
SoylentNews is people

posted by Dopefish on Monday February 24 2014, @03:00AM
from the flash-alternate-router-firmware-for-protection dept.

janrinok writes "A recent survey carried out by Tripwire, reported by the BBC, claims that "80% of the 25 best-selling routers available on Amazon are vulnerable to compromise". Security researcher Craig Young from Tripwire said exploits had been publicly discussed and published for more than one-third of these devices.

In a separate report, the Internet Storm Center (ISC) warned about a continuing attempt to exploit a vulnerability in 23 separate models of Linksys routers. A worm called 'The Moon' is compromising Linksys routers and then scanning for other potentially vulnerable systems. So far, wrote ISC researcher Johannes Ullrich in his blog post, it is not clear why the routers are being compromised and what might be done with them. There are hints in the exploit code that the routers will at some point be gathered together into a network of compromised machines. Currently, he added, all the worm was doing was spreading to other Linksys routers.

The reason for the current European concern is a recent large-scale attack on home routers in order to gather usernames and passwords for online bank accounts, reported by the Polish Computer Emergency Response Team (CERT) and elsewhere."

 
  • (Score: 5, Interesting) by Popeidol on Monday February 24 2014, @02:46PM


    Yeah, that's the other big problem: People treat the router as a set-and-forget appliance, but they behave as low-power computers. You can't get the security warnings to be too intrusive or people will just replace your product.

    So that leaves a few options, all of which have some serious flaws:

    • Device registration. You register your device to an email when you set it up, and if it's detected to need a security update they notify you. This wouldn't be activated much.
    • The device (very) occasionally hijacks an HTTP request to notify you, maybe even just using 404 responses. This would be VERY unpopular and difficult to distinguish from phishing.
    • The device only notifies you when you actively visit the page. It's not common, so most devices would probably remain unprotected.
    • A protocol is agreed upon for communicating urgent messages from the router to computers on the network. After getting OS level support, it would shortly be used to bombard the user with advertising and useless messages in the way printer software does now.
    • The router automatically installs urgent security updates, but requires manual intervention for anything more.

    The final option is the best balance between intrusiveness and reliability, but would require changing the software release to a model that can push security patches separately. It's quite possible, Ubiquiti does it: their EdgeMAX routers [ubnt.com] are Debian/Vyatta underneath, so you can add software repos and pull security updates on a schedule without much risk. Unfortunately they're not really home grade.

    If anybody else has a good solution for this, I'd love to hear it. Right now I can set up my family with computers that automatically install updates, regularly scan for malware, back everything up, and phone home to me if something goes urgently wrong - but router updates require manual tracking and intervention.

  • (Score: 1) by etherscythe on Tuesday February 25 2014, @01:03AM


    "A protocol is agreed upon for communicating urgent messages from the router to computers on the network. After getting OS level support, it would shortly be used to bombard the user with advertising and useless messages in the way printer software does now."

    You mean like the old Net Send feature of Windows which is now defaulted to disabled due to massive spam campaigns years ago? I can see that working actually; it just needs to be like Android notifications where you get some kind of low-impact-but-definitely-visible indication (like hijacking HTML pages to add a menubar at the top with a notice) rather than a full-on popup window. It would take users some time to adjust to this level of traffic tampering, but long term seems like the best way to do it IMHO.

    Problem I see with autoupdates is the seemingly arbitrary effects on the end users. Like, my multi-hour-long download from that overseas server that doesn't support resume, which gets cut off and I have to start it over for no apparent good reason (unbeknownst to the user, critical update required a reboot). It would be cool if we could temporarily dump info to a hypervisor to maintain session info between reboots, but that kind of abstraction causes performance/hardware requirement strain, and obviously wouldn't work if some of that code was part of what was being patched.

    --
    "Fake News: anything reported outside of my own personally chosen echo chamber"