on Tuesday July 07 2020, @07:02PM

                  by RS3 (6367) on Tuesday July 07 2020, @07:02PM (#1017822)

                  Oh DannyB, you almost got me!! My sarcasm detector was having an afternoon siesta.

                  You forgot bidets!! They've been getting hacked by the black ops. What a mess.

                  They're just grooming us for the final complete takeover by the machines.

              • (Score: 0) by Anonymous Coward on Tuesday July 07 2020, @06:25PM (1 child)

                by Anonymous Coward on Tuesday July 07 2020, @06:25PM (#1017808)

                Are they done finding all the flaws in 10+ year old hardware (spectre, meltdown)? Once we get secure hardware we can get back to writing a secure OS for it.

                I project finishing this secure OS, maybe with a secure program to run on it, sometime next century. Hope we still have 110AC to run the secure ATX power supply for our secure Pentium.

                • (Score: 3, Interesting) by RS3 on Tuesday July 07 2020, @07:17PM

                  by RS3 (6367) on Tuesday July 07 2020, @07:17PM (#1017826)

                  It's complicated- not really hardware, but there have been some interesting pure hardware vulnerabilities (Rowhammer, RAMbleed, and a few others that are considered pretty low impact.) Problems are mostly in CPU firmware. You can argue that the hardware allows the vulnerability, but at some point, that's the purpose of hardware- to do the work that the firmware/software instructs it to, right? Do away with all RAM cache, branch prediction, etc., and you'll be much safer, but you'll wish for that old '486 back (which might not be a bad thing at this point...)

                  Actually, as I'm typing this on a computer powered by a ~10 year old CPU, Intel isn't bothering to update 10 year old CPUs. What little firmware updates they've released, it's up to the infernal computer / motherboard manufacturers to update BIOS (that can load CPU firmware). I'm not aware of a way to update CPU firmware from Windows (but I'd love to learn if someone knows.)

                  Linux kernel loads CPU firmware where/when the updates are available, plus the kernel has many mitigations, but not all.

                  Check yours here (for Linux): (SN code made incorrect links of these- leaving off the parameters. Tch tch.)

                  # https://github.com/speed47/spectre-meltdown-checker
                  git clone https://github.com/speed47/spectre-meltdown-checker.git
                  # or
                  wget https://meltdown.ovh -O spectre-meltdown-checker.sh
                  # or
                  curl -L https://meltdown.ovh -o spectre-meltdown-checker.sh
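As an added check (not part of RS3's comment or of the spectre-meltdown-checker project): the kernel publishes its own verdict for each CPU vulnerability as one line per file under /sys/devices/system/cpu/vulnerabilities/ ("Not affected", "Mitigation: ...", "Vulnerable", "Vulnerable: ..." or "Unknown: ..."), and the loaded microcode revision appears in /proc/cpuinfo. The script below classifies those files and extracts the microcode version; the directory and cpuinfo it builds for the demonstration are constructed samples, not a real machine.

```shell
#!/bin/sh
# Added example: summarise the kernel's view of CPU vulnerability mitigations.
# The sysfs directory is a parameter so the functions can be run on a copy.

# classify_status STATUS-LINE -> prints ok, vulnerable or unknown
classify_status() {
    case "$1" in
        "Not affected"|"Mitigation:"*) echo ok ;;
        "Vulnerable"|"Vulnerable:"*)   echo vulnerable ;;
        *)                             echo unknown ;;   # e.g. "Unknown: No mitigations"
    esac
}

# report_vulns [DIR] -> one line per file: name<TAB>class<TAB>raw status
report_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no vulnerabilities directory at $dir (kernel too old or not Linux)" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$(classify_status "$status")" "$status"
    done
}

# count_vulnerable [DIR] -> number of entries the kernel itself calls vulnerable
count_vulnerable() {
    report_vulns "$1" | awk -F'\t' '$2 == "vulnerable" { n++ } END { print n + 0 }'
}

# microcode_version [CPUINFO-FILE] -> revision of the loaded microcode (first CPU)
microcode_version() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# make_sample_dir -> path of a constructed sysfs/cpuinfo sample (assumed strings,
# in the format the kernel uses; not captured from a real system)
make_sample_dir() {
    d=$(mktemp -d)
    v="$d/vulnerabilities"
    mkdir "$v"
    echo "Not affected" > "$v/meltdown"
    echo "Mitigation: usercopy/swapgs barriers and __user pointer sanitization" > "$v/spectre_v1"
    echo "Vulnerable: eIBRS with unprivileged eBPF" > "$v/spectre_v2"
    echo "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable" > "$v/mds"
    echo "Unknown: No mitigations" > "$v/mmio_stale_data"
    echo "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable" > "$v/l1tf"
    printf 'processor\t: 0\nvendor_id\t: GenuineIntel\nmicrocode\t: 0x28\n' > "$d/cpuinfo"
    echo "$d"
}

# When run directly on a Linux host, print the live report (skipped if sysfs is absent).
if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
    report_vulns
    echo "vulnerable entries: $(count_vulnerable)"
    echo "microcode: $(microcode_version)"
fi
```

The kernel's verdict is the authoritative one for what the running kernel has actually enabled; the checker script linked above additionally tells you what the CPU and microcode are capable of, so the two are worth reading side by side.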

              • (Score: 2) by PiMuNu on Wednesday July 08 2020, @08:57AM

                by PiMuNu (3823) on Wednesday July 08 2020, @08:57AM (#1018110)

                > Pure fantasy-land, I know

                Yes, it is. There has been *no* personal computer made in the last decade without an exploit - thanks to exploits found in Intel et al hardware.

          • (Score: 1, Interesting) by Anonymous Coward on Tuesday July 07 2020, @04:42PM (2 children)

            by Anonymous Coward on Tuesday July 07 2020, @04:42PM (#1017758)

            The Raspberry Pi 4 is quite adequate as an OpenWRT router, except that you need an add on USB3 Ethernet adapter because it only has one port. But now that it's got PCIe instead of USB2 as its system bus, the performance is good enough. It's not open source, though.

            • (Score: 2) by canopic jug on Tuesday July 07 2020, @05:13PM (1 child)

              by canopic jug (3949) Subscriber Badge on Tuesday July 07 2020, @05:13PM (#1017773) Journal

              That's just for wireless. It works well in that context, but there is only a single gigabit Ethernet port on those things. It would be great to have some open hardware for building wired network appliances with 8, 12, 16, and 24 gigabit Ethernet ports, and maybe even a fibre connection or two. Maybe MIPS or Octeon or similar would work for that, but not ARM. I don't suppose that the Raspberry Pi Foundation could be hired for that because ARM is not appropriate for networking. However, maybe if Bunnie Huang could be hired, then a kickstarter or similar could be launched to collect the funds for the salary and other capital he would need to design or supervise the design of open hardware for networking and hand it off to Google for prototyping.

              --
              Money is not free speech. Elections should not be auctions.
              • (Score: 3, Interesting) by takyon on Wednesday July 08 2020, @01:24AM

                by takyon (881) <takyonNO@SPAMsoylentnews.org> on Wednesday July 08 2020, @01:24AM (#1017969) Journal

                https://soylentnews.org/~takyon/journal/5549 [soylentnews.org]

                This is not what you are looking for, but it's an "SBC" (technically not since the memory is in DIMMs) with 2x 2.5 GbE, which might be all you really need.

                Plug the internet or other source into one port, and any dumb switch with several ports into the other, and you have something potentially useful. If there is a version with 2x 10 GbE instead, then the scheme would support even more intensive use.

                --
                [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
          • (Score: 0) by Anonymous Coward on Wednesday July 08 2020, @01:03AM

            by Anonymous Coward on Wednesday July 08 2020, @01:03AM (#1017956)

            Get an SBC. Preferably one with pci-e (mini, m2, etc.). Get a wireless card for that pcie slot that has good support from hostapd. Install Debian or some other distro with the necessary packages in its repos. Install hostapd and nftables. Write a simple fw ruleset. Turn ip forwarding on. Config hostapd.

            You now have a router + AP that will receive updates until you no longer care about running the hardware.

            It doesn't take that much time. The most time I've spent on these sorts of projects is figuring out what wireless card brand/models contain the chipset that I want.

            If you don't care about wireless, you can be up and routing within minutes of finishing the OS install.
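The procedure in the comment above, as an added example (not the commenter's own configuration): a POSIX shell script that writes the three pieces, sysctl forwarding, an nftables ruleset and a hostapd.conf, into a target directory for review. The interface names wan0/wlan0, the SSID, channel and output file names are assumptions; after checking the files, copy them to /etc/sysctl.d/, /etc/nftables.conf and /etc/hostapd/ yourself. The ruleset drops everything by default, lets LAN clients reach only the router's own DHCP, DNS, SSH and ping, forwards LAN to WAN only, and masquerades on the WAN side; the hostapd config is WPA2-PSK with CCMP only and never sets wps_state, so WPS stays off.

```shell
#!/bin/sh
# Added example: generate router + AP configuration files into OUTDIR.
# Usage: sh router-config.sh OUTDIR WAN_IF LAN_IF SSID PASSPHRASE

# write_sysctl OUTDIR -> OUTDIR/99-router.conf (enable forwarding, harden a router)
write_sysctl() {
    cat >"$1/99-router.conf" <<'EOF'
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
# Reverse-path filtering on, ICMP redirects neither accepted nor sent
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF
}

# write_nft_ruleset OUTDIR WAN_IF LAN_IF -> OUTDIR/nftables.conf
write_nft_ruleset() {
    out="$1/nftables.conf"; wan="$2"; lan="$3"
    cat >"$out" <<EOF
#!/usr/sbin/nft -f
flush ruleset

define WAN = "$wan"
define LAN = "$lan"

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # LAN clients may reach the router's own DHCP, DNS, SSH and ping
        iifname \$LAN udp dport { 53, 67 } accept
        iifname \$LAN tcp dport { 53, 22 } accept
        iifname \$LAN icmp type echo-request accept
        # IPv6 neighbour discovery is needed on every interface
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # Anything arriving on the WAN side falls through to the drop policy
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname \$LAN oifname \$WAN accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname \$WAN masquerade
    }
}
EOF
}

# write_hostapd_conf OUTDIR IFACE SSID PASSPHRASE -> OUTDIR/hostapd.conf
# Returns 1 on a passphrase outside the 8..63 characters WPA2-PSK allows.
write_hostapd_conf() {
    out="$1/hostapd.conf"; iface="$2"; ssid="$3"; pass="$4"
    len=${#pass}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "passphrase must be 8..63 characters for WPA2-PSK" >&2
        return 1
    fi
    cat >"$out" <<EOF
interface=$iface
driver=nl80211
ssid=$ssid
hw_mode=g
channel=6
ieee80211n=1
wmm_enabled=1
# WPA2-PSK with CCMP only: no TKIP, no WEP, no open fallback
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=$pass
# No wps_state line: hostapd does not enable or advertise WPS
EOF
}

# check_ruleset FILE -> syntax-check with nft when it is installed (no-op otherwise)
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 0
    nft -c -f "$1"
}

# build_router_config OUTDIR WAN_IF LAN_IF SSID PASSPHRASE -> lists the files written
build_router_config() {
    dir="$1"
    mkdir -p "$dir"
    write_sysctl "$dir"
    write_nft_ruleset "$dir" "$2" "$3"
    write_hostapd_conf "$dir" "$3" "$4" "$5" || return 1
    ls "$dir"
}

if [ "$#" -ge 5 ]; then
    build_router_config "$@"
fi
```

The ruleset is intentionally small: the forward chain is the one that makes the box a router, and it only ever allows new connections from LAN to WAN, so nothing on the Internet can initiate a connection to a LAN host or to the router itself. Services you add later (a web UI, port forwards) each need an explicit rule, which is the point.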

    • (Score: 3, Interesting) by Anonymous Coward on Tuesday July 07 2020, @03:30PM (1 child)

      by Anonymous Coward on Tuesday July 07 2020, @03:30PM (#1017704)

      You will be immune to almost all vulnerabilities

      Hey, sometimes those vulnerabilities are what you need [github.com].

      • (Score: 3, Interesting) by DannyB on Tuesday July 07 2020, @03:49PM

        by DannyB (5839) Subscriber Badge on Tuesday July 07 2020, @03:49PM (#1017717) Journal

        Also applies to commercial security cameras.

        --
        To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
    • (Score: 2, Interesting) by Anonymous Coward on Tuesday July 07 2020, @11:59PM

      by Anonymous Coward on Tuesday July 07 2020, @11:59PM (#1017925)

      Openwrt has gotten so bloated that current versions won't even run on most common routers any more.

    • (Score: 1, Informative) by Anonymous Coward on Wednesday July 08 2020, @11:00AM

      by Anonymous Coward on Wednesday July 08 2020, @11:00AM (#1018139)

      Until they tell you that the current version requires FIVE TIMES more CPU and RAM than a small home server "because ... you" - as recently with TP-Links. Why the hell they push these requirements so absurdly high, I don't know. A similar Linux from the manufacturer works well. An HTTP server is not an explanation; I can write an HTTP server on an AVR with 32kB of Flash and 2kB of RAM, and for a configuration window you don't need a full distribution of Apache.
      Or when it will not start because the WLAN LED device is at a different ID on the bus (had this with numerous DLinks). And the source for the module which hung the whole system is of course unavailable, as it is a blob pushed into the FW image. I finally patched it in the blob, by disassembling it, and of course this commit cannot be pulled... "because ... you".

  • (Score: 3, Funny) by Lagg on Tuesday July 07 2020, @04:09PM (3 children)

    by Lagg (105) on Tuesday July 07 2020, @04:09PM (#1017731) Homepage Journal

    DD-WRT v3.0-r36330 std (07/16/18)

    I really hate doing unnecessary flashes, but if there's a chance someone can get root on it or something like that I'd rather bite the bullet. It seems like article and paper are more talking about the shit OEM stuff that hasn't been updated since the router itself was released. Like the ones that take a year to fix a bug on the port forward setup page. I can't see any specific exploits of concern in my super-fast read through of the stuff beyond obvious problems with key strength. Seems like more general kernel auditing.

    --
    http://lagg.me [lagg.me] 🗿
    • (Score: 3, Insightful) by The Mighty Buzzard on Tuesday July 07 2020, @04:59PM (2 children)

      Probably, yes. I'm entirely too lazy to look over every kernel security fix over the past couple years and see if any of them could realistically affect something that runs no more than a router does but it's far from impossible or even unlikely.

      --
      My rights don't end where your fear begins.
      • (Score: 2) by Lagg on Tuesday July 07 2020, @06:07PM

        by Lagg (105) on Tuesday July 07 2020, @06:07PM (#1017798) Homepage Journal

        Good point. I should really know better about asking that question given the sheer kernel churn these days. I swear 3.0 was an ML in-joke until reality caught up.

        Might as well pull the bandaid real quick. If I stop posting going into next day: Bricked it.

        --
        http://lagg.me [lagg.me] 🗿
      • (Score: 2) by jasassin on Tuesday July 07 2020, @09:42PM

        by jasassin (3566) <jasassin@gmail.com> on Tuesday July 07 2020, @09:42PM (#1017891) Homepage Journal

        I'm entirely too lazy to look over every kernel security fix over the past couple years and see if any of them could realistically affect something that runs no more than a router does but it's far from impossible or even unlikely.

        There's probably going to be a few new vulnerabilities added the way the Linux devs shoot so much code out their ass. FWIW I'd be more concerned about the gaping WPS hole on almost every router. HINT: Disable WPS on your routers ASAP!

        With airgeddon [github.com] I was able to acquire a WiFi password, via a WPS vulnerability, in about 10 seconds. No need to crack WPA2.

        --
        jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
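As an added example, not from jasassin's comment and not part of airgeddon: before disabling WPS it helps to know which of your own APs actually advertise it. On Linux, `iw dev <if> scan` prints the WPS information element of each beacon as a "WPS:" block with a "Wi-Fi Protected Setup State" line (2 = Configured) and, for WPS 2.0 APs that have locked out external registrars after failed PIN attempts, an "AP setup locked" line. The parser below lists every AP advertising WPS with that state; the scan text it ships with is a constructed sample in iw's output format, not a real capture.

```shell
#!/bin/sh
# Added example: list APs advertising WPS from `iw dev <if> scan` output.
# Usage on a live system (needs root for the scan):
#   iw dev wlan0 scan > scan.txt; sh wps-scan.sh < scan.txt
# or call wps_enabled_aps "$(iw dev wlan0 scan)" from another script.

# wps_enabled_aps SCAN-TEXT -> one line per WPS-advertising AP:
#   BSSID<TAB>SSID<TAB>state   where state is configured, configured-locked
#   or unconfigured (PIN attacks need "configured" without "-locked").
wps_enabled_aps() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (bss != "" && wps) {
                state = (wpsstate == 2) ? "configured" : "unconfigured"
                if (locked) state = state "-locked"
                printf "%s\t%s\t%s\n", bss, ssid, state
            }
        }
        /^BSS / {
            flush()
            bss = $2; sub(/\(.*/, "", bss)      # "aa:bb:..(on wlan0)" -> "aa:bb:.."
            ssid = ""; wps = 0; wpsstate = 0; locked = 0
        }
        /^[ \t]+SSID: /  { ssid = substr($0, index($0, ": ") + 2) }
        /^[ \t]+WPS:/    { wps = 1 }
        /Wi-Fi Protected Setup State: / {
            wpsstate = $0; sub(/.*State: /, "", wpsstate); wpsstate = wpsstate + 0
        }
        /AP setup locked/ { locked = 1 }
        END { flush() }
    '
}

# count_wps_open SCAN-TEXT -> number of APs that are configured and not locked
count_wps_open() {
    wps_enabled_aps "$1" | awk -F'\t' '$3 == "configured" { n++ } END { print n + 0 }'
}

# sample_scan -> constructed text in the shape of iw scan output (assumed values)
sample_scan() {
    cat <<'EOF'
BSS 00:11:22:33:44:55(on wlan0)
    freq: 2437
    signal: -41.00 dBm
    SSID: HomeNet
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
    WPS:     * Version: 1.0
         * Wi-Fi Protected Setup State: 2 (Configured)
         * Response Type: 3 (AP)
         * Config methods: Label, PBC
BSS 66:77:88:99:aa:bb(on wlan0)
    freq: 2462
    SSID: Neighbour
    RSN:     * Version: 1
    WPS:     * Version: 1.0
         * Wi-Fi Protected Setup State: 2 (Configured)
         * AP setup locked: 0x01
BSS cc:dd:ee:ff:00:11(on wlan0)
    freq: 5180
    SSID: NoWPS
    RSN:     * Version: 1
EOF
}

# When fed a scan on stdin, report on it; otherwise show the constructed sample.
if [ ! -t 0 ] && [ "$#" -eq 0 ] && [ -n "${RUN_ON_STDIN:-}" ]; then
    wps_enabled_aps "$(cat)"
else
    wps_enabled_aps "$(sample_scan)"
fi
```

Only the "configured" entries without "-locked" are exposed to the kind of PIN attack the comment describes; the fix is the same for all of them, turn WPS off in the router's settings (or, with hostapd, never set wps_state), then re-run the scan to confirm the WPS element is gone from your AP's beacons.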
  • (Score: 2, Funny) by Anonymous Coward on Tuesday July 07 2020, @05:09PM (2 children)

    by Anonymous Coward on Tuesday July 07 2020, @05:09PM (#1017772)

    They're trying to get you to install SystemD

    • (Score: 0) by Anonymous Coward on Wednesday July 08 2020, @01:12AM (1 child)

      by Anonymous Coward on Wednesday July 08 2020, @01:12AM (#1017962)

      You're so clever--what a funny joke!

      • (Score: 0) by Anonymous Coward on Wednesday July 08 2020, @01:43AM

        by Anonymous Coward on Wednesday July 08 2020, @01:43AM (#1017980)

        Back to your cave, Lennart.
