• Horowitz: New modem security is a disgrace


    #329449

    AskWoody_MVP @Michael432 tweeted last week: Someone I know just got a new #router and modem from Spectrum. Security was a disgrace. Default router use
    [See the full post at: Horowitz: New modem security is a disgrace]

    • #329450

      Sorry I didn’t read the articles, but I have a theory. Some should remember concerns that some ISPs were setting up a private network on home routers to allow for hotspots for their customers. And Spectrum now has smart phone packages using Verizon’s network. Perhaps some skulduggery?

      Spectrum provided me with a Cisco “modem” and I have a Netgear Nighthawk wireless router which just happens to have a new firmware update. If they modified the security settings on the “modem”, Cisco will still be monitoring the traffic.

      So the question is, Does this have anything to do with hotspots?

      Red Ruffnsore

      • #329899

        I do not know if Cisco & Spectrum are in cahoots for adding such intrusive Wi-Fi hotspots. DSLReports dot com may have the information, as their forums cover many United States internet service providers.

        Netgear released updates for other router models, but even if you are informed of the fixes for your model this round of firmware may come with new undisclosed features! You may already have “Router Auto Firmware Update” in yours or you might get it after the upgrade, and I was disgusted to be offered the option to have to disable(?) “Router Analytics Data Collection”! (Maybe Netgear disclosed the new features somewhere else perhaps in an e-mail, but I refrained from receiving any communications.)

        They took away some Parental control wanting you to go in Circles with Disney using a smartphone program and now Netgear wastes precious RAM & ROM space with data collection routines. WPS cannot ever be disabled; at least the box has a power switch, while some other brands do not have one except if you live in Europe. I get that the data might theoretically be for cost cutting support calls, but that container of an excuse may or may not hold water over time…

        I do not mind telling people to research more before buying equipment and buy less Netgear, this is not what I paid for.

        Sorry, I have to vent and also let people know what happened after applying the new firmware upgrade.

      • #329913

        I had a rental modem/router from my ISP, the local phone company. There were areas in the modem setup screen that I couldn’t get to. I’m quite sure that they use their rental modems to provide hotspots for their customers. I found out that I could purchase a DSL modem from them for around $25 and then use my own router with it. I installed the latest firmware on my router, and that’s how I’ve been surfing the web ever since.

        Group "L" (Linux Mint)
        with Windows 10 running in a remote session on my file server
    • #329452

      I tend to agree with Martin Boissonneault on this. uPnP at home on a small controlled network greatly increases the usability for a typical home customer, and many game consoles work better with it. It’s actually safer than letting an untrained home customer set their own port forwarding rules — without opening the LAN up more than needed. It’s also true that almost all home DSL and Cable modems do not forward uPnP.

      But at the corporate or SMB level, where we use bridged connections and have many workstations – uPnP has zero place in my world. I always check to make sure it’s completely disabled.

      As for WPS: also agree. There is a secure mode, but on a large network the question becomes: why would you bother? All other flavors of WPS need to die. As in they should stop adding that feature to access points entirely. While I’m at it, WEP and WPA (original) need to die as well.

      no_upnp

      ~ Group "Weekend" ~

    • #329461

      BTW:  If you suspect your older modem might be accepting UPnP requests, you can test for the problem here:

      https://www.grc.com/su/upnp-rejected.htm

      This test should come back negative even if you enabled UPnP on your gateway/firewall.  uPnP properly implemented should NOT be talking on the WAN side of your network.

      ~ Group "Weekend" ~

      • #329674

        To be clear, UPnP was never meant to exist on the WAN side of a router/gateway. This was a HUGE mistake that was noticed a few years ago by Rapid7 which found many millions of devices doing UPnP on their WAN side. HUGE mistake. The standard UPnP on/off control in a router is only meant for the LAN side.

        FYI: There are more external tests you can run on your router/gateway here  https://routersecurity.org/testrouter.php

        Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

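The WAN-side UPnP check that the two posts above describe (the GRC test, and Rapid7's finding of gateways answering SSDP on their public interface), as an added example that is not code from the thread, from GRC or from Rapid7: a small Python probe that sends one standard SSDP M-SEARCH to a public address and parses whatever comes back. The sample reply, the banner strings and the 192.0.2.1 address are constructed for the example. The good result is silence: a gateway that is configured properly never answers discovery on its WAN port. Run it from outside the network you are testing (the GRC page does that for you) and only against an address you own.

```python
"""Added example: probe one address for UPnP (SSDP) on its WAN side.

Not code from the thread or from GRC/Rapid7. The sample reply below is
constructed; 192.0.2.1 is a documentation address, not a real device.
"""
import socket
import sys
from typing import Dict, List, Optional

SSDP_PORT = 1900
# Standard SSDP discovery request. Here it is sent unicast to the target
# instead of to the 239.255.255.250 multicast group; a gateway that honours
# it on its WAN interface is exactly the misconfiguration the thread is about.
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: upnp:rootdevice\r\n"
    "\r\n"
)


def build_msearch() -> bytes:
    return MSEARCH.encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse an SSDP unicast reply into lower-cased headers.

    Returns None unless the reply is an HTTP/1.1 200 OK, which is the only
    form a discovery answer takes."""
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def assess(headers: Dict[str, str]) -> List[str]:
    """Findings for a reply that arrived from the public side of a gateway."""
    findings = ["SSDP answered on the WAN side: UPnP discovery is reachable from the Internet"]
    if "location" in headers:
        findings.append("device description URL exposed: " + headers["location"])
    if "server" in headers:
        findings.append("server banner (fingerprintable firmware): " + headers["server"])
    return findings


def probe(host: str, timeout: float = 3.0) -> Optional[Dict[str, str]]:
    """Send one M-SEARCH to host:1900 over UDP; None on silence (the good case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), (host, SSDP_PORT))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_ssdp_response(data)


# Constructed reply in the shape a misconfigured gateway would send back.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.1 ExampleGateway/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = probe(sys.argv[1])      # run this from OUTSIDE the network under test
    else:
        result = parse_ssdp_response(SAMPLE_REPLY)   # offline demonstration
    if result is None:
        print("no SSDP reply: nothing listening on the WAN side (expected)")
    else:
        for line in assess(result):
            print(line)
```

A timeout is the only acceptable outcome. A LOCATION header pointing at a rootDesc.xml means the device description, and usually the IGD control URLs behind it, are fetchable from the Internet, which is what let the WAN-side UPnP population be enumerated in the first place. Note the limits of a single probe: some ISPs filter UDP/1900 upstream, so silence proves the port is unreachable from where you stand, not that the feature is off, and a probe sent from inside the LAN says nothing at all about the WAN interface.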
        • #329700

          I absolutely agree!

          My reading on @Michael432’s website for many years combined with my personal experience makes me believe that:

          • In general, the software quality and maintenance level of consumer devices (usually the stuff you can buy from Big Box store shelves) is poor as it’s built for a price. It feels marketing has way more input in the equation than the software engineers (Dead spider routers anyone?). The devices have short term support only, almost throw-away devices. ($)
          • Then there are ISP devices… Mostly as above, built for a price, less marketing, more long term support. I suspect the ISP has to pay for support. ($$)
          • Finally, business devices are aimed at performance and long term support. Many of them have paid support plans. They usually Just Work. Bugs are dealt with. After all, you pay for it. ($$$)

          (My) Bottom line: You get what you pay for. Software engineers don’t work for free!

          Martin

          Edit: Typo

    • #329507

      What’s the alternative to default passwords?

      Spectrum does recommend changing them:

      We recommend customizing your network name and password.

      Before you go…You can increase your home’s network security by updating the ADMIN credentials. The ADMIN credentials control who can access and change the settings of your home network. Check the network settings web interface for help on updating the ADMIN credentials.

      Customize Your WiFi Network Name/Password

      • #329534

        Hi!

        Of course default password change should be mandatory on any consumer network-connected device! Heck, why even have a default one? The device should be unconfigurable until a password has been set.

        For business level devices, default passwords should bring up a warning until changed. I know some of those devices get pre-configured and finished up on-site. My opinion, up for discussion!

        Martin

      • #329635

        Years ago when I got my TWC (now Spectrum) router I changed both the login name and password for the router. A lot of people only change the password. Yet with the default login name, a hacker already has half of what is needed. The same goes for the administrator account on Windows computers. I temporarily enabled the administrator account, changed the login name from “administrator” to something else, set strong password, and then I disabled the administrator account. Now, any malware will have to guess what the machine’s administrator account login name is, in addition to trying to crack the password.

        • #329676

          Many routers/gateways do not allow you to change the logon userid. In this case, the new router that Spectrum installed always and only uses user “admin”. You can only change the password.

          Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

          • #329837

            Thanks for that tidbit of info. If a user cannot change the userid, then the user should create a really strong password. I really like ve2mrx’s idea of injecting a third party router into the chain between the ISP’s provided router and a person’s home network. There are two things which I really like about this concept. First, is that the ISP can’t get any further than their own equipment. Second, is that hackers would now encounter a second stumbling block in terms of gaining access to a person’s home network. That would be a worthy “how to do it” article for you to create, and would be an article which I would be most interested in reading.

            • #329860

              I really like ve2mrx’s idea of injecting a third party router into the chain between the ISP’s provided router and a person’s home network.

              This is how my network is set up, with an added twist.  My ISP, like many, has a DSL/router combo as its standard issue.  The wireless section on the router is particularly bad, only offering a radio on the 2.4GHz band.  There are more than thirty SSIDs visible at any given moment from my residence (a regular house, not even an apartment), and all but two of them (including mine, which would not be there if I were using their router/AP) are on the 2.4 GHz band.  Using bluetooth (which also uses 2.4 GHz) at some times is impossible, even to stream sound from one PC to another one less than three feet away.  There’s just too much interference, with lots of stuttering, high packet loss, and high latency.  I’ve tried it with completely different PCs with their own integrated BT on both the sending and receiving end with the same results, and I’ve tried it with Linux all around, Windows all around, and a combination of Windows and Linux, again with the same result.  It’s hard to imagine signals from outside my house are strong enough to attenuate a signal when the distance is only a few feet, but the results speak for themselves.

              Late at night, it all works fine.

              And in that environment, my ISP expects people to use 2.4 GHz.

              Not surprisingly, for that and other reasons, I don’t use the router function of the router/modem.  My own personal router, whichever model it may have been at the time, has always been the basis of my networks at home.

              It works just to daisy-chain the ISP router to my router, but since I don’t need any of that functionality from the ISP router, I set the device mode to “transparent bridged,” or whatever the actual text is.  That disables the router function and allows the entire device to act as a modem.  I then enter the PPPoE login credentials for the DSL connection into my preferred router (normally the built-in router handles this), and I’m off and running.

              I made sure to turn the wifi radios in the ISP router off first, just in case it wasn’t smart enough to do that in transparent bridged mode, and their preassigned SSIDs are not visible in any of the client devices, so they’re still off.  I then removed the antennae from the ISP router and put them in my computer pieces/parts box for future use.

              I would still do this even if my ISP offered a modem/ router that has dual-band, 2×2 wireless-N or better for the usual reasons, but that was not the one that I was offered (it came free with a year service commitment).  I use DD-WRT on my personal router, so it gets regular security updates, and it’s more configurable by a mile than the basic ISP router.

              My ISP does have a list of other modems (some of which are just standalone modems without built-in routers or APs) that they are willing to support, but if I can make the free one work well enough, I’ll use that.  Other than getting outrageously hot for a modem (and it’s part of the design of the unit… the case of the device is solid vents over the entire top and bottom, so even before I plugged it in the first time, I remarked that this thing must be a hot little beast).  It draws some 15w of power by itself (as reported by my UPS), even while idle.  That’s pretty high for what it is, but not so high that I am tempted to run out and buy another unit for the power savings.  I will probably use it until it cooks its capacitors to death, then buy a better one on the supported list that uses less power.

              Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
              XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
              Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

            • #330001

              I really like ve2mrx’s idea of injecting a third party router into the chain between the ISP’s provided router and a person’s home network

              Or insert a UTM box between the ISP’s gateway and the IoT (physical) sub-net.

              Plug the UTM into its own wired (ethernet) port on the gateway, and connect IoT devices only through the UTM.

              While @Ascaris has the right idea, I doubt that many home users would be able to follow his highly technical instructions.

              I have lived in two apartment communities, and I totally agree about wireless interference being a serious and constant problem.

              -- rc primak

        • #329702

          Changing username and password is great! That is, until they kindly reset your router to defaults to “help” you solve your service issues!

          • #329720

            My way to avoid this is ‘deny remote access’ via settings in modem/router.
            Here in the UK, if I or clients have a problem with connection, having checked and recognised there is a connection issue after testing/changing connecting cables, phoning the ISP is far easier without them needing to access the device, thus avoiding admin/password changes. Another thing is, I personally never use supplied ISP modem/routers due to their having neutered settings and dumbed down interfaces.

            Windows - commercial by definition and now function...
            • #329813

              You are lucky if you can deny the ISP access! Here, my ISP has baked in TR-069 to their devices. They can access it anytime. Unless, of course, they choose to open that SSH port!

              Yes, a vulnerability scan of my ISP’s Sagemcom device revealed a vulnerable, accessible SSH port!!! Management listened to my report and the firmware has been fixed. But not before I pointed them to the media mess a mass attack could cause.

              Lucky in my unluckiness, I can piggy-back my own router to their device using PPPoE pass-through. Their device provides IPTV phone service and (unused) Internet, while my EdgeRouter Lite provides me my Internet.

              Whatever access they have, they won’t access my local network.

              Martin

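A companion check for the remote-management exposure Martin describes above (TR-069 baked into the ISP's device, and an SSH listener that turned up in a vulnerability scan), as an added example that is not code from the post: a TCP connect scan of the usual management ports on a gateway's public address, with the findings a practitioner would write up for each. The port list and the advice strings are my own assumptions; 7547/tcp is the port a TR-069 CPE normally keeps open for connection requests from the ISP's ACS, and 192.0.2.1 is a documentation address. The `connect` argument is injectable only so the decision logic can run offline with a fake connector.

```python
"""Added example: look for management services on a gateway's public address.

Not code from the thread. The port list is my choice; 7547/tcp is the port
TR-069 CPEs normally listen on for connection requests from the ISP's ACS.
192.0.2.1 is a documentation address. Scan only addresses you own, and from
outside the network (a mobile connection or a host elsewhere), because a
connect from inside the LAN never reaches the WAN-facing listener.
"""
import socket
import sys
from typing import Callable, Dict, List

MANAGEMENT_PORTS: Dict[int, str] = {
    21: "FTP",
    22: "SSH",
    23: "Telnet",
    80: "HTTP admin UI",
    443: "HTTPS admin UI",
    7547: "TR-069 (CWMP) connection-request listener",
    8080: "alternate HTTP admin UI",
    8443: "alternate HTTPS admin UI",
}

ConnectFn = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when the TCP handshake completes, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host: str, ports: Dict[int, str] = MANAGEMENT_PORTS,
         connect: ConnectFn = tcp_connect) -> List[int]:
    """Sorted list of ports that accept a connection.

    `connect` is injectable so the decision logic can be exercised with a
    fake connector and no network."""
    return sorted(port for port in ports if connect(host, port))


def report(open_ports: List[int], ports: Dict[int, str] = MANAGEMENT_PORTS) -> List[str]:
    """One finding per open port. On a home gateway's WAN side the expected
    result is an empty list; anything listed deserves a change or a ticket."""
    findings: List[str] = []
    for port in open_ports:
        name = ports.get(port, "unknown service")
        if port == 7547:
            advice = ("ISP remote-management listener; ask who may reach it and "
                      "whether it is filtered to the ISP's ACS addresses")
        elif port in (22, 23):
            advice = "remote shell reachable from the Internet; disable remote access or restrict the source"
        elif port == 21:
            advice = "cleartext file service on a gateway; disable"
        else:
            advice = "admin interface reachable from the Internet; turn off remote management"
        findings.append(f"{port}/tcp {name}: {advice}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        found = scan(target)
    else:
        # Offline demonstration: a fake connector that "finds" SSH and TR-069.
        target = "192.0.2.1"
        found = scan(target, connect=lambda h, p: p in (22, 7547))
    if not found:
        print(f"{target}: none of the management ports answered (expected)")
    for line in report(found):
        print(f"{target}: {line}")
```

Two caveats belong with the result. A port that does not answer is unreachable from where you scanned, not necessarily disabled: the ISP may filter it upstream, and a CPE can be told to listen for TR-069 connection requests on another port entirely. And an open 7547 is not by itself a finding against the ISP; the question to put to them is the one Martin's report raised, namely whether that listener, and the SSH service beside it, is restricted to the ISP's own management addresses or accepts connections from anyone.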
            • #329829

              Slick.

    • #329519

      Well, there’s something to be said to buying your own modem/router… but of course that gets a bit too advanced for the average consumer.

      At least my ISP sends out DSL router/modem boxes with individually set SSID and default admin password. It’s on the device label right next to the serial number, and yes, it does go back to that if you do a factory reset on it.

    • #329537

      Another danger about network devices: outdated or manufacturer abandoned devices! How many manufacturer-abandoned vulnerable routers are online? ISPs usually don’t replace an obsolete CPE device unless it’s required for service. Many have not gotten firmware fixes in years, yet are on a shelf carrying Internet to customers!

      How many devices are forgotten, completely unmanaged by anyone, hidden in a cupboard until it fails? Those exist too, vulnerable, waiting to be abused.

      The solution? Automatic disconnect 6 months after the last successful firmware check, firmware update or logon. If marked as vulnerable or no longer supported, 6 months too! On logon, a big red warning, and by typing back a 32 character random string, the device works for another 6 months! It WILL get the needed attention!!!

      Any other ideas?


      Martin

      • #329677

        Here in the US, ISPs are monopolies almost everywhere. Thus, no need to do a good job. That so few people understand the technology just adds to their ability to do as little as they can get away with.

        Your points are valid, of course, and it’s even worse. Since ISPs give out so many of the same devices, bad guys will naturally target them as they offer more bang for the buck. A buggy router used by very few people is safer than a buggy router used by millions.

        Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

    • #329562

      Hi. When one of my friends calls for help with his internet connection, I am always surprised that there is a default password. Credentials like “admin” “admin” are always amusing for me 🙂 But you know what I found? This is often caused by restarting their devices.

      Understand – their internet connection is not working, so the first thing to do is restart your modem.. if this doesn’t work, they just press that button for a longer period of time, because just pushing that button is not enough… or just because someone told them to reset this to factory settings. This should indeed help 😀

      So.. In business solutions, there is plenty of security. At home, there is mostly lack of knowledge – which means lack of security. And who is to blame? Nobody. For example I am not good at baking, still I have to eat something. So I have to go to the bakery and buy that delicious croissant. I think IT guys should get used to being mentors.

      But if I do some setup, I always make sure it’s safe and definitely I do not leave the default logon, that’s bad.


      Try this https://routersecurity.org/index.php

      Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

      HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

      PRUSA i3 MK3S+

      • #329706

        I tend to agree. It’s complicated to most users. It’s just going to be more complicated.

        Home IT services will probably become as needed as a plumber or electrician. It is a specialized job. However, it’s relatively new compared to electricity and plumbing.

        Nobody died at home from Internet issues yet. Blood brings Laws!

        • #330004

          Not to belabor the point, but a UTM box with a subscription security service solves the issue of home users not being savvy enough or not wanting to spend the effort/time to set things up through the router.

          Most folks would rather pay someone else to look after their security than to spend their own time and effort to learn how to do it themselves.

          -- rc primak

    • #329563

      I’ve found that most modem/routers offer a facility to ‘save/restore’ or ‘export/import’ settings to/from an ini file once configured which can be a timesaver should settings be lost or corrupted. I usually do this whilst disconnected from internet access via an RJ45 cable connection. This has happened on a few occasions upon restart of the modem/router of clients and our own device.
      It saves having to go through all the sections and subsections checking settings.
      1st rule, as per a PC is: backup, backup and backup

      Windows - commercial by definition and now function...
      • #329648

        I do the same thing whenever I change my router’s settings. Yet I temporarily set the login and password back to the defaults, just before backing up my router’s settings. After backing up, I then change the router back to my chosen login and password. This makes restoring my configured settings much easier after a firmware upgrade or after performing a factory reset. After doing either of the latter, one has to remember to immediately change the router’s default login and password back to your desired login and password.

    • #329682

      Modem/router security has been a disgrace for a very long time.

      The problem with the consumer routers is people want easy, no hassle quick connect, but you can’t expect them to know about security. At least, if they could have the help of an expert for initial setup, the rest should be handled better.

      I once asked the people responsible for DD-WRT if they planned to have an autoupdating firmware. They said it would be too much trouble and there are too many brands of routers to support.

      I think they should pick a few models and support them better with optional autoupdating firmware that doesn’t lose config for them. Then, I could install a properly configured DD-WRT firmware on old routers of some friends and be done with it for a long time. Of course, I can’t blame them for not doing it, but I still think they miss a big opportunity to make the Internet safer. If the community doesn’t do it, who is going to do it? There is no incentive for router companies to provide security. Routers are cheap devices and as Michael said, reviews focus more on dust gathering abilities, looks and speed than security.

      I am not going to use a firmware that I have to update all the time because they add features, but for which I don’t know for each release if there is also a security fix or not. I don’t want to have to take the time to verify that constantly. It is not worth it. At the very least, you should be able to subscribe to a mailing list where security issues are sent to you right away to warn you to update the device. However, a normal user should never have to periodically manually check for firmware updates. Most routers should be very simple devices, with no cloud components and other bells and whistles, not much change and security fixes pushed automatically unless you don’t want them, and they should come with a revert to the previous firmware button in case an update breaks the thing.

      It is a shame that consumer routers are already not that well maintained by the companies who build them and it is not clear at all to the consumer when they stop being patched. We also see way too many routers lose their config when updating the firmware. How can we expect home users to keep up with this?

      It is like nobody is thinking about security at these companies. Security should always be in the back of your mind when you design a router. Tricky settings should be explained and asked in the form of questions when initially setting up the router through a web page before allowing it to go online. I think it is possible to still have enough convenience without completely abandoning security.

      Years ago when it was already clear for a long time that WEP wasn’t an acceptable security solution, there was a huge internet provider that shipped tons of routers with WEP configured as the security, probably to avoid support costs on older devices. They probably calculated it would cost less to do things that way than activate WPA2 and handle the issues for the customers that would not support it. They probably thought that anyway, there are not many people that will have their wifi cracked and even if they do, they won’t be able to trace the source of the issue to them. This attitude is a disgrace and meanwhile, there were people hopping on others’ networks to get free Internet access and steal their data to download torrents.

      As for uPnP, it is a tricky question. For someone that likes to buy the IoT gadgets and that have been warned about the security risks, it makes sense to leave it enabled to be able to use these things more easily from the outside, but the first thing I always tell people is do you really want to have someone from the outside be able to enter your cheap IoT things? You need this that bad or you just find it cool but if you are aware of the security risk you will not allow it?

      Consumer routers are not the only ones that have insecure configurations by default. There is a big company that will have outdated encryption configured by default or that will happily sell you support for the hardware of your firewall but won’t provide security patches for the software it runs. You will also be able to choose among many insecure configurations. I get that you should be an expert to configure those, but would it be too hard to just issue a warning when activating something now deemed inadequate by today’s standards? There are too many ways to shoot yourself in the foot with those devices. That, and not counting that if you don’t carefully read the release notes of updates, you might end up with a previously secure configuration that is now behaving differently and in an insecure way for your context.

      The general negative attitude about security is seen everywhere. Lots of people look at you like you are that annoying paranoid idiot when you invoke security. I see people that ask me to open a port to the inside for their software to work all the time and they get annoyed when I tell them it shouldn’t be required and they should have built their software better. Lots of people go for the easy way without thinking twice about security, even today. This whole attitude needs to be changed.

      On a side note, in today’s world, trust should be at an all-time low. You can now expect that software will do many things you would not want it to do in the background even when you are not using it actively for its intended purpose. Spyware has become acceptable or a “necessary” evil that people tolerate without having a clear understanding of what is going on because they feel like it is an inescapable reality of today’s apps landscape. We just don’t call it spyware anymore, but it is no less evil. Right now, the OS lets the apps still do way too much with your files and access too many things that they shouldn’t require. Or it pretends it gives you control, but there are many loopholes (I look at you iOS and its many ways to have apps run in the background even if the user thought they disabled it), plus it can be cumbersome to configure the permissions. We need more insulation between codes. My streaming music app should just be able to play the music, not look at what I am doing on my computer, put cookies in some places or track where I go to build a marketing profile. We are far from there right now.

      • #329752

        Alex, I agree with you!

        I’ve broken up my reply so it’s easier on everyone. The quotes have been rearranged and edited for flow.

        I once asked the people responsible for DD-WRT if they planned to have an autoupdating firmware. They said it would be too much trouble and there are too many brands of routers to support. I think they should pick a few models and support them better with optional autoupdating firmware that doesn’t lose config for them. Then, I could install a properly configured DD-WRT firmware on old routers of some friends and be done with it for a long time. Of course, I can’t blame them for not doing it, but I still think they miss a big opportunity to make the Internet safer. If the community doesn’t do it, who is going to do it?

        That’s the reason I dropped DD-WRT. I had used it since the venerable Linksys WRT-54G v2.2. At first with original firmware, then DD-WRT. Then migrated to the Asus RT-N16 with DD-WRT. A few years ago, while checking about a router vulnerability I searched for a “new”, “right” version of DD-WRT to update to.

        You nailed the main problem with DD-WRT: It’s far, very far from simple. They support too many routers. Every new Beta release fixes a problem on the new “port-of-the-day” router, but causes problems on another. I like having control over my devices, and DD-WRT gave people control and so many useful features! But having to spend hours to find the “right” build that “Just Works” on my specific router is too much, even for me.

        I gave up and started to shop for new routers. I am the permanent family Tech support Help Desk lone staffer, so I needed something that Just Works. Went with Ubiquiti.

      • #329753

        Alex, I agree with you!

        I’ve broken up my reply so it’s easier on everyone. The quotes have been rearranged and edited for flow.

        There is no incentive for router companies to provide security. Routers are cheap devices and as Michael said, reviews focus more on dust gathering abilities, looks and speed than security.

        Years ago when it was already clear for a long time that WEP wasn’t an acceptable security solution, there was a huge internet provider that shipped tons of routers with WEP configured as the security, probably to avoid support costs on older devices. They probably calculated it would cost less to do things that way than activate WPA2 and handle the issues for the customers that would not support it. They probably thought that anyway, there are not many people that will have their wifi cracked and even if they do, they won’t be able to trace the source of the issue to them. This attitude is a disgrace and meanwhile, there was people hopping on other’s network to get free Internet access and steal their data to download torrents.

        It is a shame that consumer routers are already not that well maintained by the companies who build them and it is not clear at all to the consumer when they stop being patched.

        (Emphasis is mine)

        There is no accountability for companies, and software security is hard. On top of that people are ignorant. Those who try to read the license agreement? Almost none. And if you do, it’s likely to say something like “We cannot be held responsible for anything the software does, whether we know about it or not, and we have no obligation to fix anything. You give up the right to sue us or to enter a Class Action suit against us. Give us your money and [edited].”

        In a way, Free Market is a failure when every company agrees to be equally Evil or bad. To most companies, you are no longer the real customer. You can no longer vote with your money. Shareholders vote with theirs! THEY are the real customers.

      • #329762

        Alex, I agree with you!

        I’ve broken up my reply so it’s easier on everyone. The quotes have been rearranged and edited for flow.

        As for uPnP, it is a tricky question. For someone that likes to buy the IoT gadgets and that have been warned about the security risks, it makes sense to leave it enabled to be able to use these things more easily from the outside, but the first thing I always tell people is do you really want to have someone from the outside be able to enter your cheap IoT things? You need this that bad or you just find it cool but if you are aware of the security risk you will not allow it?

        I see people that asks me to open a port to the inside for their software to work all the time and they get annoyed when I tell them it shouldn’t be required and they should have built their software better. Lots of people go for the easy way without thinking twice about security, even today. This whole attitude needs to be changed.

        Firewalls are like a house: you can make it very secure, but every hole you cut for a window or door is a security hole that needs attention. There’s nothing like building a security fortress and leaving a cheap eBay-provided screen door open on the side 😉

        1 user thanked author for this post.
      • #329765

        Alex, I agree with you!

        I’ve broken up my reply so it’s easier on everyone. The quotes have been rearranged and edited for flow.

        I am not going to use a firmware that I have to update all the time because they add features, but for which I don’t know for each release if there is also a security fix or not. I don’t want to have to take the time to verify that constantly. <…> At the very least, you should be able to subscribe to a mailing list where security issues are sent to you right away to warn you to update the device.

        However, a normal user should never have to periodically manually check for firmware updates.

        I am a big fan of Long Term Support software. New features on major versions, fixes on minor versions. It used to be that way, until Internet browsers made rolling updates sexy for shareholders. Now, everyone wants to be part of that fad! Instead of only fixing bugs, you add new ones! That is plain wrong.

        One point you touched on: up-to-date, precise documentation. Software should be built FROM documentation, not the other way around. Too often, documentation is lagging, vague or non-existent.

        Every time, there is a tough choice to make: simplicity vs flexibility vs security vs cost. The more flexible, the less simple and the less secure. Simple and secure, less flexible. The less costly, the simpler, the less flexible and the less secure. Pick your poison.

        1 user thanked author for this post.
      • #329806

        Alex, I agree with you!

        I’ve broken up my reply so it’s easier on everyone. The quotes have been rearranged and edited for flow.

        On a side note, in today’s world, trust should be at an all-time low.

        You can now expect that software will do many things you would not want them to do in the background even when you are not using them actively for their intended purpose. Spyware has become acceptable or a “necessary” evil that people tolerate without having a clear understanding of what is going on because they feel like it is an inescapable reality of today’s apps landscape.

        <…>

        We need more insulation between codes. My streaming music app should just be able to play the music, not look at what I am doing on my computer, put cookies in some places or track where I go to build a marketing profile. We are far from there right now.

        Rant warning: The following might be considered depressing.
        As for trust, you are right. I trust very few people, and even then, I expect them to fail me. Companies? Hard, very hard. Usually, the smaller ones are better than huge ones. They need you, their customer, to be satisfied to grow. So, they care.

        Facebook, Microsoft, Google? Nope. You are a pawn to them. Apple? Feels a bit better. But the bigger the company, the more centered on themselves they become. Their satisfaction before yours. Their shareholders before you anytime.

        If they have shareholders, at first the shareholders want customers to have a good opinion of their investment growth. But as profits to shareholders grow, so do their demands. The companies become prostitutes for the shareholders, and the customers, pawns in that game…

        That’s the huge problem we are facing now: once the shareholders get on board, you lose your company’s soul. The focus becomes growth and revenue. Milk it as hard as you can.

        I don’t know how to fix that. How to prevent that. But it’s part of the bigger problems in our society. Shareholders. Pollution, security, privacy, quality, price… Just maximize the profits while making it just good enough for people to give us money. Go as bad as the others. Then, consumer pawns, [edited].

        That’s the failure of our economic model. It needs to exploit something and/or someone. The value is rarely from the work needed to get the final product, but from the desire of others to get it. Good products were the norm in the 70’s? 60’s? It’s over.

        Second warning: yes, it is depressing, but true!
        Heck, just 8 men (yep, eight people) own the same wealth as half the world, 50% (yes, fifty percent) of all resources on this Earth. Poverty is here to stay.

        Climate change on top of that, and we are looking at the end of humanity.

        Please, don’t give this poisoned gift to kids. Don’t have kids unless you want them to suffer. Open your eyes, the bright red flashing signs are there.

        Human nature wins at the end: Everyone for themselves 🙁

        All right, my rant is over. Once you know something, you can’t unlearn it. I envy the ignorant.

        Martin

        1 user thanked author for this post.
      • #330009

        @Alex — I think you are correct in your reasoning, but cutting off device access to the Internet if firmware is too out of date seems impractical.

        However, a device like UTM with its own subscription service will accomplish virtually the same goal. The consumer is aware that security updates are mandatory and will take place on a scheduled, regular basis. When and if the appliance goes out of date and receives no further updates, it becomes useless. The consumer can easily understand this arrangement, and it takes care of at least some of the issues of keeping the firmware and security settings up to date.

        -- rc primak

        1 user thanked author for this post.
    • #329703

      At least my ISP sends out DSL router/modem boxes with individually set SSID and default admin password. It’s on the device label right next to the serial number, and yes, it does go back to that if you do a factory reset on it.

      One brand got bit hard because of that. The Wi-Fi password could be calculated from the “random” SSID. Am I right @Michael432?

    • #329735

      How about the back doors ISP tech support uses to get into their supplied routers without your prior blessing?

      About 5 years ago a local telco came out to install an Actiontec VDSL router at my home.

      The tech said they provide the router with the firewall turned off.


      • #329825

        Yeah, TR-069 is often baked in ISP device firmware. They can check settings and connection statistics. It’s not evil, but a Privacy issue.

        You need to trust the company or not. If not, change company. After all, they see all your unencrypted traffic! I know, easier said than done. VPN companies are not better, and sometimes have unclear motives. A Facebook-owned company once offered a free VPN service. Reading the EULA, I saw they would scan all the traffic “to enhance their services”. Yeah, right… No thanks!


    • #329783

      Maybe we need to look at this from another angle. Since computers and the internet are now such a huge part of everyday life, knowledge of how to securely set up a modem and router is mandatory for the average human. In short, we need to teach this at an early age, in computer class at school.

      ISPs are in a terrible situation. On the one hand they need to deliver a working internet connection to their customers. But on the other hand they cannot enforce too tight a security posture, or they are inundated with complaints whenever someone’s Xbox cannot connect to the internet. The problem is that the average customer is totally clueless and unqualified in all things related to the internet other than surfing or hashtags.

      W10&11 x64 Pro&Home

      • #329820

        I think the solution is what they did for phone service. They could guarantee service up to a demarcation point and include a modem in this guarantee. Anything beyond that is your problem.

        In my residential install, there is the problem: The combo TV/Phone/Internet router box connects with optic fiber. The fiber OLT is a plug-in module that can be used with your own router (extra hardware needed). Because of the Phone part, I’m stuck with their router box. There is no known way around. TV is hard but can be separately configured in some routers.

        They chose to put everything in this one box, locking you with their hardware. The demarcation point is the fiber port now, but they support the service with their Sagemcom box. Anything else and you are on your own.

        They do allow you to connect with another PPPoE connection through their router, but with limited speed while Gigabit speeds are available with theirs. No way to have full speed using your own router without bypassing their router. But it’s feasible.

        • #329830

          Comcast does the same thing if you order a bundled service including their phone lines.

          And their routers/Wi-Fi all-in-ones are terrible.

          You “can” ask them to disable the Wi-Fi at least if you want to hook up some real AP’s, but residential service won’t config their modem/router into gateway only mode – so if you want a real router you must double-NAT. Not good.

          I have Comcast for home, using my own modem. Over the years I’ve enjoyed putting several nice routers behind it (all overkill, but I use them to learn . . . ). Previous occupants in that space have included a Cisco PIX, a Cisco ASA, some ZyWall 110, 310 and 710 units, and more recently a Unifi 4P . . . (which is starting to make me nervous about selling to clients – it keeps resetting itself.)

          ~ Group "Weekend" ~

          1 user thanked author for this post.
        • #329832

          ? says:

          how about: bridge the ISP gateway combo box to the user’s preferred equipment?

          i use the stuff the ISP supports ’cause it works on the 45\5 i currently have coming in. runs faster than i can type, anyway. the one happy feature they added to the newer boxes is “stealth mode,” in the IPv4 firewall settings, allowing me to finally pass all of Steve Gibson’s ShieldsUP tests…

          now, if i could only figure out how to clear the DHCP reservations to make the connected items list clear without resetting the whole shebang

    • #329960

      Devices on the LAN can talk UPnP to each other, without the router/gateway being involved. Enabling UPnP in a router is just asking for trouble, especially considering the poor security of so many IoT devices.

      That would be a WIRELESS LAN, correct, Michael?

      BTW great info on your website and glad you are here!

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
      • #329983

        If you are talking about UPnP at the router level, it doesn’t matter if it is wireless or not. UPnP has no relationship to wireless. If enabled on the router, it means any code on your device can ask to punch a hole in the firewall so it is now able to receive an unrequested packet from anyone outside to a specific port. Then, that means you can for example access your IoT device from the outside directly with your IP address.

        A better designed IoT device that you would want to access from outside could, instead of punching holes in your firewall, establish and maintain a connection to a central server outside, to which you would connect as well. The server would link you to your device that way. Add two-factor authentication to the mix and you get better security, as nobody can directly access your unpatched device from outside. The remote access tool TeamViewer works that way. Of course, it costs more to run the central server outside, so it is much easier to put cheap code on an IoT device and not do anything to support it afterwards.

        I don’t buy IoT devices and I don’t care for them, but I think they can be convenient for some people. The problem is normal users don’t really understand the security risk they pose. If there was some kind of certification available that would certify that an IoT device is maintained for at least a given number of years, is patched when vulnerabilities are found, does not allow direct access from the Internet, etc., maybe it would make it easier for consumers to buy the more expensive but more secure devices if they want, just by looking at the seal of certification. Companies could apply for the certification and could lose it if an audit shows they don’t respect the conditions. There could even be a company managing the central outside server with 2FA for many others, although it would be a nice target for hackers. Then you could buy only safer products if you want and not worry as much as a consumer.

        But the question remains: do consumers really care enough about security to buy a more expensive device, or just not buy the cheap ones? I’m not sure the majority of people do, and that means a lack of a market until security really gets better attention. When I suggest to people to buy a third-party router to install between their internal network and the ISP router, they generally don’t find it worth it. The only time I’ve seen normal users worry a lot in the last few years is when they received that spam that pretends it filmed you looking at websites with people with no clothes and threatens to release the video to all your contacts if you don’t pay a ransom…


        2 users thanked author for this post.
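        The UPnP mechanism described in the reply above, as an added example that is not part of the thread: a small Python audit that builds the request a LAN program sends to the gateway’s WANIPConnection service and parses the gateway’s listing of existing port mappings, flagging the ones a home user would want to look at. The sample response and the allowed-host set are constructed, not captured from a real router.

```python
"""UPnP IGD port-mapping audit (added example, not code from the thread).
With UPnP on, any LAN program can ask the gateway's WANIPConnection service
to open an inbound port; the same service answers GetGenericPortMappingEntry,
which lets you enumerate the holes already punched. Sample data is constructed."""
import re

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")

def soap_get_mapping(index):
    """SOAP body asking the gateway for the index-th existing port mapping."""
    return ('<?xml version="1.0"?><s:Envelope xmlns:s='
            '"http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def parse_mapping(xml):
    """Pull the mapping fields out of a GetGenericPortMappingEntryResponse."""
    out = {}
    for f in FIELDS:
        m = re.search(rf"<{f}>(.*?)</{f}>", xml, re.S)
        if m:
            out[f] = m.group(1).strip()
    return out

def flag_mapping(m, allowed_hosts):
    """Reasons a mapping deserves attention: it exposes a host you did not
    intend to expose, it never expires, or it is reachable from anywhere."""
    reasons = []
    if m.get("NewInternalClient") not in allowed_hosts:
        reasons.append("unexpected internal host " + m.get("NewInternalClient", "?"))
    if m.get("NewLeaseDuration") == "0":
        reasons.append("permanent mapping (lease 0)")
    if not m.get("NewRemoteHost"):
        reasons.append("open to any remote host")
    return reasons

# Constructed sample: what a gateway might return for index 0 (an IoT camera).
SAMPLE_RESPONSE = (
    '<s:Envelope><s:Body><u:GetGenericPortMappingEntryResponse>'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>'
    '<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>'
    '<NewInternalClient>192.168.1.57</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>cam</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
```

        In practice you would POST `soap_get_mapping(i)` for i = 0, 1, 2… to the gateway’s control URL until it returns an error, and run `flag_mapping` over each parsed answer; a clean audit with UPnP disabled should return no mappings at all.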
        • #330011

          Again, for a single upfront and subscription cost, a UTM box can defend virtually all IoT devices on a home network. Consumers would not have to shop as carefully, and setup is once only, as new devices can be added without much fussing with the UTM itself.

          As for folks not seeing that this is worth the extra costs, just wait until their networks and devices get hacked — especially things like baby monitors or thermostats. Once people (literally) feel the heat or directly hear the threats, they will either throw out all their IoT devices, or wise up to the security risks and act (and pay) accordingly.

          -- rc primak
