[Novalug] All tested SOHO routers seriously insecure -- Linux Pro Magazine, April

Derek LaHousse dlahouss@mtu.edu
Wed Apr 16 22:43:39 EDT 2014


I personally use OpenWRT Barrier Breaker (trunk) for my home router,
with custom IPTables and IPSet rules for firewall.  I keep the overlay
files in a separate tree, and include them when I build the whole set.
I upgrade the whole block about every two months, and with my SSH key on
the router, it's relatively painless.  Did it remotely for Heartbleed;
the wife only barely noticed the internet blip as it rebooted.

I like the Netgear WNDR3700v2, though it's getting old.  I think the v4
is supported by OpenWRT, but do not get the v3.  Other people may
suggest similar.  Does anyone know of an 802.11ac router with OpenWRT
support?  I seem to think even the Atheros chips with ac were
problematic.

Derek

On Tue, 2014-04-15 at 22:22 -0400, Jameson Burt wrote:
> [see Linux Pro Magazine quotes further below]
> 
> For router security, Novalug members previously suggested using DD-WRT or OpenWRT on wireless routers (most routers).
> I'm in the middle of doing this -- each upgrade is about as awkward as the initial install, 
> requiring a whole image be put onto the router 
> -- one doesn't ssh (secure shell) into the router and upgrade packages.
> That awkwardness is expected with an embedded box having no monitor or keyboard.
> So, one is unlikely to update with later DD-WRT version changes.
> 
> I am considering constructing my own "iptables" (becoming "nftables" in the latest kernel) for a firewall/router 
> on a mini-ITX computer constructed from parts at
>    http://mini-box.com  
>    Jetway JNC9NDL-2550 -- motherboard including Atom chip
> While small, a mini-ITX is much larger than a SOHO router.
> On the other hand, the mini-ITX lets me initially install with a monitor and keyboard,
> and later upgrade by ssh (secure shell) -- straightforward.
> 
> I welcome further suggestions.
> 
> EXTRACTS FROM THE ARTICLE FOLLOW:
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> I read this week in Linux Pro Magazine, April 2014 ($13.00 at Microcenter), pages 14-18, the article
>    SO HOpelessly Broken
>    by Jacob Holcomb, Baltimore with Independent Security Evaluators
> 
> Here are some of his comments,
>    "All routers we tested had serious security issues."
> 
>    "services with serious vulnerabilities (eg, ACSD, HTTPD) were found running and could not be deactivated"
> 
>    "the routers all provided a range of services that lack secure channels 
>    or authentication mechanisms, such as FTP, Telnet, and SMB."
> 
>    "manufacturers are prioritizing ease-of-use and obtaining the highest variety of features possible"
> 
>    "The majority of the routers were vulnerable to web-based attacks, 
>    such as cross-site scripting, cross-site request forgery, directory traversal, and command injection."
> 
>    "we obtained administrative shell or web portal access 
>    on all routers examined while in their hardened state"
>    "...we discovered buffer overflow, improper system permissions, 
>    service misconfigurations, insecure cryptographic storage, and web-based vulnerabilities"
> 
>    On the Asus RT-AC66U ($125 and gets PC Magazine award), 
>    "the Broadcom ACSD network service is used to scan for 
>    and select low-interference 802.11 channels ... 
>    (which listens on a port open to the local network) is susceptible to multiple remote, 
>    unauthenticated buffer overflow attacks" 
>    ... we used a technique known as Return-Oriented Programming (ROP) 
>    to exploit these buffer overflows.  ROP alters the programs' execution flow 
>    and redirects it to the attacker's injected code by assigning 
>    small instruction sequences of the program's existing code, known as ROP gadgets. 
>    We successfully leveraged ROP to exploit the buffer overflow vulnerabilities
>    in the Broadcom ACSD and the ASUS HTTPD network service."
>    ...
>    "we use gadget four to direct the program's execution to the $t9 register, 
>    which points to our custom shellcode that, when executed, 
>    starts an unauthenticated Telnet server by calling the system() function located in the standard C library"
> 
> ** "Developers should ... refrain from using unsafe functions 
>    (eg, strcpy, sprintf, memcpy, gets), and perform bounds checking 
>    before copying user input" 
>    [prescient of this week's Heartbeat problem that reached Washington Post's front page Tuesday]
> 
> 
> On Tue, Apr 01, 2014 at 10:52:14PM -0400, Jameson Burt wrote:
> > I'm looking for a router (with firewall) brand/model less likely to have vulnerabilities.
> > Suggestions?
> > 
> > (After 15 years reverse-telecommuting from work (federal work), 
> > with an ssh connection from office to home,
> > my employer decided that inappropriate, 
> > and my office Debian Linux computer's ethernet connection was halted [probably at some switch/router].
> > At the same time my home router went down -- hmm, I wonder who was mucking around.
> > Rebooting the router got it working again, 
> > but I suppose my router had some vulnerability my employer or those looking after my employer [some fed agency] attacked.)
> 
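The bounds-checking advice in the last quoted passage, shown in C as an added example that is not from the article, the magazine, or either poster. The request layout (one length byte, then a channel name, then a channel number) is a constructed stand-in and is not ACSD's real protocol; the unsafe handler is included only to show the pattern beside its fix and is never called on the oversize input.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request layout, constructed for this example:
 *   byte 0     : length of the channel name that follows
 *   bytes 1..N : channel name (no terminating NUL on the wire)
 *   byte N+1   : requested 802.11 channel number
 */
#define CHAN_NAME_MAX 16

struct channel_request {
    char    name[CHAN_NAME_MAX];
    uint8_t channel;
};

/* The pattern the article warns about: the length byte is attacker
 * controlled, yet it drives memcpy into a fixed 16-byte buffer. A length
 * byte of 40 writes 24 bytes past the end of name[], and the NUL store and
 * channel read that follow are out of bounds as well. Do not call this on
 * untrusted input; it is here only to show the bug beside its fix. */
void parse_request_unsafe(const uint8_t *msg, struct channel_request *out)
{
    uint8_t len = msg[0];
    memcpy(out->name, msg + 1, len);   /* len is never compared to sizeof out->name */
    out->name[len] = '\0';
    out->channel = msg[1 + len];
}

/* Hardened version: bounds-check before copying, and compare the claimed
 * length against the number of bytes actually received (the check the
 * Heartbleed heartbeat handler lacked). Returns false and leaves *out
 * untouched on any malformed input. */
bool parse_request_safe(const uint8_t *msg, size_t msg_len,
                        struct channel_request *out)
{
    if (msg == NULL || out == NULL || msg_len < 2)
        return false;                  /* need at least a length byte and a channel byte */
    size_t len = msg[0];
    if (len >= CHAN_NAME_MAX)
        return false;                  /* leave room for the terminating NUL */
    if (len + 2 > msg_len)
        return false;                  /* name plus channel must fit in what arrived */
    memcpy(out->name, msg + 1, len);
    out->name[len] = '\0';
    out->channel = msg[1 + len];
    return true;
}

/* Constructed sample request: 5-byte name "abcde", channel 36. */
static const uint8_t VALID_MSG[] = { 5, 'a', 'b', 'c', 'd', 'e', 36 };

/* 1 if the well-formed request parses to the expected fields, else 0. */
int demo_valid_accepted(void)
{
    struct channel_request req;
    if (!parse_request_safe(VALID_MSG, sizeof VALID_MSG, &req))
        return 0;
    return strcmp(req.name, "abcde") == 0 && req.channel == 36;
}

/* 1 if a request claiming a 40-byte name is rejected instead of overflowing name[16]. */
int demo_oversize_rejected(void)
{
    uint8_t msg[42];
    msg[0] = 40;
    memset(msg + 1, 'A', 40);
    msg[41] = 1;
    struct channel_request req;
    return parse_request_safe(msg, sizeof msg, &req) == false;
}

/* 1 if a request whose length byte claims more bytes than were received is rejected. */
int demo_truncated_rejected(void)
{
    const uint8_t msg[] = { 5, 'a', 'b' };   /* claims 5 name bytes, only 2 arrived */
    struct channel_request req;
    return parse_request_safe(msg, sizeof msg, &req) == false;
}

int main(void)
{
    struct channel_request req;
    if (parse_request_safe(VALID_MSG, sizeof VALID_MSG, &req))
        printf("accepted: name=%s channel=%u\n", req.name, req.channel);
    printf("oversize rejected:  %d\n", demo_oversize_rejected());
    printf("truncated rejected: %d\n", demo_truncated_rejected());
    return 0;
}
```

The two checks in the safe parser are the ones a reviewer should look for in any length-prefixed handler: the claimed length against the destination buffer, and the claimed length against the bytes actually received. The first stops the stack overflow the article exploited with ROP; the second stops the over-read that Heartbleed turned into a memory leak.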