
DEFCON Router Hacking Contest Reveals Major Vulnerabilities

138 points | Garbage | 11 years ago | eff.org

59 comments

[+] dmix|11 years ago|reply
The problem that Dan Geer pointed out at his NSA talk [1] isn't that they have some surface level vulns, it's that they are mostly all running Linux from 5 years ago and rarely get security updates. Home routers are insecure by default. The problem is that even if your home router gets hacked and bricked, you go to BestBuy or Newegg to buy a new router and they are all running the same old broken OS by default - not including the questionable services and awful vendor-created software included (i.e. Asus cloud management software with 5x CVEs).

So he posed the question: What if all home routers get hacked and wiped in a mass attack against a country? People can't go out and buy new ones since they are just at risk and will probably just get hacked again. This puts a large amount of any country's technical infrastructure at risk.

The router manufacturers really need to step up here. And even technical users could benefit from more options on the market for secure routers, instead of just DIY OpenBSD boxes.

I'm curious if the gov will ever pressure these companies for better security, although they seem to prefer insecure-by-default.

[1] http://geer.tinho.net/geer.nsa.26iii14.txt

[+] ultramancool|11 years ago|reply
There are better options. There are custom firmwares available such as Tomato, OpenWRT, FreeWRT and DDWRT. These all have more dedicated developers issuing regular updates and are generally more secure, current and feature complete than the original firmwares. Many of these are open source and have active communities even. Problem is that these all require some technical knowledge to install. Some are pretty simple though and can be installed once by a semi-technical person then left alone. But that's not enough for mass adoption.

What we need is more manufacturers simply to give up on developing router firmware and simply pay the devs on these quality projects to do the work for them. They've proven their dedication and can surely adapt to new hardware with relative ease. Some router manufacturers are already doing this. I know at least Buffalo was for some time.

[+] danielweber|11 years ago|reply
> And even technical users could benefit from more options on the market for secure routers, instead of just DIY OpenBSD boxes.

This is a pretty active market already. It's called "Unified Threat Management" by the analyst firms. Keep your support up-to-date and they (ought to) take care of keeping the latest firmware on the device for you. Here are a bunch: http://mosaicsecurity.com/categories/68-unified-threat-manag...

NB: I used to work for one of those companies.

[+] sebcat|11 years ago|reply
> So he posed the question: What if all home routers get hacked and wiped in a mass attack against a country? People can't go out and buy new ones since they are just at risk and will probably just get hacked again. This puts a large amount of any countries technical infrastructure at risk.

That's just plain old FUD, nothing new under the sun!

I realize this is not a very constructive comment, but the fact of the matter is that some people in the information security business like these types of extravagant displays of "this is the end of the world as we know it!"

Not many SOHO-routers have capabilities exposed to the outside world.

I mean, yes, it would be nice if the world was a safer place, but it's all about risk management, and risk is a factor of probability and cost, and the probability level here is very low.

[+] gear54rus|11 years ago|reply
> home routers get hacked and wiped in a mass attack against a country

Who would want to do that, I wonder. I mean, it's not a one-click process, on that scale, diversity will be an important factor (FW and HW versions, manufacturers, OpenWRT and stuff).

It seems to me that this would require a lot of effort and the result will be questionable. What will be achieved by this?

I think if someone cares about security, they've already flashed DD-WRT by now and those who don't... well, router (in)security will not stop their systems from being overtaken.

[+] uptown|11 years ago|reply
With their renewed public stance on privacy and security, do Apple AirPorts have any better track-record regarding router security, or do they suffer from the same types of flaws?
[+] makmanalp|11 years ago|reply
What we need is a worm that uses the most common vulns to reflash these routers with a recent version of openwrt. Yeah, right ... :)
[+] peterwwillis|11 years ago|reply
First of all, a Linux box from 10 years ago is no less or more secure than a Linux box from 2 days ago. I'm positive I could put a Linux 2.2 box on the Internet today and it'd never get hacked.

Second, your hypothetical mass attack would be easy to fix. Reinstall Windows on your malwared-up desktop, buy a new router, plug them both in, and update the router using approved vendor sites. There are no WAN hacks and the client machine wouldn't have any malware on it, so it could update safely.

The router manufacturers just need to disable all remote administration features and require a USB or CAT5 "admin port" to access setup functionality. Honestly, a bare-bones firewall with no features other than DHCP and NAT is all 99% of people use anyway.

[+] netdog|11 years ago|reply
I think the widespread insecurity of home routers will not improve anytime soon.

Background: I work at a company which makes a "home router". It's not one you will find at a big box store, but internally it's not much different.

Most of these routers are built from a MIPS SoC manufactured by Broadcom, Atheros, or Marvell. Since their business is selling chips, not routers, these SoC companies need to make it easy for your LanWan Company startup to choose to use their chipset.

So these SoC companies will give you a reference hardware design. They will also give you a completely functional software package with Linux kernel, drivers for all the peripherals (Wi-Fi, ethernet, etc.), all the necessary user space utilities, a complete GCC cross-compiler toolchain binary which runs on Ubuntu, and a bad web app. You can literally unzip this package, run 'make', and end up with a functional filesystem image ready to flash onto the reference board.

So LanWan startup can start manufacturing routers with only one or two software devs who know some C and a part-time hardware engineer. Manufacturing is contracted out to China.

The vendor-supplied C code is not written by expert programmers. It's obvious when you (try to) read the source. It's also a huge and messy pile of code.

Where I work we use the vendor-supplied kernel but we wrote all the user space ourselves. All this stuff is written in C. The software devs here have more than a few years of experience writing C, but are very uneducated about how to write secure code. They don't think about it. And management does not think about it. The only thing that matters to management is that the box passes the tests.

I've been around long enough to have figured out that things are like this in most places. Whether small companies or big companies doesn't matter.

[+] AnthonyMouse|11 years ago|reply
I believe this is the premise behind EFF's open router project. Provide a higher quality base router distribution that can be used by anyone, including SoC and router manufacturers.
[+] danielweber|11 years ago|reply
Many years ago I went hunting for CSRF attacks in SOHO routers and found them in all of them. Most of them completely ignored me when I reported it, one accused me of accessing an internal dev-only version (when it was simply in the office of a friend of my boss). Check Point followed through like professionals.

(To be fair, I was working at a place selling all-in-one firewalls to SMB, so many of those boxes were our competitors.)
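The CSRF class of bug described in this comment, shown as an added example that is not from the thread or from any vendor's firmware: a constructed router settings handler that accepts any request carrying a valid session cookie, next to the same handler hardened with an Origin/Referer check and a per-session synchronizer token. The router address, the session layout and the request dicts are all assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

ROUTER_HOST = "192.168.1.1"  # constructed: address of the router's admin UI


def new_session():
    # Session as the router stores it after login; the browser attaches the
    # session cookie to every request to ROUTER_HOST, which is what CSRF relies on.
    return {"user": "admin", "csrf_token": secrets.token_hex(16)}


def vulnerable_apply(req, session):
    """Typical SOHO handler: any request that arrives with a valid session
    cookie is applied, no matter which page submitted the form."""
    if session is None:
        return False
    session["dns"] = req["form"]["dns"]
    return True


def hardened_apply(req, session):
    """Same handler with two independent CSRF defences."""
    if session is None:
        return False
    # 1. Origin (or Referer) must name the router itself; a form auto-submitted
    #    from another site carries that site's origin instead.
    source = req["headers"].get("Origin") or req["headers"].get("Referer")
    if not source or urlparse(source).hostname != ROUTER_HOST:
        return False
    # 2. The form must echo the per-session token, which a cross-site page cannot
    #    read because of the same-origin policy; compare in constant time.
    token = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return False
    session["dns"] = req["form"]["dns"]
    return True


def demo():
    sess = new_session()
    # Constructed requests: one posted by a third-party page through the victim's
    # logged-in browser, one submitted from the router's own settings page.
    cross_site = {"headers": {"Origin": "http://attacker.example"},
                  "form": {"dns": "203.0.113.5"}}
    legit = {"headers": {"Origin": f"http://{ROUTER_HOST}"},
             "form": {"dns": "9.9.9.9", "csrf_token": sess["csrf_token"]}}
    return (vulnerable_apply(cross_site, dict(sess)),   # accepted: the bug
            hardened_apply(cross_site, dict(sess)),     # rejected
            hardened_apply(legit, dict(sess)))          # accepted
```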

[+] me_again|11 years ago|reply
I own and am currently using an Actiontec Q1000 with a CenturyLink DSL connection.

I'm trying to work out just how exposed I am, and whether there's anything practical I can do about it.

Presumably I can: 1) buy a different device not currently known to be vulnerable 2) reflash with an alternate firmware 3) disable as many admin options as possible to reduce surface area 4) pray

Are there other alternatives for the luckless home router owner?

[+] michaellosee|11 years ago|reply
They gave the exploit a "1337 compromise" award, so it is almost as bad as it gets.

While you still have the Q1000, be sure that you have the remote interface disabled and use the NoScript browser plugin. Those two items will mitigate a lot of the risk.

I replaced my Actiontec Q1000 with a used Zyxel Q1000Z I got for $30. I haven't had time to assess the Q1000Z yet, but it does not have any known 0-day vulnerabilities.

[+] tedunangst|11 years ago|reply
> Unfortunately, fixes have been slow to roll out. Because each of the bugs have been disclosed to the manufacturer directly, there may not be pressure to push an emergency patch, but manufacturers have a chance to address the issues.

Responsible disclosure for the win. It's a good thing nobody else is looking for vulnerabilities in these routers.

[+] michaellosee|11 years ago|reply
I demonstrated the Actiontec Q1000 exploit on Track 0. As a security professional I am very interested in responsible disclosure, and had already reported the vulnerability to CenturyLink 6+ months before Defcon (slight correction to the article, the ISP is not Verizon). I first read about the SOHOplessly Broken contest on HN the week before Defcon and figured I'd apply since I already had a 0-day in my back pocket.

As the article says the manufacturer has acknowledged the vulnerability, but I have not heard from them for quite a while. I've begun to wonder how much time has to pass without a fix before it would be irresponsible of me not to fully disclose the vulnerability. Lately I've been thinking that full disclosure may be the only responsible way to disclose a vulnerability. But I am still conflicted.

[+] r00fus|11 years ago|reply
Wonder why an Apple product wasn't on that target list. I'm sure it comprises a good-sized population and likely valuable targets for compromise.
[+] lunixbochs|11 years ago|reply
There's a much higher barrier to entry for security research on AirPort routers.

The only configuration method is over a custom binary protocol, so you can't just fuzz HTTP headers and input fields. The firmware downloads are encrypted, so there's no easy way to pull binaries from the device.

The only public way to do any analysis on the software requires soldering to the board.

The early models run VxWorks, the N models run NetBSD 4.3 on ARM (Express) and MIPS (Extreme), and the AC models (Extreme and Time Capsule, the weird tall ones) run a fork of NetBSD 6.0 on ARM. The AC versions actually contain a single-core binned ARM Cortex-A9 from the iPhone 4S like you would find in the Apple TV.

That said, at least one group has root, firmware dumps, and is doing active research. Come hang out #theairportwiki on freenode if you're interested.

[+] tehskylark|11 years ago|reply
That feeling when the EFF labels you as a newb... :/
[+] rangak|11 years ago|reply
I am one of the authors of the blog post.

I think you are referring to the description of Track 1 and 2. Seems like you were one of the contestants. Sorry, we didn't mean to label anyone a newbie. It is just that Track 1 and 2 had goals of bringing in newbies. Of course many of the contestants were even experienced hackers. Indeed one of the winners of Track 1 was also the Track 0 winner.

I apologize if the phrasing in the blog post seemed like a put down of contestants' expertise in any of the Tracks.

[+] lawnchair_larry|11 years ago|reply
There is nothing "responsible disclosure" about not reporting these to the people affected. Another example of why that term is terrible.