Researchers running automated pentests against nine consumer routers discovered a bucketful of bugs. Vendors such as TP-Link and Linksys came off worst.
Most bugs are now patched by the manufacturers, but you’d think those firms could have tested their own gear—rather than leaving it to a third party. It smacks of cheapness and laziness.
So, yes, check for patches—even if your router isn’t one of the ones tested. In today’s SB Blogwatch, we don’t trust the auto-update feature.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Mariah Dalek.
Cheap, Lazy Vendors
What’s the craic? Bill Toulas reports—“Routers used by millions were vulnerable to 226 flaws”:
“Firmware patches” Security researchers analyzed nine popular WiFi routers?…?made by Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology, and Linksys. … Their findings showed that many of the routers were still vulnerable to publicly disclosed vulnerabilities, even when using the latest firmware. … All of the affected manufacturers responded to the researchers’ findings and released firmware patches [for] most of the security flaws?…?but not all of them. … The team found some common problems that affected most of the tested models:
Outdated Linux kernel in the firmware
Outdated multimedia and VPN functions
Over-reliance on older versions of BusyBox
Use of weak default passwords like “admin”
Presence of hardcoded credentials in plain text form
Horse’s mouth? Julia Alunovic—“Major security test uncovers vulnerabilities in all common Wi-Fi routers”:
“Immense claims for damages” Nine Wi-Fi routers from well-known manufacturers recently underwent a thorough security test under laboratory conditions—with devastating results. … The front-runners were [the] TP-Link Archer AX6000?…?with 32 vulnerabilities [and the] Synology RT-2600ac?…?with 30 vulnerabilities. … The new German government announces that manufacturers will be required to take greater accountability in the future. It states that “manufacturers are liable for damage negligently caused by IT security vulnerabilities in their products.” This increases the pressure on the industry to continuously secure products in order to avoid immense claims for damages.
What can we do? Tobias Stadler is lost in translation—“Test deckt Sicherheitslücken bei mehreren Routern auf”:
If you want to protect yourself, you should pay attention to a few points: Be sure to change the default passwords and activate automatic firmware updates. You should also choose the strongest encryption for your network and deactivate unnecessary router functions.
Don’t think you’re safe if you use a small-business router. Here’s Gareth Corfield—“Netgear router flaws exploitable”:
“Ban default admin credentials” Two arbitrary code execution vulnerabilities affecting a number of Netgear routers aimed at small businesses have been patched following research. [They] allow someone with remote access to the router to pwn the device’s underlying OS. … With Britain making moves to ban default admin credentials this kind of problem should decrease in future. On the flip side, there are already millions of routers in use today which don’t comply with these proposed new regulations.
Interesting couple of tidbits there about regulation in other countries. aRTeeNLCH shrugged:
“Data gets published” I don’t know if more regulation will result in a better state of affairs, but it’s easy to imagine how it could. For instance?…?disallow sales of any product with internet capability without the source and method to build and upload the code to the device being safely stored in the hands of [a regulatory agency]. Then when devices aren’t tended to for an X period of time after a security bug becoming known, or a Y period in general, the information is made public. … Known critical security bugs in Android, no update within 1 month? Bootloader unlock becomes public, alongside custom ROM building info. … Known minor security bug in a router, no update within 6 months? Data gets made public. Company goes bankrupt? Data gets published. Etcetera.
And California banned default credentials last year. Murmaider suggests how it should be done instead:
“Solve this default password issue” Sending out routers with default login details is a security issue, they should be pushing out routers with a different random password on each of them—and a sticker on the bottom of it with the password. That would immediately solve this default password issue.
Great idea. Henry Wertz 1 has another one:
DD-WRT (after some version) used user: admin?…?password: admin, but requires you to set the password first time into the web interface. … It’s not a step people are going to skip unless they really want a network named dd-wrt with no encryption.
Except getting people to do anything can be problematic. Here’s Lakados”:
“Users don't take additional steps” Most of the exploits rely on Remote Access, UPnP, WPS, or UART. So if you have poorly configured the devices then they can be accessed via wifi or physical connections. Most of the issues found can be mitigated by following current best practices for configuration.
Problem is their [setup] wizards don’t follow those and most users don’t do anything beyond those specific tasks presented to them in the wizards, which then leave them all in vulnerable states. The firmware updates will fix the major issues for sure, but if the users don’t take additional steps to secure their configurations then the bulk of them remain.
Can you spot the intersection with the Right To Repair debate? DeanonymizedCoward can:
“We'll figure it out” I service a lot of electronics, and often run into older devices that can’t be effectively repaired due to a blown $3 microcontroller. I rather think that part of the right-to-repair stuff?…?should also require that the moment they stop making parts available they have to release any firmware contained in those parts (even if it’s as a binary blob) so a repair tech can source the part, program it and install it.
I’ve called manufacturers to ask for it, and the usual first line of defence is “you need special equipment!” Really? There’s an ICSP header right there. Gimme the code, I’ll figure out how to get it in there. Then they move on to “we don’t have it anymore,” which is sort of funny in an environment in which everyone stores logs of every mouse movement made by every visitor to their site for the past 10 years. Then they move to the secret sauce argument.
If your secret sauce is so valuable to you, keep selling the repair part (with all its code-protection turned on) forever. If it’s not that valuable, you don’t have to supply the part at all — just post the code somewhere on your site and we’ll figure it out.
Meanwhile, fredrated is ready to give up:
OMG it never stops. I think I’m going to buy two cans and a length of string. Anybody want to join my new internet?
Spoilers for the 1/1/2022 special episode
Previously in And Finally
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.