Routers: The bad news and the good news

[Chicog]

I get various bits of news in my email each morning, and these two caught my eye, so I thought I'd share them.

The bad news

It should come as no surprise that a recent hacking competition unearthed no fewer than 15 zero-day vulnerabilities in residential and small business routers.

The Electronic Frontier Foundation and Independent Security Evaluation set up the SOHOpelessly Broken competition to demonstrate what a poor job internet router providers do of keeping their firmware up to date from a security perspective.

We're talking about big name router brands like Asus, Netgear, D-Link, Belkin and Linksys, whose kit can be prised open with little effort by any moderately skilled hacker.

Read more: http://www.itnews.com.au/BlogEntry/396745,router-rooting-shooting-fish-in-barrel.aspx#ixzz3G5w6hC9O

Interest that they should mention the iGuardian, since I got a progress update from them today, too.

The good news

Samsung preps 4.6Gbps millimetre-wave WiFi devices.

Wireless Gigabit Alliance member Samsung is readying multigigabit per second Wi-Fi devices, the company announced overnight, using millimetre-wave transmissions and advanced beam-forming technology.

Known as WiGig, the 802.11ad standard transmits in the unlicensed 60GHz frequency band for high performance up to 4.6 gigabits per second in Samsung's designs, while remaining backwards compatible with the previous 2.4GHz and 5GHz Wi-Fi standards.

Compared to today's 802.11ac which provides a maximum throughput of 867 megabits per second per stream under ideal conditions, 802.11ad devices can reach speeds as fast as 7 gigabit/s.

The high frequency used for WiGig results in path loss and poor wall and floor penetration of the signal, leading to shorter reach than existing Wi-Fi.

Samsung said it has solved these issues with millimetre-wave circuit design, improved transmission technology and a wide-coverage beam-shaping aerials. This, the company said, would make WiGig commercially viable in retail devices.

The Korean company said it plans to incorporate WiGig into a wide range of products that include audio-visual equipment, medical devices, and communications kit.

Several other companies such as Qualcomm and its subsidiary Wilocity are working on bringing out WiGig devices for high-speed short range connectivity of networked devices.

Intel is also throwing its hat into the WiGig ring. The US company demonstrated WiGig circuits last year and showed off a wireless docking system that Intel said can be used to replace cables between devices at its September 2014 developer forum in the United States.

Read more: http://www.itnews.com.au/News/396733,wigig-coming-to-samsung-devices.aspx#ixzz3G5vZDN6q

I like the last one. Could we at last be on the verge of Wireless everything (except the power cables of course!)?

[Chicog]

Added: The researcher in the article at top posts Six tips to make your router more secure from outside attack, and they all make perfect sense:

• Don’t enable remote management over the Internet: Embedded web servers are the source of many flaws. Your corporate security policy should mandate that routers used to con­nect to a corporate VPN have remote management features disabled. In situations where it is necessary to manage the router remotely, it is safer to employ NAT rules allowing SSH or VPN access to manage the router. Vulnerability and configuration scanning products and services can be used to determine if employees are connecting through routers with exposed management interfaces.

• Don’t use the default IP ranges. Predictable addresses make CSRF attacks easier. Rather than 192.168.1.1, consider 10.9.8.7 or something else which is not commonly used. This is a simple but effective technique for decreasing the likeli­hood of a successful CSRF attack.

• Don’t forget to log out after con­figuring the router: Several of the routers VERT examined will not automatically log out when not in use. This can result in a situation where the web browser used to configure the router remains authenticated, opening the door for CSRF attacks. Although some CSRF attacks can be successful without authentication, this simple step will thwart traditional CSRF attacks which rely upon that authenticated browser session.

• Turn on encryption and turn off WPS: It’s much easier for a router to be attacked if someone can connect to it. Turning on AES backed WPA2 protected with a strong (26+ character) pre-shared key is ideal. WPS is a service which makes it easier for authorized clients to connect but also makes it much easier for attackers to determine your wireless passphrase, regardless of its complexity or “strength”.

• Passwords matter: Default passwords are often the same for an entire product line or are generated from a common algorithm making a device easy prey for an attacker. It is imperative that you and other users change passwords rather than using defaults. Using default or weak passwords can make it possible for malicious applications, or even web pages, attack the router.

• Keep the router firmware up-to-date: Up-to-date firmware fixes known product issues, including security problems. Routinely logging into the router to check for firmware updates makes it more likely that users may notice unusual behavior that could indicate compromise.

http://www.tripwire.com/state-of-security/vulnerability-management/wireless-router-vulnerabilities-leave-enterprise-networks-vulnerable/

[dddave]

Consider a less anxiety inducing morning read:

http://www.sunnyskyz.com/

[Chicog]

Consider a less anxiety inducing morning read:

http://www.sunnyskyz.com/

Consider posting on topic, or just go back to wasting time on the Internet looking at picture of gnats and chimps.

[IMHO]

Not surprising for anyone that's ever discovered a bug in a router, only to find that the last ever firmware update was a couple of months after the thing was launched.

Even Linksys' flagship model (WRT1900AC) hasn't had a firmware update since August, and it's not like they've ironed out the bugs yet.. At least it's able to support OpenWRT (actively maintained open source router firmware) - which after all my experience over the years is now a must-have feature. Manufacturers simply cannot be relied upon to support products as they age.

[Chicog]

Not surprising for anyone that's ever discovered a bug in a router, only to find that the last ever firmware update was a couple of months after the thing was launched.

Even Linksys' flagship model (WRT1900AC) hasn't had a firmware update since August, and it's not like they've ironed out the bugs yet.. At least it's able to support OpenWRT (actively maintained open source router firmware) - which after all my experience over the years is now a must-have feature. Manufacturers simply cannot be relied upon to support products as they age.

I think a lot of them are at the price point where they would rather you just upgrade.

[IMHO]

Not surprising for anyone that's ever discovered a bug in a router, only to find that the last ever firmware update was a couple of months after the thing was launched.

Even Linksys' flagship model (WRT1900AC) hasn't had a firmware update since August, and it's not like they've ironed out the bugs yet.. At least it's able to support OpenWRT (actively maintained open source router firmware) - which after all my experience over the years is now a must-have feature. Manufacturers simply cannot be relied upon to support products as they age.

I think a lot of them are at the price point where they would rather you just upgrade.

I'm sure everyone in the computer industry would prefer you just throw away the old, and buy new, but it's still poor form

With routers, you're talking about something that really ought to be able to give you a reasonable functional life - given most people use them to route only 100mbps or less internet connections, or maybe stream some HD content from a local source, so it's not like you need to stay on the bleeding edge with them.

In any case, once you're tired of buying a new router every year just because the vendor won't support it anymore, make your next purchase one that's supported by OpenWRT and give the vendor's firmware a delete

[Chicog]

I couldn't agree more, but the AC3200 I'm getting this week doesn't support it yet.

[Chicog]

Not surprising for anyone that's ever discovered a bug in a router, only to find that the last ever firmware update was a couple of months after the thing was launched.

Even Linksys' flagship model (WRT1900AC) hasn't had a firmware update since August, and it's not like they've ironed out the bugs yet.. At least it's able to support OpenWRT (actively maintained open source router firmware) - which after all my experience over the years is now a must-have feature. Manufacturers simply cannot be relied upon to support products as they age.

I think a lot of them are at the price point where they would rather you just upgrade.

I'm sure everyone in the computer industry would prefer you just throw away the old, and buy new, but it's still poor form

With routers, you're talking about something that really ought to be able to give you a reasonable functional life - given most people use them to route only 100mbps or less internet connections, or maybe stream some HD content from a local source, so it's not like you need to stay on the bleeding edge with them.

There comes a time when these vendors have to realise that being labelled a big security threat in the media is bad for business, so hopefully more press on this subject will give them the appropriate kick up the rear.