jrochkind1 5 years ago

Is there any easy way to check if your router is vulnerable/compromised? Or instructions for disinfecting it as well as patching it?

Like, based on actually being exploitable or compromised, not firmware versions or whatever.

I actually suspect mine is compromised, it's been behaving funny for a month or two, needing to be restarted a lot. (Which, ironically, is a signal of a _buggy_ compromise, your router could of course be compromised and you'd never know it if the malware was well-behaved enough to stay out of the way of your usual use).

I can (painfully) update the firmware... but I don't trust that the vendor's most recent firmware actually solves it. Nor do I trust that once compromised a firmware update is enough to eliminate the malware.

For such a widespread compromise... we could use more user-friendly (or even relatively techy but not a network engineer user-friendly) instructions for... what to do.

I guess the reality is that most (non-techy) users will, if they notice at all (due to malware that buggily causes things not to work well for intended uses, instead of staying out of the way), just decide their equipment is "broken", throw it out and buy new stuff... that hopefully won't get compromised again. Which I guess works for the consumer network hardware vendors.

  • spudlyo 5 years ago

    If I were you I'd check to see if your router can run one of the several open source firmware packages like OpenWRT, dd-wrt, or Tomato. In my personal experience the OpenWRT/lede team is on top of security issues, and the router web interface and tooling is completely fine.

    I'd be confident that flashing your device with modern open source firmware would solve the problem, but if you're paranoid just recycle the device and get a new one. In any event, I don't see a solution for you that doesn't involve some homework.

    • jrochkind1 5 years ago

      In general, I am cautious of running my own open source thing without being an expert in the relevant area (or interested in becoming one) -- having to put something together (and maintain it) yourself seldom, in my experience, ends up _more_ secure or _more_ maintainable, when you don't know what you're doing.

      However, routers may be an exception. Apparently the industry has basically no business motivation to keep consumer-grade networking hardware secure, at all. Irrelevant to their profits or reputation.

      I'll consider it. When I bought my router I intentionally got one that can run OpenWRT, but never ended up installing it, cause, who's got time for that? But perhaps there isn't really an alternative, unless you want a bot-net-ed router. Which honestly, and with shame, I'd just ignore the botnet sending out spam to other people if I didn't think it was compromising the functionality (and security) of my router for me. Last thing I wanna do is spend time becoming a network engineer after a day of getting paid to write software, but I guess that's where we're at.

      (Oh crap, I just realized it could be my DSL modem instead of or in addition to my (wired and wifi) router. I know even LESS about that thing. I think none of these consumer products, owned by people who know a lot less than me, are ever gonna be protected, if even I am intimidated by trying to figure it out).

      • xorcist 5 years ago

        You're going to have to upgrade your firmware anyway, so why not upgrade to something that actually cares about basic functionality?

        Some people unused to open source solutions sometimes have this idea that all software developed by enthusiasts by necessity is hard to use or require tinkering, but that's not a fair picture. When developers share your interests, that's when software gets usable. That interest might not always be UI, but sometimes it is.

        OpenWRT (and friends!) is clearly much easier to use and delivers richer functionality than any of the software it replaces. If your router is listed as supported, go for it.

        • jrochkind1 5 years ago

          The good reviews of OpenWRT help. The caution is mostly because it's unclear to me how hard it would be to switch it back. But yeah, probably will.

          • styfle 5 years ago

            Not to mention the idea that you might Bork your router during installation and have no internet therefore no way to install the old fw version.

      • spudlyo 5 years ago

        It may not be as hard as you think. Doing a little homework, flashing the router with the OpenWRT firmware, and getting a basic config up and running should take most folks an afternoon. If you already understand concepts like CIDR addressing, DNS, DHCP, and NAT then it's an hour tops.

        OpenWRT is not a pain to use -- it's not all that different than the web GUI that ships with most routers.

      • creeble 5 years ago

        Another option is to buy a pre-configured router from someone like FlashRouters.com (not affiliated, but a customer).

        They provide routers with DD-WRT or Tomato pre-installed. Yes, you should probably know how to update your router at some point in the future, but your starting point is probably much safer than depending on the poorly-tested and heavily-exploited factory firmware.

      • jsjohnst 5 years ago

        I’d recommend swapping out your consumer grade router for a commercial packaged version of pfSense. Just as easy to set up as most consumer grade routers and it auto updates (if you want) and has a decently secure base. Sure, you’ll spend $50 more, but isn’t the peace of mind worth it?

    • rubatuga 5 years ago

      Yeah, you can start by resetting the NVRAM of the router, (30-30-30 reset) then get a flash chip clip, read the data off the router flash using a raspberry pi, and compare it to the firmware binary from the router manufacturers website.

      • skynetv2 5 years ago

        > user-friendly (or even relatively techy but not a network engineer user-friendly) instructions for... what to do.

        I am an experienced SWE and this is not something I can do without setting aside a day or two to investigate all the tools and purchase an RPi.

        • WrtCdEvrydy 5 years ago

          This is the reason IOT security should be enforced by law.

          Oh, you sold a piece of shit insecure WiFi lightbulb that's mining bitcoin, here's a fine for every penny you made.

  • achillean 5 years ago

    If you wanted to see whether you could potentially be targeted by this botnet then you can check Shodan (https://www.shodan.io). Just enter your IP address in the search box and if your network has any services exposed to the Internet you will see them.

  • voltagex_ 5 years ago

    Google your router model - see if it's Broadcom based. See if you're running the UPnP service. I wish this article gave out more info - I want to know what versions of the service are affected.

commandlinefan 5 years ago

> Universal Plug-n-Play

And, like so many other attempts to "simplify" supposedly complex configuration, in addition to being a massive security hole to attackers, it's almost useless to the home users for whom it was meant because it only works under a very narrow, mostly undocumented set of assumptions and if any of those assumptions are invalid, it fails silently.

  • OJFord 5 years ago

    I disabled it after this post, but it appears Plex switches to 'indirect' mode (it goes out to the Internet and back in) without it; i.e. I am using UPnP.

    It's not clear what the solution is - update firmware? I am on the latest. Use OpenWRT (or whatever it's called these days)? Every time I look into it (I really want to!) I stop at the simple 'I want to do this, I will happily buy a new router, which one do I buy and know it works well and will continue to work well with updates?'

    • WorldMaker 5 years ago

      Plex has had a major forum breach for basic user data including IP addresses [1], around the time of the botnet's first discovery in 2017, which has me greatly wondering if Plex may have been an inadvertent bootstrap vector for this attack?

      Worrying, if that's the case.

      [1] https://haveibeenpwned.com/PwnedWebsites#Plex

      • OJFord 5 years ago

        Usually a problem for things like Plex, ISPs with double NAT actually do users a favour here.

        • WorldMaker 5 years ago

          UPnP wouldn't exist without NAT. The underlying root cause of UPnP is NAT (and the slow deployment of things like reliable mDNS implementations). Admittedly, Plex would have different security problems without NAT, given its model, but arguably those security problems would have simpler solutions in a world without NAT.

    • joombaga 5 years ago

      You can explicitly forward the ports used by Plex.

  • nerdponx 5 years ago

    If I have UPnP disabled, am I safe?

    • greglindahl 5 years ago

      There's no way to be "safe". You might be safer if you disable UPnP, it certainly decreases the attack surface.

      • creeble 5 years ago

        I'm sorry, I didn't intend to start a nit-pick on whether or not all software contains bugs. My response was too glib.

        The GP asked:

        > If I have UPnP disabled, am I safe?

        The answer is yes: If you can disable UPnP, your router will be safe from this particular exploit. Which is, I think, what he was asking.

        Everyone should disable UPnP in their routers. It won't make your router "safe" from all exploits, but it will make it safe from this one, and you can do it now, immediately, without replacing hardware or firmware.

        • greglindahl 5 years ago

          Thanks, my reply wasn't very good either. I suspect most people can disable UPnP without ever noticing a problem. If anything, it is more used by malware than anything you actually want.

      • creeble 5 years ago

        > There's no way to be "safe".

        You're implying that all routers are vulnerable?

        • flylikeabanana 5 years ago

          I think the point is that any software system is vulnerable

          • creeble 5 years ago

            Vulnerable to this particular exploit?

            Your router is either vulnerable to this exploit, or it's not. Afaict from the article, the exploit relies on a UPnP-enabled router; if UPnP isn't enabled, I don't believe your router is vulnerable.

        • kibibu 5 years ago

          No routers are invulnerable.

          • creeble 5 years ago

            To this exploit?

stevenicr 5 years ago

I think it's time for windows, and ios, and firewall / antivirus companies to scan for info about the routers used and alert people that their network is easily hacked, may already be hacked, and is in danger of being used by criminals to attack other countries and companies.

Extra info such as, the router you are using has not had any available firmware updates for 3 years and likely needs to be replaced.

It's obvious we are not going to get this info to most people from the IOT manufacturers.

This could be quite beneficial for those who hook up their phones to different wifi networks as well - a pop up showing that their router / internet gateway model has been shown to be used in at least 100,000 other malware exploits, and should not be trusted like your cell connection -

It's time to start shaming and naming - the bad guys already know how to get this info, we need to make it easier for the end users to become aware.

A service that will email you when firmware is available for your equipment, or your equipment is listed on shodan, blackhathacksrus, or other places may be beneficial as well. Set it up to take serial numbers scanned with an app, and give notices on recalls and physical theft recovery.

We obviously need something, and possibly many things to help with this.

I can't believe a certain router company a few years ago did not offer to send a rebate if I returned their no-longer-updated-hardware when I emailed them inquiring about a published exploit and lack of updates. I no longer use that brand or suggest it. They could have kept a customer and made things better, they did neither.

  • achillean 5 years ago

    We actually offer such a monitoring service at Shodan, though it's largely aimed at companies so you need to use the API. Here's an article on how to set up a real-time monitor for your network:

    https://help.shodan.io/guides/how-to-monitor-network

    • chopin 5 years ago

      How would this work for a consumer network which doesn't have a fixed public IP?

      • achillean 5 years ago

        In that case you're probably better off w/ a cronjob that checks Shodan for information on your IP once a day. Doing direct IP lookups is free so you wouldn't need to pay. You won't get the immediate, real-time feedback but it's fairly straight-forward to do a daily IP lookup.

        You could also change/ update your private firehose every day though that would require a bit more technical skill. You could basically do:

            # Look up the current public IP, create an alert for it, then stream its events
            MYIP=$(shodan myip)
            shodan alert create home-network "$MYIP"
            shodan stream --alerts=all
        
        That would create an alert for your current IP and then subscribe to any events.
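
The once-a-day lookup described in this comment, as an added example that is not from the thread or from Shodan: it uses Shodan's REST API from Python instead of the CLI and reports only what changed since the previous run, starting a fresh baseline when the public IP changes. The state-file path, the `SHODAN_API_KEY` variable name and the sample record are assumptions made for the example.

```python
"""Daily Shodan lookup for a home connection whose public IP changes."""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from pathlib import Path

API = "https://api.shodan.io"
STATE = Path.home() / ".shodan-home-check.json"   # assumed state file location

# Constructed sample of a Shodan host record, trimmed to the fields used below.
SAMPLE_HOST = {
    "ip_str": "203.0.113.7",
    "data": [
        {"port": 5431, "transport": "tcp"},
        {"port": 80, "transport": "tcp"},
        {"port": 1900, "transport": "udp"},
        {"port": 80, "transport": "tcp"},   # several banners can exist per port
    ],
}


def _order(label):
    port, transport = label.split("/")
    return int(port), transport


def services_from_host(host):
    """Flatten a host record into sorted, de-duplicated 'port/transport' labels."""
    labels = {f"{b['port']}/{b.get('transport', 'tcp')}" for b in host.get("data", [])}
    return sorted(labels, key=_order)


def compare(previous, ip, services):
    """Diff today's lookup against the saved state (None on the first run)."""
    if previous is None or previous.get("ip") != ip:
        # First run or new DHCP lease: no baseline for this address, report everything.
        return {"ip_changed": previous is not None, "new": list(services), "gone": []}
    old = set(previous.get("services", []))
    return {
        "ip_changed": False,
        "new": [s for s in services if s not in old],
        "gone": sorted(old - set(services), key=_order),
    }


def _get(path, key):
    url = f"{API}{path}?{urllib.parse.urlencode({'key': key})}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def fetch(key):
    """Ask Shodan for our current public IP and what it has indexed for it."""
    ip = _get("/tools/myip", key)
    try:
        return ip, services_from_host(_get(f"/shodan/host/{ip}", key))
    except urllib.error.HTTPError as err:
        if err.code == 404:            # nothing indexed for this address
            return ip, []
        raise


def main():
    key = os.environ["SHODAN_API_KEY"]  # assumed variable name for your API key
    previous = json.loads(STATE.read_text()) if STATE.exists() else None
    ip, services = fetch(key)
    report = compare(previous, ip, services)
    STATE.write_text(json.dumps({"ip": ip, "services": services}))
    if report["new"]:
        print(f"{ip}: newly visible on Shodan: {', '.join(report['new'])}")
        return 1                        # non-zero exit marks the run as a finding
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from cron once a day; a run that prints nothing means Shodan's record for your current address has no services that were not there yesterday.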

  • heavenlyblue 5 years ago

    What about building an ethical hacking company that hacks these routers, closes the holes and then shows a warning to the user?

    This would quickly bypass any resources hackers have anyway, and could work closely with the governments IFF the hacking is purely ethical.

    The amount of inefficiency due to these devices being freely available to the user should be a huge money-saver.

    • stevenicr 5 years ago

      There have been times I wondered if such a group was formed, or only working from a spot in international waters or, what would be some country names that would avoid any kind of legal or treaty or anything. What would those places be that could have such a hive running without major recourse?

josteink 5 years ago

And OpenWrt users everywhere feel totally superior once again.

Seriously though: this is why you don’t let your device run unvetted firmware by vendors who don’t provide updates.

Load it with a Linux-distro you can update yourself to keep it rolling and secure.

  • muxator 5 years ago

    Personally, I can no longer even conceive running the standard firmware on a critical piece of my home's infrastructure.

    Plus: good performance, a lot of flexibility, and a nice web interface (if one wants it).

    OpenWrt has really been a good experience for me.

  • OJFord 5 years ago

    I keep looking into it and keep stopping at 'what should I buy'. I'm willing to / assume I need to buy new hardware. What do I buy that will run it well, and continue to?

    • rubatuga 5 years ago

      Buy the Archer C7 version 2, and install the optimized version of openwrt: https://github.com/infinitnet/lede-ar71xx-optimized-archer-c...

      This build gets ~750 mbps NAT speed as opposed to vanilla openwrt, which is around ~300 mbps.

      • josteink 5 years ago

        While I think this is a really good OpenWrt-router, with good value for money and easy installation...

        It is fair mentioning that this model is discontinued from TP-Link and you will probably have to buy it second hand. It also comes in at least 5 revisions, with various levels of support, making life a little bit more difficult for the average, uninformed buyer.

        As a side note: I have a 350mbps symmetrical FTTH link and I've had no issues maxing this line with regular, official OpenWRT builds.

        Unless you need significantly higher speeds and can prove that official builds can't do it, I see no reason to go with unofficial, unsupported builds.

        • exhilaration 5 years ago

          Do you know how well this router runs Wireguard using OpenWRT?

          • josteink 5 years ago

            Actually looking into Wireguard on OpenWrt[1], I don't see anything router-specific about supporting that.

            As long as you have enough flash to install the modules, I can't see why this shouldn't work on any router.

            [1] https://danrl.com/blog/2017/luci-proto-wireguard/

          • josteink 5 years ago

            I have no idea or knowledge about wireguard.

      • OJFord 5 years ago

        Is that v2 as in >v1, or is there a v3+ that I don't want?

        That is, can I just buy from Amazon [0] with a fairly safe assumption that a new C7 is OK?

        [0]: https://www.amazon.co.uk/TP-Link-AC1750-Dualband-Zertifizier...

        • GordonS 5 years ago

          So, 2 or 3 years ago I did just that.

          And it was flakey as f*ck. It rebooted itself roughly once a day, and would stop routing traffic to my fibre modem and need manually rebooted at least once a day.

          The Openwrt support forums were... not helpful.

          All this was such a shame, because the Openwrt feature set is so much more capable than the stock firmware - I so wanted it to work, but had such a bad experience I haven't gone near it since and it will likely stay that way.

          • josteink 5 years ago

            You have to be specific about the hardware you buy.

            Throughout my time I've bought around 2 or 2 routers with the naive assumption "oh it will probably work out fine", and that's definitely not how it works. That has certainly left me with disappointment.

            IME it pays off greatly to upfront research the specific model (and revision) and buy exactly that. Like in this case, the Archer C7 v2 (of which I've recently bought two).

            It's running OpenWrt flawlessly and I would have zero issues recommending that particular model to anyone.

            • GordonS 5 years ago

              Ah, I got confused - it's a stock TP-LINK AC1750 Archer C7 that I have now, and it was an older TP-LINK I'd tried OpenWrt on. I forget the model, but I had been specific about the hardware I bought, making sure it was in OpenWrt's list of supported devices.

              Strangely, the C7 I have now advertises itself as 'v2/v3'!

      • dcbadacd 5 years ago

        How can you make sure you're getting the v2?

        • josteink 5 years ago

          It says so on a sticker underneath. You must ask seller to confirm or provide a picture.

    • spudlyo 5 years ago

      This will depend on what kind of Internet connection you have, or expect to have in the future. Gigabit internet connections are becoming more common here in the US, and some lower powered devices just can't route packets faster than say 100-200 Mbit/s.

      I can tell you what I did, which may or may not be helpful to you. I got Linksys WRT AC3200[0]. The "AC3200" bit refers to a type of wifi 802.11ac configuration that has a theoretical bandwidth of 600 Mbit/s using the 2.4Ghz radio (good for distance and passing through interior walls) and 2.6 Gbit/s on the 5Ghz wifi radio. This is not the fastest or fanciest of the 802.11ac configurations, but it's up there.

      One note about the marketing of this device, the MU-MIMO feature that you may read about is not really a thing yet. I don't have any devices that support it, and it's possible I never will.

      Disregarding the radios entirely, this device can easily push 1 Gbit/s over the ethernet ports, and can easily exceed 800 Mbit/s using the up-and-coming Linux kernel based VPN WireGuard.

      This device is supported by OpenWRT, but if you don't want to compile and build it yourself you need to get it from a helpful guy on the net who maintains community builds for this router[1] and related chipsets. Support is available through a community forum[2].

      I'm quite pleased with this device and firmware setup. I like that it can interface with my switch to sort out VLAN tags, I like that I can run cutting edge VPN software like WireGuard on it, I like that it's reliable and I haven't had to reboot it randomly to "fix" it.

      [0]: https://www.amazon.com/gp/product/B01JOXW3YE

      [1]: https://davidc502sis.dynamic-dns.net/releases/#3200acm

      [2]: https://forum.openwrt.org/t/davidc502-wrt1200ac-wrt1900acx-w...

      • OJFord 5 years ago

        Would you happen to know if the 25% cheaper 'gaming edition' is as good? Doesn't seem to have MU-MIMO, which from what you've said might be an easy saving: https://www.amazon.co.uk/Linksys-WRT32X-UK-AC3200-Dual-Band-...

        • darpa_escapee 5 years ago

          Always cross-reference each hardware revision with the OpenWRT wiki; sometimes chipsets and radios will change between revisions.

        • spudlyo 5 years ago

          Search the Amazon comments and you'll see at least three folks who are running OpenWRT/Lede on this device. Pretty sure it uses the same "rango" chipset. My guess is that your instincts are right, and it's cheaper and pretty much the same thing.

      • 0xEFF 5 years ago

        Do you happen to know the throughput when using PPPoE?

        • spudlyo 5 years ago

          I think it's roughly the same. I mean PPPoE framing like adds 8 bytes per packet, but not much you can do about that. My pal has this router and CenturyLink gigabit, which uses PPPoE, and he manages to get around 930 Mbits/s across the WAN.

9712263 5 years ago

So, what is the most secured option for the moment? Buy a x86 box and turn it into a router? But it consumes more power than a low-power router, and buying more network adapter is not that cheap.

I am currently using the open source tomato firmware. However, there is a bug/feature in the router so that I cannot flash an image that is too large, or otherwise it would not work. Also, the configuration is limited to 32 KB; if I configure too much, the configuration file becomes gibberish, some random feature in the router goes missing, and a factory reset is required to fix it. So, I am stuck with an older version of tomato, which guarantees some kind of vulnerability is not fixed.

Not sure what I can get in the form size of a router. Raspberry pi may work but too few ports available. I heard that the CPU would get hot for intense network traffic.

  • walrus01 5 years ago

    For something really small the ubiquiti edgerouter devices which run their EdgeOS are a good choice. If there's a serious security vulnerability on the WAN-facing interface it will be patched. They run a fork of Vyatta. Ubiquiti employs most of the old Vyatta development team, who did not go to Brocade when Vyatta was acquired.

    Or build a really small low power x86 system with a few Intel gigabit NICs in it and run open source VyOS.

    • eikenberry 5 years ago
      • walrus01 5 years ago

        the $48 ER-X is much faster than 99% of peoples' residential last mile broadband connections, it's good for up to about 750 Mbps of NAT and default route outbound to a gateway.

        • eikenberry 5 years ago

          I have a gigabit fiber line with no PoE from the fiber box. Between the 2 I think the ERLite-3 should work better.

          • ropiku 5 years ago

            I have no problems with a gigabit symmetrical line on ERLite-3. UniFi Security Gateway is the same hardware but in a nicer interface that works with UniFi APs & Switches if you want to go that route but you have to also host a controller. You can also upgrade to a ER-4 for a much faster CPU but I don't think you need to.

  • varjag 5 years ago

    Find a not too old Cisco integrated services router, set it up to drop everything coming from outside, and run DHCP network(s) on the inside. Use WiFi routers in bridge/access point mode.

    Drawback is they tend to be noisy, but if you have a basement/closet..

  • DanBlake 5 years ago

    I think it's been around 7 years since a public exploit has been dropped for the Apple AirPort Extreme. YMMV though, as Apple has stopped selling them which means support is likely going to be minimal in the future if something does pop up. A lot of it is likely security through obscurity though as obviously the code is closed source and it uses a custom management interface vs web-access.

    If you want to go the modern (better) route, enterprise equipment such as Ubiquiti or Cisco with strict rules are likely your best bet. The budget option being an OpenWrt install with one of their recommended routers.

  • stordoff 5 years ago

    > Buy a x86 box and turn it into a router? But it consumes more power than a low-power router, and buying more network adapter is not that cheap.

    If you want to go this route, used Intel NICs are cheap. I recently picked up a 4-port gigabit NIC (PCI-E) for £13.99. I'm running on a machine that would be on anyway, so the power usage is negligible.

  • jsjohnst 5 years ago

    I highly recommend looking into pfSense. I’ve been running it for years and it’s been solid.

  • NullPrefix 5 years ago

    You only need two network adapters, other devices could be connected by a switch.

testplzignore 5 years ago

How many home routers aren't compromised or have known vulnerabilities? It would be interesting if a study looked at a random sample of the population of home routers to determine this. Go to people's homes and actually check. These articles always seem to look at it from the "how many compromised routers have we found so far" angle. I suspect that if the story was "90% of home routers have known unpatched vulnerabilities", these security issues would be taken more seriously by the companies responsible for them. And if they don't act, regulate them out of existence.

  • codetrotter 5 years ago

    > regulate them out of existence

    When the main players of an industry demonstrate unwillingness to take it upon themselves to resolve problems that negatively affect society at large, something needs to be done for sure.

    I am generally in favor of regulation, and it might be the answer in this case also. However, I worry that the regulations that would be introduced to fight router vulnerability might lead to a situation where router owners no longer have the possibility of flashing third-party firmwares such as DD-WRT.

    In my opinion, being able to flash third-party firmwares is more important than a lot of people might realize.

    Firstly, router makers necessarily target the market as a whole, and as such the factory firmwares found in consumer grade routers are generally lacking in advanced features that only a small portion of the market has a need/desire for.

    Secondly, open source firmwares can more readily be audited for backdoors. Of course, backdoors could still exist in parts of the router hardware that are not controlled by the main firmware though...

    Anyway, the reason I worry that regulation might threaten the possibility of running third-party firmware is two-fold:

    1. The regulations might specify that bootloaders need to be locked down, etc.

    2. Router makers might decide to lock down the routers even if the regulations don’t directly require it, in order to be able to prove that security demands are met.

    3. Router makers might use regulation as an excuse to lock down routers even if there is no real reason to do so.

    • mywittyname 5 years ago

      Perhaps the regulation should mandate support for third-party software, such as DD-WRT.

  • lbriner 5 years ago

    > And if they don't act, regulate them out of existence.

    Sounds easy but doesn't work IRL. The service providers don't build the units and rely on the supplier. The supplier might have patched it but wants money, the ISP doesn't want to pay. Maybe the patch breaks something else and the ISP don't want to put that on all their users.

    Also, not all vulnerabilities are equal. Some are more serious than others and require patching urgently, others less so.

    And not all ISPs can push a patch so how do you tell everyone to update and what happens when it doesn't work and 1M people are calling Customer Support?

    • toomuchtodo 5 years ago

      Comcast has functionality where they will email and/or text you if your connection has botnet or other nefarious activity on it and will disconnect you until it's resolved. Not a fan of them, but it's something they get right.

      https://i.imgur.com/cYKXtII.png

    • paulie_a 5 years ago

      If an ISP can't push reliable updates to their hardware they shouldn't be in business.

      Vulnerabilities should be prioritized of course. But I honestly don't mind when someone creates a worm that bricks crappy devices that isps know are vulnerable. It's a public service at that point.

  • wild_preference 5 years ago

    I think a solution that generalizes and has the possibility of actually working is for the result of compromised hardware to show up in the consumers' bill.

    We expect to pay a low, fixed, monthly price for unlimited bandwidth, but what happens when someone else gets their hands on that bandwidth?

    It's nice to hold manufacturers accountable for their woes, like shipping routers with "admin":"" creds, but what about all the other reasons devices get pwned, like users downloading malware or falling for those fake download-button ads or using something like Hola VPN that turns them into an open relay?

    Some ISPs will give you a phone call or shut you down entirely if they probabilistically think your bandwidth is compromised, but that involves a lot of complexity.

    If ISPs weren't racing to the bottom with the meaning of the word "unlimited", they could be honest about bandwidth prices and service levels instead of using a complicated throttling system to maintain the facade that bandwidth really is unlimited.

    Also, there would be natural filtering pressure against, say, insecure IoT devices that end up impacting people's ISP bill.

weinzierl 5 years ago

Germany is a nice white spot on the map because they all run their Fritz boxen, which seem to be unaffected by BCMPUPnP_Hunter.

trulyrandom 5 years ago

I must be missing something, but why are all these routers publicly listening on port 5431?

  • mr_toad 5 years ago

    Ports 5431 and 1900 are used for UPnP.

    I can’t think of any good reason they should be listening on an external interface, but maybe the port scanning is happening on the inside.

Bucephalus355 5 years ago

They are currently talking about creating a cyber civilian corps that would be under the Department of Homeland Security. The purpose would be some yet to be defined “assisting businesses and state / local governments in crisis”.

However maybe we should have them knocking on doors having ppl set up their home network.

Obviously a lot of responsibility is being pushed back on companies to make this easier, but still we have all these old devices out there humming along.

https://www.newamerica.org/cybersecurity-initiative/reports/...

  • jsjohnst 5 years ago

    It’s been talked about for years under DHS. I was part of one of the early iterations of it called NetGuard. I have zero hope for any such initiative after the experience despite thinking it's sorely needed.

black-tea 5 years ago

It's interesting to me that "pwn" has entered the respectable lexicon. If I were to talk about "haxxors" or "warez" I don't think I would be taken very seriously on here. I guess it's because "pwn" occupies a meaning not fully encompassed by any other word. There is "root" which is itself a slang term but it's too specific, I suppose, and "compromised" is just too long.

  • macintux 5 years ago

    I can say "pwn" is not something I would ever write in a serious document, but I'm also an old fart.

    • WrtCdEvrydy 5 years ago

      It depends on the age... usually for the board, we use 'compromised', because every one of those guys is scared of compromising pictures coming out (snorting milk powder off a friend's breasts for example)

  • stochastic_monk 5 years ago

    I imagine that most lingo dialects have a subset of terms which export more easily. A concise hacker community-originating term for compromise seems like a prime candidate.

Scoundreller 5 years ago

I’ve said it before: it shouldn’t be that hard for someone handy with a soldering iron to “harden” their router:

Look up the pinout for the flash chip, find the write-enable line, and put it on a switch to lock firmware updates.

This won’t protect you against non-persistent malware, but it will prevent malicious updates.

One could attach a bit of logic and an LED to this line to switch on when a flash is attempted. Then you know something bad is in the stream.

  • albertgoeswoof 5 years ago

    What about non malicious security updates?

    • Scoundreller 5 years ago

      Flip the switch when you want to allow them (but why accept random OTA updates?).

      The LED logic should signal you when there's an update coming in OTA, and you can verify for yourself if there's a legitimate update (and possibly load it yourself).

jammygit 5 years ago

How exactly does one go about buying a router that is not going to turn evil? Is there some company with open source software and easy setup, or some other easy solution?

rbanffy 5 years ago

What if someone did that, but to use the routers for some charitable distributed computing project?

Or mining crypto currencies and giving the proceeds to the router's owners?

Or perhaps a globally distributed weather prediction system that automatically detects network enabled weather stations and predicts weather everywhere for free?

Or a distributed P2P social network?

  • iodiniemetra 5 years ago

    Well, the increased power consumption of the hardware not entering sleep mode would be a non-marginal amount of power theft.

    Not to mention consent...

  • macintux 5 years ago

    It's wrong, full stop. No less wrong than it would be for someone to set up a homeless encampment on property you own without your consent.

    Sure, it's (probably) a good cause. It's still wrong.

  • cliffy 5 years ago

    It's morally wrong.

    You don't suddenly have the right to use someone else's personal belongings as you see fit just because they left a door or window unlocked.

    • matz1 5 years ago

      This appeal to morality is useless. OK, it's wrong to you, but that doesn't mean it's wrong to me.

    • rubatuga 5 years ago

      What if the router was being unused? What if the power usage was minimal? I think it is unethical not to utilize resources that are being wasted.

      • dymk 5 years ago

        I hope your parents taught you to ask before invading somebody's personal property.

        Are you okay with XYZ Tech Company snooping on your private messages, emails, or credit card transactions? The impact that you'd see would be minimal (aside from more targeted ads, perhaps), and it's data which would otherwise be "wasted" if nobody was mining it.

        • rubatuga 5 years ago

          I hope your parents taught you that too, thanks. Anyways, no, it's not okay for XYZ because they are invading the privacy of people's lives as a means to make more money. In the other circumstance, you would be using unused resources, not invading privacy, and contributing to projects such as Folding@home, which hopes to solve hard protein folding problems in order to better humanity.

  • aplummer 5 years ago

    I like the outside the box thinking for positive, however the environmental impact of crypto makes the latter seem like a net negative, given the compute efficiency :/

    • rbanffy 5 years ago

      Sure, but if the increase in power usage is marginal enough, maybe it'd be worth it for the router owner and be useful for the community at large.

      Even if it's a crime to do it without permission ;-)

jothezero 5 years ago

The kind of subject I love...!!

gammateam 5 years ago

pwn: the second derivative of getting owned

degenerate 5 years ago

A much better, more thorough analysis, complete with affected router model numbers, graphs, charts, and an affected-area map, is at the source post:

https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-tu...

CNJ7654 5 years ago

Lol, I love the phrasing of the title. Like they unearthed an old and forgotten Mesoamerican curse against a Broadcom executive's ancestor.

grezql 5 years ago

I wish this botnet would delete the infected hosts' Facebook accounts. Like it asks FB for deletion, then hides the confirmation mail. After 30 days, when the account is permanently deleted, it would erase itself from the host + patch the vulnerability.

I would've awarded the worm author the prize for contributing to the mental wellbeing of the society.

SlowRobotAhead 5 years ago

Reminds me I haven’t updated my pfSense router in a while. Nor have I ever heard about a flaw like this for them as it were.

But also, can we stop with “pwns” in a serious website? Almost makes me think the comment section would start with someone saying “First!”.