Researchers running automated pentests on nine consumer routers discovered a bunch of bugs. Providers such as TP-Link and Linksys had the worst results.
Most of the bugs are now fixed by the manufacturers, but one would think that these companies could have tested their own equipment, rather than leaving it to a third party. It smacks of cheapness and laziness.
So, yes, check for fixes, even if your router is not one of those tested. In today’s SB Blogwatch, we don’t trust the auto-update feature.
Your humble blogger curated these pieces of blogs for your entertainment. Not to mention: Mariah Dalek.
Inexpensive Lazy Sellers
What is the craic? Bill Toulas reports— “Routers used by millions of people were vulnerable to 226 vulnerabilities”:
Security researchers analyzed nine popular WiFi routers … manufactured by Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology and Linksys. … Their results showed that many routers were still vulnerable to publicly disclosed vulnerabilities, even when using the latest firmware.
All affected manufacturers have responded to the researchers’ findings and released firmware fixes [for] most security holes … but not all. … The team found common issues that affected most of the models tested:
- Obsolete Linux kernel in firmware
- Obsolete multimedia and VPN functions
- Excessive dependence on older versions of BusyBox
- Using weak default passwords like “admin”
- Presence of hard-coded credentials as plain text
Horse’s mouth? Julia Alunovic— “Major security test uncovers vulnerabilities in all popular Wi-Fi routers”:
“Huge claims for damages”
Nine Wi-Fi routers from renowned manufacturers recently underwent extensive safety testing under laboratory conditions, with devastating results. … The first were [the] TP-Link Archer AX6000… with 32 vulnerabilities [and the] Synology RT-2600ac… with 30 vulnerabilities.
Germany’s new government announces that manufacturers will be required to take greater responsibility in the future. It states that “manufacturers are responsible for negligent damage caused by computer security breaches in their products.” This increases the pressure on the industry to permanently secure products in order to avoid huge claims for damages.
What can we do? Tobias Stadler is lost in translation— “Test deckt Sicherheitslücken bei mehreren Routern auf”:
If you want to protect yourself, there are a few things to pay attention to: Make sure you change the default passwords and enable automatic firmware updates. You should also choose the strongest encryption for your network and disable unnecessary router functions.
Don’t think you are safe if you are using a small business router. Here is Gareth Corfield— “Exploitable Netgear Router Defects”:
“Prohibit default administrator credentials”
Two arbitrary code execution vulnerabilities affecting a number of Netgear small business routers have been researched. [They] allow someone with remote access to the router to associate with the underlying operating system of the device.
With Britain taking action to ban default admin credentials, this type of problem is expected to decrease in the future. On the other hand, there are already millions of routers in use today that do not comply with these proposed new regulations.
Some interesting information about the regulations in other countries. aRTeeNLCH shrugged:
“Data is published”
I don’t know if more regulation will translate into a better state of affairs, but it’s easy to imagine how it could.
For example… prohibit the sale of any product with Internet capability without the source and method for creating and downloading the code to the device, stored securely in the hands of [a regulatory agency]. Then, when the devices are not maintained for a period X after a security bug is discovered, or a period Y in general, the information is made public.
Critical security bugs known in Android, no update within a month? Bootloader unlock becomes public, with custom ROM build information.
Known minor security bug in a router, no update within 6 months? The data is made public. The company goes bankrupt? The data is published. Etc.
And California banned default credentials last year. Murmaud suggests how it should be done instead:
“Fix this default password problem”
Sending routers with default login credentials is a security concern; they should send routers with a different random password on each one and a sticker at the bottom with the password. This would immediately fix this default password issue.
Good idea. Henri wertz 1 has another:
DD-WRT (after a certain version) used user: administrator… the password: administrator, but requires you to set the password the first time in the web interface. … This is not a step that people are going to skip unless they really want a network named jj-wrt without encryption.
Except getting people to do anything can be problematic. Here is Lakados:
“Users do not take additional action”
Most exploits rely on remote access, UPnP, WPS, or UART. So if you have misconfigured the devices, they can be accessed through wifi or physical connections. Most of the problems encountered can be mitigated by following current best practices for configuration.
The problem is their [setup] assistants do not follow them, and most users do nothing beyond the specific tasks presented to them in assistants, leaving them all in vulnerable states. Firmware updates will certainly fix major issues, but if users don’t take additional steps to secure their configurations, the bulk of them will stay.
Can you spot the intersection with the right-to-repair debate? Deanonymized Coward can:
“We will find out”
I maintain a lot of electronic devices and often come across older devices that cannot be repaired effectively due to a burnt out $3 microcontroller. Rather, I think that part of the right to repair … should also require that when they stop making parts available, they should release any firmware in those parts (even if it is a blob binary) so that a repair technician can obtain the part, program it, and install it.
I called the manufacturers to ask, and the usual first line of defense is “you need special gear!” Truly? There is an ICSP header right there. Give me the code, I’ll figure out how to put it in there. Then they switch to “we don’t have it anymore,” which is pretty funny in an environment where everyone stores logs of every mouse move made by every visitor to their site over the past 10 years. Then they move on to the secret sauce argument.
If your secret sauce is so precious to you, keep selling the repair part (with all of its code protection turned on) forever. If it’s not that valuable, you don’t need to provide the part at all – just post the code somewhere on your site and we’ll figure it out.
Meanwhile, fredred is ready to give up:
OMG it never stops. I think I’ll buy two cans and a length of string. Anyone want to join my new internet?
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best blogs, the best forums, and the weirdest websites… so you don’t have to. Hate mail can be addressed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.