Re: [LUG] Routers was Re: [OT maybe] CVE-2016-5195 vs Amazon FireOS 5.6.2.0

On 24/07/18 10:15, Simon Waters wrote:
> The problem with routers is market failure.
> 
> It’s almost impossible to buy a broadband router which has a decent security stance 
> or updates; it is just that it hasn’t been exploited much.
> 
> The recent example would be the “VPNFilter” malware. This is malware that runs on 
> a broad selection of SoHo routers that use Busybox on Linux as their OS.
> 
> The innocuous name is one chosen by the authors, don’t be fooled this is almost 
> certainly written by actors working for Russian Intelligence and is being used 
> against the Ukraine.
> 
> It can be used to target specific traffic, or to DDoS websites, or to brick 
> vulnerable routers (I suspect bricking is there as a feature mostly to hide their 
> tracks, why destroy your own bots).
> 
> But it is just a symptom of a bigger problem. These aren’t deep hacks that only an 
> intelligence agency could find, indeed some are patched already if you upgraded...
> 
> But the manufacturers aren’t fixing issues generally. My TP-Link router was 
> vulnerable to XSS via DHCP as per my post in Full Disclosure 2014(?). They’ve sent 
> me a beta copy with a fudged fix for the issue, they’ve not yet released it for 
> other TP-Link users. As far as I know they haven’t fixed the other issues I 
> reported.
> 
> But the other Security folk tell me their routers and manufacturers aren’t any 
> better. I think some of the ISP managed routers are a bit better, but only because 
> security folk tested them independently and BT and Virgin have buying power. And 
> BT has abused their access to people’s routers, so not sure I’d recommend that 
> route.
> 
> As an end user there is little you can do. Sure keep it up to date, change the 
> default password, avoid exposing the admin interface externally, will help.
> 
> Changing the default IP address is probably a good idea for obscuring the 
> vulnerabilities but we are stepping out of the typical end user’s comfort zone 
> (heck we lost 90% of average users at login, let alone change password), and it’ll 
> only stop those attackers after the low hanging fruit.
> 
> We take the practical approach at work, we assume the router is compromised and 
> engineer our use of the Internet to avoid trusting it, but realistically that only 
> gets you so far. If it is being used to attack others, or if it is being used to 
> target other devices in your house like a Smart TV (something say with microphone, 
> cameras, or maybe something you enter your credit card details on...), simply 
> keeping our work kit clean doesn’t stop all the issues of interest.
> 
> As a buyer you can take security and patching into consideration, but once you’ve 
> bought it is hard to influence anything.



Thanks for this, it makes things a little clearer, and that there is also
little I can do other than what I have done already.

There is an article in one of the recent Linux magazines saying the
biggest problem with things isn't that these problems are not being
fixed, but that people are not patching their systems, which confirms what
you have said.

With the rise of Pi Jams, Tech Jams, CoderDojos etc. is there a way we
can help the next generation? I think even just having this
conversation helps.

Paul

-- 
Paul Sutton
http://www.zleap.net
Friendi.ca :zleap@xxxxxxxxxxxxxxx

-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq