Your Router's Security Stinks

labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

Your Router's Security Stinks

#1 Post by labbe5 »

https://www.tomsguide.com/us/home-route ... 19245.html

Routers are the essential but unheralded workhorses of modern computer networking, yet few home users realize they are computers, with their own operating systems, software and vulnerabilities.

Most gateway routers used by home customers are profoundly not secure, and some routers are so vulnerable to attack that they should be thrown out.

"If a router is sold at [an electronics chain], you don't want to buy it," independent computer consultant Michael Horowitz said in a presentation. "If your router is given to you by your internet service provider [ISP], you don't want to use it either, because they give away millions of them, and that makes them a prime target both for spy agencies and bad guys."

Horowitz recommended that security-conscious consumers instead upgrade to commercial routers intended for small businesses, or at least separate their modems and routers into two separate devices. (Many "gateway" units, often supplied by ISPs, act as both.) Failing either of those options, Horowitz gave a list of precautions users could take.


If you are the tech-savvy individual in your house, do not fail to read this from start to finish to help your family stay secure online.

Further reading :
https://routersecurity.org/
https://www.ipaddress.com/articles/change-ip-address
https://www.vpnranks.com/how-to-protect-wi-fi-network/
Brute force and dictionary attacks
https://www.techrepublic.com/article/br ... eat-sheet/
Home Network Security
https://www.us-cert.gov/ncas/tips/ST15-002
Routersploit
https://linuxsecurityblog.com/2019/09/2 ... -container

Video tutorial (in French) :
Comment sécuriser votre "Box" (How to secure your "Box")
https://invidio.us/watch?v=J08AFSkqQnE
Last edited by labbe5 on Thu 26 Sep 2019, 19:39, edited 4 times in total.

labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

Germany proposes security guidelines for routers

#2 Post by labbe5 »

Online criminals have woken up to the power they can exert through hijacking large numbers of routers into botnets, launching devastating distributed denial-of-service (DDoS) attacks, stealing WiFi credentials, or changing DNS settings to make unwanted pop-up ads continually appear.

Time and time again users have been warned that their routers are vulnerable because of a software flaw, or because they shipped with weak default passwords.


Guidelines : https://www.bitdefender.com/box/blog/io ... y/#new_tab

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

Re: Germany proposes security guidelines for routers

#3 Post by s243a »

labbe5 wrote:Online criminals have woken up to the power they can exert through hijacking large numbers of routers into botnets, launching devastating distributed denial-of-service (DDoS) attacks, stealing WiFi credentials, or changing DNS settings to make unwanted pop-up ads continually appear.

Time and time again users have been warned that their routers are vulnerable because of a software flaw, or because they shipped with weak default passwords.


Guidelines : https://www.bitdefender.com/box/blog/io ... y/#new_tab
It sounds like they are blaming the user rather than the manufacturer for poor router security. This sounds odd to me.

nosystemdthanks
Posts: 703
Joined: Thu 03 May 2018, 16:13

Re: Germany proposes security guidelines for routers

#4 Post by nosystemdthanks »

s243a wrote: It sounds like they are blaming the user rather than the manufacturer for poor router security. This sounds odd to me.
i think when you start a dd-wrt router, it encourages you to change the default password. they should all do that.

blaming the user isnt the best route, the best route is better security. but they know this. im not saying every manufacturer cares-- i dont think cisco cares, or they wouldnt help the chinese government be monstrous. if they dont ship the way they do, im guessing they will lose business to people that do. and users are kind of to blame for that.

pointing this out isnt as good as good security by default, but it does encourage people to practice better security. default passwords are a common point of attack for routers. then again, they could have done those too with better security. but even that wouldnt be as good as people choosing good practices.

counterargument: if every router told you to change your password the first time you used it, many would have even weaker passwords. counter-counterargument-- unless they required password strength-- counter-counter-counterargument: which brings us back to the part about competing routers that would sell better. they already create security updates. but most people dont use them. you dont want automated firmware updates. windows 10 does that. keeping it secure by default = risk of bricking by default. automated firmware updates could also be hijacked for installing malware. its not a simple problem to solve. the beginning of security is good design, but even if its your primary goal, bad laws and irresponsible users are going to come into play at some point regardless of the design.
The freedom to NOT run the software, to be free to avoid vendor lock-in through appropriate modularization/encapsulation and minimized dependencies; meaning any free software can be replaced with a user’s preferred alternatives.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Re: Germany proposes security guidelines for routers

#5 Post by belham2 »

nosystemdthanks wrote:
s243a wrote: It sounds like they are blaming the user rather than the manufacturer for poor router security. This sounds odd to me.
i think when you start a dd-wrt router, it encourages you to change the default password. they should all do that.

blaming the user isnt the best route, the best route is better security. but they know this. im not saying every manufacturer cares-- i dont think cisco cares, or they wouldnt help the chinese government be monstrous. if they dont ship the way they do, im guessing they will lose business to people that do. and users are kind of to blame for that.

pointing this out isnt as good as good security by default, but it does encourage people to practice better security. default passwords are a common point of attack for routers. then again, they could have done those too with better security. but even that wouldnt be as good as people choosing good practices.

counterargument: if every router told you to change your password the first time you used it, many would have even weaker passwords. counter-counterargument-- unless they required password strength-- counter-counter-counterargument: which brings us back to the part about competing routers that would sell better. they already create security updates. but most people dont use them. you dont want automated firmware updates. windows 10 does that. keeping it secure by default = risk of bricking by default. automated firmware updates could also be hijacked for installing malware. its not a simple problem to solve. the beginning of security is good design, but even if its your primary goal, bad laws and irresponsible users are going to come into play at some point regardless of the design.

Irresponsible, lazy users not taking the extra 15 mins to set up a new, 12+ character---special and otherwise---length password for their router's login nor setting up a decent WPA2 password......vs........ irresponsible, lazy ISPs where they keep demanding backdoor administrative access to all their routers that they have put out to most of their customers, which is the Achilles heel of everything they do.

Until a better solution comes along, it pays to make yourself not irresponsible, not lazy, and also overcome your ISP by putting their unit in bridge-mode (which all current routers in the world allow, AFAIK) and setting up & using your own hardened router (commercial-level, dd-wrt, tomato and/or a combo of these, along with dedicated guest wifi networks, different subnets, and more).

Jmho....

nosystemdthanks
Posts: 703
Joined: Thu 03 May 2018, 16:13

Re: Germany proposes security guidelines for routers

#6 Post by nosystemdthanks »

belham2 wrote:vs........ irresponsible, lazy ISPs where they keep demanding backdoor administrative access to all their routers that they have put out to most of their customers, which is the Achilles heel of everything they do.
no disagreement there, none at all.
Until a better solution comes along, it pays to make yourself not irresponsible, not lazy, and also overcome your ISP by putting their unit in bridge-mode (which all current routers in the world allow, AFAIK) and setting up & using your own hardened router (commercial-level, dd-wrt, tomato and/or a combo of these, along with dedicated guest wifi networks, different subnets, and more).
beyond the capability of most users, but very good advice.

labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

Router Hardening Checklist

#7 Post by labbe5 »

A compromised router for example can be devastating to the whole security of the enterprise since it can be used to gain access to data, reconfigured to route traffic to other destinations, used to launch attacks to other networks, used to gain access to other internal resources etc. Therefore, hardening the network devices themselves is essential for enhancing the whole security of the enterprise.
Source : https://www.networkstraining.com/cisco- ... ion-guide/

labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

RouterCheck

#8 Post by labbe5 »

RouterCheck is the first consumer tool for protecting your home router, which is the gateway to your home network. Your home router is the computer in your home with the least protection, but the greatest vulnerability. If it is attacked, all the devices connected to your router are at risk. RouterCheck is like an anti-virus system for your router. It protects your router from hackers around the world, who have begun to target and attack routers.
https://www.routercheck.com/

What is RouterCheck :

RouterCheck is a system for ensuring the well-being of your router and home network. It’s offered as a smartphone app, but is far more than just a simple smartphone app. RouterCheck communicates with a powerful server that helps to check whether your router is vulnerable to any of the latest attacks that hackers are launching.
http://www.routercheck.com/what-is-routercheck/

Further reading :
This site actively determines the DNS servers that your computer uses by observing how your DNS requests are processed on the internet.
http://www.whatsmydnsserver.com/

Crooks are targeting DLink DSL modem routers in Brazil to redirect users to fake bank websites by carrying out DNS hijacking
https://securityaffairs.co/wordpress/75 ... razil.html

labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

Down With UPnP

#9 Post by labbe5 »

https://www.wired.com/story/upnp-router ... exploited/

Over the last decade, reports have increasingly detailed the flaws and vulnerabilities that can plague insecure implementations of a set of networking protocols called Universal Plug and Play. But where these possibilities were largely academic before, Akamai found evidence that attackers are actively exploiting these weaknesses not to attack the devices themselves, but as a jumping off point for all sorts of malicious behavior, which could include DDoS attacks, malware distribution, spamming/phishing/account takeovers, click fraud, and credit card theft.

To pull that off, hackers are using UPnP weaknesses in commercial routers and other devices to reroute their traffic over and over again until it's nearly impossible to trace. This creates elaborate "proxy" chains that cover an attacker's tracks, and create what Akamai calls "multi-purpose proxy botnets."
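
A defensive check for the abuse described in this post, added here as an example and not part of the original post or the linked article: it audits a router's UPnP port-forwarding table and flags any enabled mapping whose internal client is outside the LAN, since such a mapping makes the router relay traffic to another host, which is the proxy behaviour described above. It assumes the table was already fetched with the standard IGD `GetGenericPortMappingEntry` action; the SOAP responses, the LAN range and the function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample input: one SOAP response per port-mapping entry,
# shaped like a WANIPConnection GetGenericPortMappingEntry reply.
_TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse '
    'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
    '<NewProtocol>TCP</NewProtocol><NewInternalPort>{int_}</NewInternalPort>'
    '<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
)
SAMPLE_RESPONSES = [
    _TEMPLATE.format(ext=51413, int_=51413, client="192.168.1.23", desc="torrent"),
    _TEMPLATE.format(ext=8443, int_=443, client="203.0.113.10", desc="sync"),
    _TEMPLATE.format(ext=5353, int_=53, client="198.51.100.7", desc="sync"),
]


def parse_mapping(soap_xml):
    """Return the New* fields of one port-mapping response as a dict."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag.startswith("New"):
            fields[tag] = (el.text or "").strip()
    return fields


def audit_mappings(responses, lan_cidr):
    """Flag enabled mappings that forward to a host outside lan_cidr."""
    lan = ipaddress.ip_network(lan_cidr)
    findings = []
    for soap_xml in responses:
        m = parse_mapping(soap_xml)
        if m.get("NewEnabled") != "1":
            continue  # disabled entries forward nothing
        client = m.get("NewInternalClient", "")
        try:
            outside = ipaddress.ip_address(client) not in lan
        except ValueError:
            outside = True  # hostname or garbage: cannot be shown to be on the LAN
        if outside:
            findings.append((m.get("NewExternalPort"), client,
                             m.get("NewInternalPort")))
    return findings


if __name__ == "__main__":
    for ext, client, port in audit_mappings(SAMPLE_RESPONSES, "192.168.1.0/24"):
        print(f"WAN port {ext} forwards to non-LAN host {client}:{port}")
```
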

peterw
Posts: 430
Joined: Wed 19 Jul 2006, 12:12
Location: UK

Are all ISP provided modem routers insecure?

#10 Post by peterw »

Just to throw in an argument for ISP provided modem routers. ISPs have got a lot more responsible over the years and their equipment now has much better security. For example, for the last 3 and maybe 6 years the modem routers provided by the ISPs I know about, have come with individual random passwords already pre-installed so that if the user is too lazy or does not know how to change it then it will take a good while for any hacker to try all the random combinations they come with. And I have noticed that my ISP has updated the firmware without me requesting that.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

Re: Are all ISP provided modem routers insecure?

#11 Post by belham2 »

peterw wrote:Just to throw in an argument for ISP provided modem routers. ISPs have got a lot more responsible over the years and their equipment now has much better security. For example, for the last 3 and maybe 6 years the modem routers provided by the ISPs I know about, have come with individual random passwords already pre-installed so that if the user is too lazy or does not know how to change it then it will take a good while for any hacker to try all the random combinations they come with. And I have noticed that my ISP has updated the firmware without me requesting that.
There is one major--or "massive"---downside to ISPs having access to your router without you being able to turn it off. Hackers have turned their attention onto the ISPs themselves, and are attacking, constantly attacking, employees of the ISPs using social media tricks, email tricks, even cellphone messaging tricks.

Why?

All they need is one compromise, into the ISPs systems and back doors (thru an ISP employee)---JUST ONE----and then those hackers have access/control to literally however many thousands/millions of customers that ISP may have. If a person thinks this battle isn't currently happening and/or ongoing, then you also believe that Equifax & others have never been compromised. Ask yourself, which side do you think will win over the next few years? Honestly, it is not even close, as hackers, especially $$$-sponsored hackers, will find a way in with the way the "human" (Customer Service-Help Desks-Employee-Collabs) are set up at ISP providers worldwide.

It is a spooky thought, and something that ISPs haven't yet fully grasped. They still approach "remote-administration-of-their-routers" as a savings $$$ vehicle. Savings as in no technician ever needs to travel to the house.

Until ISPs flip their mindset and start approaching "remote-administration" as a first "SECURITY" aspect, and build their internal/back-end and customer-interaction-end systems as such, I will do my best to always use my own routers that forbid access to/by the ISP (and/or anyone) and also I, and I alone, will be responsible for updating & maintaining it.

I believe this "mindset flip" day will come, but not without some serious breaches first occurring in a few major ISPs with regards to this "remote-administration" where users cannot disable it and/or turn it off.

labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

WPA2

#12 Post by labbe5 »

This wireless security system might now be breached with relative ease by a malicious attack on a network. They suggest that it is now a matter of urgency that security experts and programmers work together to remove the vulnerabilities in WPA2 in order to bolster its security or to develop alternative protocols to keep our wireless networks safe from hackers and malware.

The convenience of wireless network connectivity of mobile communications devices, such as smart phones, tablet PCs and laptops, televisions, personal computers and other equipment, is offset by the inherent security vulnerability. The potential for a third party to eavesdrop on the broadcast signals between devices is ever present. By contrast a wired network is intrinsically more secure because it requires a physical connection to the system in order to intercept packets of data. For the sake of convenience, however, many people are prepared to compromise on security. Until now, the assumption was that the risk of an intruder breaching a wireless network secured by the WPA2 system was adequately protected. Tsitroulis and colleagues have now shown this not to be the case.
https://www.sciencedaily.com/releases/2 ... ceDaily%29

Further reading :
How to Fix Your Awful Wifi
https://gizmodo.com/how-to-fix-your-awf ... 1831780709

labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

Turris Omnia

#13 Post by labbe5 »

https://www.turris.cz/en/omnia/

Further reading :
Turris: secure open-source routers
https://lwn.net/Articles/782886/

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#14 Post by 8Geee »

I will opine this... there are some national/regional ISP's that provide a pswd to access the router for things like reconnect, Spec changes, new micro-code updates, etc.

The unfortunate aspect of this is that pswd is only good on that exact modem/router. The end user CANNOT change it, else the unit fails to connect. I know of several different CATV/Telco providers doing this, and I dare say, the pswds are shorter than one would wish. I find in a world that needs 16+ characters, 10 or less is almost negligent, 12 or less is not good. /MHO

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

D-Link home routers : security flaws

#15 Post by labbe5 »

https://supportannouncement.us.dlink.co ... e=SAP10124

Currently, D-Link has been informed that the following D-Link Branded Devices may be affected:

- DIR-655 Hardware Revision Cx Firmware 3.02b05 and below (older)

- DIR-866L Hardware Revision Ax Firmware 1.03b04 and below (older)

- DIR-1565 Hardware Revision Ax Firmware 1.01 and below (older)

- DIR-652 Hardware Revision Ax (non-US Product :: Please consult your regional support site)

These products have entered End of Service Life. There is no support or development for these devices. We recommend replacing the device with a new device that is actively supported. Using these devices is at your own risk, D-Link does not recommend further use.
