
Over 100 Wi-Fi Routers Fail Major Security Test -- Protect Yourself Now (tomsguide.com) 102

schwit1 shares a report from Tom's Guide: Using its own analytical software, the [Fraunhofer Institute] tested the most recently available firmware for 117 home Wi-Fi models currently sold in Europe, including routers from ASUS, D-Link, Linksys, Netgear, TP-Link, Zyxel and the small German brand AVM. The models themselves were not physically tested. A full list of the tested models and firmware is on GitHub. The institute was not able to examine the firmware of 10 more models, mostly from Linksys. The report notes (PDF) that many firmware updates are issued without fixing known flaws.

So what can you do? You can make sure that the next router you buy automatically installs firmware updates. You can check to see whether your current router does so, or makes it fairly easy to install firmware updates manually. You should also make sure that the administrative password for your router has been changed from the factory default password. (Check the list of default passwords at https://www.routerpasswords.com.) You should also check its administrative interface to make sure that UPnP and remote access are disabled. And if your router was first released more than 5 years ago, consider buying a newer model unless it meets all of the above criteria. Alternatively, you could try to "flash" your older router to run more secure open-source router firmware such as OpenWrt, DD-WRT or Tomato.
"The worst case regarding high severity CVEs [widely known flaws] is the Linksys WRT54GL powered by the oldest kernel found in our study," the report said, noting that this model uses the 2.4.20 kernel from 2002. "There are 579 high severity CVEs affecting this product."

"That particular model last had its firmware updated in January 2016, one of the oldest firmwares in the study," adds Tom's Guide. "The Linksys WRT54GL was first released in 2005 and is still sold today, even though it handles Wi-Fi protocols only up to 802.11g. However, the WRT54G series is possibly the best-selling family of Wi-Fi routers ever..."

  • Well, (Score:5, Funny)

    by NoNonAlphaCharsHere ( 2201864 ) on Wednesday July 08, 2020 @07:52PM (#60277456)
    My router's security might be a bit shaky, but I know that all my IoT stuff is ROCK SOLID!!
    • Basic rule is... (Score:5, Insightful)

      by bagofbeans ( 567926 ) on Wednesday July 08, 2020 @08:06PM (#60277500)

      ...before buying, check that you can flash OpenWrt, DD-WRT or Tomato on it. Then contribute a little $ to whichever. And beware, because there are multiple hardware iterations of common models, and not all versions are WRT-able.

      Consider buying a second identical router after happily setting up the first, flash that also while you have the images, and you have a cold spare ready to slap in. Configurations can be saved and loaded...

      • Got one, is going bad, so I got a new router. Put OpenWRT on it, which was the only thing supporting it (stupid stupid vendors changing hardware completely on the inside but you only find out when I open the box and see "v3" on it). But weird bug.

        It is trying to erase a block, it won't, so it wants to mark the block bad. But that also fails. Then it continues and it's all fine until the next reboot when it panics. Turns out the block that is bad is also the same block where it stores the bad blocks (ie, the

        • by mr.morbo ( 6346556 ) on Wednesday July 08, 2020 @10:22PM (#60277830)

          Or you could buy an APU with WiFi and proper SSD for a couple of hundred bucks and run pfSense(1) on it, knowing it'll be good and supported for a good long while.

          You won't need to worry about shoehorning one of those small router builds into arbitrary and very limited hardware and you won't need to worry that the single maintainer of the build for your device might not keep up with updates or just bail out.

          (1) or any of the other full size router distros out there that work well on white box PC hardware, but I like pfSense.

          • Personally, I would have a tough time going back to an integrated router/wifi system. It is just such a sad compromise. I went Ubiquiti and have a $50 router and a few access points scattered around the home hard-wired back to some switches.

          • by psb777 ( 224219 )

            I bought a cheap SSD headless PC with 4 network interfaces and run plain old Devuan (Debian without systemd) on it. I tried all the packaged router software such as pfSense but it's actually easier and less learning to do just to use the already built-in iptables etc etc software. Rock solid and safe.

    • Draytek... Draytek... Draytek... nope, not present in that list of vulnerable devices. Which goes to show that buying from the cheapest vendor isn't always the best strategy.
      • Re:Well, (Score:4, Informative)

        by Opportunist ( 166417 ) on Thursday July 09, 2020 @03:03AM (#60278172)

        Or, more likely, it's such an obscure brand that they didn't bother to test it.

        • I'd considered that, but they're reasonably popular in Europe where the survey was done. Another thing is that Draytek gear is pretty well-engineered, and they support their stuff with new updates more or less forever, so the problem of unpatched vulns and long-obsolete software, which is what this mostly seems to be about, isn't really present there. Sure, they get issues from time to time, but it's mostly from things like users making the web admin interface available on the public internet...
        • It's entirely possible they couldn't get it in Germany

          AVM (Fritzbox) are big in Germany and popular with a lot of people who like the integrated PABX/DECT/fax functionality

  • For some firmwares, they followed the backport approach to kernels, only applying necessary fixes rather than blindly upgrading to the latest and greatest, so just because it reports as 2.4.20 doesn't mean it doesn't have later fixes.

    Also, 579 CVEs? I sure don't remember there being 579 remotely-exploitable kernel flaws. How many of those CVEs actually apply to a kernel used in a router context, vs. how many are something like "inserting a USB drive with a malformed filesystem can break the kernel"? The WRT

    • by rtb61 ( 674572 )

      It's called profit, spend $50 and that's a cost that reduces profit. They do the least they can get away with and charge the most they can, it's called profit. Why do they not repair years old faults because it costs money to do so and the customers will buy it unrepaired, so fuck the repair. What is profit evil (yes it is apparently).

      • Sounds to me like there's some easy profit to be made by selling a secure router and linking to that article in your ads.
        • I'm with a major hotel chain, we buy routers 5k-10k at a time directly from Chinese manufacturer at a substantial discount (what u pay $200, we pay $40). We did a major refit of the chain and literally ordered 500k, buyer got deal at double cost of manufacturer cost, we paid $20 per router..same router goes for $200+ at Amazon.. so there is major profit to be made with just what they are doing, without going extra!
          • You only need to buy 100 or so to see 75-80% discount

            At some point the concept of vendor liabilities will start cropping up and I can't see them trying to push that back on FSF

    • For some firmwares, they followed the backport approach to kernels, only applying necessary fixes rather than blindly upgrading to the latest and greatest, so just because it reports as 2.4.20 doesn't mean it doesn't have later fixes.

      Do you know of anyone that maintains that old kernel? I can't find any online traces but perhaps I'm not looking hard enough.

    • by Excelcia ( 906188 ) <slashdot@excelcia.ca> on Wednesday July 08, 2020 @10:45PM (#60277870) Homepage Journal

      The industry is trying really hard to get everyone to accept automatic updates. This is a terrible recommendation! Allowing anyone to remotely execute arbitrary code on your router is the worst possible advice. I don't care who it is, even the manufacturer. It's dangerous. I don't allow it on my Windows machines, and I certainly don't allow it on my routers.

      Many manufacturers see "router software as a service" as the next big thing and are pushing really hard for people to let them change what's on your router. Netgear, for example, is actively pushing out updates that are erasing features and then adding them back in only if you pay. This is the real reason they want unfettered access to your router and this is the reason you are seeing this "study". Do the smart thing, vet the updates that go into your router just as you would (I hope) vet the drugs that a doctor prescribes you.

      • Even if it was "only the manufacturer", it's an exploit away from changing that to "any attacker".

        And it hardly never happened either. Set yourself an alarm and check whether there's an update for your router once a month. It's not like it's a project that takes a day of your time, mowing your lawn occupies more time than that.

      • by cmseagle ( 1195671 ) on Thursday July 09, 2020 @06:35AM (#60278422)

        Automatic updating is the lesser of two evils for the vast majority of consumers. The average user simply will not go to the manufacturer's website, download the update, verify the signature, go to their router's web interface, and do the install.

        The only way I could see an average consumer doing a firmware update regularly is if it was as simple as "press this button to update your firmware." At that point, why not just have the router do the update automatically? Maybe the Slashdot crowd will turn off the automatic updates in favor of the slightly more secure manual update process, but my grandma sure won't, and she'll be better off for it.

        • The average user simply will not go to the manufacturer's website, download the update, verify the signature, go to their router's web interface, and do the install.

          Maybe the manufacturer should make the installation process easier. On the Nighthawks that I manage, all of them can be updated with a single click in the web UI. It's easy enough to remember to log in every few weeks and check for an update. I can then determine when I'm willing to take the downtime, manually apply the update, and verify th

          • That's what I suggested.

            The only way I could see an average consumer doing a firmware update regularly is if it was as simple as "press this button to update your firmware."

            Which raises the question:

            At that point, why not just have the router do the update automatically?

            It's the worst of both worlds for the average consumer. Most people still won't do it, and if they do they're exposed to the same vulnerabilities as if the router was automatically reaching out for those updates on a schedule.

            You raise a fair point about the benefits of having direct control over when the outage occurs. But, if you're someone worried about "downtime" and "user productivity" are you even using a consumer-grade router?

            • I agree with pretty much everything in your response. Regarding the worry about downtime, consumer-grade routers are often used for small-office, home-office (SOHO) settings since there aren't too many routers dedicated for that purpose (your options are usually consumer or high-end enterprise gear). While I wouldn't think that SOHO is a common use case for this gear, I also wouldn't think that home users are a super common case either since almost all internet modems already provide wifi. Either way, it
      • "Netgear, for example, is actively pushing out updates that are erasing features and then adding them back in only if you pay. "

        Pulling this in Europe will result in $LARGE fines

    • I agree this is all bs... unless you have a remote exploit from the WAN side no one cares.
  • by Presence Eternal ( 56763 ) on Wednesday July 08, 2020 @08:02PM (#60277494)

    The WRT54G was widely considered the best consumer router in the world...for installing custom firmware which wouldn't be influenced by this problem. I think the crowd that actually used them has entirely moved on to ASUS and homebrews and goddamn Ubiquiti's goddamn overhyped crap.

    • by oddtodd ( 125924 )

      That's why I bought one, and how I learned of Tomato and dd-wrt when I looked for what to flash it with.
      I run dd-wrt on a NetGear wndr3800 now, but I've got a couple WRT54s in a box in case of emergency ; )

    • Re:Strange example (Score:4, Interesting)

      by anegg ( 1390659 ) on Wednesday July 08, 2020 @09:02PM (#60277654)

      "I think the crowd that actually used them has entirely moved on to ASUS and homebrews and goddamn Ubiquiti's goddamn overhyped crap."

      I'm curious; I replaced my commodity class home routers and Wireless Access Points with Ubiquiti gear (EdgeRouterLite and UniFi AC WAP) at least 6 years ago, and I've been very happy with them ever since. I've found them to be more accessible/controllable than the standard NetGear/Linksys/whatever stuff, at not much more expense, and they have been extremely reliable. I guess I didn't pay attention to any hype, but I'm curious as to the source of your frustration with equipment from this vendor - care to share?

      • Re: Strange example (Score:3, Informative)

        by mr.morbo ( 6346556 )

        I'm also curious why someone would dump Ubiquiti for Asus.

        I run UBNT at home and it's rock solid with great performance. The devices are still receiving regular firmware updates after 5 years and the controller software is gold. Also, UBNT stuff is visibly unobtrusive.

        Asus stuff might get an update or 2 over its 2 year expected life then you're expected to buy a new one if you care about pesky things like security. It also seems like they hired the worst designer they could find and gave the mandate "as ga

        • I agree - I use Ubiquiti around the house too. The old Asus it replaces is out in the shed for a bit of garden wifi. The biggest annoyance with that setup is that if I do a firmware update, I have to physically go and reset the Asus afterwards. The Ubiquiti just reboots itself and works fine (and actually seems to do all of that pretty quickly).

          So in terms of "barriers to adoption", the Asus has a big one - you do the update, it takes down service until you physically switch it off and on again. It leads to

      • This deserves a good reply, and I'm sorry that I can't manage one. Remembering my experiences after being oversold on how much better pfsense+ubiquiti are gets me too cheesed off to say anything productive. I'll start summarizing my complaints, trying to be constructive, but what comes out of my keyboard is that SQUID IS NOT USEFUL IN THE HTTPS ERA YOU JERKS.

        See, look at that. It is rude and it doesn't even have anything to do with ubiquiti. But it just comes out.

        • by anegg ( 1390659 )

          "This deserves a good reply, and I'm sorry that I can't manage one. Remembering my experiences after being oversold on how much better pfsense+ubiquiti are gets me too cheesed off to say anything productive. I'll start summarizing my complaints, trying to be constructive, but what comes out of my keyboard is that SQUID IS NOT USEFUL IN THE HTTPS ERA YOU JERKS."

          Well said, and I've had similar experiences myself. But I have enjoyed working with Ubiquiti. Despite 25 years experience working comfortably with

      • Me too... I have an ER-X, a couple of mesh access points, an in-wall unit, a couple switches, and an outdoor unit that isn’t being used right now. This gives me a pretty painless IKEv2 VPN, great wireless control, and pretty good firmware updates. Don’t get me wrong; there are issues with them, but I am much happier with them than the Asus equipment that they replaced.

        Even have a few similar systems in the office. Kind of nice when you can buy everything and still have enough money for backup

        • I have an ERL-3 and the wireguard module. It was the easiest VPN setup that I've ever done.

          • Is wireguard officially supported yet on Edgemax? I look forward to using it, but IKEv2 (unsupported, but easy enough) is working quite well for me.

            • It is not officially supported, and probably will never be officially supported with the current hardware.

              I can, however, say that it works quite well.

      • I replaced my Buffalo APs running OpenWRT with Unifi APs (green ring), which were subsequently upgraded to Unifi AC Pro units as my ISP increased their speeds and the 100mbit port on them became the bottleneck.

        With the Buffalo APs and OpenWRT, I would have to power cycle them once every 30 days or so -- a reboot was not good enough. I greatly appreciate the work that nbd did with the ath9k driver in Linux / OpenWRT, but it is still not as stable as Unifi. I now reboot my APs once a year, and that is only

      • My experience with Ubiquiti was not as puppies-and-unicorns as yours. I had to set it up for a new office location and it was far from easy. First, I had to download a smartphone app onto my personal phone just to be able to set up the damned thing. Next, the app refused to connect to the device despite the fact that it was inches away from the access point. My colleague tried his phone as well and still absolutely nothing. I couldn't use a hard-wired connection to my laptop since the access point does
        • by anegg ( 1390659 )

          "My experience with Ubiquiti was not as puppies-and-unicorns as yours."

          Ubiquiti has not been all puppies and unicorns. I have found them to be high-performing, highly configurable, well maintained, and highly reliable. However, they are tilted towards larger deployments that desire rich feature sets but require one to put up with (at least in earlier versions of the software) certain UI issues and the overhead of a management application (for the WAPs).

          Since I've dealt with UI and initial configuration is

          • They seem like they could be fairly decent if you require a mesh network or special networking conditions such as your coast-to-coast system. For the needs of most households, it seems like they would be much better served by a decent, dedicated router (with a web-based UI) assuming that a single router can cover the entire living space. But to each their own...
      • A handful of years ago I bought a Ubiquiti UAP based on hype from a certain someone. It was flaky, firmware updates were only ever infrequent betas hidden in discussion forums, and the management software was rather awkward. When it became too flaky to tolerate and I RMAd it, it took several months to get a replacement *BECAUSE THE MANUFACTURER DIDN'T HAVE ANY*.

        Never again.

    • I went on to a WRT1200. That's got enough RAM to do its job, a USB port so it can run Transmission and put the downloads somewhere while my PC is off, and is fast enough for practical purposes. I use a wire when I need fast transfers... and I run openwrt.

    • Re:Strange example (Score:5, Interesting)

      by Voyager529 ( 1363959 ) <`moc.oohay' `ta' `925regayov'> on Wednesday July 08, 2020 @10:01PM (#60277796)

      The WRT54G was widely considered the best consumer router in the world...for installing custom firmware which wouldn't be influenced by this problem. I think the crowd that actually used them has entirely moved on to ASUS and homebrews and goddamn Ubiquiti's goddamn overhyped crap.

      Sadly, things haven't gotten better in the custom scene. On the bright side, in many regions of the US, it's easy to get residential internet fast enough that 100Mbit/sec is the bottleneck. However, aftermarket routers are starting to get locked down at a problematic level.

      My last modded router was a Linksys EA6900. Solid piece of kit, runs TomatoUSB like a champ...but Linksys started requiring signed firmware blobs midway through its life cycle, and downgrading was a pain. I got lucky.

      When I went shopping after that, the only router I could find that allowed aftermarket firmware was the Linksys WRT3200AC; a $300 piece of kit that only seemed to have a build of DD-WRT for it. I couldn't find a single router on the shelf that was supported by TomatoUSB or OpenWRT. Most routers required signed firmware blobs, the ones that didn't had Broadcom chipsets with closed source drivers that meant Wi-Fi didn't work at all, or if it did, it was only at 802.11n speeds or something equally pointless.

      Enter the Ubiquiti Edgerouter Lite. $150, and does everything I need, nothing I don't (Appy-app requiring router configs and or "create an account" requirements, I'm looking at you...). It's fast, it's tiny, I can run nginx as a reverse proxy if I want (I've since made that a Docker container), I can add as many VLANs as I want, with as many firewall rules as I want, it runs OpenVPN (shameless plug for the configurator [github.com] I worked with a developer to make for that purpose), DPI if I care, and they release plenty of firmware upgrades for it. Oh...and there's an OpenWRT release for it, too.

      I submit that Ubiquiti isn't overhyped, it's disruptive. It wasn't long ago that the feature set in a $130 Edgerouter Lite required a $1,000 Fortigate or Sonicwall appliance. Both companies have released budget models to compete. Their Unifi line is incredibly flexible. Want to use it with a cloud hosted account? you can! Want to roll your own on-prem appliance? do it! Want to run your own instance in AWS? Knock yourself out! ...and they don't require subscription fees like Meraki to keep working.

      Ubiquiti does have its issues; notably their support isn't as good as other business-grade vendors (though I'd still put them ahead of Netgear's consumer division). However, I'm hard pressed to point to a router whose initial revision was released in 2013 that still gets regular firmware updates, has an unlocked bootloader, can be as simple or complex in its firewall and routing tables as the user desires, and does so for under $150. If you've got an option for a piece of hardware that fits the same bill, I'm interested...but Ubiquiti isn't just popular because of a set of fanbois, it's because they fill the chasm between the consumer routers TFS references, and the high end gear that's prohibitively expensive for residential installations.

      • Comment removed based on user account deletion
        • It would likely compare well to a AirPort Extreme at the same age. Pretty solid, but a little locked down in the process. I had my little sister get one for her home, and she is happy with it.

          I would not be happy using one, because I like the flexibility to tinker with things a little more. (I use an ER-X at home, but unless you want to get into the weeds with your router there is no need to go with their Edgemax line.) The one feature Amplifi misses for me is an IKEv2 VPN option— it is important f

      • I love that I could buy 4 of the ER-4 routers for two sites and have a more robust network and VPN than I could get for twice the money from the alternatives.

        That said... to work reliably with my (unsupported) configuration, two routers on each end made a lot of sense. To troubleshoot the reliability issue was painful... but again having extra hardware around made it a relatively painless process.

        Everybody has their pinch-points, but Ubiquiti works well for me.

      • It's not TOO hard to find an OpenWRT router - I did a lot of research on this months ago at the beginning of COVID lockdown as my cheapo ISP provided router wasn't going to cut it for full-time work use...

        I strongly recommend the TP-Link AC1750 (C7)

        make sure NOT to buy it from amazon but instead buy it elsewhere (staples, office depot, etc.) which may cost a bit more but it will be fully supported by OpenWRT as it's a bit unclear if the A7 variant will work optimally with the firmware

        https://openwr [openwrt.org]
      • s/whose initial revision was released in 2013 that still gets regular firmware updates/whose initial revision was released in 2013 that EVER GOT regular firmware updates/

        FTFY

    • by Fringe ( 6096 )

      ... and goddamn Ubiquiti's goddamn overhyped crap.

      Like pretty much everyone else here, I've been using Ubiquiti for a long time very successfully. It's low-priced, high-performance (I have a real gigabit fiber connection and the ERL3 keeps up no worries), extremely configurable, frequently updated and very flexible. Perhaps it's just too much firewall for your pre-biased brain, but by all means stick to using your cheap router with the default passwords.

      • Comment removed based on user account deletion
        • I do.

          Albeit, they are the previous generation of cameras ( Unifi G3 ) and not their new and shiny G4 series.

          I would warn you away from them in all honesty as they seem to have a production / hardware issue and is unknown ( to me ) if it was ever fixed with the new series. In the G3 units, there is an IR filter that is electro-magnetically operated when the unit goes into IR mode. These have a bad habit of failing just outside of the warranty period ( 1 year ) rendering your camera stuck in either day or n

  • of WRT54GLs. The ultimate honeypot.
  • Whether you're using a PC, or buying an AP, a router that will run an alternate firmware is an absolute necessity. Then you can actually update it. Using a PC as a home router used to be common, then it became too expensive to pay for the power, but now they are low power enough that it's probably a good idea again unless you're running off of a small solar array. I bought a Linksys since they are a known quantity, and immediately reflashed it. So far it's been very good.

    • AVM routers usually update, even a decade later, and are as quick as a good open source project in their bug fixing responses. They are the German standard ISP home router for a reason.

      (I'm still using my own Linux box. But I won't do the maintenance for others with less skill. AVM does that.)

      • I've never heard of AVM. Googling it returns pages about "arteriovenous malformation". An Amazon search wasn't any better, for that matter.* I suspect they are not really a good option for someone in an English-speaking country.

        * Though at the bottom of the search results, I did find this gem [amazon.com]. Hilarious.

        • AVM is huge in Germany. Their brand for DSL routers has become synonymous with this kind of products and the German ISPs assume that if the customer doesn't use a router they provide (often also made by AVM), it is a Fritzbox. All other DSL routers are niche products in Germany.
          Their stuff had a good reputation already from way back in the day, they used to make pretty good ISDN adapters with the best drivers and the best support for operating systems other than Windows. They also release firmware updates f

  • by Magnificat ( 1920274 ) on Wednesday July 08, 2020 @08:23PM (#60277542)
    The study makes it sound like the sky is falling and that all of these routers are basically unsafe to use at this point....honestly, they aren't. The study specifically did not test to see how many of the units actually had the ability for the configuration pages to be accessed remotely, potentially as a result of the exploits. If remote access is not available on the WAN port, then many of these issues are simply "who cares" for most users -- as a device on your home network would ALREADY have to be compromised before it became an issue. The same is true for most of the UPNP exploits, they require a device on your network to already be compromised, plus if you don't have UPNP turned on, you can forget about using a vast number of internet and gaming applications. As long as the WAN facing ports on the router are closed and no significant buffer overflow attacks are possible that can be executed from the WAN side, then almost all the other vulnerabilities really don't make that much difference, as long as you are following at least reasonable security precautions on your network by not installing dubious software willy-nilly or clicking on random links. And if you AREN'T taking those reasonable precautions and being at least somewhat cautious on your home network, then having your router password as "admin:password" but only accessible from the LAN side, is the LEAST of your problems. Basically, in 90% of cases where any of these would be a problem, you ALREADY had a problem or these problems wouldn't have been an issue to begin with.
    • by anegg ( 1390659 )

      I'm not sure I agree with the logic that despite having many known vulnerabilities in internal code, as long as no paths to those vulnerabilities are known, I shouldn't be alarmed at the lack of security assurance in a device that is all that stands between the wild west of the Internet and my precious domestic network.

      It is a component of assessment in information security practice to examine security postures - what can be known about how an organization practices good security hygiene even when no partic

      • Unfortunately there are *no* devices that you can buy that have any meaningful security posture. The problem is that silly people tend to assume "trustworthiness" when the device in question is completely untrustworthy.

        The difference is quite simply the difference between "having a good belly laugh" at the idiots caught by some "new vulnerability" (which is not new -- it existed from the get go and was merely newly DISCOVERED). Just because the peeper over the road got a goodly photograph of you dancing n

    • by raymorris ( 2726007 ) on Wednesday July 08, 2020 @09:25PM (#60277714) Journal

      It's certainly a good idea to have the admin interface turned off on the external port.

      That means bad guys can't access it in any way, right?
      What do you think your browser, which is inside your network, does when it sees this html on a random web page?
      img src=http://192.168.1.1/admin/pwreset.cgi?newpass=foo

      Yeah, the web page has access to the internal interface of the router. Thinking "I don't have to worry about it because it's inside the network" is a GREAT way to have guys like me completely own every device on your network.

      Here's a fun one:

      for (pw in common_passwords) {
          xhttp.open("POST", ...
      }

      Yeah, I can easily have you brute force your own router for me, just by putting a little JavaScript on a web page. I don't even have to use my own resources.

      • No you can't. I have JavaScript disabled.

        • We can see that because no one can read the post you didn't just make because it requires Javascript :-P

          Seriously not everyone is far enough along the spectrum to micromanage websites.

      • Newer versions of OpenWRT allow you to use HTTPS for this. But it seems a bit silly, since any attacker from your web browser connected via ethernet will be able to connect with or without a cert anyway (the cert is so that your browser trusts the far end, not so the far end trusts you). In any case, don't allow access without a password, tighten up the web server to be more secure.

        Presumably you could also set it up so that there's no web server at all on the router until you physically push a button on

      • What do you think your browser, which is inside your network, does when it sees this html on a random web page?
        img src=http://192.168.1.1/admin/pwreset.cgi?newpass=foo

        Nothing, since that's not a valid IP on my network.

      • by bgarcia ( 33222 )
        Do all the script kiddies assume that internal networks are set to 192.168.1.*?
      • by MobyDisk ( 75490 )

        AFAIK, CORS should fail that request. [mozilla.org] It would be a cross-domain call, so the router should not allow it either by denying the HTTP OPTIONS preflight request or by failing because the Origin header doesn't match.

        • There is no preflight if you don't mangle the headers.
          It works just like if the html contained a copy-paste of the "change password" form:

          form action=http://192.168.1.1
          input name=newpass value=sucker

          Then:
          script type=text/JavaScript
          form.submit();

          What the same-origin policy does (if the hacker doesn't do anything tricky) is prevent JavaScript on the page from READING the contents of the reply. It just gets "error" or "success". Which is all that it needs. We aren't trying to read the password - we just set

          • by MobyDisk ( 75490 )

            There is no preflight if you don't mangle the headers.

            Agreed, that approximately matches the MDN article I linked to.

            prevent JavaScript on the page from READING the contents of the reply

            Aha! Okay, interesting.

            It seems like this would only work on a crappy router.
            1) The router should return an error and not process the request since the Origin is not 192.168.1.1.
            2) It should also give a 401 unless the user has already logged in to their router. (I'm assuming the attacker fooled the user into doing this and the user has an auth cookie)
            3) The router should have XSS tokens in the page to prevent this as well.

            But since the context

            • Pretty much what I'm thinking.

              For #2, one can fool the user into logging in. One can also try hardcoded model-specific default passwords that have been leaked (or openly published by manufacturers). One can also look up the pattern used by ISPs or manufacturers to generate passwords, and have the browser try a few thousand possibilities.
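The three router-side checks listed in the thread above (Origin check, 401 without a session, a per-session token in the form), plus refusing state changes over GET, sketched as an added example that is not part of any comment here and not any router vendor's code. The function names, the `csrf_token` field and the sample requests are constructed for illustration; 192.168.1.1 is the address used in the thread.

```javascript
// Added example; names and sample requests are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["http://192.168.1.1"]); // assumption: router's own admin origin

// Compare strings without stopping at the first mismatching character.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Origin the browser reports for the request, falling back to Referer.
function requestOrigin(headers) {
  if (headers.origin) return headers.origin;
  try { return headers.referer ? new URL(headers.referer).origin : null; } catch { return null; }
}

// req: { method, headers, body }; session: logged-in session object or null.
function checkAdminRequest(req, session) {
  // GET must never change state: <img>, <link> and plain navigation all issue GETs.
  if (req.method !== "POST") return { status: 405, reason: "state change requires POST" };
  // 1) The request must come from the router's own admin page.
  const origin = requestOrigin(req.headers);
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { status: 403, reason: "foreign or missing origin" };
  // 2) No session, no action.
  if (!session) return { status: 401, reason: "not logged in" };
  // 3) Per-session token that only the real admin form carries.
  const token = req.body ? req.body.csrf_token : undefined;
  if (!constantTimeEqual(token, session.csrfToken)) return { status: 403, reason: "bad CSRF token" };
  return { status: 200, reason: "ok" };
}

// Constructed sample traffic: the cross-site cases from the thread plus a legitimate request.
const SESSION = { user: "admin", csrfToken: "constructed-token-0001" };
const OWN = { origin: "http://192.168.1.1" };
const SAMPLES = [
  ["img tag on foreign page", { method: "GET", headers: { referer: "http://example.test/p" }, body: {} }, SESSION],
  ["auto-submitted foreign form", { method: "POST", headers: { origin: "http://example.test" }, body: { newpass: "x" } }, SESSION],
  ["own origin, not logged in", { method: "POST", headers: OWN, body: { newpass: "x" } }, null],
  ["own origin, token missing", { method: "POST", headers: OWN, body: { newpass: "x" } }, SESSION],
  ["real admin form", { method: "POST", headers: OWN, body: { newpass: "x", csrf_token: "constructed-token-0001" } }, SESSION],
];

function runSamples() {
  return SAMPLES.map(([name, req, session]) => ({ name, ...checkAdminRequest(req, session) }));
}

for (const r of runSamples()) console.log(`${r.status} ${r.name}: ${r.reason}`);
```

Both cross-site samples are rejected before the session is consulted, so a logged-in admin's cookie does not help a foreign page.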

  • by Rockets84 ( 2047424 ) on Wednesday July 08, 2020 @08:23PM (#60277544)
    This is exactly the reason why I recommend using something like pfSense, DD-WRT, Untangle, Sophos UTM Home etc and separate Wi-Fi APs instead of these POS devices. All these distros will run on home brew hardware or things like APU boards from PC Engines or Qotom mini PCs. These distros are updated frequently, more stable & are far more powerful feature wise. If you really want to buy one of these devices get an ASUS and install Merlin.
  • Most home users have a wireless router as their main router, however if you can, disable the wireless on that router, or buy a router that doesn't have wireless ability, then install a separate wireless access point, or better yet, install a wireless router in the same way that you would a wireless access point. Plugging its LAN cable into the WAN side of the router allows setting the LAN IP scheme separately. Also, only allow certain MAC addresses to obtain DHCP.

    A better alternative is to simply not in

    • by Bert64 ( 520050 )

      Most users use whatever device the ISP supplies, in whatever default configuration it comes with.
      Often these devices won't even be one of the known brands, they will be manufactured by an unknown Chinese manufacturer and possibly branded by the ISP. The ISP will usually also retain remote access to it.

      And most users don't care.

  • OpenWRT (Score:4, Informative)

    by hcs_$reboot ( 1536101 ) on Wednesday July 08, 2020 @09:11PM (#60277684)
    1. buy a router OpenWRT compliant
    2. install OpenWRT on it
    • Re:OpenWRT (Score:4, Informative)

      by Darinbob ( 1142669 ) on Wednesday July 08, 2020 @10:22PM (#60277828)

      Did that, still a headache. OpenWRT is very tricky in the first place. And many routers require some sort of unusual step, that OpenWRT does not like to document very well for novices. Tomato is a lot simpler, but also supports a lot fewer routers too.

      A big snag unfortunately is that different routers with the exact same model will have different versions, and those versions will often be completely different from each other in fundamental ways. If you don't have the box handy before you buy because you're buying online (since you're locked in at the moment), or the box doesn't list the version number, you may find yourself with an unsupported router despite doing the necessary homework. The second snag is that the "We support these models" databases for Tomato or OpenWRT will say they support v1 and v2, but they don't mention that there's actually a v3 out there that they don't support.

      Very frustrating. Anyone want a high end router cheap?

      • Not just that, installing OpenWRT often means losing features like hardware acceleration or DECT.

        • Maybe. I know when I first put on Tomato that I got a noticeable improvement in speed from the stock bland firmware, with an n600 router. I don't know about higher end routers though. It's entirely possible that it was just a matter of a different default configuration too.

          I am missing some features with most stock firmware though. I first wanted this because I wanted to know how much bandwidth I used and other stats. AT&T did NOT provide this information, they had a web page for this info but it

          • I have bought a BT router specifically because openwrt ran on it, even though it wasn't officially compatible with German networks. Turns out 100 mbit VDSL only worked with the stock firmware with hardware acceleration so openwrt was capped at 50 mbit. After six months or so a beta version changed a couple of things and about 80 mbit was possible but the whole thing was flaky and complicated to configure and every update was a hassle, things just never worked quite right so I retired it and used a tp link w

            • I bought my latest router specifically because it worked with OpenWRT. Well, hardware v1 and v2 did, except what showed up in the mail was v3 :-(

              I think even an ancient version of OpenWRT is better than most manufacturers' stock firmware.

  • WTF... (Score:4, Interesting)

    by Bert64 ( 520050 ) <bertNO@SPAMslashdot.firenzee.com> on Wednesday July 08, 2020 @11:01PM (#60277894) Homepage

    Their evaluation process seems to be based on downloading the firmware image, and comparing the version of the Linux kernel contained within - and then generating a list of CVEs which are reported to affect that kernel version.

    They mention the possibility that the vendors produce their own patches, but then discount this. What they don't mention is the fact that the CVEs are applicable to the whole kernel, yet these routers run custom compiles with unnecessary features disabled. If a feature has not been compiled into the kernel, then any vulnerabilities in that feature are not relevant.
    Also the exact nature of each vulnerability needs to be considered, a local privilege escalation vulnerability for instance is very important on a multiuser server, but on a router the severity is much lower. The likelihood of an attacker gaining access to an unprivileged shell and needing to privesc to root is very low on such devices. Many embedded devices don't even make use of low privilege users, so if you get a shell it's already going to be root.

    They also mention exploit mitigation, but don't mention that these mechanisms have performance overhead. Decreasing performance is not what you want in a cheap embedded device, and given the limited attack surface this may have been a conscious decision to exclude such features. Some of the features may not even be possible on the hardware in question. Such features may also be enabled selectively only on binaries which process user input.

    Private keys - it doesn't mention what the keys are used for - they might not pose any risk?

    Hard coded passwords - mentions that hard coded passwords were found, but doesn't mention if they could actually be used - if they can't be used then they don't pose any risk - eg everyone knows the default root password on an iPhone is "alpine" but under the default configuration this password cannot be used for anything.

  • Use them. You've been warned.

    • by amorsen ( 7485 )

      Is there any useful hardware that runs OpenWRT today?

      One of the main reasons the WRT54GL was great for OpenWRT was that everyone used that model. The developers pretty much all had access to them and the large user base meant that you were rarely the first person to hit a bug. They were low on flash and memory, but apart from that they were amazing.

      I don't know anyone who uses OpenWRT now. The hardware database is full of random crap, but there is no obvious way to find a device with a reasonably large inst

      • Is there any useful hardware that runs OpenWRT today?

        Hundreds of them.

        I don't know anyone who uses OpenWRT now. The hardware database is full of random crap, but there is no obvious way to find a device with a reasonably large install base, semi-modern WiFi, and not too many known bugs.

        Last time I wanted a router upgrade it took me all of 15 minutes with amazon open in one tab and the openwrt site open in another. Ended up getting a refurbished WRT1900AC at about half the MSRP. Plenty of RAM and storage, a peppy CPU which handles VPN encryption without a hiccup, and it's fully supported with no bugs that I've seen. Openwrt took about 2 minutes to install. Massive improvement over my previous Archer C7 which also ran openwrt but was a bit sluggish.

      • Netgear R7800. It's wave2 AC, not AX, but it's rock solid with openwrt
    • I just use bog-standard Linux on an ARM SBC.

      Those WRT distributions are far too limited to that one purpose. Why use a separate router box at all, when your home server can do it in a bit of its spare time? (Yes, I got my security tied up. Nothing exposed to the Internet but a VPN port that will not even appear unless you send a very special one-time-pad encrypted packet to it to knock first.)

  • I sold my WRT54GL a few years ago after a decade of usage. It sold almost instantly after I listed it and for enough money to buy a very decent brand new router. I really don't get it - why would anyone buy such a relic?
    • Because as it worked a decade ago when it left the factory, so it works today. It is not like a potato or cheesecake that will go bad and rot with time.

      I have one of those. I am quite sure it is more than a decade old -- probably more like two decades, maybe two and a half. Still works like when it was new. Got upset with it once and threw it across the room and shattered the case (it was being an obstinate prick). After re-attaching one of the antennas (without burning down the house is the proce

      • " It is not like a potato or cheesecake that will go bad and rot with time."

        But its highest practical data rate is 54 mbit, of which you'll get 27mbit of real speed. I never realistically got more than 16mbit of line of sight perfect connections from mine.

        A modern AC router, on a good 866mbit 2x2 80mhz channel, will deliver you 500-600mbit of real actual speed.

        So no. 11g is rotten, dead, and maybe worth 5 bucks to a 3rd world household. Refurb Wifi 5 Ciscos are 30 bucks.
  • by BAReFO0t ( 6240524 ) on Thursday July 09, 2020 @02:44AM (#60278138)

    Uum, they are pretty much the *only* consumer routers ISPs are giving out and people are buying here in Germany and the surrounding region . . .

    Because they are by far the best. Tons of features, far beyond others, very quick bug fixing response, great support even for techies (like help pages on how to set up unusual things) . . .

    Frankly, I assumed they would be a global standard and world leader. Why would I want to buy any of that other insecure, limited-functionality crap?

    I realize I sound like an ad. I mean it, though. It's weird to me to call them not industry leaders.

  • I'm not worried, my router is pre-2005
  • I've given up on the consumer routers for a while now. They don't even manage the things right they were designed to do that it's become necessary to move away from them. The market competition among the router companies has made it into a race of who can produce the cheapest product while pretending to have the most discussed features, such as speed and security.

    I now run an Arm SBC as my main router with hostapd (wifi), dnsmasq (dns+dhcp), ntp, proxy, firewall (nftables) and traffic control (tc). I contro

  • ...that without the exploits you could not even install the open source firmwares.

    • False. Some routers, like WRT1[29]00AC are explicitly meant to permit the user to install an alternate firmware. That's why I bought one. I got my 1200 for $100 refurb, reflashed with openwrt, and it's been a peach since.

  • by MSG ( 12810 ) on Thursday July 09, 2020 @10:15AM (#60279072)

    "flash" your older router to run more secure open-source router firmware such as OpenWrt, DD-WRT or Tomato

    WHAT!?! DD-WRT and Tomato are dead projects with no releases in many years. Suggesting them as a security solution is insane and irresponsible.

    • DD-WRT and Tomato are dead projects with no releases in many years.

      First time I heard this. DD-WRT is in constant development. The way to use it is join forums and choose a beta release.

    • They both have daily builds on their respective FTP servers.

      The official page for dd-wrt is neglected as fuck, though.
    • by groebke ( 313135 )

      "flash" your older router to run more secure open-source router firmware such as OpenWrt, DD-WRT or Tomato

      WHAT!?! DD-WRT and Tomato are dead projects with no releases in many years. Suggesting them as a security solution is insane and irresponsible.

      DD-WRT just pushed another build today, July 9th: ftp://ftp.dd-wrt.com/ [dd-wrt.com]

      Not bad for, "Abandonware."

  • What you do is move to a virtual router on that server you stuffed in that wardrobe under the stairs, linked to a switch which you connect to a bunch of cheapo range extenders on which you installed OpenWRT.

    OK, that is what I did but you might want to consider it as well. The virtual router (OpenWRT running in a container on a DL380G7) keeps up with the gigabit fiber connection, it is endlessly malleable and it takes so few resources the machine doesn't even hiccup when it is loaded. The range extenders al
