FTA: "Last year, researchers at ISE found that a staggering 100% of SOHO routers they evaluated were vulnerable to remote attacks."
However, the linked study[1] shows that:
1. 2 of the routers did not have remote exploits
2. All but 2 of the other routers required authenticated access to exploit remotely
Authenticated attacks "require that the attacker have access to credentials (or that default router credentials are used—an all-too-common situation) or that a victim is logged in with an active session at the time of the attack."
While default passwords may be common, virtually all routers have remote admin turned off by default as well.
There are a lot of ways to access internal interfaces, by executing JavaScript on an internal computer, for example. An img src is enough for simple requests.
If the home router implements UPnP (many do), and if that implementation is insecure (all are), you can often pop holes from the outside.
And that's just the two ideas to try first... Don't expect a disabled remote admin to protect you from anything other than automated bots.
I really don't understand why they feel they need to develop their own full firmware rather than contribute to another project like OpenWRT or CeroWRT? Anyone involved care to tell us why?
Yea, that's surprising. Looking at their github repo it looks pretty hopeless to backport their improvements into LuCI/OpenWrt/CeroWrt.
To me it would make more sense to either a) help improve LuCI/OpenWrt/CeroWrt or b) educate consumers about which commercial Wi-Fi routers are good/bad from a security perspective. Their current approach seems to do neither.
Does anyone know the rough economics of router manufacturing? At what quantity could you get reasonable enough prices to sell it at an acceptable (to consumers) premium?
Build your own, only open hardware (if that's even feasible..soooo much closed stuff) and sell as EFF approved/privacy friendly whatever. EFF probably has enough brand recognition with the right folks to pull it off as a sponsor or something.
Seems like a couple of million kickstarter or similar project to me. Especially if they also serve the non-US market which is currently rather security/privacy concerned.
[unfortunately I know very little about hardware cost/closedness but last time I did a rough check it seemed like somewhat of a nightmare field to be in]
Edit: Heck YC could think about opening a spot specifically for a startup that improves privacy (i.e. open wifi router). After all they did enter the nonprofit market. Seems like a reasonable PR/goodwill move.
Router boards these days are a commodity, with all the available consumer access points using the same SoC and hardware on a different PCB with their own plastic case.
A single SoC often provides 1) MIPS processor, 2) Ethernet MAC, 3) Switch in ASIC, 4) WiFi MAC
You can buy off-the-shelf complete systems ready to be dropped in a plastic case, or even complete (and very commodity) systems: http://routerboard.com/
I'd love to see a RaspberryPi-style approach to home access points using the popular MIPS SoCs, with pfsense (https://pfsense.org/).
At least one of the attacks, the CSRF on the Asus RT-N56U, seems to need the IP address of the router. Does this mean that this attack is useless when the attacker doesn't know the IP of the router? Or is there a way to know it remotely? (I happen to have this router and the IP of the router is not the same, and I don't think that the default config has been changed as the admin interface has the default password.)
Also, an attack necessitating a user to be logged in to the admin interface probably has a very small chance of success. I don't know any "normal" person who would log into their router admin interface (unless maybe they are asked to via social engineering).
PS: but having an Open Wireless Router is a good idea anyway. We could imagine one having upgradeable hardware and just switch the mini PCIe card to have 802.11 ac instead of 802.11 n for instance.
Sure enough, that's a real problem when the attacker is on the local network, but what if the attacker is not on the local network? Because I think that this attack is supposed to work from an external network, or the Internet.
All an attacker needs to do is have an array of [192.168.0.1, 192.168.1.1, 192.168.2.1, ...] and attempt the CSRF against all of them. 5 different local IPs will probably cover 90% or more of consumer routers, since nearly all of them are on 192.168 RFC 1918 networks and will generally always be a .1 host.
If they were going after a small or large business, it'd be a different story. But even then there'd be a lot of opportunity for likely guesses.
If you just need their external IP address, you can probably easily coerce that out of them by getting them to click a link. Send an IM with a bit.ly link that logs an IP and forwards on to some random image, an email, a tweet, etc.
One thing I realized is that you can share several safe internet sites on a public SSID.
For example you could share Google and DuckDuckGo searches; you can also share Wikipedia. You can also share access to well known VPN services.
So you put in iptables rules for the guest SSID interface.
This is not a fully open net and all respect to those who build it, but I am a bit afraid what sites users might surf on, and as it is now, law enforcement assumes ip==user who did things.
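The guest-SSID allowlist described in that comment, written out as an added example (not the commenter's own rules): a script that emits iptables rules confining the guest interface to a set of destination networks and keeping guests off the router's admin UI. The interface name, router address and CIDRs are placeholders; the real address ranges of services like Google or Wikipedia change, so they have to be looked up and maintained.

```shell
#!/bin/sh
# Added example, not from the thread: emit iptables rules that confine a guest SSID
# to an allowlist of destination networks and keep it off the router admin UI.
# Interface name, router address and the CIDRs below are placeholders.

GUEST_IF="${GUEST_IF:-wlan1}"          # assumed name of the guest SSID interface
ROUTER_IP="${ROUTER_IP:-192.168.2.1}"  # assumed router address on the guest subnet
ALLOW_CIDRS="203.0.113.0/24 198.51.100.0/24"   # constructed placeholder allowlist
ALLOW_PORTS="tcp/80 tcp/443 udp/1194"          # web plus one example VPN port

# guest_rules IFACE ROUTER_IP "CIDR ..." "proto/port ..." -> prints the rule set.
# Review the output, then pipe it to sh on the router.
guest_rules() {
  iface="$1"; rtr="$2"; cidrs="$3"; ports="$4"
  cat <<EOF
# guests may only reach DHCP and DNS on the router itself, never its admin UI
iptables -A INPUT -i $iface -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $iface -d $rtr -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $iface -d $rtr -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $iface -j DROP
# separate chain so guest policy does not mix with the main FORWARD rules
iptables -N GUEST_FWD 2>/dev/null || iptables -F GUEST_FWD
iptables -A FORWARD -i $iface -j GUEST_FWD
iptables -A GUEST_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# no lateral movement from the guest SSID into the private LAN ranges
iptables -A GUEST_FWD -d 10.0.0.0/8 -j DROP
iptables -A GUEST_FWD -d 172.16.0.0/12 -j DROP
iptables -A GUEST_FWD -d 192.168.0.0/16 -j DROP
EOF
  # one ACCEPT per allowed network and port; everything else falls through
  for c in $cidrs; do
    for pp in $ports; do
      echo "iptables -A GUEST_FWD -d $c -p ${pp%/*} --dport ${pp#*/} -j ACCEPT"
    done
  done
  cat <<EOF
# everything else is logged (rate limited) and dropped
iptables -A GUEST_FWD -m limit --limit 5/min -j LOG --log-prefix "guest-drop: "
iptables -A GUEST_FWD -j DROP
EOF
}

guest_rules "$GUEST_IF" "$ROUTER_IP" "$ALLOW_CIDRS" "$ALLOW_PORTS"
```

The rules are appended, so an earlier catch-all ACCEPT for the interface would make them moot; on OpenWrt-based firmware the same policy belongs in the firewall configuration rather than raw iptables calls.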
[1] https://securityevaluators.com/knowledge/case_studies/router...