Sigh...
I have one of these. So not only is it a cr@p router, but it's also insecure. Time to move on, methinks... in the meantime, it only gets turned on when in use. Fortunately I am a light user on the domestic front.
BrightBox routers supplied by UK telco EE as standard kit to its broadband and fibre customers are riddled with security shortcomings that make the devices hackable, a UK security researcher warns. Scott Helme warns that security vulnerabilities expose WPA encryption keys, passwords and ISP user credentials. Hackers might also …
"We treat all security matters seriously (no personal data will be compromised by the device itself), we would like to reassure customers that we are working on a service update which we plan to issue shortly, and which will remotely and automatically update customers’ Brightboxes with enhanced security protection."
So... your WPA key and login details for your broadband don't constitute personal data? It would feel pretty personal to me if someone used it as a stepping stone to owning my home network. This is the kind of crap that demonstrates just the kind of nightmare the 'Internet of things' will become. If they cut these sorts of corners for routers, who knows what they'll do with domestic appliance firmware.
Nope, not personal at all. Held jointly by you and your ISP. Or I'd bet that's how they'd argue it. And not quite in public view. If I'm reading this correctly, someone up to no good needs physical, or at least guest wi-fi, access, which puts this in the class of trusting your neighbour not to take a soap impression of your keys while you're on the bog.
And that's as far as it goes. Without special effort on your part, your privacy in the modern world is pretty much entirely dependent on the size of your profile and the amount of interest you attract.
I just discovered my (not by my choice mind you) ISP stores passwords using reversible encryption. And worse their lost password procedure is to send it to you plaintext in an SMS message, in my case to a phone number I'd just given the tech not two minutes earlier.
And that my friend is an improvement. In my previous lost password conversation with them, the tech read my password out to me off their screen.
Better still, up until very recently all email logins were clear text only, and the last to be upgraded to encrypted logins were of course the primary logins for each account. Their argument was that it wasn't an issue because the connection from the modem to their server was secure. I asked what about remotely accessing email from another computer and the response was essentially, they provided what they contracted to provide - A HOME broadband internet connection, and they couldn't be held responsible for what I did with their credentials on a third party's network.
I suspect that the only router you can trust is your own Linux system. (And that's only a maybe).
Paranoid mode on. They used to come from China with an NSA-approved backdoor in the flash with the vendor's secretly compelled acquiescence, plus a Chinese government backdoor without such acquiescence. Now, in order to provide plausible deniability, they've degraded the firmware so that they can blame their activities on organised slime, or indeed on any old Tom, Dick or Harrietta with a router.
It also lets the manufacturers sell "enterprise" routers at 20x the profit margin, which come with the better-engineered backdoors.
Ten years and more ago that suggestion was a show stopper: too many discrete components required, too little under-utilised bandwidth to hide in. Today, not so much; the silicon real estate necessary for such a "feature" would represent only a small percentage of a monolithic device managing a dozen communication protocols over hundreds of I/O channels, directly connected to a "pipe" the size of the Mersey Tunnel.
Fortunately, such attacks on the underlying physical hardware must be done at the front end of the manufacturing process. The blueprints themselves have to be altered, and opportunities for being found out subsequently are myriad all the way through the manufacturing process and even the junk bin. Any lazy college student with electron microscope time on his hands might find it.
Now, when the next layer of abstraction plus encryption gets offloaded to the I/O chipset all bets are off.
However, it's all somewhat moot when we know that a spread spectrum digital radio transmitter can be hidden inside a USB connector. We should just thank our lucky stars that RJ-45 connectors are transparent. The size of my mouse dongle tells me there might well be room for a "listening" bug in even that ethernet connector waved about by the talking head last week.
You can only trust your own Linux-based router if you've personally downloaded the source code, checked it complies with the checksums, read it all, understood it all and compiled it yourself on your own machine, and even then you require the compiler to be trusted.
That the source code is available to all does not mean that it is free from errors or intentionally inserted exploits that have gone unnoticed. See the recent 20-odd-year-old privilege escalation exploit in X.11 and the Debian random number generator problem from last year (IIRC). On top of that you've actually got the NSA contributing to Linux.
Me? I'm rather less paranoid than that and just download CentOS with a "Meh, it'll probably be fine."
Telecom Italia, in the years 2000-2003, gave their BUSINESS users a router from "Telindus" that exposed its password in plain text to anyone that sent the right "request" to it. Both on LAN and on WAN. So hacking Telecom Italia business users was as simple as sending the right request packet (simple and identical for every router, no MAC address hash involved) to every Telecom Italia public IP address, and you could collect all of the routers' passwords in plain text. Then you telnet to the router and you are in.
I discovered this vulnerability while trying to access a router (locally) for a customer who lost the password. (http://archives.neohapsis.com/archives/bugtraq/2002-06/0028.html)
When I told Telecom Italia (and then Telindus) about it, they asked me if I was going after a ransom, if I was some sort of criminal. I just wanted to warn them. Anyway, 6 months later, they changed the firmware so that now you needed to apply an XOR to have the password in plain text.
Double Fail!
ISP supplied routers are a spectrum of "not bad for nowt" to "nuclear waste crap".
For every half decent ISP router (usually a netgear or D-link crippled with crap firmware) there's at least 10 technicolor/huawei/no-name crapboxen that don't even let you view their configuration settings, let alone adjust them.
I'm currently running a BT HomeHub 3. Now, before anyone whinges, it came free with my connection and surprisingly enough has been trouble free for the last 18 months, even dealing with port forwarding etc. The pain in the arse however is that it doesn't let you change the DNS server address on the router; you have to do it manually on each device.
http://www.astorianetworks.com/astoria/IMPRESSUM.html
Neighbour had one of these in a room next to my computer. Brightbox's main claim to fame is strong wireless signal -- and it certainly interfered with our network.
At least now, if a similar issue arises with one, I might be able to hack into it and change password then turn off wireless.
One is always wary of more regulation, but - since the average punter can't help themselves much on this - maybe ISPs should have a legal obligation to ensure their kit is secure. At the risk of annoying UKIP, this might be a job for Steely Neelly.
Oh - and the shotgun video was a brave move. I don't suppose NSA will get stressed, but will GCHQ report him to about 96 different agencies?
"Oh - and the shotgun video was a brave move. I don't suppose NSA will get stressed, but will GCHQ report him to about 96 different agencies?"
I think the shotgun stunt may turn off ordinary people, and it's those we have to get asking/phoning &c to move large companies. The shotgun thing lets mainstream media bracket the guy off as some nutjob.
The tramp: I recently got a haircut because I was beginning to look too like the icon. If I stick a suit on and carry my sandwiches in a briefcase, I could pass for a 'normal concerned citizen' now. Just about.
"Access to the ISP user credentials might be abused to hijack a target's broadband account."
So EE don't use any form of physical authentication to ensure you're connecting from the right line?
I thought that was why all BT HomeHubs used exactly the same username and password - BT don't care, they authenticate you physically. I'm not sure I'd trust any ISP that didn't.
Here in the magnificent USA, I get a Motorola SURFboard cable modem with one ethernet port on the back, and no firewall or other security whatsoever. It's an upgrade over the previous POS in that it has a web page with some troubleshooting info on it. I have to go buy my own router if I want one.
I have to bang rocks together for packets... School is uphill both ways... yadda, yadda, yadda.
40Mb, Awwww, I feel sorry for you now; we get 72/19 in our house, for less than £30 / $50USD per month. So I think I can put up with not using the crap router my ISP sent me!
I joke, but when you look at the state of internet access in America, we really can't complain too loudly!
I was quite interested in Sky's broadband as a secondary service to my main AAISP, but was put off because it seems they don't like you using your own router, and don't support bridged mode on their router. There are apparently ways around it, but it looked like a proper pain in the rear, so have given it a miss. I currently use a TP-Link router running OpenWRT bridging to a pfSense firewall. I trust community code more than a narrow team of developers with their employers interests at heart.
Oh look, I think someone's been doing embedded systems programming in JavaScript.
I'm guessing some fresh clueless graduate at some coding sweatshop in a 3rd s**thole.
What could possibly go wrong with that plan?
The only way this starts to get fixed is if people start switching ISPs as a result.
The only way this starts to get fixed is if people start switching ISPs as a result.
And then we learn ALL the ISPs are just as vulnerable in different ways, leading to a sadistic choice: bend over or stay off the Internet, which is becoming less of an option by the day?
"And then we learn ALL the ISPs are just as vulnerable in different ways, leading to a sadistic choice: bend over or stay off the Internet, which is becoming less of an option by the day?"
No.
That's round one.
Let's face it, the days of having the same ISP for life are over.
So if people start making the point that their privacy matters and that good privacy-protecting ISPs are rewarded (by new customers).
"Let's face it, the days of having the same ISP for life are over.
So if people start making the point that their privacy matters and that good privacy-protecting ISPs are rewarded (by new customers)."
Welcome to REALITY. Incumbents are ALWAYS against upstarts AND can use their experience to push off upstarts. ESPECIALLY in an industry like telecommunications where there is a naturally high barrier of entry: you can't run an ISP without a telecommunications infrastructure.
Ask this: Why are there so many ISP monopolies in place? Because the ISPs were unwilling to put down for the infrastructure without a captive market with which to recoup the investment. For many communities, it was an "evil vs. eviler" choice: a market of ONE or a market of NONE.