Actually the big problem isn't tech vendors of SOHO routers doing this.  They 
have actually already been doing this for years.  The WAY they have been doing 
it in the past has not in general been much of a problem either.

For example most of the Linksys Exxx routers auto-update themselves to the 
latest firmware when connected to the Internet.  The latest firmware will not 
allow 3rd party firmware to be flashed to the router - "taking ownership" you 
might say.  However, during boot there's a 500 ms period where the bootloader 
listens for incoming TFTP to the LAN side.  If it gets a file via incoming TFTP 
at that time - it overwrites the router firmware with it.  Linksys has known 
about this since the router was released and has continued to include this 
feature in later routers.  So all they have effectively done is make it 
impossible to flash the router for a regular user.  Anyone who takes the time 
to learn about the device won't have a problem.

The BIG problem is the tech vendors of routers abandoning support of older 
devices.   That is, the router vendors release a device, support it for 5-10 
years, then decide it's not worth the effort to keep releasing patches for it.

Someone buys an old router out of support from a flea market, uses it as is, and 
now you have a security hole and potential pest on the Internet that can be 
pwned and used to hose down other sites with attacks.

And this isn't limited to SOHO routers.  For example take the Cisco Firepower 
firewall.  This is a high-end, very expensive device.  Cisco has Done The Right 
Thing, you might say, by making the device license-locked to Cisco.  If someone 
stops paying a service contract on it, and thus stops getting security updates to 
it, the device will go into read-only mode and not allow configuration changes.

However, the loophole is that you can factory reset the device, then completely 
configure it before you plug it into the Internet, and then plug it in and 
start using it.  The device will then continue to operate on obsolete Cisco 
code forever (as long as you don't need to make changes).

Now, you can buy old Cisco ASA5512s and 5515s and boot Linux and run the latest 
OPNsense on them.  In fact people have even reported doing this with an 
Ironport C170.  All of these are devices that had vendor-locked firmware to 
lock the device into being owned by the vendor.  My guess is you can also do 
this with a Cisco Firepower but I have not dug into it.  THAT sort of thing 
ISN'T the problem because the owner is running current pfSense or whatever code 
on it.

It's when the owner does NOT do that and just runs the device forever and ever 
and ever, never updating it.  Even devices whose vendors have - as recommended by 
CISA - "claimed ownership of their customers' security outcomes".  You see, 
it's not possible for a commercial entity to consider someone a "customer" who 
buys something of theirs then uses it forever, never paying them a cent - 
unless possibly the device breaks and they buy a new one.

I don't trust vendors either but one thing you can depend on is that a vendor 
is only interested in their product for a short time.  Even the vendors of 
large very expensive products - like automobiles.

For example Ford Motor Company manufactured the Super High Output V8 from 
1996-1999.  It worked really well until it became known that Ford had used a 
weird attachment design for the cam sprockets that over time would allow them 
to slip, causing the engine to destroy itself when the valves then hit the 
pistons on the interference engine.  But by the time this was well publicized, 
Ford had stopped producing the engine.  The aftermarket fix is to weld the 
sprockets to the cams.  But Ford issued a lame TSB saying to glue (Loctite) 
the sprockets to the cams.

This is very typical of any commercial vendor.  Once the product is 
sufficiently far back in their rear view mirror they don't give a tinker's damn 
who does what to it, who flashes what to it, etc.  And they don't give a crap 
if the owner just keeps running it forever, using antique holey code that every 
cracker on the Internet is exploiting.

Pushing the vendors to "take over" products like CISA is saying to do is 
going to work about as well as pushing Ford to take responsibility for the SHO 
V8 flaw.

It just ain't gonna happen, folks.

Ted

-----Original Message-----
From: PLUG <plug-boun...@lists.pdxlinux.org> On Behalf Of Russell Senior
Sent: Saturday, February 3, 2024 6:18 PM
To: Portland Linux/Unix Group <plug@lists.pdxlinux.org>
Subject: Re: [PLUG] Router Vulnerability

>>>>> "Russell" == Russell Senior <russ...@pdxlinux.org> writes:

>>>>> "Dick" == Dick Steffens <d...@dicksteffens.com> writes:
    Dick> There was a news item recently that talked about a number of
    Dick> home routers susceptible to a hacking attack.

    Russell> Do you have a link to the news item?

I'm guessing it was this basic story (repeated across many outlets):

  https://thehackernews.com/2024/02/us-feds-shut-down-china-linked-kv.html

<paranoid-conspiracy-theories>

One thing I find not particularly helpful is for the government to encourage 
vendors to paternalize their customers along the lines of:

  https://www.cisa.gov/securebydesign

  "Technology manufacturers must increasingly embrace their role in
  putting consumer safety first. Technology providers and software
  developers must take the first step to shift this burden by *claiming
  ownership of their customers’ security outcomes*." (emphasis mine)

To me, this sounds like code for "make sure your customers can't modify the 
firmware", which: a) as a firmware modifier, I don't like; and b) unless it 
comes with strict liability for their negligence, doesn't align the incentives 
very well. As a user, I don't TRUST the vendor to begin with.

</paranoid-conspiracy-theories>

There is ample evidence, readily available, that vendors don't have users' 
interests at heart.


--
Russell Senior
russ...@pdxlinux.org