1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

SOHOpelessly Broken 2.0

Discussion in 'General Network Security' started by WiFiNemesis, Sep 16, 2019.

  1. WiFiNemesis

    WiFiNemesis Regular Contributor

    Joined:
    Aug 10, 2017
    Messages:
    51
    "Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries."

    Looks to be a well-documented report from ISE: vulnerabilities found in ASUS RT-AC3200, Netgear Nighthawk R9000, and several NAS products.

    SOHOpelessly Broken 2.0

    Among the conclusions...

    "We have seen that the vendors of Internet of Things devices have increased their presence in the security community, albeit without any substantial increases to device security. "
     
  2. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,415
    Location:
    UK
    At least they worked with Asus to fix the bugs. :)
     
  3. CrystalLattice

    CrystalLattice Regular Contributor

    Joined:
    Jan 9, 2017
    Messages:
    150
    Do not use a consumer router because they are insecure. Only use a business class router with vetted and updated firmware. That's why most of you are subject to invasion. This dead site has no advice on security, except possibly the old PfSense article. Openwrt is updated, pfsense is ok, mr. super expert says Peplink, Turris Omnia, and Draytek. Everything on this site is consumer junk, so is cisco. Beware. Get your routing knowhow elsewhere to survive router insecurity. asus is junk, netgear is junk, merlin is junk!
     
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,415
    Location:
    UK
    @CrystalLattice It's a bit early in the day to be hitting the liquor. Perhaps you'd better switch to beer for a while. :D
     
  5. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,154
    Location:
    Canada
    I can't speak about the other devices they checked, but for their reported Asuswrt issues, this report is nothing but clickbait. The whitepaper dated today reports findings in a firmware released in January 2018 (nearly two years old), and which were already fixed almost a year ago.

    What's next, will they publish a report on security issues found in Windows Vista?
     
    AndreiV, royarcher, umarmung and 5 others like this.
  6. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,957
    Location:
    texas
    Cisco tracks it and reports all the vulnerabilities on their web site for each piece of small business hardware. They write fixes for all hardware still being supported. Cisco also posts work arounds until the code is fixed. Cisco is aware of what is going on. So I believe you are wrong. Yes Cisco pro gear is better but is too expensive for home use. I do like IOS better.

    Cisco layer 3 switches are great for the price. I don't think you can beat them.
     
  7. HairyA00

    HairyA00 Regular Contributor

    Joined:
    Jul 13, 2019
    Messages:
    107
  8. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,154
    Location:
    Canada
  9. HairyA00

    HairyA00 Regular Contributor

    Joined:
    Jul 13, 2019
    Messages:
    107
    Yeah, that's what I thought. Not sure why everyone is in a tizzy. And why is it being reported now? 3.0.0.4.382.50010 is well over a year ago...
     
  10. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,154
    Location:
    Canada
    Because a lot of "security researchers" are more interested in the mass publicity to sell their professional services than in genuinely trying to help the software world become a safer place for everyone. Find a catchy names, then rush to a few public outlets. Then general news sites who do zero validation of the information will just keep parroting the report. And you get what you have here. A lot of people suddenly thinking that their router/NAS is a security disaster.

    Linus Torvalds had quite a few choice words about today's security researchers a year or two ago...

    I only validated their Asus findings (which were made on a firmware released in January 2018 - 21 months ago), but I wouldn't be surprised if their reports for the other manufacturers were mostly just as outdated.
     
    thelonelycoder, netware5 and HairyA00 like this.
  11. HairyA00

    HairyA00 Regular Contributor

    Joined:
    Jul 13, 2019
    Messages:
    107
    Asus isn't exactly slow to react, either; before I even knew Merlin existed, I was drawn to Asus for their open-source aspect. I got sick and tired of other manufacturers leaving gigantic holes and never patching a $300 router. Routers made by some of the 'big manufacturers' aren't patched ever; imagine using a combo unit from your cable company? Was surprised to see Asus thrown under the bus, figured I'd share here.
     
    thelonelycoder likes this.
  12. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,154
    Location:
    Canada
    And one reason why it bothers me so much is because I have to waste a good amount of time and energy every time such reports come out to a) validate them, and b) reassure the end-users if it turns out there is nothing to worry about.

    Mind you, I'm not blaming you or any other regular end-user reaching to me asking me about this, but I blame the original researchers, and the media outlets reposting the news with no proper validation, often putting their own dramatic spin on top of it to make it into even more attractive clickbaits.

    I actually forwarded that info to one of my contacts at Asus who deals with actual security issues, a couple of days ago. He said he would look into it.
     
    HairyA00 likes this.
  13. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,154
    Location:
    Canada
    Asus used to be just as bad as most of them (tho not as bad as that manufacturer who frequently got caught with backdoors in their routers). It's only after the AiCloud disaster (which was internally dubbed "Asusgate") and the FTC settlement that they started taking it more seriously.

    These days they are doing a pretty good job at handling any reported issues.

    In a few recent cases the reporter who found a flaw would contact me first (since I'm quite visible within the community), and I'd put him in touch with the proper contact back at Asus HQ. And usually we'd both hear back within a few days about their own investigation. As far as I can remember, all reported issues were taken care of, and fixed in the next firmware release (unless they were found out not to be exploitable issues - it has happened once or twice).
     
    HairyA00 likes this.
  14. HairyA00

    HairyA00 Regular Contributor

    Joined:
    Jul 13, 2019
    Messages:
    107
    Oh I don't care, I don't take it personally. If you take things on the internet personally, might as well just unplug your modem. I sense the frustration and it appears that it is founded. I wasn't even really asking a question, albeit I formed it as one. I looked at the date of the firmware image in question AFTER I posted here, and started scratching my head as to why on earth it was "news" for Asus.

    I am no router expert (I'm a DNS guy!); by a stroke of luck I found Asus a few years ago.
     
  15. AndreiV

    AndreiV Very Senior Member

    Joined:
    Aug 25, 2015
    Messages:
    903
    It's not liquor , his cat peed in his cornflakes again.;):D
     
  16. AndreiV

    AndreiV Very Senior Member

    Joined:
    Aug 25, 2015
    Messages:
    903
    I doubt they've finished evaluating Windows ME yet.