It's finally happened: Hackers are coming for home routers en masse Cybercrooks are increasingly targeting routers in consumers’ homes. Fortinet reports that attacks of this type have regularly figured as entries in its daily top 10 IPS (intrusion prevention system) detection list over the last three months since July. The security vendor reckons that home routers have become a favoured target …
Time to go and find out if your router is supported by one of the open source alternatives - DD-WRT, Open-WRT, Tomato, etc. You'll get better functionality and new features such as iPv6 support, better firewall functionality, multiple VLAN support, etc.
Obviously Joe Public isn't going to bother until they can't do something they want to as someone is stealing all their bandwidth / data allowance.
I've spent some time looking at third party firmwares and sadly I have to say they are not ready for prime time. Only a small number of models are fully supported "yes you can install OpenWRT on your Blah+ router, 0h by the way, the modem won't work" etc. Even on 'fully supported' models the install process can be extremely difficult (for instance the BT Homehub 2 version b. I bricked mine). It's time for a better way. Someone like Canonical or iXsystems need to put out an open-source hardware platform with a default open source firmware. Until then your best route is to look for a pre-installed system. Ebay has a few, but Ebay...
@Caps
You mean like the ones already provided by say Asus or Netgear - picking two names from the hat. Some (smarter) vendors have realised that there is market share out there for professional consumer grade routers, however the prices can be a lot higher - up to £400 for top end ones with high spec components multiple AC grade wireless module, good spec multi-core CPU's, plenty of FLASH and RAM etc, but plenty of middle-of-the-road routers with reasonable prices are also available say around the £150-£200 mark. Some vendors such as Buffalo even provide pre-installed dd-wrt routers
The install process is only difficult on some models as the vendors have deliberately made it hard to install anything except their own firmware. Part of this is to stop 3rd party firmware and part of it is to prevent users uploading non-firmware images and bricking their devices (ie a .zip rather than a .bin)
Hardware support is limited in some products as the vendors will not release or cannot release due to licencing terms the full details of their devices / components within them.
All the open source alternatives include images to break out of the OEM firmware, but you might have to do two re-flashes, one to break out and one to install the full feature set firmware, it all depends on the amount of resources in the router you are upgrading since many home grade devices are skinned down to absolute minimum FLASH, RAM and CPU spec.
De-bricking, at least on broadcom based platforms is easy since the CFE is protected and this can be used to de-brick, either using a vendor supplied tool, or if you know to look for the ttl=100 in the pings to the routers default IP address during boo that shows the CFE is active, you can then initiate a tftp with the correct firmware to get the device back up. Debrick processes are often detailed for each model, some are more involved than others, again it depends on what the OEM did to save a few $ during manufacture, some even remove the JTAG resistors, but even that can be overcome.
None of this is difficult, but it does require a basic set of background research and knowledge on what you are doing, but I assume that's not an issue for the majority of the readers here !
"None of this is difficult, but it does require a basic set of background research and knowledge on what you are doing, but I assume that's not an issue for the majority of the readers here !"
But what about the average Joe out there who expects a turnkey solution?
>But what about the average Joe out there who expects a turnkey solution?
Three buttons:
1. factory reset to ROM
2. My periodic automated checks of the vendors website indicate an update firmware is available for installation. Press to update. (Has flashing status lights, maybe an annoying beep, maybe a QR code for a "more information" website).
3. TFTP boot from a configured IP (default: 192.168...) for experts
Actually, I like the idea of smartphone-router links. It could provide a separate verification channel in case the router is compromised. It also provides more sophisticated systems which would cost too much to put on the router - camera, screen, alternative external connectivity.
(default: 192.168...) for experts - is probably the safest way to go now. Surprised nobody has covered this before although its been on going for a year now. Already have screenshots of hackers on the router - be very scared especially of you are a developer or have an online business, or work in ecommerce.
... most unusual and welcome. Have an upvote. BTW after my Homehub debacle (that's five pounds wasted) I went the ADSL modem (Daytek Vigor, 10UKP off Tatbay - protip install a fan to prevent the power supply burning out) and pFsense, on an old Atom box, route. Most satisfactory and informative.
Hey, question - ASUS sold the same router I bought with a DD-WRT firmware, but charged a lot more than with their own firmware.
Since DD-WRT is based on Linux, wouldn't the GPL mean that ASUS has to make their official ASUS-supported firmware for that model available? Without having to putz around on the DD-WRT website.
Yes, and as I understand Asus does comply with GPL. GPL doesn't say it needs to be easy to find...
For Asus there is also the Merlin versus of AsusWRT which has fixes asnd improvements over stock Asus firmware. No more difficult to install than normal firmware update via the web interface.
Agreed. I set up DD-WRT on an RT-AC68U. The firmware, which I found somewhere on the site, is DD-WRT v3.0-r284xxM std (Dec 2015). The router database, which I would expect to show the latest and greatest, points me to build 23940, dated 2014-04-22. So... 2.5 years old and older than the firmware I somehow found on the same site.
My firmware is IIRC, the Brainslayer Build or somesuch. There are other builds, more linked to the nickname of the person responsible (Kong for example) than to anything clearly relevant to my router.
Combining much ado about "not bricking your router" and "recovery procedures in case you brick your router" with rather unclear guidance about what files exactly applies to your router, means, IMHO, that DD-WRT is not for the network noob.
Open-WRT... does not apply to my hardware.
Now, many of you will know your way around this and that's fine. Just don't expect Joe Schmoe to be thrilled. IMHO, at the least, you need to be diligent, patient and own a backup router just so you can go online to figure out how to recover from glitches.
Add to a now very stale firmware that my one killer bit of supposed functionality, per-MAC parental URL lockouts*, does not work with https** and the whole thing, while interesting and certainly very well designed, delivered a lot less capability than I was expecting.
How about having the routers initialize to factory defaults, with factory passwords, on first bootup? But then force the user to change the password before actually connecting to the internet? In case the user forgets his password or somesuch, just tell them to factory reset via direct physical access and go back to the change password step.
P.S. Great article - this crap needs to be taken more seriously.
* I was trying to lockout my daughter from wasting her time on Facebook, with her agreement.
** I really don't understand why the router could not just block DNS lookups for certain domains for the restricted MACs, rather than only providing a service to block URLs which needs those requested URLs be in cleartext for it to work. Very 1999, with our new found drive to always encrypt everything.
Obviously Joe Public isn't going to bother until they can't do something they want to as someone is stealing all their bandwidth / data allowance.
Before you can get Joe Public to bother, you're first going to have to get them to understand. To many a router is just a box they get from their ISP that gives them "the Internet", very much like the boxes on their outer wall give them gas and electricity. "I'm connected, why should I have to worry about it? That's TalkTalk/Virgin/etc's problem."
"Before you can get Joe Public to bother, you're first going to have to get them to understand."
Why? As a user of gas or electricity, I'm relying on my service provider to ensure that my connection to his distribution network is safe. Why should my ISP be different? The onus should be on ISPs to provide "safe" (i.e. properly secured) equipment. The ISPs have the budget to do this right, it is only a fraction of their operating costs as an ISP, but until the government makes them do it they won't spend the money.
Making ISPs liable for damage or loss caused by insecure hardware would be a start. ISPs would then have a choice, either provide secure kit or be at a market disadvantage to those that do.
There will always be a relatively small number of customers who want to use their own equipment, and in that case the liability will be with themselves or, if they can get it, with the hardware manufacturer.
Expecting "Joe Public" to secure his router is like expecting him to ensure that his hosepipe is properly isolated from the drinking water.
Making ISPs liable for damage or loss caused by insecure hardware would be a start.
I totally agree. Now persuade Parliament to pass a law to that effect, and when you've managed that, work out how you could prove to a court of law's satisfaction what damage was caused and which ISP was responsible ("but it was a DDoS, what came from us was negligible"), given that it's in the ISP's interest not to provide any instrumentation that could prove their liability.
@Anonymous Blowhard - But if ISPs did that then you would get another section of the consumers - mostly the people on here I imagine (me among them) - complaining that they need to do X, Y, Z and the hardware is locked down and it is too restrictive, etc., etc.
@John Mangan
That's what I meant in the final(ish) paragraph; as long as the ISP is OK with you using your own equipment then you should be able to do as you want.
In which case the liability is with you and the manufacturer of the equipment you choose to use.
There may be some ISPs who then mandate the equipment you must use, but if that's a deal breaker you're free to choose another who's OK with third-parts gear.
The intention is that the "Average Joes", who make up 99% of the users on the Internet will be more secure, leaving only the 1% of techno-fetishists as the pool of candidates for botnets (hopefully most of these will be the ones who care about and have the ability to secure their own individual solutions).
Making ISPs liable for damage or loss caused by insecure hardware would be a start.
Devil's advocate and so on but... Wouldn't that be like making the local councils/roading contractors etc responsible for idiotic driving or people driving unsafe cars on the roads? Especially certain "home-taught" mechanics who drive a "perfectly safe, I know what I'm doing" death-trap?
Arthur the cat
I agree with all of that comment, except the last sentence overestimates how much the public understand of their box. Think more of that box that the phone wires plug in to.And to be fair, at a functional level, for a real non-techie that's exactly what it is.
I moved to my own custom router nearly 10 years
Ditto (pfSense on a mini-ITX board with 5 Intel ethernet interfaces, LAN, DMZ, WiFi and AV kit all on separate subnets[*]), but people like us are weird by normal standards. I doubt whether custom routers handle 0.1% of home connections, certainly not 1%.
[*] Paranoid, me? Yes.
Don't know about "custom router". Sounds like you're doing the hardware too. I'm sure that can have advantages, especially with the low power consumption computers like Raspberry Pi and such. However, lots of off-the-shelf routers support Linux. I've never had to run the proprietary software on my home routers, choosing instead to install Tomato immediately upon getting the device. My main router is currently an older Asus RT N-16. Has lots of memory for extra stuff too.
Separately, security software firm ESET warned today that in a test of more than 12,000 home routers, 15 per cent (a little under one in seven) use weak passwords, with “admin” left as the username in most cases
So this security by obscurity thing is now back in vogue then? I remember being told that it was pointless changing the administrator name on Windows it was the password that counted. Changing the name was only obscuring it.
Is this different now for routers?
But it is the wrong solution.
The correct solution is not to allow external access. Have a dedicated physical port (ethernet or probably more likely, USB) for admin. You might be allowed to enable other management access, but stick to that as the default.
But considering where these things could be installed (as in out of the way), there are many instances where external access is a PREREQUISITE because physical access may not be possible. But then, why is it that the device can't differentiate between the internal and external ports and simply not allow ANY remote access (at some hardware level) from the external port?
The correct solution is not to allow external access. Have a dedicated physical port (ethernet or probably more likely, USB) for admin.
Problem is a) most bog-standard (ie cheap and not even worth the price paid for them) home routers don't have this functionality. And b) many of them had things like undocumented telnet access with hard-coded "admin+admin" logins, so even if you knew the thing had telnet you probably couldn't do bugger all about it (unless you had one which let you forward specific ports including telnet to a specific IP on the network - not all would let you do that and some wouldn't let you do it with telnet.
And as expected, very few home users would actually know that there's an issue, and many of those who did wouldn't bother.
Icon.. What should be done to some of the coders involved in these devices, or at least their management. Or the factory they came out of, just to be sure...
@Joe Harrison
you should use AD for normal admin access and a static admin account whose password changes frequently for when AD is not available.
Make sure the AD account named "Administrator" is set to nologin & has no password. this stops people logging into that account if AD is available.
There are a few routers that have, by default, enabled "management" for world+dog on the internet-facing side of the router. Most, though, have that off by default. And if the router is vulnerable on the inside, then that means that the miscreant is also already on the inside of the network. Which means that all of the security precautions have been circumvented. At that point, does it matter that much that the router is still secure?
"Malicious traffic on a residential connection needs to be detected and filtered away by the ISP. The user needs to be warned and, if all else fails, disconnected"
until it's actually 'windows update' and it causes your win-10-nic machine to refuse to boot...
Or, worse, your streaming video from hulu stops playing. 'false hits' seem to be more common than REAL ones, like spam filters by Micro-shaft. They miss the spam, and round-file e-mails from Mom. And you can't "just shut it off"...
Yeah, 'just filter' the malicious content. if it were only THAT easy...
While not ideal, I've faced this situation in the past. The solution:
1. Find a "cable" router (one with an RJ45 ethernet port for it's Internet connection)
2. Plug it into the crappy ISP router
3. On the crappy ISP router's config, give your router a static IP
4. Configure your router as the DMZ on the crappy ISP router
5. Plug your devices into your router
You may need to change one of the routers networks, i.e. to 192.168.2.0/24 so they can route properly. This also has the bonus of providing a network to plug other crappy untrusted (IoT) devices into, away from your equipment.
My ISP would not give me logon credentials so using a 3rd party router is impossible.
My ISP doesn't seem to use log in credentials. My router is still configured with the default one that tele$cum uses (now AKA "Spark"). That said, maybe my ISP knew that people moving to them from telescum would have UN "xtrabb@xtra.co.nz" password XXXX (can't recall it off hand) and to make things easier just left it as is, access is determined by which phone line you're connected to. I could, if I could be bothered since the last factory reset, put in my actual details but the default ones work.
You might find it not so hard to get in. That or cultivate a friendship with someone on their technical staff. They could be desperate for decent people to talk to!
No shit? Coming after routers are they? Jesus Christ! People get paid for the most stupid shit! OF COURSE they're coming for the fucking routers because of all the juicy IoT shit stupid fucks allow in their house.
I mean motherfuck, this is a fucking progression thing. Dumb fucks. </rant>*
Nothing personal, John. I know you have a business to run. Maybe I shouldn't be here right now, been dealing with fucking idiot corporate types all fucking day.
I mean the owner, not a hacker. I am guessing that nearly all network terminating equipment is owned by an ISP, not the user. Surely the responsibility for securing this equipment, and the liability for not keeping it secure, is with the ISP. This could be very expensive if a large web retailer suffers a DDOS attack that can be blamed on insecure equipment belonging to another company.
Depends on the ISP, but as a general rule in the UK:
Cable: Virgin Media own the cable modem (which now includes the router). They fix it if it breaks and they upgrade/replace it when necessary due to network upgrades.(not aware of other domestic cable providers); Virgin has a "modem mode" which makes it the NTE if you want to use your own router and disable theirs.
ADSL: the "network termination" is the Master socket and the user owns the ADSL modem and router. Most ISPs will sell you a modem/router (or give it to you for free as part of your contract) but if it breaks it's your problem to replace it. If you use the one they send it's usually configured for the correct settings and they'll usually help configure the NTE settings of the modem part of common models, but ultimately the customer owns it.
in my village, there are still completely plain-text Wi-Fi packets flooding in from the less IT enabled citizens. That's not using my rotatable 30dBi antenna, just an Apple handheld
I haven't looked, [no I haven't,] just in case it is a tar-pit, but I'm sure it's just an completely open Wifi - at a guess, it won't even have a trivial attempt at MAC filtering, and it will be running ~1998 firmware, with 8 telco remote admin logins. . .probably all online somewhere like (http://www.pcwintech.com/default-router-modem-passwords2) or root/admin/administrator/telecom with password "service@mprs643"
or for the reasonably paranoid - check here (from 2011) http://pastebin.com/BMNZxKdp/trends
does that equal WEP access?
I retired my WRT54GL router a few years ago.
My ISP provides one, that's good enough.
I changed the admin name from "admin" and gave it a good password and disabled remote administration. What else can you do?
I suppose some guy could come "sniff" my Wi-Fi activity and deduce my login credentials. Sigh.
Except - jeesh, I never log into the thing. I just set it up one time and left it at that, "sorted". Am I wrong?
eBay "FoOL" buy em en-mass from China pre-loaded with DD-Wrt, just try to remember to change the password from Admin:Admin!
Who the hell buys Routers they can't unlock and firmware examine?
Cisco, Juniper?! Yeah, that proprietary noncense worked out so well for them!
Apple used to sell home routers in the Airport Extreme and Airport Express (and a router/NAS in Time Capsule) all of which were controlled using special software: Airport Utility. No webpages. You had to log in using APU, and the first login used the username and password written on the side of the box. APU would not let you get past the startup page until you changed the username and password. You could set the username and password to whatever you wanted to, even something stupid, Apple basically cared only that you changed the default so that they could not be held responsible if someone hacked your network, and could then configure the thing to you heart's content. Encryption, WEP (they warned you that this might not be a good idea) or WPA or WPA2; you could set up WPA2-Enterprise if you had an appropriate athent server hanging around. The device could NAT or be set in bridge mode, newer ones do IPv6, wireless AC, 1000baseT, etc. The main problem (for me, anyway) was the truly impressive price. Some here might have a problem with the definitely non-open-source software and the way that no, you can't flash the firmware over and put an open-source system onto it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
