Nine WiFi Routers Used by Millions Were Vulnerable to 226 Flaws (bleepingcomputer.com)
"Security researchers analyzed nine popular WiFi routers and found a total of 226 potential vulnerabilities in them," reports Bleeping Computer, "even when running the latest firmware."
Slashdot reader joshuark shared their report:
The tested routers are made by Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology, and Linksys, and are used by millions of people... Researchers at IoT Inspector carried out the security tests in collaboration with CHIP magazine, focusing on models used mainly by small firms and home users. "For Chip's router evaluation, vendors provided them with current models, which were upgraded to the latest firmware version," Florian Lukavsky, CTO & Founder at IoT Inspector, told BleepingComputer via email. "The firmware versions were automatically analyzed by IoT Inspector and checked for more than 5,000 CVEs and other security issues...."
While not all flaws carried the same risk, the team found some common problems that affected most of the tested models:
- Outdated Linux kernel in the firmware
- Outdated multimedia and VPN functions
- Over-reliance on older versions of BusyBox
- Use of weak default passwords like "admin"
- Presence of hardcoded credentials in plain text form....
All of the affected manufacturers responded to the researchers' findings and released firmware patches.
The researchers demonstrated one exploit they found on one of the routers that extracted the AES key used for the firmware encryption, letting malicious firmware image updates pass verification checks on the device — and thus potentially planting malware on the router.
jd (Slashdot reader #1,658) shares another perspective on the same study from Security Week: Not all of the identified weaknesses are considered real security flaws, and for some bugs it is unclear whether exploitation is even possible. However, many of the identified vulnerabilities (ranging from 2 in AVM devices to nearly a dozen in other routers) were classified as high- and medium-severity.
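The summary above describes an AES key extracted from one router that let unapproved firmware images pass the device's update checks. The point behind that finding is that encryption under a device-wide symmetric key proves nothing about who produced an image, while a signature check against a public key held in the device does. The following Go program is an added illustration, not code from the study, IoT Inspector or any router vendor; the container format, the 32-byte key and the two payloads are constructed for the example, and the Ed25519 key pair stands in for a vendor signing key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed container layout (not any vendor's real format):
//   "FWv1" | uint32 big-endian payload length | payload | SHA-256(payload)
// The whole container is then AES-CTR encrypted under one device-wide key.
const fwMagic = "FWv1"

// Assumption: a single symmetric key shared by every unit. Once it has been
// read out of one device, the encrypt-only scheme has no secret left.
var deviceAESKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256

// aesCTR encrypts or decrypts (CTR is its own inverse) with a zero IV; a fixed
// IV is tolerable only because this toy is about authenticity, not secrecy.
func aesCTR(data []byte) []byte {
	block, err := aes.NewCipher(deviceAESKey)
	if err != nil {
		panic(err) // cannot happen with a 32-byte key
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, data)
	return out
}

// buildImage wraps a payload in the container. Anyone holding deviceAESKey
// can produce an image that the encrypt-only loader accepts.
func buildImage(payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(fwMagic)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	sum := sha256.Sum256(payload)
	buf.Write(sum[:])
	return aesCTR(buf.Bytes())
}

// verifyEncryptOnly models a loader that treats "it decrypts to something
// well-formed" as proof of origin: magic, length and hash are all it checks.
func verifyEncryptOnly(image []byte) bool {
	plain := aesCTR(image)
	if len(plain) < 8+sha256.Size || string(plain[:4]) != fwMagic {
		return false
	}
	n := int(binary.BigEndian.Uint32(plain[4:8]))
	if len(plain) != 8+n+sha256.Size {
		return false
	}
	want := sha256.Sum256(plain[8 : 8+n])
	return bytes.Equal(plain[8+n:], want[:])
}

// verifySigned makes the same checks but first demands an Ed25519 signature over
// the image, checked with a public key baked into the device. The private key
// never leaves the vendor, so knowing deviceAESKey does not help here.
func verifySigned(image, sig []byte, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, image, sig) && verifyEncryptOnly(image)
}

// Verdicts records each loader's decision on a vendor-signed image and on an
// image built by someone who holds only the AES key.
type Verdicts struct {
	EncOnlyVendor, EncOnlyUnsigned bool
	SignedVendor, SignedUnsigned   bool
}

func runScenario() (Verdicts, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor signing key
	if err != nil {
		return Verdicts{}, err
	}
	vendorImage := buildImage([]byte("constructed vendor firmware payload"))
	vendorSig := ed25519.Sign(priv, vendorImage)
	// Built with deviceAESKey alone; the only signature available to present
	// with it is the vendor's signature over a different image.
	unsignedImage := buildImage([]byte("constructed unapproved payload"))
	return Verdicts{
		EncOnlyVendor:   verifyEncryptOnly(vendorImage),
		EncOnlyUnsigned: verifyEncryptOnly(unsignedImage),
		SignedVendor:    verifySigned(vendorImage, vendorSig, pub),
		SignedUnsigned:  verifySigned(unsignedImage, vendorSig, pub),
	}, nil
}

func main() {
	v, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypt-only loader: vendor=%v unsigned=%v\n", v.EncOnlyVendor, v.EncOnlyUnsigned)
	fmt.Printf("signed loader:       vendor=%v unsigned=%v\n", v.SignedVendor, v.SignedUnsigned)
}
```

Running it prints true/true for the encrypt-only loader and true/false for the signed one: the hash inside the container only detects accidental corruption, and anyone with the shared key can recompute it. Signature verification is checked before the image is even decrypted, and a bootloader that pins the public key (or its hash) in one-time-programmable storage keeps that check intact even when the flash contents are replaced.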
This kind of testing ... (Score:5, Insightful)
Re:This kind of testing ... (Score:5, Interesting)
The threat pattern evolves too, so some tests aren't possible until the new threat arises.
However I also see that many manufacturers have a very short support lifetime of their products, so they can't be fixed unless you run stuff like DD-WRT or OpenWrt on them. The hardware evolves also quite a bit every year with new bands and processor cores so it's not easy to keep up the support for every product version - and some units come in v1, v2 and v3 generations that aren't even firmware compatible, which adds to the headache even though they have basically the same functionality.
Re: This kind of testing ... (Score:2)
Re: This kind of testing ... (Score:2)
Then they'd get sued for bricking people's routers.
Re: (Score:2)
Re: This kind of testing ... (Score:1)
Re: (Score:3)
Companies don't care about QA these days. They just use its users as free testers. :(
Re: (Score:2)
General rule: The usage of "these days" turns a valid statement into a meaningless rant.
Re: (Score:2)
Yep useless rANTS these days. :P
Re: (Score:2)
I wonder how effective tools like Metasploit are at detecting these kinds of flaws. Ideally it would be possible to just point a tool at the router and have it test everything, on every interface. Then another tool goes over the source code looking for issues, and another over the filesystem checking for things like outdated kernels and software.
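The comment above asks for a tool that goes over the filesystem checking for outdated kernels and software. The program below is an added example of that third kind of check, not code from the study, from IoT Inspector or from any commenter; it walks an extracted firmware root and reports the four problem classes the summary lists (old kernel, old BusyBox, weak or missing passwords, plain-text credentials). The miniature root it audits is constructed inline, the version floors are illustrative, and the patterns it looks for are assumptions about typical router images (module directory named after the kernel, the BusyBox banner string, `name=value` config files under `etc/`), not a complete set.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

var (
	busyboxRe = regexp.MustCompile(`BusyBox v(\d+\.\d+\.\d+)`) // banner embedded in every BusyBox build
	kernelRe  = regexp.MustCompile(`^lib/modules/([^/]+)$`)    // module directory is named after the kernel
	credRe    = regexp.MustCompile(`(?i)^\s*([\w.]*(pass|passwd|password|secret)[\w.]*)\s*=\s*["']?([^"'\s]*)`)
	// weakPasswords is a constructed list of the kind of default the report called out.
	weakPasswords = map[string]bool{"admin": true, "password": true, "1234": true}
)

// below reports whether a version string "X.Y..." is older than floor (major, minor).
func below(v string, floor [2]int) bool {
	var x, y int
	fmt.Sscanf(v, "%d.%d", &x, &y)
	return x < floor[0] || (x == floor[0] && y < floor[1])
}

// auditRootfs walks an extracted firmware root and returns "path: issue" lines for the problems
// the study listed: old kernel, old BusyBox, passwordless accounts, weak defaults, plain-text secrets.
func auditRootfs(root string, minKernel, minBusybox [2]int) ([]string, error) {
	var out []string
	add := func(rel, f string, a ...interface{}) { out = append(out, rel+": "+fmt.Sprintf(f, a...)) }
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		if d.IsDir() { // 1. kernel version from the lib/modules/<version>/ directory name
			if m := kernelRe.FindStringSubmatch(rel); m != nil && below(m[1], minKernel) {
				add(rel, "kernel %s is older than %d.%d", m[1], minKernel[0], minKernel[1])
			}
			return nil
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		if m := busyboxRe.FindSubmatch(data); m != nil && below(string(m[1]), minBusybox) { // 2.
			add(rel, "BusyBox %s is older than %d.%d", m[1], minBusybox[0], minBusybox[1])
		}
		accounts := strings.HasSuffix(rel, "/passwd") || strings.HasSuffix(rel, "/shadow")
		for _, line := range strings.Split(string(data), "\n") {
			if f := strings.Split(line, ":"); accounts && len(f) >= 2 && f[1] == "" { // 3.
				add(rel, "account %q has an empty password field", f[0])
			}
			if m := credRe.FindStringSubmatch(line); m != nil && strings.HasPrefix(rel, "etc/") { // 4.
				if weakPasswords[strings.ToLower(m[3])] {
					add(rel, "weak default password %q for %s", m[3], m[1])
				} else {
					add(rel, "plain-text credential in %s", m[1])
				}
			}
		}
		return nil
	})
	return out, err
}

// writeSampleRootfs lays out a constructed miniature firmware root that shows each problem
// once. The contents are sample data, not from any real device; it panics if the dir is unwritable.
func writeSampleRootfs(root string) {
	for rel, content := range map[string]string{
		"lib/modules/3.10.14/modules.dep": "",
		"bin/busybox":                     "\x7fELF...BusyBox v1.20.2 (2013-08-01) multi-call binary...",
		"etc/passwd":                      "root:x:0:0:root:/:/bin/sh\nadmin::0:0::/:/bin/sh\n",
		"etc/config/system.conf":          "hostname=router\nadmin_password=admin\ncloud_api_secret=s3cr3t-sample\n",
	} {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			panic(err)
		}
		if err := os.WriteFile(p, []byte(content), 0o644); err != nil {
			panic(err)
		}
	}
}

func main() {
	root, err := os.MkdirTemp("", "fwaudit")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	writeSampleRootfs(root)
	findings, err := auditRootfs(root, [2]int{4, 14}, [2]int{1, 30}) // floors are illustrative
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(findings, "\n"))
}
```

On the sample root this prints five findings, one per planted problem. Against a real image you would point `auditRootfs` at the directory a firmware-extraction tool produced and raise the floors to whatever your policy requires; the version comparison only looks at major.minor, so a vendor backporting fixes to an old branch still shows up, which is the conservative direction for a triage tool.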
You Missed A Big Part Of The Point (Score:2)
The firmware and software need to be updated on an ongoing basis. So yes, AFTER is important not just before release; in case the firmware and software writers missed something in their tests. For example, many companies use dd-wrt as the basis for their routers. And as noted in TFA, other software like BusyBox is used. And of course the manufacturers should be updating the firmware and software as security patches are released. To that end, the new German law holding the manufacturers of IoT devices respon
Re:You Missed A Big Part Of The Point (Score:4, Informative)
Vint Cerf and Dave Taht made an official submission to the US FCC about this very subject, when the FCC inadvisedly proposed that only the original vendor should be able to update the software. Considering that they don't, that would have been A Very Bad Thing. See https://docs.google.com/docume... [google.com]
It was accepted by the FCC, and they forced at least Asus to fix their security bugs: https://yro.slashdot.org/story... [slashdot.org]
If the authors care, they'll pass the information on to the FCC, and a US citizen can probably then ask for an enforcement order...
English please (Score:5, Interesting)
Who cares about "how many"?! (Score:3)
Yea, it's actually linked under "found a total of 226 potential vulnerabilities in them" what routers were tested and how many "issues" each had. However the important part is "automatically analyzed by IoT Inspector" so the fact that one had 25 "vulnerabilities" versus 21 or 6 versus 10 high risk ones is COMPLETELY pointless without knowing how many are actually exploitable. The whole thing is some very lazy marketing for this "IoT Inspector", yes we do know these things have outdated software, put togethe
Re: (Score:2)
Asus ROG Rapture GT-AX11000
AVM FritzBox 7530 AX
AVM FritzBox 7590 AX
D-Link DIR-X5460
Edimax BR-6473AX
Linksys Velop MR9600
Netgear Nighthawk AX12
Synology RT-2600ac
TP-Link Archer AX6000
All of them had at least 20 vulnerabilities, usually more. TFA claims that all of them have now issued patches to fix these issues.
Re: (Score:3)
OMG it never stops. (Score:5, Funny)
I think I'm going to buy 2 cans and a length of string. Anybody want to join my new internet?
Re: (Score:3)
That's why I use ALTERNATIVE firmware instead of manufacturer. None of these problems, and better features.
Re:OMG it never stops. (Score:5, Funny)
I think I'm going to buy 2 cans and a length of string. Anybody want to join my new internet?
That's why I use ALTERNATIVE firmware instead of manufacturer. None of these problems, and better features.
So... yarn instead of string?
Re: (Score:2)
I thought the safest way was to connect the two cans via two quantum-entangled particles?
Re: (Score:3)
I use DD-WRT but I'm thinking of switching to pfSense. DD-WRT is okay but consumer grade hardware tends not to be very good, and pfSense appears to get a lot more development. The only issue is finding some good, reasonably cheap hardware to run it on. You really need a fairly modern CPU to push gigabits of traffic through, with a few things on top like VPN and intrusion detection.
Re: OMG it never stops. (Score:2)
I'm also looking into this. In my case, I hate giving control of my router to a cloud service and not being able to control other things like a backup internet line.
I'm considering building a full desktop with pfsense and multiple eth cards. Should be more costly to run but otherwise good.
Re: (Score:2)
No you don't. I ran pfSense recently on a core 2 duo box from 2007. It barely used any cpu on my 300mbit connection. Unless you have terribly cheap network cards that tax the cpu it doesn't take much power.
Half a Raspberry Pi (Score:3)
Netgate, the sponsors of pfsense, spec 2-4 Gbps for their Netgate 3100 hardware. It has a dual core ARM v7 Cortex-A9 @ 1.6 GHz. So a little less than half of a Raspberry Pi.
An older Pi will have a CPU that's a little faster per core, and four cores rather than just two.
It does help to run a decent network card if you're handling gigabits of traffic. The cheapest cards offload a lot of the work to the CPU.
Re: (Score:2)
I think I'm going to buy 2 cans and a length of string. Anybody want to join my new internet?
25 critical vulnerabilities found in string and can routers. Number 5 will astound you.
Re: (Score:2)
outdated linux kernel... (Score:5, Insightful)
This seems to happen quite a lot.
Most consumer routers I have seen, live on linux kernel versions in the 2.5 era, 3.0 era, or 3.5 era.
I have YET to see any consumer firmware that is based on an actually recent kernel. Hell, I haven't seen a consumer device with even a 4.x era kernel.
Usually, this means all manner of kernel features are missing, and setting up a toolchain to compile a new firmware (tools are required to be available to comply with GPL licensing) to try and backport to fix it yourself is a royal PITA.
While I would gladly accept consumer devices using more recent kernels and toolchains, I won't hold my breath. I am fairly sure that the insistence on using these kernel trees from the early 2000s is done on purpose, because those trees are NOT receiving update patches, and thus are "static", and so, more amenable as a static target. Further, I suspect that the higher resource requirements for more recent kernels also factor into this breakdown. (More capable SoCs needed for more recent kernel support, which then increases unit costs, which the bean counters insist is not acceptable, et al.)
That this also means that they are frozen in time in terms of having CVEs, in a world where attacker sophistication only grows, seems to just get no notice.
I won't hold my breath on actual reforms from the likes of NetGear and co, in terms of them actually being truly interested in securing these devices, vs just shitting something "functional" out into the market, and then deprecating them to evade having any liability later.
Re: (Score:2)
Could it be because the more current kernels will not fit?
Re: (Score:2)
That's probably one of the reasons. Another reason is that each generation is basically built from open software found on the net in various packages and only a small piece is built by a specialist, the rest is likely compiled by fresh employees so the build environment becomes like a spaghetti with meatballs and sardines. Sometimes boiled, sometimes fried.
Re: (Score:1)
Perhaps it is due to SoC drivers not being available?
Most consumer devices use a cheap SoC... and the drivers are binary blobs, only working with a new kernel. Think the SoC maker cares if their $3 CPU can't be used by recent Linux versions? They don't. In fact, there is no SoC line out there that can use the latest kernels, or has open source kernel drivers that can be used with newer or unstable kernels.
Re:outdated linux kernel... (Score:4, Interesting)
This would fall under the "More recent/costly SoC needed for more recent kernel" case, no?
It gets shot down by the beancounters during product design phase, which then cripples future update cycles.
Ideally, the SoC makers would stop with the "NO! ITS OUR SECRET SAURCE!!!" bullshit, and just release the information on how they give the hardware definition files needed to properly configure and use the SoC with any arbitrary kernel--- and in so doing, honor the spirit of the open source software they are trying to work with, instead of trying to rule lawyer like a bad D&D player... but we both know that won't happen any time soon. (If they did that, then the mainline kernel devs would likely allocate some resources for ensuring function on these older SoCs, which would be effort and man-power the SoC vendor does not have to pay for, AND we would still have recent kernel features possible on these older network appliances, but the idea that they need to lock the silicon down more securely than a nun's underwear seems to always prevail, and so we cannot have nice things.)
I am well aware of this issue, which is why I lamplit it. Sorry if that was not completely clear.
*shrug*
Re:outdated linux kernel... (Score:4, Insightful)
Here's the deal with that:
It would adversely impact the bottom line of both SoC makers, and device manufacturers.
Here's a product to showcase: the garbage tier 2-bay NAS products from Western Digital. These run on a marvel SoC, that supports some pretty fantastic features. These features are disabled by WD's firmware. Among those features, is hardware support for SATA port replicators. The device lives in the 3.x kernel era.
The processor and RAM complement of the SoC is pretty decent for what it is-- A low grade offer. (2gb of RAM and a multicore ARM processor in the 1.5ghz range) Due to the crippled nature of the WD firmware, many things this device COULD do are prevented: No BTRFS support, No Zram compressed swap, no hardware SATA port replication.
Should this device be opened up all the way, and run a modern kernel, and modern drivers for the SoC it is based on, with a user-configured kernel feature set- this device could have dozens of drives slaved on it using an inexpensive hardware port replicator (as the SoC supports hot-swap eSata operation mode! Also disabled!), and then use inexpensive eSata shelves full of drives stuck to it. That would directly compete with the manufacturer's intended upgrade path, to the EX4 and larger models. Disk compression and deduplication features of BTRFS would make the array more useful for midsize transition area deployments or power users, et al....
Likewise, the SoC maker would suffer from the reduced sales of the higher end models, driven through the purposeful crippling of the low and mid tier offers.
All the money-centric thinking involved conspires to prevent this kind of thing.
This is precisely why it does not happen, and you have "SECRET SAURCE!!!"
Ideally, it would be labelled for what it is-- anticompetitive behavior-- and strongly punished.
But that won't happen any time soon, because the govt officials needed to get on board with that would rather play cozy games with the lobbyists that look presentable and offer nice lunches and other perks in exchange for their time, than listen to us smelly neck-beards who are broke, have unkempt hair, and smell vaguely of beer, stale pizza, and BO.
It does not matter one iota that we are right, and provably so.
Re: (Score:3)
This is going to take the force of government coming in and saying that their shit can't be made obsolete, and that they need to provide source code for their drivers, have a usable emulation mode that allows all features to be used without significant performance or feature loss, or some other way to ensure the SoC is usable. Either the threat of regulation, like what allowed us to have only 2-3 different phone cables rather than hundreds, each with a different pinout, polarity, voltage, amperage, and capacitance is needed... or it needs to be done.
If there are "trade secrets" in the drivers, that is BS. If there is some mode that is so secretive, have some hypervisor or other layer to protect it, but allow use by any OS.
I service a lot of electronics, and often run into older devices that can't be effectively repaired due to a blown $3 microcontroller. I rather think that part of the right-to-repair stuff, in addition to requiring manufacturers to make parts available for a reasonable time, should also require that the moment they stop making parts available they have to release any firmware contained in those parts (even if it's as a binary blob) so a repair tech can source the part, program it and install it. I've call
Re: (Score:2)
The biggest problem typically preventing upgrades is not enough RAM, followed by not enough flash. Or maybe I have that backwards, but that's been my experience.
Re: (Score:2)
Support "Right to Repair".
And looking at you, Broadcom.
Re: (Score:2)
Depends on how you define "outdated Linux kernel". If that means "any kernel which is not the latest in the Linux git tree" then most if not all Linux distributions are culpable. Because unless they download, compile and distribute nightly the latest git kernel, all will be at least a few revisions behind.
And no, I'm not advocating for the nightly compiles either, because in-house testing for compatibility, stability and security is a thing. My distribution is currently on 5.10.46 and that is fine with me.
Not were. Are. (Score:4, Insightful)
Because how many of those that are in circulation now will get patched, realistically? Even if (and that's a big if) the manufacturer actually puts out a patch, how many consumer grade routers are administrated by people who give half a shit about them?
To most consumers, the router is a box they put up once, exactly as the instruction manual says, and as soon as that manual is lost, which happens usually when the Christmas hangover passes, they don't even know how to reconfigure it anymore.
D-Link firmware encryption - no proper signature? (Score:1)
How about third-party firmware? (Score:3)
Re: (Score:2, Informative)
Re: (Score:3)
These are relatively new routers, 802.11ax/Wifi6 usually, some with Broadcom SoC (with traditionally poor support in Openwrt). Didn't look into all of them but again at least with openwrt the support is between not at all to DECT/DSL modem not supported. The routing part that can be standardized the community has it nailed (actually there are many people running x86 machines with Openwrt or even the Raspberry Pi4 is a fantastic machine) but once you need very good/new Wifi or modems or DECT, outside the bea
Re: (Score:3)
Re: (Score:2)
The more interesting question ... (Score:1)
And please do not reply with the empty set.
Re: (Score:2)
The honest answer?
The DIY model. E.g., those based on pfSense, or on a user-maintained Linux installation, that gets mainline kernel updates for CVEs.
https://www.pfsense.org/downlo... [pfsense.org]
You know, the kind made out of your old, discarded motherboard, and some cheap NICs.
Alternatively, a commercial class border router, that has a current support contract agreement.
The "easily purchased" models you get online from the likes of NetGear and co., all suffer from the "SoC it is based on, only works using an outdated l
Re: (Score:2)
Re: (Score:2)
Sorry to disappoint but the answer is an empty list. There is not a single vendor for cheap home WiFi routers that does any of this unless forced to by articles such as this. And you can take this very article as proof of that, note that the researchers only chose one model from each vendor and that the vendors then only released new firmware for those specific models while all their other models are suffering from the very same vulnerabilities.
The only ones that care seem to be the 3d party firmware dist
Mostly non-issues (Score:2)
Regulation options? (Score:2)
For instance, the EU could disallow sales of any product with internet capability without the source and method to build and upload the code to the device being safely stored in the hands of, for instance, the EU department of communication (or whatever it's called). Then when devices aren't tended to for an X period of time after a security bug becoming known, or a Y period in general, the info
Re: (Score:2)
I don't know if more regulation will result in a better state of affairs, but it's easy to imagine how it could.
For instance, the EU could disallow sales of any product with internet capability without the source and method to build and upload the code to the device being safely stored in the hands of, for instance, the EU department of communication (or whatever it's called). Then when devices aren't tended to for an X period of time after a security bug becoming known, or a Y period in general, the information is made public. Depending on severity etcetera.
Known critical security bugs in Android, no update within 1 month? Bootloader unlock becomes public, alongside custom ROM building info. Or, no more updates since more than 12 months? Same.
Known minor security bug in a router, no update within 6 months? Data gets made public.
Company goes bankrupt? Data gets published. Etcetera.
Right. Put all the information needed to find and exploit bugs in a single location, making it a target for anyone who wants to attack as well as a treasure trove for state actors. What could go wrong there... "...safely stored in the hands of, for instance, the EU ..." is an oxymoron, just ask the Cybersecurity Atlas project, for instance.
Re: (Score:2)
Re: (Score:2)
Why would that information help exploiting the devices out in the field? It doesn't have to have the current ROM source code, it merely has to enable people to construct their own custom ROM and upload that to those devices that don't get fixed.
The OP suggested requiring the source code for devices, which would be open to analysis and exploitation; that's different from being able to roll your own ROM and upload it.
Re: (Score:2)
Re: (Score:2)
It would open it a tiny bit, most exploits are found without access to the source code.
Good point; but having the source available would make that a lot easier; plus the repository would be a tempting target not just for exploitation but to gain commercial advantage.
Re: (Score:2)
Re: (Score:2)
Not really. Finding an exploit is often far easier by just sending random data to ports and seeing what happens; reading millions of lines of code in the hope of finding something is extremely time consuming. This is why open source software is not hit worse than closed source software when it comes to exploits.
Perhaps, but I would not discount the ability of state actors to find the software source useful and have the talent and resources to exploit it. Having it all in one location would be a tempting target. Even beyond the exploitation it would have commercial value as well. Why develop if you can steal the source and build cheap knockoffs?
Why to trust the router? (Score:2)
Re: (Score:2)
why does it matter?
Your router can be compromised and inducted as the newest member of a botnet. Also, it could then go on to be used to probe and attack everything connected to your network.
If you think you are immune because you use a VPN then your complacency will be your undoing.
Re: (Score:2)
Re: Why to trust the router? (Score:2)
I don't think the idea is that you become immune using the VPN. I think the idea is that you need to secure every device, not just the routers. And every connection. At that point, the WiFi network security becomes a nice-to-have, not critical to the security of your network.
sucks to be a cell phone (Score:2)
I am only concerned about this if running Windows or an un-rooted smart phone. And even with Windows it may not be a huge concern.
Why, with Linux and the BSDs, you can lock down your system to prevent break-ins. And for all desktop/laptop systems, if you are on the edges of the tinfoil crowd, you can get a VPN. Thus the cesspool that routers are, you should be protected.
Don't buy a consumer router unless it supports (Score:2)
Re: (Score:2)
In the early 2000s, for years my firewall was a Linux box that I ran a custom IPTables script on to configure on startup. It's really the only one I've ever trusted. I don't use it now, but it was good. I realized I'm not that important to hack, but do keep certain precautions. The only time I had issues with money being stolen was when someone stole my wallet last year and convinced the bank to change my online password (during the beginning of COVID when they were first having their people work from home inst
Most routers use the same crap... (Score:2)
Sky routers (both the old Sagem ones and the newer ones), Netgear, Linksys and many others have the same bugs and the same outdated kerne
I Bet Nothing Changed In Routers Not Studied (Score:2)
For sure the manufacturers updated the routers in the study. But who wants to take a bet that all their other products were ignored other than keeping the status quo. And I bet that in a year when things quiet down, they will go back to status quo. Except maybe for a small number of products they keep updated that are sold to Germany. And the number of IoT devices offered for sale in Germany will decrease substantially because of the new law. Still a win for the Germans.
This is Slashdot, build your own router (Score:1)
It's been very low effort for a very long time and was an old idea when I ran FREESCO off a CF card on my P133 to share dialup over my Jaton 56K modem.