×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Researchers Hack Over a Dozen Home Routers

samzenpus posted about a year ago | from the protect-ya-neck dept.

Security 109

An anonymous reader writes "Security researchers at Independent Security Evaluators have published a report demonstrating that a slew of home and small office (SOHO) routers are vulnerable to previously undisclosed vulnerabilities. The report asserts that at least thirteen popular routers can be compromised by a remote attacker, and a number of them do not require knowledge of credentials or active management sessions. Some of the routers are not listed as they work with vendors to fix them, but there are 17 vulnerabilities disclosed, with another 21 pending release. An article on CNET includes an interview with some of the researchers."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

109 comments

Use a FreeBSD box as your firewall (4, Insightful)

Anonymous Coward | about a year ago | (#43479141)

An older computer redone with a FreeBSD install makes an excellent router and is extremely secure. I would suggest anyone who is comfortable with a *nix command line use this solution as I've found it to be virtually bulletproof.

Re:Use a FreeBSD box as your firewall (3, Insightful)

Anonymous Coward | about a year ago | (#43479157)

Except for power and space. Sorry, but I want something that I can tuck away on the wall or on top of a shelf, and the average older computer isn't very suitable for that.

Even a mini-ITX build is still using more power than I'd prefer.

Re:Use a FreeBSD box as your firewall (4, Informative)

00Monkey (264977) | about a year ago | (#43479227)

pfSense and others like m0n0wall will work on Netgate's ALIX Kits: http://store.netgate.com/ALIX-Kits-C86.aspx

They're small and actually look like a router.

Re:Use a FreeBSD box as your firewall (2, Interesting)

vjlen (187941) | about a year ago | (#43479235)

This. We build these for clients and run pfSense on them. Low power, no heat, supports a backup WAN connection with it's three ethernet interfaces. And you can add two more with USB Ethernet adapters.

Re:Use a FreeBSD box as your firewall (-1)

Anonymous Coward | about a year ago | (#43479253)

so you would sacrifice security for convenience? Then, you deserve neither*.

Quit being so lazy as to expect everyone else to provide what you want on your terms. People like you make me sick.

*With apologies to Benjamin Franklin.

Re:Use a FreeBSD box as your firewall (5, Informative)

AlphaWolf_HK (692722) | about a year ago | (#43479309)

No he isn't doing that. You'll get the same security benefit of having a roll your own box if you loaded your own custom firmware that was better tested, like say tomato or openwrt (I'm not a fan of dd-wrt myself, but it seems secure enough.)

Re:Use a FreeBSD box as your firewall (-1)

Anonymous Coward | about a year ago | (#43480155)

Aha, proof by blatant assertion never makes a convincing argument.

"Except for power and space. Sorry, but I want something that I can tuck away on the wall or on top of a shelf, and the average older computer isn't very suitable for that."

The phrase "I want" gives it away right from the second sentence. I want lots of things too, but many of them ain't gonna happen. Complaining that one option is not his preference and therefore 'not an option' is being lazy and self-serving. If the GP was *truly* interested in security he would do what it takes to obtain it, *regardless*. Consumer grade hardware gets worse by the year so IMO the best way to do something right is to do it yourself. Sure, it may come with attendant disadvantages, but then with the state of consumer grade hardware these days, if one wishes to have true auditable security, one doesn't have many options. You described a very good one yourself, but I wouldn't be surprised if he thought that was "too much work".

And dd-wrt is awesome IMO. I have 2 boxes running it and have not had a single issue in nearly 2 years.

Re:Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43482053)

What you're missing is that most people are not interested in building their own router and firewall any more than they are interested in machining their own keys and locks for the doors on their house. They want a solution which balances effectiveness with price and ease of use. Yes, some people who are hobbyists or have a professional interest will bring out the "big guns", but those people are not typical consumers. The typical user of any consumer-grade product is a consumer, not an expert.
The issue discussed in the article is not something inherently bad with consumer class equipment, but rather laziness or incompetence on the part of the hardware makers.

Re:Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43479935)

so you would sacrifice security for convenience? Then, you deserve neither*.

I'm unwilling to sacrifice my needs to take the cheap option suggested by the original poster. Since when does that preclude actual security?

In your fevered imagination, perhaps?

Quit being so lazy as to expect everyone else to provide what you want on your terms. People like you make me sick.

Quit being so arrogant as to expect me to not want what I want, and there is absolutely no reason for me to not what I want and refuse to compromise because of it. Certainly not with the suggestion of an older PC running FreeBSD. Fuck that, I'd rather actually do what some other posters have suggested and get a custom open-sourced firmware working on hardware.

Maybe instead of being sickened by a reasonable course of action, you ought to be a little less quick to judge.

No, that'd take too much fucking effort. I bet Ben Franklin said something about that.

Re:Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43480177)

Hold on a minute. FBSD s most likely highly portable. I wouldn't be amazed if you could install in on most of those crappy flashable routers at home.(I don't use one, i live on my own, ground floor, almost basement :P)

Re:Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43481299)

It is not "portable" due to the high memory and HDD usage. Plastic routers have very limited resource : 32 - 64MB RAM and 4-8MB FLASH.on most $50 range.
Once you pay $100 and more and not get much more ram and CPU speed, you are way better off going to a mini-itx or other low power PC e.g. laptop motherboard on ebay.

Re:Use a FreeBSD box as your firewall (-1)

Anonymous Coward | about a year ago | (#43480939)

Now you just sound like a whining bitch.

'I want what I want wah wah!!'

in fact:

Quit being so arrogant as to expect me to not want what I want,

I expect no such thing. How about you quit being so intellectually lazy and bloody-minded? All I expect is for you to be *realistic*...but No, that'd take too much fucking effort.

and there is absolutely no reason for me to not what I want and refuse to compromise because of it.

Your poor mastery of yourself and the English language shows. Refuse to compromise and whine like a bitch all you want, you'll see where it gets you.

But then this *is* /. ... home of the internet retarded.

Re:Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43482391)

You're the one sounding like a whining bitch, while blindly stuck in your own smug and condescending arrogance.

The real intellectual laziness is on your own end, as you'd much rather sound like a dick defending a sub-optimal choice than admit that there's other considerations to work with that don't actual require any compromises.

Re:Use a FreeBSD box as your firewall (5, Funny)

wonkey_monkey (2592601) | about a year ago | (#43480241)

so you would sacrifice security for convenience? Then, you deserve neither*.

You're right. He should block all traffic and whitelist every single IP address as he needs to. Actually, he should manually inspect every packet he receives. Actually, he should have all his packets printed at a remote location and FedEx'd to him for examination and re-input.

Re:Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43479681)

Perhaps this [viaembedded.com] or this [viaembedded.com] could work? Niche is always little expensive, though.

Re:Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43479975)

That looks more suited to use as an AIO PC than a router.

Total waste of money and functions. It'd be like having a riding lawn-mower when I have 150 square feet of grass to cut. Or 500 even. Or using a high-end hammer-drill when I just need to unscrew a receptacle.

Re:Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43484757)

Well, who doesn't watch netflix with the router while configuring it!? ;)

Re:Use a FreeBSD box as your firewall (1)

Joce640k (829181) | about a year ago | (#43480047)

Except for power and space. Sorry, but I want something that I can tuck away on the wall or on top of a shelf, and the average older computer isn't very suitable for that.

Even a mini-ITX build is still using more power than I'd prefer.

What about a Raspberry Pi?

Re:Use a FreeBSD box as your firewall (1)

SuricouRaven (1897204) | about a year ago | (#43480209)

The onboard ethernet is actually connected via USB, and a second network port would have to be connected the same way. It's doable, but not really optimal. Fine for those on low-bandwidth connections, but many internet services now would easily overwhelm it. It's only a 100mbit port at best, and the processor might be a limitation before you reach that point.

Re:Use a FreeBSD box as your firewall (1)

isama (1537121) | about a year ago | (#43480561)

My Raspberry Pi seems to cap out at 20Mbit on my 50Mbit home connection.

Re:Use a FreeBSD box as your firewall (1)

rvw (755107) | about a year ago | (#43480251)

Except for power and space. Sorry, but I want something that I can tuck away on the wall or on top of a shelf, and the average older computer isn't very suitable for that.

Even a mini-ITX build is still using more power than I'd prefer.

How about a Raspberry Pi like device with two ethernet ports and FreeBSD on it?

Re:Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43482691)

How about a Raspberry Pi like device with two ethernet ports and FreeBSD on it?

A) Speaking for myself, I need 4-ports for my LAN

B) Depends on how Raspberry Pi-like the device is, the power-usage is acceptable, but the performance is not. They didn't pick great networking components for that usage. Adequate for using one in a common way, but not so much for a router. I'm not even sure how suitable the ARM-Processors are for building a router-core upon. It might be more desirable to go with an entirely different SOC-design.

Re:Use a FreeBSD box as your firewall (1)

Grishnakh (216268) | about a year ago | (#43482199)

Exactly. Using an older computer as a router is a massive waste of power (and space). Get something that's designed specifically for the purpose: a modern router like a typical Linksys unit uses a tiny amount of power and is very small. And the software side isn't a problem: just install DD-WRT on it.

Re:Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43479179)

I one up you with OpenBSD.

Re: Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43479217)

OpenBSD is the trump card. He has won.

Re:Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43479249)

OpenWRT. Linux interface, router package and power consumption. Easy.

Re:Use a FreeBSD box as your firewall (2)

blackicye (760472) | about a year ago | (#43479307)

OpenWRT. Linux interface, router package and power consumption. Easy.

of if that is too intimidating, DD-WRT or Tomato.

Re:Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43479841)

Personally, I'm aiming to make use of DebWRT [debwrt.net].

Re:Use a FreeBSD box as your firewall (-1)

Anonymous Coward | about a year ago | (#43479375)

All these routers are already based on Linux and got powned. Easy.
OpenBSD > Linux.

Re:Use a FreeBSD box as your firewall (1)

Nerdfest (867930) | about a year ago | (#43479243)

No wireless AP though.

Re:Use a FreeBSD box as your firewall (1)

UnknownSoldier (67820) | about a year ago | (#43479341)

So add the WRT54GL to it running Tomato, OpenWRT, or DDWRT.

$50 from NewEgg
http://www.newegg.com/Product/Product.aspx?Item=33-124-190 [newegg.com]

Re:Use a FreeBSD box as your firewall (1)

Nerdfest (867930) | about a year ago | (#43479393)

Older router, slower processor, G only. Buffalo has some nicer routers with DD-WRT per-installed. Really though, I was just saying that for most people, a wireless access point is their primary concern, not a hardened router.

Re:Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43479617)

I run a gentoo hardened install with hostapd, it does 802.11n, best of both worlds. Not for a beginner though.

Re:Use a FreeBSD box as your firewall (3, Informative)

blacksmith_tb (855386) | about a year ago | (#43480193)

www.easytomato.org - nicely polished version for a common (and fairly versatile) modern router, the ASUS RT-N16.

Why not? (1)

tick-tock-atona (1145909) | about a year ago | (#43481371)

I've got one of these [jetwaycomputer.com] running debian wheezy. It acts as firewall/router/wifi-hotspot/OpenVPN gateway, and even allows me to have a *real* DMZ, unlike most home routers.

Re:Use a FreeBSD box as your firewall (5, Insightful)

AlphaWolf_HK (692722) | about a year ago | (#43479277)

I like these embedded devices because they are low power (save you money on an ongoing basis) and do the job. Many even offer some nice things like switch management (e.g. creating vlans) if you use custom firmware. That said, if you do switch to a custom firmware, chances are good that you are immune to these vulnerabilities.

These security researchers don't really count on the later though. They advocate requiring these devices to require signed firmware. That means no custom firmwares, so if your manufacturer ever abandons the device, and security vulnerabilities are later found, you really can't do anything about it. I like custom firmware for not only that reason (e.g. it uses software that is generally better tested against threats) but because it ads features that most OEMs require you to pay a LOT extra for.

I hope none of these vendors take the signed firmware advice, or at least allow you to sign your own. But many here already know how that goes. I think Netgear is the only one that might set itself apart in that regard as they carry certain models that are explicitly advertised to the customer as being able to use your own firmware.

Don't forget Buffalo (3, Informative)

Zynder (2773551) | about a year ago | (#43479553)

The Buffalo Nx00 series (mine is an N900 I think) also uses DD-WRT and actively advertises it. In basic mode, it is a Buffalo branded implementation but there is a variable to set which puts it in advanced DD-WRT Mode. It was the primary driver in my decision to purchase said router. My knowledge at the time was that Buffalo only did backup solutions & SANs but went out on a limb and bought it anyway. I have never been more happy. Buy one today!

Re:Don't forget Buffalo (1)

Grishnakh (216268) | about a year ago | (#43482239)

If I didn't have a Cisco/Linksys E1000 running DD-WRT, I'd definitely be getting a Buffalo just for their support of DD-WRT.

Re:Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43479559)

Do you want a secure device, but you don't want something big like an old desktop?
Just buy a raspberry pi and a cheap switch and that's it. It's cheap, small, low consuming, easy upgradeable (software) and you can secure it as much as you want.

Re:Use a FreeBSD box as your firewall (2)

AlphaWolf_HK (692722) | about a year ago | (#43479661)

Probem with Pi is that its network throughput is kinda bad. I have a 50mbit pipe, and pi seems to top out at 35. Kind of problematic for XBMC use for me as well in that playing blu-rays results in buffering for me for the high bitrate ones (add nfs/smb overhead and you dip down to 30mbit - some of my blu-rays peak at 39mbit.) Still trying to figure out of the problem is just me (I only got the pi a week ago) or if everybody with high bitrate ripped bd's has this problem. And no, I don't want to transcode them to a lower bitrate.

Re:Use a FreeBSD box as your firewall (2)

SuricouRaven (1897204) | about a year ago | (#43480237)

That's because the Pi chip doesn't have ethernet at all. Instead the ethernet port is connected via USB internally. It was the only way to meet the low-cost requirement, but comes with a performance cost: USB takes considerable processor time for bulk data transfers.

Re:Use a FreeBSD box as your firewall (1)

pnutjam (523990) | about a year ago | (#43483297)

I would go Mikrotik [routerboard.com] before I would try a rasberry pi. For about the same price you get 5 ethernet ports and 802.11n in a low power, tiny package.

Re:Use a FreeBSD box as your firewall (1)

sinij (911942) | about a year ago | (#43479329)

Above is technically complex solution (not everyone on /. is up for it, never mind general crowd) when much easier solutions like custom router firmware like Tomato or DD-WRT exist.

Re: Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43479503)

I'm quite happy with my Cisco ACLs... And honestly, I don't even remember what UPnP was used for...

Warning: $1 a day for some "older computers" (5, Insightful)

NotQuiteReal (608241) | about a year ago | (#43479513)

It's been mentioned, but I have actual metrics (Kill-A-Watt P3) on the electricity used by "old computers"... in my case it was about a buck a day (I'm in So Cal, so YMMV, but I am sure electric rates are going to go up here, since California is going to save the world from global warming [or go broke trying], all by itself, by taxing the bejesus out of anyone with two nickles, You're welcome.)

BTW - anyone with an old VCR or DVD player you REALLY don't use... about $18 year just to keep it plugged in (flashing 12:00 or not). I tossed 2 units in the Goodwill bin a couple of years ago and haven't missed them.

Won't help you (2)

dutchwhizzman (817898) | about a year ago | (#43479929)

Using a firewall box behind the router your ISP mandates you use, will not help you against a number of threats. Basically, they take over your router, put a sniffer on it and they can sniff all your internet traffic. The extra firewall may or may not prevent them gaining access to your computers behind the IPV4-NAT your router usually does. That's the only protection an extra firewall might give you. I'm saying might, since slight misconfiguration or access to a hackable service behind the firewall will negate all security that firewall is giving you.

Advocating FreeBSD, or any other specific solution is not helpful here. There are plenty of other adequate firewall solutions, more or less regardless of the operating system they may be running.

In practice, it will only help if manufacturers and vendors will be found liable for security flaws in their equipment and will automatically have to pay not just the price of the device and all damages to all customers that have bought it, but also a fine if they are found to be negligent. It's clear that vendors don't take security seriously (all tested devices were hacked) and ISPs aren't either. Home users can't be expected to know their security details up to such a high level so can't really be blamed for trusting their ISP or a leading brand to take care of security adequately. ISPs, vendors and manufacturers are supposed to know and actively secure their devices. Since they don't seem to care, some sort of threat should be put in place to make them take this more seriously.

Re:Won't help you (1)

jawtheshark (198669) | about a year ago | (#43480273)

Ehm, that's why you set your router in "bridge" mode and use it as a dumb ADSL modem. Or, if you're like my dad and have real fiber at home, you just plug into the ONT. No more modem needed. Sure, you have to do the PPPoE yourself on firewall/router-machine, but that works just fine. (Fiber with a ONT, usually involves adding a VLAN and the do PPPoE over the VLAN)

Re:Won't help you (1)

pnutjam (523990) | about a year ago | (#43483321)

Try that with IP-tv, like Uverse. I have to allow their router to function, but I tell it to passthrough my router on the external address. It usually forgets the configuration every couple of months and I have to reset it, lots of fun.

Re:Won't help you (0)

Anonymous Coward | about a year ago | (#43482179)

behind the router your ISP mandates you use

Citation needed.

Basically, they take over your router, put a sniffer on it and they can sniff all your internet traffic

Citation, and tinfoil hat, needed.

Re:Won't help you (1)

ImprovOmega (744717) | about a year ago | (#43482905)

Basically, they take over your router, put a sniffer on it and they can sniff all your internet traffic.

I'm sure all of the encrypted SSL traffic between me and 80% of my web browsing will be incredibly useful to these malicious attackers.

Re:Won't help you (1)

pnutjam (523990) | about a year ago | (#43483347)

Nothing a vpn won't fix

Oh, your router can't act as a vpn client? Guess you should check out pfsense.

Re:Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43480763)

IPFire could be worth a mention to those that don't have the knowledge to deal with iptables and etc.

Basically: Install like a regular linux distro, once it's booted it's a basic terminal, but you can access a management GUI via browser and configure pretty much everything from there. Including who from where and with which keys/certs can get access to the management interface, so it can be as secure as possible.

Fire up a virtual machine and play around with it, see if it could be of any worth. As soon as I build or buy a very tiny system to replace my router I'll be going this route

Re:Use a FreeBSD box as your firewall (0)

Anonymous Coward | about a year ago | (#43481101)

I've been thinking of turning one of my early netbooks in to one of these.

But I haven't gotten around to doing it because I would likely need to find weird USB or internal phone-line connections.
Then comes the LAN connections. I'd still probably be able to use my modem+router for that since it would be behind the initial hurdle of the locked-the-hell-down netbook modem.
And equally it would also act as a way for me to run torrents, web scraping and other general always-on software on there with VNC.
Hell, I could probably just use a USB wifi AP like what I do when I am on holiday using a wireless dongle.
Saves having this stupid bunged up slow router from the 1600s.

Hell, with that combined with tablet with VNC, I'd likely never need to turn on the PC unless I feel like gaming. I use my tablet both as just a tablet as well as a remote client to PC for drawing, programming and the like from around the house with little hassle. (wrote my own touch keyboard for it too)

ISP Provided? (1, Interesting)

GeneralTurgidson (2464452) | about a year ago | (#43479175)

If your ISP provides you an insecure router and your credit card numbers are subsequently stolen, whose fault is it? Especially when these routers are only configurable via your ISP?

Re:ISP Provided? (5, Insightful)

JJJJust (908929) | about a year ago | (#43479303)

Yours for either A. having your credit card information on the network in an unencrypted state, B. transmitting it without making sure the HTTPS lock is present, and/or C. not having adequate deskop security.

It takes more than just an accessible router to get to sensitive information... if an unauthorized party is able to access that information, 9 times out of 10 it'll be a user's fault.

Blaming the victim (-1)

Anonymous Coward | about a year ago | (#43479517)

Do you blame victims of burglary too? How about the bomb in Boston? Is it their fault they weren't wearing flak jackets?

The only person responsible for any misdeed is the person that did it.

Re:Blaming the victim (-1)

Anonymous Coward | about a year ago | (#43479591)

Do you blame victims of burglary too?

if the victim puts expensive Jewels on display in his front window then yes they have to accept some responsibility for being a moron. a door lock only takes you so far. Try claiming on your insurance and telling them you did something this idiotic and you will have a tough time making a claim.

How about the bomb in Boston? Is it their fault they weren't wearing flak jackets?

So you went from idiotic with the first statement to just plain retarded with this one, how the fuck is this even close to related. Especially as we don't even know why the bombs were planted or who did it at this point in time. but regardless you're a fucking retard.

Re:Blaming the victim (2, Insightful)

epyT-R (613989) | about a year ago | (#43479701)

the people responsible are the ones who committed the crimes, not the people who coulda-shoulda-woulda been in positions to prevent it if they had done X more.

Don't blame the victim; blame Microsoft/Router com (0)

Anonymous Coward | about a year ago | (#43479991)

No- the people responsible are the ones who put users in danger through stupid designs.

They should be releasing 100% of the code, providing security updates, and making sure defaults are such that users are not able to easy install whatever they want. The system should make it somewhat difficult to do point and click installs of potentially dangerous software.

Re:Blaming the victim (0)

Anonymous Coward | about a year ago | (#43484003)

the people responsible are the ones who committed the crimes, not the people who coulda-shoulda-woulda been in positions to prevent it if they had done X more.

The people responsible under the morals and laws of society are the ones who committed the crime.
In Real Life, however, the person who fails to anticipate an obvious and likely course of events can also be said to bear some of the fault.

Or put another way:
If you want to cry about whose fault it is you got raped, then you can walk down an alley full of convicted rapists wearing nothing but a g-string.
But if you'd rather just not get raped to start with, you might want to consider walking somewhere else, wearing different clothing, and/or carrying a gun.

No matter how hard you beat your Utopian Drums, the world has bad people in it who are looking for Victims. You can be proactive about making sure you don't become a victim, or you can piss and moan about it when it happens. But if you ARE going to insist on doing stupid shit, then don't come crying to us about it.

Re:ISP Provided? (1)

goombah99 (560566) | about a year ago | (#43479643)

Yours for either A. having your credit card information on the network in an unencrypted state, B. transmitting it without making sure the HTTPS lock is present, and/or C. not having adequate deskop security.

It takes more than just an accessible router to get to sensitive information... if an unauthorized party is able to access that information, 9 times out of 10 it'll be a user's fault.

Most people use dynamic addressing and delegate the DNS lookup to the router. This means Https or any of the other things you mentioned are useless as security measures.

Re:ISP Provided? (1)

SuricouRaven (1897204) | about a year ago | (#43480255)

Simply falsifying DNS won't do it - you can't impersonate an https site without a cert. Easiest way I see would be to intercept logins to non-https sites, and rely on the user reusing passwords.

Re:ISP Provided? (1)

DarkOx (621550) | about a year ago | (#43481115)

you can't impersonate an https site without a cert.

Maybe. The recent browser releases have taken a step to improve the situation by remembering if they used https for a host before and doing it by default the next time but its not 100%.

Consider:
You type thinkgeek.com in your url bar. You don't specify the protocol because only those of us slashdot readers understand the risks inherent in not doing so bother and your browser decides to use plain http. An important omission was made but no typo. I intercept your clear text 80 traffic and rather than the remote host sending a 302; I send you a 302 and point you at https://thinkgeak.com/ [thinkgeak.com] which redirects to a server I control and have a valid certificate for. Your browser issues no warnings. Will you notice if I have done a good job cloning the site? Hell maybe I actually proxy your requests to the real host so you can even order and get your stuff like nothing is wrong, meanwhile I snag your CC and CVC as it goes by with a ciphers I selected.

https is pretty good but its still possible to do some amount of spoofing under the right conditions.

Re:ISP Provided? (1)

petermgreen (876956) | about a year ago | (#43481805)

In an ideal world software vendors wouldn't put users in a position of choosing between trusting their internet connection and not getting the software. Certification authorities would make damn sure they were issuing certificates to the right entity. Credit card companies would move away from a system where the dominent way of making an online payment is to give the vendor a code that lets them take unlimited money from your account. Users would directly enter the https url or at least carefully check the https url they had been redirected to after entering the http url. Legitimate vendors wouldn't spread their services across multiple domains so it would be easy to tell the difference between the vendor's legitimate site and a scam domain. Websites that were going to use a third party payment gateway would bring users into a secure area of their own site before giving them the url of the payment gateway.

Sadly we don't live in that world

Re:ISP Provided? (1)

JJJJust (908929) | about a year ago | (#43482317)

In an ideal world software vendors wouldn't put users in a position of choosing between trusting their internet connection and not getting the software.

Most of the majors have a system for buying game cards in a physical store. If the user prefers convenience, that's on them.

Credit card companies would move away from a system where the dominent way of making an online payment is to give the vendor a code that lets them take unlimited money from your account

Credit card companies used to do this via one-time virtual card numbers. For the most part, the user found it inconvenient and didn't use it.

Re:ISP Provided? (2)

sinij (911942) | about a year ago | (#43479313)

I see where you went wrong. You are trusting the same guys that try to oversell and under-deliver all while trying to legislate away competition to be technically competent and deliver you a secure router. What makes you think this time will be any different?

Re:ISP Provided? (1)

epyT-R (613989) | about a year ago | (#43479653)

It's the fault of the person who stole your information...or at least it should be. Today's over litigious society probably disagrees.

Fault? (1)

dutchwhizzman (817898) | about a year ago | (#43479959)

I don't think there's a single person or legal entity "at fault" here. It's a combination of multiple factors. First of all, your credit card company uses a proven flawed security model. Second of all, you should have been more careful with those numbers yourself, since it's a proven flawed system. Third of all, yes, your ISP can be found negligent for not adequately testing the equipment they provided to you. They can blame it on their manufacturer, but if they haven't tested the equipment they should be found criminally negligent in my opinion. You can't ask home users to know this much about computer security, since it's not their profession in general. However, ISPs are in this for a living and should know better.

Slashvertisement (0)

Anonymous Coward | about a year ago | (#43479201)

Researchers? From the linked web page, this looks like an ad for some high-priced security consultants. I stopped reading after, "All 13 routers evaluated can be taking over from the local network." Can be taking over? Kind of makes you wonder how careful their "research" was, although as I said I didn't bother to read any more.

Somebody alert NASA (2)

servognome (738846) | about a year ago | (#43479231)

They hacked 13 Solar & Heliospheric Observatory routers.

Yes I did go to the actual article, but got bored after reading the headline.

This time I'm intrigued... (3, Interesting)

juventasone (517959) | about a year ago | (#43479345)

Comprosing cheap routers is a topic that has been covered on Slashdot many times before. In every previous article, they've required that remote administration be enabled on the router, which is generally never a default setting. This report states, "tested with out-of-the-box configuration settings". Really? Yikes.

Re:This time I'm intrigued... (0)

Anonymous Coward | about a year ago | (#43479709)

Many of which probably have default passwords. They aren't "password" anymore, but they are "number on bottom of box".

Easy to mitigate. (4, Insightful)

viperidaenz (2515578) | about a year ago | (#43479469)

They're pretty much all CSRF vulnerabilities. Don't save your password to your router or don't use a common router IP address like 192.168.1.1

Re:Easy to mitigate. (2, Interesting)

animaal (183055) | about a year ago | (#43480383)

They're pretty much all CSRF vulnerabilities. Don't save your password to your router or don't use a common router IP address like 192.168.1.1

I'm scratching my head here - why would an address like 192.168.1.1 be a problem? It's only an internal IP address. An attack from the outside would come through the external IP address. Once they've breached the router, surely it'd be simple to find internal addresses anyway?

(Really hoping I don't have to re-address my stuff!)

Re:Easy to mitigate. (0)

Anonymous Coward | about a year ago | (#43480595)

As I understand it, some of the exploits were running on the browser of a machine inside the network - think a drive-by download. However I'm not certain that moving the IP address of the router will help address this as once you have running code inside the target network you should be able to determine the way out onto the public internet; with the router being typically first hop out.

As you say, knowing the router is on a particular address won't help you compromise it remotely though.

Re:Easy to mitigate. (1)

viperidaenz (2515578) | about a year ago | (#43480625)

They're not running code on your browser. They're just making the browser perform a request. You need to know the routers local IP for that to work.
Browsers block cross-domain code execution, so you can't read any data that comes from another domain via Javascript. All you can do is blindly fire off requests.

Re:Easy to mitigate. (4, Insightful)

viperidaenz (2515578) | about a year ago | (#43480619)

Because its cross-site-request-forgery.

If you're logged in to your router and you go to another website that has an image tag with a url of "http://192.168.1.1/admin/enable-remote-login" or submits a form using javascript off to 192.168.1.1 then they've effectively made that request from inside your local network via your browser.

If there is an exploit that enables remote admin then not only has the attacker now enabled remote admin on your router but they have your external IP address to exploit because you made the request...

I'm disappointed in the Slashdot moderators for giving this +4 Insightful. It was a good question though.

Re:Easy to mitigate. (1)

DNS-and-BIND (461968) | about a year ago | (#43482669)

I am a moderator who gave him a +1 for that question. It will be undone, of course, because I posted in this thread. It was a good question that I wanted an answer to. Now that it got up to +4, someone answered it. If it was still sitting at Score:1 where it was before I gave it mod points, would anyone have bothered to answer?

I'm disappointed in the parent poster for dissing the moderation system because it worked as intended.

Re:Easy to mitigate. (0)

Anonymous Coward | about a year ago | (#43481449)

They're pretty much all CSRF vulnerabilities. Don't save your password to your router or don't use a common router IP address like 192.168.1.1

Wait, what? Changing the router IP does absolutely nothing to enhance security. Default gateway much?

Re:Easy to mitigate. (1)

cgimusic (2788705) | about a year ago | (#43482565)

How does it not? An external attacker should not have any access to your internal network and hence has to guess the IP address of the router. It is easier for them to make a few attacks against 192.168.1.1 and 192.168.0.1 than for them to try and attack the entire range of IP addresses reserved for internal networks.

DD-WRT (1)

theshowmecanuck (703852) | about a year ago | (#43479729)

I wonder how DD-WRT stacks up.

Re:DD-WRT (1)

Anonymous Coward | about a year ago | (#43480127)

I wonder how DD-WRT stacks up.

It bothers me that the "Latest stable release" on DD-WRT's website still refers to a version (10020) which is vulnerable to a remote code execution discovered in 2009. You must be running a version marked as "development" to be secure from the bug, which is bad marketing.

Confirmed case here (5, Interesting)

xyourfacekillerx (939258) | about a year ago | (#43480057)

My parents' ISP issued router came down with a case of malware. The ISP kept putting them into walled-garden claiming botnet activity, and after months and months of this, I intervened. upon my investigation (which also took months) and thanks to their reluctant but cooperative security team, we determined it was not the only connected device that had the malware, but the router itself. And only because I "hacked" into it at some point and observed the malware in action, and reported my results back to the ISP. I thought my method (though it required some circumvention) was an intentional feature of the router. I didn't realize it was a vulnerability. Not at the time. I mean how do they remotely configure your router while on call or live chat with them? How can they expect me to think I can't do the same thing myself?

Re:Confirmed case here (-1)

Anonymous Coward | about a year ago | (#43481227)

My parents' ISP issued router came down with a case of malware. The ISP kept putting them into walled-garden claiming botnet activity, and after months and months of this, I intervened. upon my investigation (which also took months) and thanks to their reluctant but cooperative security team, we determined it was not the only connected device that had the malware, but the router itself. And only because I "hacked" into it at some point and observed the malware in action, and reported my results back to the ISP. I thought my method (though it required some circumvention) was an intentional feature of the router. I didn't realize it was a vulnerability. Not at the time. I mean how do they remotely configure your router while on call or live chat with them? How can they expect me to think I can't do the same thing myself?

Dude, you're so full of shit. Get the fuck out of here. Really?

Re:Confirmed case here (0)

Anonymous Coward | about a year ago | (#43481641)

Sounds interesting. What kind of router was that, and what was the Malware doing? How was it installed on the router?

Worked on my router (0)

Anonymous Coward | about a year ago | (#43480091)

I have a Netgear router, not the exact one mentioned, and not the same firmware.
Tried what they said, and it worked just like they said. I no longer need to use password to access my router.

So great, now tomorrow I get to reset to factory settings and set the whole thing up again for all the MAC addresses.

GC

SOHO newtorking device ADMINISTRATORS (-1)

Anonymous Coward | about a year ago | (#43480999)

It's nice to see Engrish is alive and well!
> SOHO newtorking device ADMINISTRATORS should take the following actions to help mitigate these issues.

the quote from the researcher (1)

nimbius (983462) | about a year ago | (#43481373)

Darren Kitchen: "There's not a consumer demand for security; it's not a feature that will sell it."

PfSense: "Speak of the devil and he shall appear."

Re:the quote from the researcher (2)

Wilf_Brim (919371) | about a year ago | (#43481605)

I disagree. There is a demand for security, at least among some a certain set of consumers. The current problem is that apparently none of the commercially available routers appear to be worth anything when it comes to security. Every time an article like this appears on /. I keep looking for some recommendations as to what to do. And I never find anything. The only recommendation I did find was from Mr. Kitchen, about using an old computer and smoothwall. Well, first, physically that wouldn't work (the cable modem, router, and switch all live up on a small shelf near the patch panel for my house. Yes, I paid $$ to get the place wired). Second, I really doubt my ability to keep a linux box up, operating, and fully patched. Keeping the router's firmware up to date is easy (it checks itself, and will pop up on the admin page when a new firmware is available: some will even flash themselves if you allow it): a unix OS isn't going to be that easy. I really don't understand why some manufacturer doesn't use this as a marketing opportunity. There is a niche here. I'd may more (maybe significantly more) for something that is secure, works well, and meets my needs.

I used Smoothwall from about 2002 to 2006... (0)

Anonymous Coward | about a year ago | (#43482499)

Back then the store bought routers were soooo delicate, they would go bad for reasons I was never able to figure out. So I took an old PC, put Smoothwall on it and used it till the PC finally died a few years later. I configured a few of them for friends as well. Don't know exactly why I started using store-bought routers, probably just because they were smaller than an old commodity PC. Looks like I oughta turn the clock back, huh?

Only idiot, moron, democrat, socialist, communist, (1)

JohnnyConservative (1611795) | about a year ago | (#43484951)

Only idiot, moron, democrat, socialist, communist, progressive folks use a hackable router or firewall! They really are just that dumb! Look at how they vote!
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...