Wireless Networking Security

Nine WiFi Routers Used by Millions Were Vulnerable to 226 Flaws (bleepingcomputer.com) 74

"Security researchers analyzed nine popular WiFi routers and found a total of 226 potential vulnerabilities in them," reports Bleeping Computer, "even when running the latest firmware." Slashdot reader joshuark shared their report: The tested routers are made by Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology, and Linksys, and are used by millions of people... Researchers at IoT Inspector carried out the security tests in collaboration with CHIP magazine, focusing on models used mainly by small firms and home users. "For Chip's router evaluation, vendors provided them with current models, which were upgraded to the latest firmware version," Florian Lukavsky, CTO & Founder at IoT Inspector, told BleepingComputer via email. "The firmware versions were automatically analyzed by IoT Inspector and checked for more than 5,000 CVEs and other security issues...."

While not all flaws carried the same risk, the team found some common problems that affected most of the tested models:

- Outdated Linux kernel in the firmware
- Outdated multimedia and VPN functions
- Over-reliance on older versions of BusyBox
- Use of weak default passwords like "admin"
- Presence of hardcoded credentials in plain text form....

All of the affected manufacturers responded to the researchers' findings and released firmware patches.

The researchers demonstrated one exploit they found on one of the routers that extracted the AES key used for the firmware encryption, letting malicious firmware image updates pass verification checks on the device — and thus potentially planting malware on the router.

jd (Slashdot reader #1,658) shares another perspective on the same study from Security Week: Not all of the identified weaknesses are considered real security flaws, and for some bugs it is unclear whether exploitation is even possible. However, many of the identified vulnerabilities (ranging from 2 in AVM devices to nearly a dozen in other routers) were classified as high- and medium-severity.
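The common problems listed in the summary above (and the wish further down the thread for a tool that walks the firmware filesystem looking for outdated kernels and software) are the kind of thing a static check over an unpacked image can flag. The script below is an added example, not IoT Inspector's, CHIP's or any vendor's tooling; it assumes the firmware has already been extracted to a directory, and the version cut-offs, file names and config contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed cut-offs for illustration only, not a claim about any vendor's firmware.
MIN_KERNEL = (4, 19)
MIN_BUSYBOX = (1, 30)
KERNEL_RE = re.compile(rb"Linux version (\d+)\.(\d+)\.(\d+)")
BUSYBOX_RE = re.compile(rb"BusyBox v(\d+)\.(\d+)\.(\d+)")
# key=value lines whose key looks like a secret (NVRAM / shell / ini style configs)
CRED_RE = re.compile(
    r"^\s*([A-Za-z0-9_.]*(?:pass(?:wd|word)?|secret|psk|key))\s*=\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)
CONFIG_SUFFIXES = {".conf", ".cfg", ".ini", ".txt", ".sh", ""}

def _files(root):
    """All regular files under root, in a stable order."""
    return [p for p in sorted(Path(root).rglob("*")) if p.is_file()]

def _is_text(path):
    """Cheap binary check: no NUL byte in the first KiB."""
    with open(path, "rb") as fh:
        return b"\0" not in fh.read(1024)

def _first_version(root, regex):
    """First (major, minor, patch) banner match found in any file, or None."""
    for path in _files(root):
        match = regex.search(path.read_bytes())
        if match:
            return tuple(int(x) for x in match.groups())
    return None

def audit_firmware_root(root):
    """Return finding strings for the extracted firmware tree at root."""
    findings = []
    kernel = _first_version(root, KERNEL_RE)
    if kernel is None:
        findings.append("kernel: no 'Linux version' banner found")
    elif kernel[:2] < MIN_KERNEL:
        findings.append("kernel: outdated %d.%d.%d" % kernel)
    busybox = _first_version(root, BUSYBOX_RE)
    if busybox is not None and busybox[:2] < MIN_BUSYBOX:
        findings.append("busybox: outdated %d.%d.%d" % busybox)
    for path in _files(root):
        if path.suffix not in CONFIG_SUFFIXES or not _is_text(path):
            continue
        rel = path.relative_to(root).as_posix()
        for key, value in CRED_RE.findall(path.read_text(errors="ignore")):
            if value.lower() == "admin":
                findings.append(f"weak default password: {rel}: {key}=admin")
            else:
                findings.append(f"plaintext credential: {rel}: {key}")
    return findings

def build_sample_root(base):
    """Construct a tiny fake firmware tree (constructed sample, not a vendor image)."""
    base = Path(base)
    (base / "bin").mkdir()
    (base / "etc").mkdir()
    # version banners as a real kernel image / busybox binary embeds them
    (base / "vmlinux.bin").write_bytes(b"\x7fELF\0\0Linux version 3.4.11 (build@host)\0")
    (base / "bin" / "busybox").write_bytes(b"\x7fELF\0\0BusyBox v1.22.1 (2014-01-20)\0")
    (base / "etc" / "nvram.conf").write_text(
        "http_username=admin\nhttp_passwd=admin\nwl_wpa_psk=hunter2\nlan_ipaddr=192.168.1.1\n"
    )
    return base

def run_demo():
    """Audit the constructed sample tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_firmware_root(build_sample_root(tmp))

if __name__ == "__main__":
    print("\n".join(run_demo()))
```

A real image needs unpacking first (squashfs, cramfs or a vendor container), and a banner-based version check is only a triage signal; backported fixes do not change the version string.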

  • by RitchCraft ( 6454710 ) on Saturday December 04, 2021 @11:38PM (#62048409)
    ... should be done BEFORE they go out for sale, not AFTER.
    • by Z00L00K ( 682162 ) on Sunday December 05, 2021 @01:11AM (#62048543) Homepage Journal

      The threat pattern evolves too, so some tests aren't possible until the new threat arises.

      However, I also see that many manufacturers have a very short support lifetime of their products, so they can't be fixed unless you run stuff like DD-WRT or OpenWrt on them. The hardware evolves also quite a bit every year with new bands and processor cores so it's not easy to keep up the support for every product version - and some units come in v1, v2 and v3 generations that aren't even firmware compatible which adds to the headache even though they have basically the same functionality.

      • Right. This. However, some of the issues could be resolved fast if just as a normal course of business, routers updated themselves to newest versions of open source software components. I get that regression testing is needed, but at least point releases should be downloaded. I -HATE- it when routers or devices make you hunt for firmware. With services like YUM, every manufacturer should at this point be putting up repositories of firmware and give the user an option of auto-updating on a schedule, like Sun
    • This is yet another story that exhibits the all-too-frequent pattern of omitting the "Surprising Exactly Nobody..." wording at the start of the headline...
    • Following theme of wrong order.. The first i.t. bubble burst because too many savvy users existed with a lack of apathy. The "create content -???- profit" model did not work until a slew of viruses were introduced through paid ads which owned people's boxes and utilized them through ddos attacks and crypto mining. It's great to suss out these vulnerabilities and ISPs providing routers to customers should be held to account as well as manufacturers since much hardware is ages old. But the malicious sou
    • by antdude ( 79039 )

      Companies don't care about QA these days. They just use its users as free testers. :(

      • by Sique ( 173459 )
        The usage of "these days" is so predictable these days!

        General rule: The usage of "these days" turns a valid statement into a meaningless rant.

    • by AmiMoJo ( 196126 )

      I wonder how effective tools like Metasploit are at detecting these kinds of flaws. Ideally it would be possible to just point a tool at the router and have it test everything, on every interface. Then another tool goes over the source code looking for issues, and another over the filesystem checking for things like outdated kernels and software.

    • The firmware and software need to be updated on an ongoing basis. So yes, AFTER is important not just before release; in case the firmware and software writers missed something in their tests. For example, many companies use dd-wrt as the basis for their routers. And as noted in TFA, other software like BusyBox is used. And of course the manufacturers should be updating the firmware and software as security patches are released. To that end, the new German law holding the manufacturers of IoT devices respon

  • English please (Score:5, Interesting)

    by Snotnose ( 212196 ) on Saturday December 04, 2021 @11:49PM (#62048443)
    If you aren't going to translate the thing from German to English at least provide a list of which routers were tested and how many issues they had.
    • Yea, it's actually linked under "found a total of 226 potential vulnerabilities in them" what routers were tested and how many "issues" each had. However the important part is "automatically analyzed by IoT Inspector" so the fact that one had 25 "vulnerabilities" versus 21 or 6 versus 10 high risk ones is COMPLETELY pointless without knowing how many are actually exploitable. The whole thing is some very lazy marketing for this "IoT Inspector", yes we do know these things have outdated software, put togethe

    • by AmiMoJo ( 196126 )

      Asus ROG Rapture GT-AX11000
      AVM FritzBox 7530 AX
      AVM FritzBox 7590 AX
      D-Link DIR-X5460
      Edimax BR-6473AX
      Linksys Velop MR9600
      Netgear Nighthawk AX12
      Synology RT-2600ac
      TP-Link Archer AX6000

      All of them had at least 20 vulnerabilities, usually more. TFA claims that all of them have now issued patches to fix these issues.

      • And every single vendor on that list has at least 20 other models each on the market that most likely have the very same number of vulnerabilities but of course they only patched the specific ones that the researchers looked at...
  • by fredrated ( 639554 ) on Sunday December 05, 2021 @12:08AM (#62048475) Journal

    I think I'm going to buy 2 cans and a length of string. Anybody want to join my new internet?

    • That's why I use ALTERNATIVE firmware instead of manufacturer. None of these problems, and better features.

      • by fahrbot-bot ( 874524 ) on Sunday December 05, 2021 @01:12AM (#62048549)

        I think I'm going to buy 2 cans and a length of string. Anybody want to join my new internet?

        That's why I use ALTERNATIVE firmware instead of manufacturer. None of these problems, and better features.

        So... yarn instead of string?

      • by AmiMoJo ( 196126 )

        I use DD-WRT but I'm thinking of switching to pfSense. DD-WRT is okay but consumer grade hardware tends not to be very good, and pfSense appears to get a lot more development. The only issue is finding some good, reasonably cheap hardware to run it on. You really need a fairly modern CPU to push gigabits of traffic through, with a few things on top like VPN and intrusion detection.

        • I'm also looking into this. In my case, I hate giving control of my router to a cloud service and not being able to control other things like a backup internet line.

          I'm considering building a full desktop with pfsense and multiple eth cards. Should be more costly to run but otherwise good.

        • No you don't. I ran pfSense recently on a core 2 duo box from 2007. It barely used any cpu on my 300mbit connection. Unless you have terribly cheap network cards that tax the cpu it doesn't take much power.

        • Netgate, the sponsors of pfsense, spec 2-4 Gbps for their Netgate 3100 hardware. It has a dual core ARM v7 Cortex-A9 @ 1.6 GHz. So a little less than half of a Raspberry Pi.

          An older Pi will have a CPU that's a little faster per core, and four cores rather than just two.

          It does help to run a decent network card if you're handling gigabits of traffic. The cheapest cards offload a lot of the work to the CPU.

    • I think I'm going to buy 2 cans and a length of string. Anybody want to join my new internet?

      25 critical vulnerabilities found in string and can routers. Number 5 will astound you.

  • by wierd_w ( 1375923 ) on Sunday December 05, 2021 @12:31AM (#62048503)

    This seems to happen quite a lot.

    Most consumer routers I have seen, live on linux kernel versions in the 2.5 era, 3.0 era, or 3.5 era.

    I have YET to see any consumer firmware that is based on an actually recent kernel. Hell, I haven't seen a consumer device with even a 4.x era kernel.

    Usually, this means all manner of kernel features are missing, and setting up a toolchain to compile a new firmware (tools are required to be available to comply with GPL licensing) to try and backport to fix it yourself is a royal PITA.

    While I would gladly accept consumer devices using more recent kernels and toolchains, I won't hold my breath. I am fairly sure that the insistence on using these kernel trees from the early 2000s is done on purpose, because those trees are NOT receiving update patches, and thus are "static", and so, more amenable as a static target. Further, I suspect that the higher resource requirements for more recent kernels also factor into this breakdown. (More capable SoCs needed for more recent kernel support, which then increases unit costs, which the bean counters insist is not acceptable, et al.)

    That this also means that they are frozen in time in terms of having CVEs, in a world where attacker sophistication only grows, seems to just get no notice.

    I won't hold my breath on actual reforms from the likes of NetGear and co, in terms of them actually being truly interested in securing these devices, vs just shitting something "functional" out into the market, and then deprecating them to evade having any liability later.

    • Could it be because the more current kernels will not fit?

      • by Z00L00K ( 682162 )

        That's probably one of the reasons. Another reason is that each generation is basically built from open software found on the net in various packages and only a small piece is built by a specialist, the rest is likely compiled by fresh employees so the build environment becomes like a spaghetti with meatballs and sardines. Sometimes boiled, sometimes fried.

    • by Anonymous Coward

      Perhaps it is due to SoC drivers not being available?

      Most consumer devices use a cheap SoC... and the drivers are binary blobs, only working with a new kernel. Think the SoC maker cares if their $3 CPU can't be used by recent Linux versions? They don't. In fact, there is no SoC line out there that can use the latest kernels, or has open source kernel drivers that can be used with newer or unstable kernels.

      • by wierd_w ( 1375923 ) on Sunday December 05, 2021 @02:52AM (#62048665)

        This would fall under the "More recent/costly SoC needed for more recent kernel" case, no?

        It gets shot down by the beancounters during product design phase, which then cripples future update cycles.

        Ideally, the SoC makers would stop with the "NO! ITS OUR SECRET SAURCE!!!" bullshit, and just release the information on how they give the hardware definition files needed to properly configure and use the SoC with any arbitrary kernel--- and in so doing, honor the spirit of the open source software they are trying to work with, instead of trying to rule lawyer like a bad D&D player... but we both know that won't happen any time soon. (If they did that, then the mainline kernel devs would likely allocate some resources for ensuring function on these older SoCs, which would be effort and man-power the SoC vendor does not have to pay for, AND we would still have recent kernel features possible on these older network appliances, but the idea that they need to lock the silicon down more securely than a nun's underwear seems to always prevail, and so we cannot have nice things.)

        I am well aware of this issue, which is why I lamplit it. Sorry if that was not completely clear.

        *shrug*

        • The biggest problem typically preventing upgrades is not enough RAM, followed by not enough flash. Or maybe I have that backwards, but that's been my experience.

        • Support "Right to Repair".

          And looking at you, Broadcom.

    • by Kazymyr ( 190114 )

      Depends on how you define "outdated Linux kernel". If that means "any kernel which is not the latest in the Linux git tree" then most if not all Linux distributions are culpable. Because unless they download, compile and distribute nightly the latest git kernel, all will be at least a few revisions behind.

      And no, I'm not advocating for the nightly compiles either, because in-house testing for compatibility, stability and security is a thing. My distribution is currently on 5.10.46 and that is fine with me.

  • Not were. Are. (Score:4, Insightful)

    by Opportunist ( 166417 ) on Sunday December 05, 2021 @01:50AM (#62048607)

    Because how many of those that are in circulation now will get patched, realistically? Even if (and that's a big if) the manufacturer actually puts out a patch, how many consumer grade routers are administrated by people who give half a shit about them?

    To most consumers, the router is a box they put up once, exactly as the instruction manual says, and as soon as that manual is lost, which happens usually when the Christmas hangover passes, they don't even know how to reconfigure it anymore.

  • "... The researchers didn't publish many technical details about their findings, except for one case concerning the extraction of the encryption key for D-Link router firmware images. ... By analyzing the corresponding variables and functions, the researchers eventually extracted the AES key used for the firmware encryption. Using that key, a threat actor can send malicious firmware image updates to pass verification checks on the device, potentially planting malware on the router. Such problems can be solv
  • by Krishnoid ( 984597 ) on Sunday December 05, 2021 @02:22AM (#62048645) Journal
    If you load third-party firmware (Tomato, OpenWRT, DD-Wrt) on them, how do they fare? Sure would be a good argument for running more standard firmware than what the manufacturers load onto them.
    • Re: (Score:2, Informative)

      There is a strict hardware compatibility list for those software projects. You can't just grab a random router and install. If you're going to use those, you have to buy a specific router with the intention of installing. Oh, and Tomato is something like 10 years out of date. It's long dead. DD-WRT runs on ancient hardware.
    • These are relatively new routers, 802.11ax/Wifi6 usually, some with Broadcom SoC (with traditionally poor support in Openwrt). Didn't look into all of them but again at least with openwrt the support is between not at all to DECT/DSL modem not supported. The routing part that can be standardized the community has it nailed (actually there are many people running x86 machines with Openwrt or even the Raspberry Pi4 is a fantastic machine) but once you need very good/new Wifi or modems or DECT, outside the bea

    • by Chiny ( 839355 )
      My third-party maintained Asus-Merlin appears pretty good. An earlier poster wrote "I haven't seen a consumer device with even a 4.x era kernel." so let me see... uname -sr... Linux 4.1.27... Merlin also updates many of the open source packages as well, so many/most/all of them are up-to-date. Of course, anything might be happening with the closed source stuff.
  • by Anonymous Coward
    The more interesting question is, which router models are secure / which manufacturers provide timely security updates?

    And please do not reply with the empty set.

    • The honest answer?

      The DIY model. EG, those based on pfsense, or on a user-maintained linux installation, that gets mainline kernel updates for CVEs.

      https://www.pfsense.org/downlo... [pfsense.org]

      You know, the kind made out of your old, discarded motherboard, and some cheap NICs.

      Alternatively, a commercial class border router, that has a current support contract agreement.

      The "easily purchased" models you get online from the likes of NetGear and co., all suffer from the "SoC it is based on, only works using an outdated l

    • Sorry to disappoint but the answer is an empty list. There is not a single vendor for cheap home WiFi routers that does any of this unless forced to by articles such as this. And you can take this very article as proof of that, note that the researchers only chose one model from each vendor and that the vendors then only released new firmware for those specific models while all their other models are suffering from the very same vulnerabilities.

      The only ones that care seems to be the 3d party firmware dist

  • This is yet another slashvertisement for a bug finder, most little things help, but these findings are mostly unimportant.
  • I don't know if more regulation will result in a better state of affairs, but it's easy to imagine how it could.

    For instance, the EU could disallow sales of any product with internet capability without the source and method to build and upload the code to the device being safely stored in the hands of, for instance, the EU department of communication (or whatever it's called). Then when devices aren't tended to for an X period of time after a security bug becoming known, or a Y period in general, the info

    • I don't know if more regulation will result in a better state of affairs, but it's easy to imagine how it could.

      For instance, the EU could disallow sales of any product with internet capability without the source and method to build and upload the code to the device being safely stored in the hands of, for instance, the EU department of communication (or whatever it's called). Then when devices aren't tended to for an X period of time after a security bug becoming known, or a Y period in general, the information is made public. Depending on severity etcetera.

      Known critical security bugs in Android, no update within 1 month? Bootloader unlock becomes public, alongside custom ROM building info. Or, no more updates since more than 12 months? Same.

      Known minor security bug in a router, no update within 6 months? Data gets made public.

      Company goes bankrupt? Data gets published. Etcetera.

      Right. Put all the information needed to find and exploit bugs in a single location, making it a target for anyone who wants to attack as well as a treasure trove for state actors. What could go wrong there... "...safely stored in the hands of, for instance, the EU ..." is an oxymoron, just ask the Cybersecurity Atlas project, for instance.

      • Why would that information help exploiting the devices out in the field? It doesn't have to have the current ROM source code, it merely has to enable people to construct their own custom ROM and upload that to those devices that don't get fixed.
        • Why would that information help exploiting the devices out in the field? It doesn't have to have the current ROM source code, it merely has to enable people to construct their own custom ROM and upload that to those devices that don't get fixed.

          The OP suggested requiring the source code for devices, which would be open to analysis and exploitation; that's different from being able to roll your own ROM and upload it.

          • It would open it a tiny bit, most exploits are found without access to the source code.
            • It would open it a tiny bit, most exploits are found without access to the source code.

              Good point; but having the source available would make that a lot easier; plus the repository would be a tempting target not just for exploitation but to gain commercial advantage.

              • Not really. Finding an exploit is often far easier by just sending random data to ports and seeing what happens; reading millions of lines of code in the hope of finding something is extremely time consuming. This is why open source software is not hit worse than closed source software when it comes to exploits.
                • Not really. Finding an exploit is often far easier by just sending random data to ports and seeing what happens; reading millions of lines of code in the hope of finding something is extremely time consuming. This is why open source software is not hit worse than closed source software when it comes to exploits.

                  Perhaps, but I would not discount the ability of state actors to find the software source useful and have the talent and resources to exploit it. Having it all in one location would be a tempting target. Even beyond the exploitation it would have commercial value as well. Why develop if you can steal the source and build cheap knockoffs?

  • All my routers are untrusted, even with open / no-encryption WiFi. As it connects me just to ADSL/VDSL which also cannot be trusted so why does it matter? I run openvpn between those my machines I want trusted connection even besides ssh/https. openvpn is good anyway to get static IPv6 across connections + working single (not chained/multiple) NAT for IPv4.
    • why does it matter?

      Your router can be compromised and inducted as the newest member of a botnet. Also, it could then go on to be used to probe and attack everything connected to your network.

      If you think you are immune because you use a VPN then your complacency will be your undoing.

      • by short ( 66530 )
        > Your router can be compromised and inducted as the newest member of a botnet.

        That's true. Still I have never seen that despite I use many different flavors of WiFi routers some even 15 years old.

        > Also, it could then go on to be used to probe and attack everything connected to your network.

        The local unprotected network (when not in VPN) is untrusted so I do not care. The same probing can be done by anyone outside of my house who connects to my open WiFi.

        > If you think you are immune becau
      • I don't think the idea is that you become immune using the VPN. I think the idea is that you need to secure every device, not just the routers. And every connection. At that point, the WiFi network security becomes a nice-to-have, not critical to the security of your network.

  • I am only concerned about this if running Windows or an un-rooted smart phone. And even with Windows it may not be a huge concern.

    Why, with Linux and the BSDs, you can lock down your system to prevent break-ins. And for all desktop/laptop systems, if you are on the edges of the tinfoil crowd, you can get a VPN. Thus the cesspool that routers are, you should be protected.

  • openwrt or other opensource router software. Upgrade your router to open source code router. With proprietary you not only will not be able to fix found bugs, but you will not be able to detect deliberate backdoors! There have been cases where backdoors have been reported to companies and the result was that the company replaced the old backdoor with a new one which was hidden by even more smoke and mirrors! I believe that one of the 3I agencies is going around coercing proprietary router companies
  • That crap being the Broadcom reference firmware. With stupid bugs like not allowing you to use the same ports for multiple outbound rules, even if the IP ranges differ, having poor quality ALGs for ancient protocols on unusual port numbers and having stupid regional lockdowns on WiFi by default which prevents the use of channels which are legal for low-power indoor use.

    Sky routers (both the old Sagem ones and the newer ones), Netgear, Linksys and many others have the same bugs and the same outdated kerne
  • For sure the manufacturers updated the routers in the study. But who wants to take a bet that all their other products were ignored other than keeping the status quo. And I bet that in a year when things quiet down, they will go back to status quo. Except maybe for a small number of products they keep updated that are sold to Germany. And the number of IoT devices offered for sale in Germany decrease substantially because of the new law. Still a win for the Germans.

  • It's been very low effort for a very long time and was an old idea when I ran FREESCO off a CF card on my P133 to share dialup over my Jaton 56K modem.
