Extraneous Network Services Leave Home Routers Unsecure 63
An anonymous reader writes "Today's home routers include a multitude of extra functionality, such as the ability to act as a file and print server. An article from CNET shows how an attacker can use vulnerabilities in these services, such as buffer overflows, directory traversal, race conditions, command injections, and bad permissions to take over the router from the local network without knowing the administrative password. Some of the worst vulnerabilities were in undocumented, proprietary services that users cannot disable and allowed an attacker to achieve a root shell. The researchers who discovered the vulnerabilities will be demonstrating them at the Wall of Sheep and Wireless Village at DEF CON."
A little late... (Score:1)
Didn't DEFCON end yesterday?
Re: (Score:1)
No, it ends tomorrow.
Re: (Score:1)
Except this story was supposed to be posted on Monday.
slownewsday (Score:5, Interesting)
Re:slownewsday (Score:5, Insightful)
I suppose there must've been some new attacks demonstrated. If it was against OpenWRT and its siblings, then probably I'd like to hear about it. All the other proprietary firmwares are assumed to be vulnerable by everybody who cares. Heck, there are still millions of devices running UPnP on the WAN port out there and "nobody" cares.
Re: (Score:2)
Videotape?!? That would not even work for 100 baud modems. An NTSC videotape will give you 60 fields per second; a PAL videotape will give you 50 fps.
Re: (Score:2)
Simpler than that... (Score:5, Interesting)
LOADS of routers are pwned far more easily than that, from simple SQL injection (either via query string or crafting get/post requests), or there's sometimes bootloaders that give *full* access to the filesystem via TFTP (you can download all init scripts for example), you can sometimes find undocumented manufacturer backdoor passwords which are hard coded, and there's lots of misconfigured routers and you can often rely on trivial stuff like default passwords and what not. Even in 2013 there's lots of routers and similar equipment that are sold or configured in a state that isn't far from swiss cheese...
It's rather easy to poke at the firmware and finding holes using binwalk and IDA Pro if you have basic RE knowledge.
Re: (Score:1)
How many home-routers use SQL for their configuration?
Re: (Score:2)
Cheaping out on the firmware is a ridiculous thing to do... They would be better off not bothering with firmware at all, merely ensuring the hardware is compatible with dd-wrt or openwrt and shipping that.
Re: (Score:1)
...often rely on trivial stuff like default passwords and what not. Even in 2013 there's lots of routers and similar equipment that are sold or configured in a state that isn't far from swiss cheese.....
Yeah, but what are the chances that someone named their kid "admin" and that kid would then go and accidentally try to login on your router using its name also as password ?!
Requires physical access (Score:4, Informative)
Attacker has to have access from the LAN side, and must install USB memory first.
including wifi, so don't plug in USB (Score:3)
The take-home message, then, is don't plug USB storage into your router, and do use WPA2, not earlier WiFi security protocols.
Re: (Score:2)
And some people plug their phones into the router because its a convenient always-on usb port for charging...
The Jokes On Them! (Score:2)
The jokes on them because I use my neighbor's unsecured WiFi. I even use his pool when their not home. I'm a great neighbor.
Re: (Score:2)
Take my wif(i), please.
To be clear (Score:5, Interesting)
I looked at some of the source code, and the bash commands they execute, and it looks like you have to be on the local (class C) lan in order to attack at least the Linksys beast (the 192.168.blah.blah sure looks like you can't get there from the WAN side), and if you have the services turned off, then you might be less vulnerable, and if you use hard, non-trivial, non-default passwords, that makes it harder too. I suppose it also helps if you have a router acting as a DNS server, after your WAN facing gateway, and the local DNS box not acting as the main switch (so to sum up, Gateway-DNS-Switch), with everything after the gateway as a Class C lan.
Re: (Score:2)
I looked at some of the source code, and the bash commands they execute, and it looks like you have to be on the local (class C) lan in order to attack at least the Linksys beast (the 192.168.blah.blah sure looks like you can't get there from the WAN side), ...
The javascript running in your browser has access from the LAN side. I have personally compromised my own home router by running Javascript on my public website as a proof of concept.
and that's why (Score:5, Insightful)
routers should route and probably run access control lists and other firewall stuff like expose some ports in your dmz.
servers should serve.
Servers route poorly, routers serve poorly.
Re: (Score:2)
That's not a function of the router, it's a function of the firewall.
We wish. In reality, almost no home routers have a firewall. An unfortunate side effect of NAT is that it looks like a firewall that allows outbound traffic. That's the scary thing about IpV6. Most vendors just don't care.
Plus, if the router doesn't work out of the box then plenty of users will just return it to the store. A firewall by its very nature is designed to prevent certain things from working. On a personal note, I can't wait to not have to worry about NAT traversal for VoIP.
Another trend to
Re: (Score:2)
We wish. In reality, almost no home routers have a firewall. An unfortunate side effect of NAT is that it looks like a firewall that allows outbound traffic. That's the scary thing about IpV6. Most vendors just don't care.
How is that a scary thing about IPv6? IPv6 so far does not support NAT. Regardless, as posters below stated, NAT is not a firewall, and an IPv6 that includes a firewall automatically takes care of this
TFA - the vulnerabilities that they exposed - did they expose that in both IPv4 AND IPv6? I understand that in addition to the addressing, a lot of other things have changed in IPv6, which would seem to avoid some of the problems, such as buffer overflows. I'd be interested to know whether the same vuln
because NAT acts like a firewall, as a side effect (Score:3)
Re: (Score:3)
You can have NAT with IPv6 - I believe there's even an RFC for it, and an implementation on FreeBSD. Linux did get patches that were rejected. Hell, there's e
Re: (Score:2)
Firewalls have nothing to do w/ end to end connectivity. End to end connectivity simply means that the source or destination addresses are not tampered with while the packets are en route - something that's violated in NAT. A packet can go from a source to a destination, and get dropped by the firewall if it violates certain rules, but that doesn't mean that end to end connectivity is not there.
NAT-PT is not about IPv4-IPv6 connectivity - it's just about bringing certain features, such as load balancing
Re: (Score:2)
It's worrisome because although NAT is not designed to take the place of a firewall, in fact it often does. For home or SOHO users, it's actually reasonably good as a firewall. They "should" have better, you might argue, but in fact they don't, most often. IPv6 removes the need for NAT, possibly leaving many SOHO users with no firewall-like protection.
That is tangential to the question of whether IPv6 comes with or without a firewall. Any router that's worth anything comes with a firewall. Regardless of whether it has NAT or not. !NAT != !Stateful_firewall.
On the question of this story, I do agree with bobstreo - routers should route and servers should serve i.e. routers shouldn't have things like FTP, SCP, SSH, SMTP, IMAP/POP or any other servers on it. It should have 2 and only two functions - routing traffic from one network to another, and prov
Re: (Score:2)
It's not because one uses iptables instead of route to do NAT on linux that commercial routers don't do NAT.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml [cisco.com]
Re: (Score:2, Insightful)
NAT does not equal security. NAT is not a function of the firewall either. NAT is a function of IPv4, because we would have run out of addresses long ago. A firewall whether stateful or not tracks connections and will deny erroneous ones. A firewall will inspect the packet to make sure it meets the necessary criteria. NAT does not. Please don't conflate the two.
Re: (Score:2)
NAT does not equal security.
NAT really shouldn't be used for security, but in actually, it does make networks more secure than without it, so to say it's not security is wrong. It's not great security.
NAT is not a function of the firewall either.
This is debatable, but more than likely most would view NAT being a part of the firewall. Firewalls do inspect packets and either forward them on or drop them depending on the rules set up. Doing NAT involves that same thing, but while inspecting outgoing packets you need to change the source ip and port, and then add a rule to incomi
Re: (Score:2)
NAT is not a part of any protocol - in fact, the IETF routinely designs protocols that break NAT pretty willfully. Simple reason - NAT is just a patch to delay the address exhaustion of IPv4. Fix that issue, and NAT's not needed. Just add firewalls to IPv6 routers, and the same purpose will be served.
Without breaking end-to-end connections between sources and destinations of internet traffic.
Re: (Score:2)
How to secure home routers (Score:2)
I just recently installed a wlan router at a friends place. The goal was to make it rock solid and secure.
Here is what I did:
- Changed default username and set very strong password
- Changed web admin interface to non default high port, allow only https
- Only allow access to the admin interface from a specific ip/mac address
- Disable telnet and ssh acces
- Disable print server and usb samba share
- Disable upnp and all vpn/ipsec passthrough
- Enable statefull firewall, connections must originate from inside lan
Re: (Score:2)
Problem is that some cheap routers keep the functionality alive even when you disable it!
Some are notorious for being hackable with WPS even when the functionality is disabled:
https://docs.google.com/spreadsheet/lv?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c [google.com]
Re: (Score:2)
I don't really think there's a need to disable all that either. Personally for my home connection the only real security I need is to block all remote connections and prevent any administrative access from wifi. If i could set my router to not even require a password for LAN connections I would I need no such security to my computer hardwired to my network inside my locked home.
I'm sure If I ran it on some larger network security is important, but the article does say HOME routers.
Re: (Score:2)
I'm not a 'sec guy' but for home routers:
- upgrade your router firmware, often
- disable services you don't need
- use strong passwords
- disable remote admin access
- read articles like this one and understand where you're vulnerable despite all of the above. Research on the extent and severity of the risks and make an informed decision on whether you should purchase a separate dedicated firewall device (or two), on whether you should use another firmware or device because your existing router is just too risk
Who cares? They are local "attacks" (Score:2)
As long as it's only "vulnerable" to "attacks" from the local network, who really cares about vulnerabilities? It's a home router; I'm surprised home routers even have the ability to enforce things like directory permissions at all. I hardly need to "protect" my files from my wife; if she wants to read my stuff, she has much easier ways than launching a buffer overflow attack on my router.
If you want real security, buy something designed to care.
Re: (Score:2)
XSRF attacks - i.e. redirecting your browser to issue requests to your internal router...
Insecure wifi.
Guests.
Already infected mobile devices.
Small hotels/cafes which provide wifi access using a small router like those described.
Plenty of scope for malicious devices to get into your home network and be used to attack the router.
Signed updates... (Score:2)
One of the recommendations is that manufacturers use signed updates... This won't help with issues like those disclosed, and may even make it worse...
The primary reason for including signed updates is to prevent third party firmware from being used, it does nothing to stop the official firmware from having security holes, and it's very unlikely that a hacker is going to completely reflash the device to run a custom firmware rather than backdooring the existing firmware. On the other hand, manufacturers gene
Fuck WIFI (Score:2)
Look if you don't have to have WIFI at home then don't.
You can buy a USB to rj45 adapter for any device. Buy an 8 or 12 port switch, locate it centrally, run short cords from there to multiple jacks in rooms and from there have short cords available for plugin. Done. Use different color cords for devices in close proximity just to make it easy to trouble shoot.
Its clean, it's convenient you can scale it up as you need and you don't have to worry about all the bad programming bugs that WIFI routers are sp
Re: (Score:2)
What about my iPad? Am I to buy $60 in hardware and hope the camera kit will talk to an Apple ethernet-to-USB adapter (if you can still find that discontinued adapter)? Wh
pfsense (Score:2)
Pfsense [pfsense.org] and a computer with two network cards is all you need. Pick up a used cisco access point and add a 3rd nic for wireless.
Rock soild, Guaranteed no back doors. Installs in less than 15 minutes from cd. Dependability based BSD and the parts you put in it. Get a cheap core2duo era xeon 1u server for 100 bucks, and make it look even slicker
Re: (Score:1)
Or, better, a m1n1wall for $200-something. Set it up. Connect your router.