Tuesday, June 3, 2014

Your home Internet router: the second circle of Security Hell

It's why we can't have nice things on the 'Net:
This unpatchable hell is a problem with many fathers, from recalcitrant vendors to customers wary of -- or hostile to -- change. But with the number and diversity of connected endpoints expected to skyrocket in the next decade, radical measures are fast becoming necessary to ensure that today's "smart" devices and embedded systems don't haunt us for years down the line.

Trouble close to home

The problem of unsupported or undersupported devices hits close to home for millions of broadband users in the United States and Europe. Broadband routers humming away peacefully in attics and home offices have become the latest targets of sophisticated cyber criminal groups.

A string of incidents in recent months have underscored the vulnerability of this population of loosely managed and configured devices. In March, the security consultancy Team Cymru warned that hackers had compromised some 300,000 small- and home-office broadband routers made by firms D-Link, Micronet, Tenda, and TP-Link, among others.
This is a real problem.  As desktop security has improved over the last decade (and improved it has, despite being spotty at best), the Bad Guys have looked for easier targets.  A home router is a natural target, for several reasons:
  1. There is typically very little (or no) effort put into security by the manufacturer.  Security work costs money, and that raises the price in a market where profit margins are wafer thin,
  2. ISPs are notorious for having terrible technical support, because good tech support costs money and a support call can easily burn through an entire month's revenue from that customer.  Support personnel who understand security raise this cost, and very possibly increase the number of calls. 
  3. "If it's working don't screw with it" is everyone's preferred approach - the manufacturer, the ISP, and the subscriber.
The Bad Guys love this - it's a target rich environment that is institutionally resistant to security improvement.

So what do you do?  Probably the only thing that you can do is to assume that the Internet router is already compromised.  Get your own router and put it between your home network and the router your ISP sent you.  Disable WiFi in the ISP router, and use your own.  Run an Open Source OS on the router (these projects will almost always be more responsive to security issues than the manufacturers).

Oh, and read this post from way back.


Old NFO said...

Reminds me, I need another router, mine is on it's last legs...

juvat said...

DD-WRT, SSID turned off. Admin name changed and strong password. I still assume the worst.

Regarding the 2009 posting. MAN, the comments were unbelievable.

Dan said...

Sometimes, you're scary. But thanks for that.

George said...

Full disclosure, I work for Dell, in another part of the business, but the OS in the Sonicwall firewalls is essentially the same is used in the enterprise boxes. Real security, including deep packet inspection, etc. The small boxes are more expensive that what you would get from the home vendors, but not prohibitively so.

This guy, for example, is suitable for a (savy) home user and is orders of magnitude more secure:


lee n. field said...

Don't you need an ongoing support contract for that? That's been my experience w/ sonicwall.

George said...

Maybe...I stay away from the licensing. :)

Colin said...

pfSense and the Sophos UTM (free for home use) are great options for those with a little knowledge.