Actually the big problem isn't tech vendors of SOHO routers doing this. They have actually already been doing this for years. The WAY they have been doing it in the past has not in general been much of a problem either.
For example most of the Linksys Exxx routers auto-update themselves to the latest firmware when connected to the Internet. The latest firmware will not allow 3rd party firmware to be flashed to the router - "taking ownership" you might say. However, during boot there's a 500 ms period where the bootloader listens for incoming TFTP to the LAN side. If it gets a file via incoming TFTP at that time - it overwrites the router firmware with it. Linksys has known about this since the router was released and has continued to include this feature in later routers. So all they have effectively done is make it impossible to flash the router for a regular user. Anyone who takes the time to learn about the device won't have a problem.

The BIG problem is the tech vendors of routers abandoning support of older devices. That is, the router vendors release a device, support it for 5-10 years, then decide it's not worth the effort to keep releasing patches for it. Someone buys an old router out of support from a flea market, uses it as is, and then now you have a security hole and potential pest on the Internet that can be pwned and used to hose down other sites with attacks.

And this isn't limited to SOHO routers. For example take the Cisco Firepower firewall. This is a high end very expensive device. Cisco has Done The Right Thing, you might say, by making the device license locked to Cisco. If someone stops paying a service contract on it, thus stops getting security updates to it, the device will go into read-only mode and not allow configuration changes. However the loophole is you can factory reset the device, then completely configure it before you plug it into the Internet, and then plug it in and start using it. The device will then continue to operate on obsolete Cisco code - forever. (as long as you don't need to make changes)

Now, you can buy old Cisco ASA5512's 5515's and boot Linux and run the latest OPNsense on them.
In fact people have even reported doing this with an Ironport C170. All of these are devices that had vendor-locked firmware to lock the device into being owned by the vendor. My guess is you can also do this with a Cisco Firepower but I have not dug into it. THAT sort of thing ISN'T the problem because the owner is running current pfSense or whatever code on it. It's when the owner does NOT do that and just runs the device forever and ever and ever, never updating it. Even devices that are - as recommended by the CISA - "claimed ownership of their customer's security outcomes".

You see, it's not possible for a commercial entity to consider someone a "customer" who buys something of theirs then uses it forever, never paying them a cent - unless possibly the device breaks and they buy a new one.

I don't trust vendors either but one thing you can depend on is that a vendor is only interested in their product for a short time. Even the vendors of large very expensive products - like automobiles. For example Ford Motor Company manufactured the Super High Output V8 from 1996-1999. It worked really well until it became known that Ford had used a weird attachment design for the cam sprockets that over time would allow them to slip, causing the engine to destroy itself when the valves then hit the pistons on the interference engine. But by the time this was well publicized, Ford had stopped producing the engine. The aftermarket fix is to weld the sprockets to the cams. But Ford issued a lame TSB saying to glue (Loctite) the sprockets to the cams. This is very typical of any commercial vendor. Once the product is sufficiently far back in their rear view mirror they don't give a tinker's damn who does what to it, who flashes what to it, etc. And they don't give a crap if the owner just keeps running it forever, using antique holey code that every cracker on the Internet is exploiting.
Pushing the vendors to "take over" products like the CISA is saying to do is going to work about as well as pushing Ford to take responsibility for the SHO v8 flaw. It just ain't gonna happen, folks.

Ted

-----Original Message-----
From: PLUG <plug-boun...@lists.pdxlinux.org> On Behalf Of Russell Senior
Sent: Saturday, February 3, 2024 6:18 PM
To: Portland Linux/Unix Group <plug@lists.pdxlinux.org>
Subject: Re: [PLUG] Router Vulnerability

>>>>> "Russell" == Russell Senior <russ...@pdxlinux.org> writes:
>>>>> "Dick" == Dick Steffens <d...@dicksteffens.com> writes:

Dick> There was a news item recently that talked about a number of
Dick> home routers susceptible to a hacking attack.

Russell> Do you have a link to the news item?

I'm guessing it was this basic story (repeated across many outlets):

https://thehackernews.com/2024/02/us-feds-shut-down-china-linked-kv.html

<paranoid-conspiracy-theories>

One thing I find not particularly helpful is for the government to encourage vendors to paternalize their customers along the lines of:

https://www.cisa.gov/securebydesign

"Technology manufacturers must increasingly embrace their role in putting consumer safety first. Technology providers and software developers must take the first step to shift this burden by *claiming ownership of their customers’ security outcomes*."

(emphasis mine)

To me, this sounds like code for "make sure your customers can't modify the firmware", which:

a) as a firmware modifier, I don't like; and

b) unless it comes with strict liability for their negligence, doesn't align the incentives very well.

As a user, I don't TRUST the vendor to begin with.

</paranoid-conspiracy-theories>

There is ample evidence, readily available, that vendors don't have users' interests at heart.

--
Russell Senior
russ...@pdxlinux.org