So vendors have been told about this and they've known for a few months but according to the advisory only one manufacturer seems to have done something about it.
'Millions' of routers open to absurdly outdated NetUSB hijack
SEC Consult Vulnerability Lab Stefan Viehböck says potentially millions of routers and internet of things devices using KCodes NetUSB could be exposed to remote hijacking or denial of service attacks. The packet fondler says the vulnerability (CVE-2015-3036) hits the Linux kernel module in scores of popular routers which …
COMMENTS
-
Wednesday 20th May 2015 08:45 GMT David Gosnell
Sounds about par for the course. I remember raising a query with the rebadger of an old router of ours regarding what they planned to do about patching a security flaw in Busybox (the psyb0t worm, back in 2009), and needless to say my message was deleted without reading. Sadly with so much badge-engineering going on like this, the accountability trail in both directions for actually getting anything fixed is ghastly - any complaints or bug reports haven't got a hope in hell of making it back to the manufacturers, and even if the manufacturers do issue patches, the chances of the rebadgers bothering to make them available to us is about nil.
-
Wednesday 20th May 2015 09:26 GMT Lee D
"NETGEAR told us, that there is no workaround available, the TCP port can't be firewalled nor is there a way to disable the service on their devices."
Well... that's just incredibly stupid.
That said, this is presumably only a local attack - on sensible routers - because you're not going to be exposing USB functionality to the raw Internet now, are you? Are you?
Well... that's just incredibly stupid too.
-
Wednesday 20th May 2015 15:28 GMT emmanuel goldstein
from SEC Consult Vulnerability Lab:
"While NetUSB was not accessible from the internet on the devices we own, there is some indication that a few devices expose TCP port 20005 to the internet. We don’t know if this is due to user misconfiguration or the default setting within a specific device. Exposing NetUSB to the internet enables attackers to get access to USB devices of potential victims and this would actually count as another vulnerability."
-
Wednesday 20th May 2015 10:59 GMT Richard42
So the attacker has to gain physical access to the router and plug a hacked USB device in to, I assume, gain root access to the router?
After which they can find out the wifi password with a bit of memory dumping?
To a router they're standing next to, that will very likely have free network ports, that they can plug into to gain access to the network they're trying to gain access to?
I know doing it this way will give them network access remotely once they've done it, but I'm sure there are other ways of doing the same that are a lot easier (plugging your own AP in that doesn't transmit its SSID?)
Just doesn't seem that realistic an attack to me, so the "Millions" in the article title is the usual headline grabbing drivel.
-
Wednesday 20th May 2015 11:17 GMT Androgynous Cupboard
Nope
By the looks of it, all they have to do is connect (remotely) to the service on port 2005 and send data that will smash the stack to do whatever - fork a shell listening on port X is the obvious one. Don't see any reason why anything has to be plugged into a USB socket to exploit this.
-
Wednesday 20th May 2015 13:13 GMT Dan 55
Re: Nope
Depends. First the router database on dd-wrt is absurdly out of date so if you want an up-to-date build you need to download one from the ftp site. If you want to do that you have to read the forums to see how a modern build did with your router because many builds have something wrong with them on certain routers.
Secondly the firewall may block testing of the WAN IP from inside the LAN. You may have to trust a third party (Steve Gibson probably).
-
Wednesday 20th May 2015 13:20 GMT Anonymous Coward
That's why I hate multifunctional devices...
... I by far prefer multiple devices each doing one function only (router, switch, file server, etc.), so I can select each one separately, but I understand such a setup is more expensive and complex to configure.
But cobbling together a lot of functions into a single device while squeezing costs will inevitably lead to a lot of low quality code written or borrowed here and there inside those devices. And each attack surface will probably compromise the other functions as well.
IMHO they should 'virtualize' or 'containerize' each function within the device so one vulnerability in one module won't affect the whole device, or at least will make it harder to compromise the whole device, and, if needed, you can wholly turn off one module.
-
Wednesday 20th May 2015 20:31 GMT Anonymous Coward
When will they learn that it is free and you are getting what you are paying for?
I shudder to think how much these router makers paid KCodes for their NetUSB module. Evidently too much for what it was worth.
Thankfully it isn't a part of the mainline Linux kernel, so none of my devices are infected with it.
-
Wednesday 20th May 2015 15:03 GMT Anonymous Coward
Are there any routers available to buy that run code written by anyone who has even the smallest clue?
Nowadays routers are easily the most buggy, flakey and unreliable part of all of our IT landscapes and they seem to be getting worse. Are all routers developed in cheap developer shops by people simply not paid enough to care? Any premium, well designed, reliable routers out there?
-
Wednesday 20th May 2015 17:03 GMT Mark Allen
Everyone wants "cheap"
Trouble is everyone wants "cheap" or "free" routers. I have clients who get upset if I tell them a router is over £100 so instead they end up with sub-£40 devices. Devices that attempt to be routers, modems, wireless AP, print servers, USB Backups, make the tea whilst juggling three balls in the air.
Not surprising these cheap bits of kit keep failing. Is there any profit in these silly devices? At this end of the market I can see why support is a PITA. If they have to chase a firmware update out of the manufacturer they must burn that profit away.
It is also noticeable that even among the trusted brand names the exact same router is sold at the bottom end just with a different logo in the corner of the control panels. I get a feeling some of these companies build their own expensive kit, but bring in cheaper stuff to fill in the holes at the bottom end of the market.
The only reason everyone is now noticing these security issues is because finally people are actually *looking* for the problems. These issues have always been there, but now we have companies who make money shouting about it.
-
Thursday 11th February 2016 07:28 GMT Kevin McMurtrie
Re: Everyone wants "cheap"
Cheap isn't the problem. Expensive "Small Business" networking gear is the worst possible mix of half-assed features, blatant flaws, and no hope for upgrades. The problem is that it's not easy to get a refund for severe software defects. They're usually treated as "dissatisfied customer" returns with a 14 day period. Require security vulnerabilities to be in the same category as manufacturing defects and then deadbeats like Netgear and whatever "Linksys" is will vanish overnight.
Nuke icon because I have, on multiple occasions, bought and returned every single router at an electronics store.
-
Friday 22nd May 2015 09:51 GMT Anonymous Coward
Even DrayTeks...
I have a client I visit whose VOIP system uses the cheapest Draytek router available. And that has been hit by the DNS compromise. Something is in that router and changed the DNS server over. By luck these people are only running VOIP over that router, but the idiot company who supplied it are refusing to do anything about it...
-
Wednesday 20th May 2015 18:32 GMT Badger Murphy
And feed MORE kit to these jackals?
...and that is why any viable IoT solution must NOT use an IP transport protocol. If manufacturers of home routers, the gate and gatekeeper of our home networks, can't be arsed to even pay lip service to network security, what do you think the chances are that manufacturers of, say, smart coffee makers will be any better? Soon, every piece of electronics in our whole homes can join in on the bot nets.
-
Wednesday 20th May 2015 20:33 GMT InfiniteApathy
Re: And feed MORE kit to these jackals?
IoT will use IP, that's already a given.
What would you suggest in its stead?
I prefer a well known protocol for this as it's easier to spot the nasties & squash em. Your comment leads me to think you're after security by obscurity though I won't put words in your mouth.
-
Thursday 21st May 2015 23:10 GMT YetAnotherLocksmith
Re: And feed MORE kit to these jackals?
What do you suggest? Anything you do will be tied to an IP gateway in about 15 minutes by someone, even if you don't allow it.
Even without, you'll end up with entire streets daisy chained together with BTLE devices paying data, or with ad hoc networks, or turning the lights on and off to get data transferred, or even, the weird virus idea brought to life, the devices communicating by ultrasound.
So once compromised, there will still be plenty of routes for stuff to hack other stuff. After all, you'll just Google the exploit for the bit of kit you are looking at, & it will tell you what comms paths it has.
-