DEFCON Router Hacking Contest Reveals Major Vulnerabilities (eff.org)
138 points by Garbage on Oct 10, 2014 | 59 comments



The problem that Dan Geer pointed out at his NSA talk [1] isn't that they have some surface level vulns, it's that they are mostly all running linux from 5 years ago and rarely get security updates. Home routers are insecure by default. The problem is that even if your home router gets hacked and bricked, you go to BestBuy or Newegg to buy a new router and they are all running the same old broken OS by default - not including the questionable services and awful vendor-created software included (i.e. Asus cloud management software with 5x CVEs).

So he posed the question: What if all home routers get hacked and wiped in a mass attack against a country? People can't go out and buy new ones since they are just at risk and will probably just get hacked again. This puts a large amount of any country's technical infrastructure at risk.

The router manufacturers really need to step up here. And even technical users could benefit from more options on the market for secure routers, instead of just DIY OpenBSD boxes.

I'm curious if the gov will ever pressure these companies for better security, although they seem to prefer insecure-by-default.

[1] http://geer.tinho.net/geer.nsa.26iii14.txt


There are better options. There are custom firmwares available such as Tomato, OpenWRT, FreeWRT and DDWRT. These all have more dedicated developers issuing regular updates and are generally more secure, current and feature complete than the original firmwares. Many of these are open source and have active communities even. Problem is that these all require some technical knowledge to install. Some are pretty simple though and can be installed once by a semi-technical person then left alone. But that's not enough for mass adoption.

What we need is for more manufacturers to simply give up on developing router firmware and pay the devs on these quality projects to do the work for them. They've proven their dedication and can surely adapt to new hardware with relative ease. Some router manufacturers are already doing this. I know at least Buffalo was for some time.


I have three different routers running DD-WRT (I couldn't manage to find usable packages of the other three firmwares you mention). Of those, one is running kernel 3.2.12, one is running 2.6.34, and one is running 2.4.37. I know for a fact that the one running 3.2.12 (firmware build 2012) is never going to be updated, as newer builds are larger and do not fit in the router's flash. The others are in a similar situation, with their builds not having been updated since 2011 and 2010 respectively.

I appreciate what the DD-WRT people are doing, but I would hardly hold them up as the paragon of updated, secure firmwares.


I have this exact same problem. I used to run an Asus Router with DD-WRT and it was awesome.

However, the firmware version I needed never got updated again for whatever reason. Along with the barrier to contribute back to the DD-WRT project I moved on.

Are any other Firmware versions out there more actively maintained?


OpenWRT seems to be fairly well maintained but I haven't used it long enough to have run into devices being dropped. It doesn't have as wide a range of support to begin with either from what I understand. I've heard lots of good things about tomato that way also but it doesn't support the devices I have.


I think OpenWRT's hardware support is limited primarily by the availability of open-source drivers. They'll ship proprietary firmware where necessary, but proprietary drivers prevent them from updating the kernel at will.

One of my spare routers (came free with purchase of a cable modem) has only 4MB of flash storage, and recent builds of OpenWRT have had to strip out the web interface but in exchange gained IPv6 support. It's also got only a 350MHz MIPS 24k processor, so it's too slow for serious use with any connection faster than ADSL2. There's a lot of router hardware out there that's just not up to the task of being a home gateway anymore.


It's down to the binary drivers. They lock firmwares to a specific kernel.

Your only option is to backport fixes. I read in forums that devs aren't interested due to introducing bugs and citing lack of free time. I roll my own Tomato kernel but I've only included a couple backports.

x86 is really your best bet as an enthusiast. I'm waiting for Braswell hw, personally.


No need to compile your own kernel, or get a huge x86 board. You can use an Atheros-based TP-Link router with 100% free software, bootloader and firmware included. There's no reason you can't update this.

https://www.thinkpenguin.com/gnu-linux/free-software-wireles...


> Flash: 4 MB

There's your reason. Good luck getting a modern OS to fit in that. Twice that would still be crowded.

Also, it's 2.4GHz only. There's no justification for ever recommending a WiFi device that can't use the 5GHz band.


Ok, netboot your router off the network ... ;)


Now you've doubled your RAM requirements, because all but the newest consumer routers use NOR flash and can directly execute code from the flash without having to copy it to RAM first. If you have to start using RAM to hold code and static data in addition to transient stuff, you're going to need to bump up a size and that's going to ruin the profit margins on all the dirt-cheap low-end routers out there.


Karl Marx has a memo for you, prices are arbitrary and RAM is cheap.

http://www.mouser.com/Semiconductors/Integrated-Circuits-ICs...

$2.50 for a 128 MB, single chip, qty 2500.


Output from OpenWRT, on 4MB router

Linux gw 3.3.8 #1 Sat Mar 23 16:49:30 UTC 2013 mips GNU/Linux


Until DIY firmware projects start using safe languages, the nerds are only marginally more secure.


And even technical users could benefit from more options on the market for secure routers, instead of just DIY OpenBSD boxes.

This is a pretty active market already. It's called "Unified Threat Management" by the analyst firms. Keep your support up-to-date and they (ought to) take care of keeping the latest firmware on the device for you. Here are a bunch: http://mosaicsecurity.com/categories/68-unified-threat-manag...

NB: I used to work for one of those companies.


> So he posed the question: What if all home routers get hacked and wiped in a mass attack against a country? People can't go out and buy new ones since they are just at risk and will probably just get hacked again. This puts a large amount of any country's technical infrastructure at risk.

That's just plain old FUD, nothing new under the sun!

I realize this is not a very constructive comment, but the fact of the matter is that some people in the information security business like these types of extravagant displays of "this is the end of the world as we know it!"

Not many SOHO-routers have capabilities exposed to the outside world.

I mean, yes, it would be nice if the world was a safer place, but it's all about risk management, and risk is a factor of probability and cost, and the probability level here is very low.


> That's just plain old FUD, nothing new under the sun!

LOL. AVM, biggest german manufacturer of soho routers (Fritzbox) suffered from a RCE vulnerability; hackers pwned the boxes and made highly expensive premium calls.


There's no doubt that some particularly bad routers out there are vulnerable to RCE by default (usually because they have remote management enabled by default and have an authentication bypass issue or some other dumb flaw on the login page), but it's definitely FUD to speculate that someone can wipe "all the routers on the Internet".

Most routers are incredibly insecure, but a good portion of those vulnerabilities can only be triggered if you share a LAN with the router or have, and can widely deploy, an XSS/CSRF exploit.


Laugh all you want, what you are saying does not invalidate my point.

How big was the Fritzbox market share?


> home routers get hacked and wiped in a mass attack against a country

Who would want to do that, I wonder. I mean, it's not a one-click process, on that scale, diversity will be an important factor (FW and HW versions, manufacturers, OpenWRT and stuff).

It seems to me that this would require a lot of effort and the result will be questionable. What will be achieved by this?

I think if someone cares about security, they've already flashed DD-WRT by now and those who don't... well, router (in)security will not stop their systems from being overtaken.


> I think if someone cares about security, they've already flashed DD-WRT by now and those who don't... well, router (in)security will not stop their systems from being overtaken.

Nonsense.

a) People shouldn't have to flash their firmware to have an adequate level of security. If we're creating software we should hold at least some responsibility to provide basic security. Engineers in other fields take safety extremely seriously, why should software only provide it to a small percentage of people with technical knowledge?

b) Using up-to-date operating systems with update processes and security-conscious decision-making when packaging 3rd-party software is not a huge cost to these companies.

c) The goal of any security is to significantly increase costs and complexities of attacks. No solution will completely eliminate possibilities for attack but that doesn't negate need for security.


> Nonsense.

a) People shouldn't have to flash their firmware to have an adequate level of security. If we're creating software we should hold at least some responsibility to provide basic security. Engineers in other fields take safety extremely seriously, why should software only provide it to a small percentage of people with technical knowledge?

I think you are comparing fundamentally different threat levels.

Say you're designing a car. A cool, safe car in which passengers survive a head-on collision with a wall at 100km/h with 100% chance. That's a nice car, but it can't save you if someone shoots you in the head with a 9mm through the windshield, unfortunately. You want that kind of protection? You go and buy a special car with bulletproof glass and additional security measures.

Your router may save you against someone typing 192.168.0.1 in a browser and getting full rights without a password. But it won't (and probably can't) save you from someone with enough tech knowledge and determination by default.

> b) Using up-to-date operating systems with update processes and security-conscious decision-making when packaging 3rd-party software is not a huge cost to these companies.

Well they won't want to spend it. People will buy them anyway like they do now.


I think the difference here is that your hypothetical gunman taking potshots at passing cars/routers (i.e. random hackers) is a lot more of a clear and present danger in the post-Snowden world than real gunmen in the real world.

In other words, that armor glass should come standard, and there's no excuse for it not to.

Microsoft learned this lesson - you either design for security up front or you design for security after the fact, the hard way, breaking things as you go and annoying users.


I guess I see your point.


Here's another way to look at it: Should a router be at least as secure as a modern (evergreen) browser? Specifically, is it acceptable to have known trivial remote exploits going unpatched forever?


A foreign power. A crippling of non-military communications and the work economy would be very useful in some wartime scenarios.


Some people just want to watch the world burn. But you're right, it'd be an extremely difficult task on that kind of scale. It's like saying someone could just brick every PC in existence using some magical Windows 0-days.


yeah, they'd need something like a botnet spread out over multiple branches of the internet, to prevent backbone-level shutoffs of the attack, and a metasploit-like framework that could extend the attack vehicle as the number of known vulnerabilities grows leading up to the attack.

... I'm pretty sure the infrastructure exists for organized crime to do this, just going by what I've read in the news.


I would not be surprised if the various cyber-warfare teams for government players have contingency plans in place for doing exactly what you describe. Except they might have more strategic plans in mind than merely bricking the owned devices.

I wonder if there might already be sleeper code in place for this purpose?

Botnet zombies seem to be the most obvious use-case, though. Or create your own TOR-type network to obscure the origin of criminal activity.

With sufficient density of vulnerable devices, you could set up your own mesh network to send your nefarious packets through someone else's Internet gateway miles away.


Fortunately for us, the folks who would want to do that (hacktivists) lack the skills necessary to execute. The threat here would come in the form of an opposing nation-state, and from their perspective you're right -- there's not a lot of incentive to actually perform this attack.


>Who would want to do that, I wonder.

I think it'd be fun, so that's one reason a lot of people may share. And, it's not hard to see it as a good thing: By bricking these routers, you're bringing light to a serious issue, before it gets even more serious (more reliance on the Internet).


With their renewed public stance on privacy and security, do Apple AirPorts have any better track-record regarding router security, or do they suffer from the same types of flaws?


While I can't speak to many specific vulnerabilities, I do know that Apple issues software updates for their routers.

More importantly, they provide their own router management utility (Mac/Windows only), which everyone will have installed when they set up their router. It notifies you of new firmware releases and prompts you to install them. Yes, you could do something similar on an admin panel at 192.168.1.1, but nobody's ever going to check it. As much as I loved my WRT54GL and its various 3rd party firmwares, I think Apple's approach is better for general use.

Their most recent release was in April 2014, IIRC in response to Heartbleed. http://support.apple.com/kb/DL1708


just to add to what you're saying, they also have an iOS app to control their router, and you can update the firmware from that.


As an addendum to my own thoughts, this approach is better from Apple, but I don't have much faith in Belkin, Linksys, Netgear, etc. being able to pull it off.

Given all of the issues we've seen recently with their router firmware, the router "cloud" features, and the number of different models, I don't think they could do this successfully.

Netgear has (at current count) 97 wireless routers for sale on Newegg, including some duplication for refurbs. Whatever the exact number is, it's a lot more than 3.


Yes, it's a completely different business model. Retrofitting security into organizations that view software/firmware as disposable is probably so expensive that they will argue that it's impossible.


I'm not aware of any serious vulnerabilities for AirPort routers. They run a pretty clean version of NetBSD with very few services. However, there are some internal Apple services (presumably written in C) running on the router to facilitate configuration, AirPlay, Back to my Mac, Time Machine, and maybe others.

The minor things I know offhand:

- The old configuration protocol transmits your password (and everything else) in pretty much plain-text, which can be theoretically intercepted by someone connected to your network (and anyone listening when you set it up for the first time). I think the newest configuration protocol uses Secure Remote Password, but I don't know if anyone's audited their implementation.

- When new AirPort routers first come online, they broadcast a public open WiFi hotspot to allow wireless setup. This can be accessed by anyone within range. An attacker could make a device (say, a WiFi Pineapple) automatically connect to every AirPort it sees and configure it maliciously. Using only public information, you'd mostly be able to annoy the owner (maybe intercept some traffic by updating their DNS settings). I won't rule out someone dropping a rootkit on your router during the open configuration period, but the simplest method (a firmware update) at this point will cause the router to reboot so it's at least a bit conspicuous.

Also see this comment: https://news.ycombinator.com/item?id=8441500


What we need is a worm that uses the most common vulns to reflash these routers with a recent version of openwrt. Yeah, right ... :)


Sounds like a good idea until you realise that openwrt does not support a fair few routers, such as my classic WRT54GL. It requires more disk space than is available on it.


Apparently people were doing that with Shellshock by patching bash on vulnerable systems.


First of all, a Linux box from 10 years ago is no less or more secure than a Linux box from 2 days ago. I'm positive I could put a Linux 2.2 box on the Internet today and it'd never get hacked.

Second, your hypothetical mass attack would be easy to fix. Reinstall Windows on your malwared-up desktop, buy a new router, plug them both in, and update the router using approved vendor sites. There's no WAN hacks and the client machine wouldn't have any malware on it, so it could update safely.

The router manufacturers just need to disable all remote administration features and require a USB or CAT5 "admin port" to access setup functionality. Honestly, a bare-bones firewall with no features other than DHCP and NAT is all 99% of people use anyway.


I think the widespread insecurity of home routers will not improve anytime soon.

Background: I work at a company which makes a "home router". It's not one you will find at a big box store, but internally it's not much different.

Most of these routers are built from a MIPS SoC manufactured by Broadcom, Atheros, or Marvell. Since their business is selling chips, not routers, these SoC companies need to make it easy for your LanWan Company startup to choose to use their chipset.

So these SoC companies will give you a reference hardware design. They will also give you a completely functional software package with Linux kernel, drivers for all the peripherals (Wi-Fi, ethernet, etc.), all the necessary user space utilities, a complete GCC cross-compiler toolchain binary which runs on Ubuntu, and a bad web app. You can literally unzip this package, run 'make', and end up with a functional filesystem image ready to flash onto the reference board.

So LanWan startup can start manufacturing routers with only one or two software devs who know some C and a part-time hardware engineer. Manufacturing is contracted out to China.

The vendor-supplied C code is not written by expert programmers. It's obvious when you (try to) read the source. It's also a huge and messy pile of code.

Where I work we use the vendor-supplied kernel but we wrote all the user space ourselves. All this stuff is written in C. The software devs here have more than a few years of experience writing C, but are very uneducated about how to write secure code. They don't think about it. And management does not think about it. The only thing that matters to management is that the box passes the tests.

I've been around long enough to have figured out that things are like this in most places. Whether small companies or big companies doesn't matter.


I believe this is the premise behind EFF's open router project. Provide a higher quality base router distribution that can be used by anyone, including SoC and router manufacturers.


Every SoC has a different kernel, heavily patched, with drivers specific to the SoC. The SoC vendor has an army of paid programmers developing this software for every SoC they make.

These SoC vendors have to start working on a new kernel long before the chip is released, as they need working software by the time the chip goes to market (to offer the router makers). Broadcom's business depends on this. They will not simply hope some loose-knit group of volunteers will timely produce software which will help them sell their new chips.

And it's not realistic for the open router project to do this much work. It would require cooperation from the SoC vendors, providing free and early access to their kernel driver source and complete documentation for their chips. I don't see this happening.

At best the open router project could release software for hardware which is already a year or two old.

Sorry to be such a pessimist, but the incentives to make this work are just not there for the businesses involved.


Fortunately, most of the important security bugs tend to be in userspace.


Many years ago I went hunting for CSRF attacks in SOHO routers and found them in all of them. Most of them completely ignored me when I reported it, one accused me of accessing an internal dev-only version (when it was simply in the office of a friend of my boss). Checkpoint followed through like professionals.

(To be fair, I was working at a place selling all-in-one firewalls to SMB, so many of those boxes were our competitors.)
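The comment above, and the earlier point that many router bugs are only reachable by someone on the LAN or via a CSRF exploit, both hinge on the same weakness in a router's admin UI: the only thing the settings endpoint checks is a session cookie, which the victim's browser will attach to a cross-site POST just as readily as to a same-origin one. The following is an added example, written for this page and not taken from the thread or from any vendor's firmware. It models a toy "set DNS" endpoint in both the cookie-only style and a hardened style (POST-only, Origin/Referer check, per-session token), and replays a constructed legitimate request and a constructed cross-site request against each. The admin address 192.168.1.1, the `evil.example` origin and every request object are assumptions made for the demonstration.

```python
"""
Added example (not from the thread or any vendor firmware): a toy router
admin endpoint that changes the LAN's DNS server, first in the cookie-only
style the thread complains about, then with the checks that stop a
cross-site request.  All requests are constructed for the demo.
"""
import hmac
import secrets
from dataclasses import dataclass, field

ADMIN_ORIGIN = "http://192.168.1.1"   # assumed address of the admin UI


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict
    cookies: dict


@dataclass
class Router:
    """Holds the one piece of state an attacker would like to change."""
    dns_server: str = "192.168.1.1"
    # session id -> CSRF token, both minted at login
    sessions: dict = field(default_factory=dict)

    def login(self) -> tuple:
        sid = secrets.token_hex(16)
        token = secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token


def vulnerable_set_dns(router: Router, req: Request) -> str:
    """Cookie is the only check.  The browser sends it on a cross-site POST
    too, so a hidden auto-submitting <form> on any page the victim visits
    can repoint the whole LAN's DNS."""
    if req.cookies.get("sid") not in router.sessions:
        return "401 not logged in"
    router.dns_server = req.form["dns"]
    return "200 ok"


def hardened_set_dns(router: Router, req: Request) -> str:
    """Same endpoint with three cheap checks: a valid session, an Origin (or
    Referer) that belongs to the admin UI, and a per-session token the
    attacker cannot read because it only ever appears in same-origin pages."""
    sid = req.cookies.get("sid")
    if sid not in router.sessions:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state change must be a POST"   # kills <img src=...?dns=...>
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != ADMIN_ORIGIN and not origin.startswith(ADMIN_ORIGIN + "/"):
        return "403 cross-site origin"
    expected = router.sessions[sid]
    # constant-time compare so the token cannot be guessed byte by byte
    if not hmac.compare_digest(req.form.get("csrf", ""), expected):
        return "403 missing or wrong csrf token"
    router.dns_server = req.form["dns"]
    return "200 ok"


def demo() -> dict:
    """Replays one legitimate and one cross-site request against each handler
    and returns (legit response, dns after, evil response, dns after)."""
    results = {}
    handlers = (("vulnerable", vulnerable_set_dns), ("hardened", hardened_set_dns))
    for name, handler in handlers:
        router = Router()
        sid, token = router.login()
        # constructed: the owner submitting the real admin form
        legit = Request("POST", "/set_dns", {"Origin": ADMIN_ORIGIN},
                        {"dns": "9.9.9.9", "csrf": token}, {"sid": sid})
        # constructed: auto-submitted form on http://evil.example that the
        # victim opened in another tab while logged in to the router
        evil = Request("POST", "/set_dns", {"Origin": "http://evil.example"},
                       {"dns": "198.51.100.1"}, {"sid": sid})
        r1 = handler(router, legit)
        after_legit = router.dns_server
        r2 = handler(router, evil)
        results[name] = (r1, after_legit, r2, router.dns_server)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The Origin check alone is not enough on its own: older browsers omit Origin on some requests and Referer can be suppressed, which is why the per-session token is kept as a second, independent control. Note also that these checks protect only the form-based admin path; the thread's "share a LAN with the router" cases (default credentials, UPnP, debug services) are a separate surface that CSRF defences do nothing for.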


I own and am currently using an Actiontec Q1000 with a CenturyLink DSL connection.

I'm trying to work out just how exposed I am, and whether there's anything practical I can do about it.

Presumably I can: 1) buy a different device not currently known to be vulnerable 2) reflash with an alternate firmware 3) disable as many admin options as possible to reduce surface area 4) pray

Are there other alternatives for the luckless home router owner?


They gave the exploit a "1337 compromise" award, so it is almost as bad as it gets.

While you still have the Q1000, be sure that you have the remote interface disabled and use the NoScript browser plugin. Those two items will mitigate a lot of the risk.

I replaced my Actiontec Q1000 with a used Zyxel Q1000Z I got for $30. I haven't had time to assess the Q1000Z yet, but it does not have any known 0-day vulnerabilities.


Actually the parent should firewall off both sides of the router and turn off internal management, Samy has been p0wning routers from inside the network since 1989.


That is true. Those first two recommendations are good bang for your buck (for the newbies), I guess I forgot I have a technical audience here :-)

Now that I'm thinking about it transparent bridge mode might do the trick as well.


> Unfortunately, fixes have been slow to roll out. Because each of the bugs have been disclosed to the manufacturer directly, there may not be pressure to push an emergency patch, but manufacturers have a chance to address the issues.

Responsible disclosure for the win. It's a good thing nobody else is looking for vulnerabilities in these routers.


I demonstrated the Actiontec Q1000 exploit on Track 0. As a security professional I am very interested in responsible disclosure, and had already reported the vulnerability to Century Link 6+ months before Defcon (slight correction to the article, the ISP is not Verizon). I first read about the SOHOplessly broken contest on HN the week before Defcon and figured I'd apply since I already had a 0-day in my back pocket.

As the article says the manufacturer has acknowledged the vulnerability, but I have not heard from them for quite a while. I've begun to wonder how much time has to pass without a fix before it would be irresponsible of me not to fully disclose the vulnerability. Lately I've been thinking that full disclosure may be the only responsible way to disclose a vulnerability. But I am still conflicted.


I understand 3 months, or 6 at the outside, to be a fair deadline. Bugs not fixed after six months are never fixed.


Be aware that there is likely someone over there who thinks it's serious and worth fixing, but their manager won't let them fix it because their manager doesn't think it's an issue and would rather invest in features and make more money for the business.

If you release it, you force the manager to do the right thing, and the developer will then be officially allowed time to fix it.

Give them a deadline and drop it. Even ZDI does this now. Some companies will sit on reports for years, because no one cares.


Wonder why an Apple product wasn't on that target list. I'm sure it compromises a good sized population and likely valuable targets for compromise.


There's a much higher barrier to entry for security research on AirPort routers.

The only configuration method is over a custom binary protocol, so you can't just fuzz HTTP headers and input fields. The firmware downloads are encrypted, so there's no easy way to pull binaries from the device.

The only public way to do any analysis on the software requires soldering to the board.

The early models run VxWorks, the N models run NetBSD 4.3 on ARM (Express) and MIPS (Extreme), and the AC models (Extreme and Time Capsule, the weird tall ones) run a fork of NetBSD 6.0 on ARM. The AC versions actually contain a single-core binned ARM Cortex A9 from the iPhone 4S like you would find in the Apple TV.

That said, at least one group has root, firmware dumps, and is doing active research. Come hang out #theairportwiki on freenode if you're interested.


That feeling when the eff labels you as a newb.. :/


I am one of the authors of the blog post.

I think you are referring to the description of Track 1 and 2. Seems like you were one of the contestants. Sorry, we didn't mean to label anyone a newbie. It is just that Track 1 and 2 had goals of bringing in newbies. Of course many of the contestants were even experienced hackers. Indeed one of the winners of Track 1 was also the Track 0 winner.

I apologize if the phrasing in the blog post seemed like a put down of contestants' expertise in any of the Tracks.


There is nothing "responsible disclosure" about not reporting these to the people affected. Another example of why that term is terrible.



