On 24/07/18 10:35, Paul Sutton wrote:
My router is an Asus RT-AC68U; I have no idea what it is/isn't vulnerable to. What I do know is that when I get a yellow flashing icon on the status page there is a firmware update available, so my current firmware is about a week or so old. For actual network security I have changed the default IP, changed the default password, changed the WiFi ESSID and password now is ridiculously long, and set up MAC filtering so only devices I know about can connect to the network. Is the latter a pain in the bum when a family member has a new device? Well yes but as long as I know their MAC address no drama.

On 24/07/18 10:15, Simon Waters wrote:

The problem with routers is market failure. It’s almost impossible to buy a broadband router which has decent security stance or updates, it is just it hasn’t been exploited much. The recent example would be the “VPNFilter” malware. This is malware that runs on a broad selection of SoHo routers that use Busybox on Linux as their OS. The innocuous name is one chosen by the authors, don’t be fooled this is almost certainly written by actors working for Russian Intelligence and is being used against the Ukraine. It can be used to target specific traffic, or to DDoS websites, or to brick vulnerable routers (I suspect bricking is there as a feature mostly to hide their tracks, why destroy your own bots). But it is just a symptom of a bigger problem.

These aren’t deep hacks that only an intelligence agency could find, indeed some are patched already if you upgraded... But the manufacturers aren’t fixing issues generally. My TP-Link router was vulnerable to XSS via DHCP as per my post in Full Disclosure 2014(?). They’ve sent me a beta copy with a fudged fix for the issue, they’ve not yet released it for other TP-Link users. As far as I know they haven’t fixed the other issues I reported. But the other Security folk tell me their routers and manufacturers aren’t any better.

I think some of the ISP managed routers are a bit better, but only because security folk tested them independently and BT and Virgin have buying power. And BT has abused their access to people’s routers, so not sure I’d recommend that route. As an end user there is little you can do. Sure keep it up to date, change the default password, avoid exposing the admin interface externally, will help. Changing the default IP address is probably a good idea for obscuring the vulnerabilities but we are stepping out of the typical end user’s comfort zone (heck we lost 90% of average users at login, let alone change password), and it’ll only stop those attackers after the low hanging fruit.

We take the practical approach at work, we assume the router is compromised and engineer our use of the Internet to avoid trusting it, but realistically that only gets you so far. If it is being used to attack others, or if it is being used to target other devices in your house like a Smart TV (something say with microphone, cameras, or maybe something you enter your credit card details on...), simply keeping our work kit clean doesn’t stop all the issues of interest. As a buyer you can take security and patching into consideration, but once you’ve bought it is hard to influence anything.

Thanks for this, makes things a little clearer and that there is also little I can do other than what I have done already. There is an article in one of the recent linux magazines saying the biggest problem with things isn't that these problems are not being fixed, but people are not patching their systems, which confirms what you have said. With the rise of pi jams, tech jams, CoderDojos etc is there a way we can help the next generation? I think even just having this conversation helps.

Paul
I'm under no illusion that this setup is bullet-proof, but to continue that analogy I'm hopeful any attacker would need closer to a .44 Magnum than a pellet gun. As usual it's the old thing about being chased by a bear, and running faster than the person next to you.
Of course the bits I mentioned are designed to stop access to my network not router vulnerability which I know is what you're all discussing. Incidentally I am on Virginmedia and have a first generation Superhub [SH] which I run in Modem Only mode and use it as the gateway for my Asus.
Random question about VM SHs just on the off-chance someone here has a thought. Several months ago my connection was behaving like a tortoise crawling through wet concrete, with an average speed - across seven broadband speed sites - of about 60Mb/sec. I am on a 152Mb/sec cable connection so that was obviously wrong. Their website claimed there was no problem - as usual - but tested my connection, and said to turn everything off and back on in ten minutes while their checks continued.
When I powered everything back up the connection had not improved, in fact it was stone dead. The Asus reported that my ISP's DNS service was not running properly, and I had /no Internet connection at all/, so I rang TS, told them to fix what their automated system had broken, and my connection came back.
This is the weird part - which VM were totally unable to explain bar blatantly false comments. Prior to this foul-up at their end, my Asus reported the WAN IP address as you would expect, the external IP assigned to my connection, fed to it by the SH. However, ever since it has reported the WAN IP as 192.168.0.3 which is obviously wrong. I have queried this with VM TS and was told 'That's because it's a dynamic IP address' - the aforementioned blatantly false comments - so I replied 'Yeah OK' and hung up knowing I was talking to somebody who didn't have a clue what they were doing.
My first thought was that the SH had defaulted to full Router Mode, but that seems not to be the case. At the same time they have stuffed up my password to access it, as neither their default password, nor the one I set up for it, work any more, but the IP address for Modem Only mode works so I assume it is in that mode.
Any thoughts on this? Obviously the Internet connection works, but there is obviously something wrong somewhere.
Kind regards, Julian

--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
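An added example, not from anyone in this thread: a small Python check for the symptom Julian describes, where the Asus reports 192.168.0.3 as its WAN address. It classifies the address the router shows on its status page (and, optionally, the public address seen from outside, which is an assumption about how you would obtain it) to tell a private upstream lease (the modem is still routing, so you are double-NATed) apart from carrier-grade NAT, a missing lease, or a genuine public address. The 8.8.8.8 and 100.64.x.x values are constructed samples.

```python
import ipaddress

# Shared address space ISPs use for carrier-grade NAT (RFC 6598). Python's
# is_private does not cover it, so it is checked explicitly and first.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Plain-language reading of each result, from the home-network owner's side.
ADVICE = {
    "double-nat": "WAN address is RFC 1918: the device upstream is still routing "
                  "and NATing (e.g. a SuperHub back in Router mode), so this "
                  "router is double-NATed behind it.",
    "cgnat": "WAN address is in 100.64/10: ISP carrier-grade NAT, not a local fault.",
    "no-lease": "WAN address is link-local or unspecified: no DHCP lease upstream.",
    "mismatch": "WAN address is public but differs from the address seen outside.",
    "direct": "WAN address is public and matches the outside view: modem is bridging.",
}


def classify_wan(router_wan_ip, external_ip=None):
    """Classify what the router's reported WAN address implies about the modem.

    router_wan_ip: address shown as 'WAN IP' on the router status page.
    external_ip:   optional public address observed from outside (assumed to
                   come from a 'what is my IP' style lookup); confirms 'direct'.
    Returns one of: 'cgnat', 'no-lease', 'double-nat', 'mismatch', 'direct'.
    """
    wan = ipaddress.ip_address(router_wan_ip)
    if wan in CGNAT:                       # 100.64/10 is neither private nor global
        return "cgnat"
    if wan.is_link_local or wan.is_unspecified:
        return "no-lease"                  # 169.254.x.x or 0.0.0.0, tested before RFC 1918
    if wan.is_private:
        return "double-nat"
    if external_ip is not None and ipaddress.ip_address(external_ip) != wan:
        return "mismatch"
    return "direct"


def explain(router_wan_ip, external_ip=None):
    """Return (label, advice) for a status-page WAN value."""
    label = classify_wan(router_wan_ip, external_ip)
    return label, ADVICE[label]


if __name__ == "__main__":
    # Constructed samples: the value from the thread, a public resolver address
    # standing in for a real public lease, and a CGNAT address.
    for wan, ext in [("192.168.0.3", None), ("8.8.8.8", "8.8.8.8"), ("100.64.12.7", None)]:
        print(wan, "->", explain(wan, ext))
```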