New Linux worm targets routers, cameras, “Internet of things” devices (arstechnica.com)
34 points by hepha1979 on Nov 27, 2013 | 16 comments


> While not posing much of a real-world threat now, Darlloz demonstrates a major shortcoming with most Internet-of-things devices available today—they typically run Linux or other types of open source code that are woefully out of date.

This makes no sense. Running Linux (or an OSS stack in general) is not what makes devices out of date. Not updating them does.

If updates are not automatic then the vast majority of people will not perform them. If they're not automatic and a pain in the ass to do (ever tried updating the firmware on a TV?) then even fewer will do it.

I'm not saying I want auto updates for everything (I personally don't like them though the option is nice) but for the vast majority of folks it's the right option. $NON_TECH_SAVVY_RELATIVE is not going to keep tabs on the latest exploits for her router and know when to log in to the management console (assuming she can log in) and apply an update.


> This makes no sense. Running Linux (or an OSS stack in general) is not what makes devices out of date. Not updating them does.

I can see how you'd read it that way, but I think the intent of the sentence is to state that they're running woefully out of date versions of Linux, not that Linux itself is woefully out of date.


He parsed that (ambiguous, I agree) section like that because of the "or other types of open source code" section, and because the word "version" (or similar) was not included.

Had it instead said:

  *"they typically run Linux versions that are woefully out of date."*

or

  *"they typically run versions of Linux or other operating systems that are out of date."*

then there would not be a problem.

Since the real problem is out of date software, not the license that software happens to have, mentioning the license makes it sound like the author is blaming the license (a problem that is made worse by not including some "version" wording).

Considering the awkwardness of the phrase "other types of open source code" (what do we mean other "types"? Other licenses? Other languages? I don't think they intend either of those, what they mean is other projects, not types), I have to assume that the author did not intend any sort of slight and this is just a misunderstanding.

They probably included the "other types of open source code" section because that is frankly what is common with these sorts of devices. It is an incidental detail that got confused with the point because the author is not as precise with the language surrounding this topic as we are.


Manufacturers need to do a better job making these appliances easier for consumers to keep updated. And this isn't just a problem with Linux, it is a problem with the designs being fire and forget.


Aren't most home routers, by default, configured to not accept HTTP connections from outside the local network?


It's still possible to trick the browser of a user on the inside to HTTP POST a form invisibly to 192.168.1.1, by javascript hosted on an external web page.


I tried to figure out how to do this a while ago. Doesn't anti cross site scripting built into most modern browsers stop this? The Flash and Java security models certainly do.

I think you can do this by serving the user a hidden form that e.g. sends a firmware to the device, and a real form that they are likely to submit. The hidden form is the one that actually gets submitted. But I thought anything via XHR wouldn't work. Which is needed for a brute force attack say.

What did you find?


What about embedding iframes?


That would look to be correct, see here for example: http://hackers2devnull.blogspot.co.uk/2013/07/exploiting-pos...

In which case, I wonder why more sites (or evil ads via an ad network) don't attack our home routers?


Probably because it isn't really necessary — it's easier just to own the user's PC the old-fashioned way.


One thing I do is put my router and network on a different Class C than the default, for example 192.168.56.0.


One thing I've always wondered is why anyone would stick with anything in the 192.168 range when the 10.0.0.0 class A is also available for local allocations, and significantly easier to remember?


Well, in my case it was because I was a little uncertain of what the various classes meant. This was my pre-university days before I studied networks formally.

My first router could only do the 192.168 range so I got in the habit of it. Later with subsequent routers, all my devices were already set up on a specific class C network, so it was easier to change the router than go through all the devices and change them.


Probably but, (all routers - most routers) = still a huge number of exposed routers with default passwords.

Note that the article mentions Intel routers (x86 cpus?). Those are indeed not very common to my knowledge.


fla: The article also mentions that these ELF binaries can be made compatible with ARM and other targets easily by just changing the Compile Target metadata in the binary itself. Making it quite simple to also target almost all routers.


Can I use this to root my printer?



