
Asus lawsuit puts entire industry on notice over shoddy router security - transpute
http://arstechnica.com/security/2016/02/asus-lawsuit-puts-entire-industry-on-notice-over-shoddy-router-security/
======
Isamu
>The action should serve as a wake-up call, not just for other router makers,
but entire industries tied to the so-called Internet of Things wave that's
adding Internet connectivity to refrigerators, watches, and other everyday
devices. Over the past few years, researchers have uncovered a litany of
security defects that make it possible for such devices to be remotely
hijacked by attackers. Often, the hackers can use their position to install
malicious code on the devices or to surreptitiously monitor the comings and
goings of the owners.

Pretty much what we've all been saying here.

~~~
x0x0
I think it's time to encode in law security requirements, a minimum timespan
for security patches to be provided post purchase, a maximum timeframe for
security patch provision, and liability for unpatched security holes.

~~~
_delirium
Just normal consumer-protection and product-liability law ought to take care
of it for the most part, if really applied. Computer software has somehow
managed to almost entirely escape liability, avoiding legal responsibility for
shipping software with serious defects that makes it not fit for advertised
purpose. But I suspect people shipping physical devices will find it harder to
avoid, because the legal regime for physical devices like ovens and toasters
is well established. Nest being forced to issue a product recall of its
thermostats over a software flaw is one example of this starting to play out.

~~~
reitanqild
> Computer software has somehow managed to almost entirely escape liability,
> avoiding legal responsibility for shipping software with serious defects
> that makes it not fit for advertised purpose.

So did early car manufacturers etc etc.

Personally I think if everything had been thoroughly regulated from the start
a lot of the innovations we are all benefiting from today wouldn't have
happened or would have taken far longer time.

So I am not against regulations, but I can understand why waiting a bit and
thinking very carefully before implementing regulation might be smart.

~~~
mzs
Early car manufacturers in no way almost entirely escaped liability. There
were many people killed or injured by the starter crank alone and the law
suits to go along with it. It's the single biggest reason that steam cars were
around until the advent of the electric starter.

~~~
hga
The Ford Model T, "generally regarded as the first affordable automobile"
([https://en.wikipedia.org/wiki/Ford_Model_T](https://en.wikipedia.org/wiki/Ford_Model_T)),
over 15 million manufactured, had a hand crank. A '40s era tractor that my
family "inherited" when we bought our 25 acres of land had a hand crank.

That said, while hard to use, that tractor's hand crank automatically
disconnected well enough once the engine got started. Then again my father,
born in the early '30s, grew up using them.

~~~
gonzo
> That said, while hard to use, that tractor's hand crank automatically
> disconnected well enough once the engine got started. Then again my father,
> born in the early '30s, grew up using them.

Hell, I was born 30 years later, and they still existed on tractors, fork
lifts, and other, assorted engines.

There are a couple 'safety rules' when using a hand crank on a gasoline
engine:

1) Always grip the crank with the thumb wrapped below with the fingers. So,
all your fingers on ONE side of the crank, instead of four fingers on one
side, and the thumb on the other

2) NEVER push the crank down the right side of the rotation.

3) If the hand crank binds when inserted through the starting crank bushing
and into the crank ratchet, don't crank start the car. Too much bind will
prevent the crank from releasing from the ratchet.

~~~
hga
Ah, yes, 1) is a rule for self-loading rifles with reciprocating charging
handles, starting in the US I suppose with the '30s M1 Garand. On the off
chance the gun will fire while you're manipulating the handle, make sure your
thumb is out of the way so at worst your palm will be beat up a bit.

The AR-15/M16/M4 which follows that family (M1 and '50s M14) lacks that
"feature", replacing the lost functionality with a separate forward bolt
assist. In other major rifles of that general era, the AK-47 etc. and SIG SG
55x and I think it's 510 predecessor reciprocates, this in fact goes back to
the original Nazi StG 44 "storm rifle", the FAL and G3 don't.

------
manyxcxi
I really hope this leads to some change some day. If router makers can be held
accountable for not providing minimum security standards then maybe we'll stop
seeing so many "me too" BS options and gimmicks and get a smaller stable of
trustworthy routers/firmwares.

It kind of sucks that my first requirement for buying a router is that I must
be able to immediately, and easily, flash a new firmware on to it. It doesn't
matter whose makes them, you are going to be receiving absolute shit for an
OS, save for maybe a few prestige models of some of the better brands.

I liked the TP-Link Archer C7s because they were easy to flash and came with
some pretty nice hardware for the price. Their products have been badly
vulnerable, and now they're locking out alternative firmware. So even when you
find a brand/model you like, that may not last.

~~~
threatofrain
The thing is that security is a fuzzy boundary, so no amount of case law or
statutes can draw an easy-to-understand line between negligent insecurity and
acceptable insecurity, and the legal community is ill-equipped to make
excellent technological laws.

Also, there's no engineering society that censures its members and creates
standards or certifications for quality or security, and it doesn't look like
engineers are too interested in that.

Medical malpractice or unethical behavior are also fuzzy lines, but at least
there's a medical association that draws some kind of line, determines
standards for membership, and censures its members for malpractice or bad
behavior, thereby also improving its public image as a trustworthy
institution.

~~~
BogusIKnow
You've nailed it.

------
AdmiralAsshat
While I have no doubt that OpenWRT/DD-WRT are better than the stock firmware
provided on these routers, has anyone actually audited OpenWRT for exploits?

~~~
AnthonyMouse
The root of the problem is more that the stock routers can't be or aren't
updated when e.g. there is a Linux kernel or libc vulnerability.

------
ck2
Except part of the "solution" is going to be mandating signed firmware, which
means you won't be able to actually own your router anymore.

TP-Link has already fallen victim to this.

You can take openwrt, ddwrt, tomato and padavan from my cold dead hands.

~~~
wmf
IMO alternative firmware projects make things better for the 0.1% while
throwing the other 99.9% of humanity under the bus. If we want the Internet as
a whole to be more secure, not just our own home networks, we need to solve
crappy vendor firmware somehow and not signing updates is unlikely to help.
OnHub has a good tradeoff with signed auto-updates by default and a developer
mode switch for hackers.

~~~
izacus
Huh, how does your ability to update firmware yourself "throw other humanity
under the bus"? Can you explain that reasoning further?

~~~
tjohns
The problem is asking other users to install DD-WRT/Tomato/OpenWRT in order to
get a secure device. That's not something I would reasonably expect my parents
to know about or do.

Consumer networking hardware needs to be secure out of the box, and
automatically keep itself updated without any end-user intervention.

Installing alternate firmware should be an option, but it shouldn't be
necessary.

~~~
syntheticnature
Heck, as someone who used to run alternative firmware they seem to be making
it harder for all. After a few years of a forced all-in-one device (thanks,
Windstream), I went looking again... things do not seem as organized. Wiki
pages argue with each other and point to forum posts without indicating which
piece of information is most relevant, and in general things only look stable
for routers that are at least two years old, with newer routers having
regular, massive regressions. I get enough of JTAG at work, thanks.

~~~
wtallis
> "and in general things only look stable for routers that are at least two
> years old, with newer routers having regular, massive regressions."

Yep. New hardware is shipped first with proprietary drivers, then shitty open-
source code dumps. When the hardware vendors don't participate in the open-
source process, it takes the community quite a lot of time to clean things up
enough to be merged upstream. Usually by the time that happens the vendors
will have secretly changed all the guts of the model with completely
incompatible hardware at least once.

Just requiring a new model number for new hardware would get rid of most of
the confusion. If the router and chipset vendors would actually maintain their
operating systems as flavors of _current_ OpenWRT instead of 5+ year old
private branches, most of the problems wouldn't exist in the first place.

------
DanBlake
I think the most egregious issue that the asus routers had (even up to the
RT-N66U) was that when you used the interface to check for a firmware update,
it would report you were on the latest update, even if you were multiple
patches behind.

~~~
curun1r
The most egregious, for me, is that while they published the source code for
their firmware as GPL (good) they were too lazy to incorporate fixes made by a
third-party developer who was fed up with their buggy software and decided to
do something about it. The AsusWRT Merlin builds are much higher quality and
the source code to them is, per the GPL, also available. It's one thing to not
fix security issues, it's another thing to have a single guy fixing your
security problems and not even be bothered to take his work and pass it on to
your customers. They deserve all the punishment they're receiving.

------
acd
I think its time for consumers to demand the ability to run open source
operating systems on their devices! All consumer routers should have open
device drivers. Right now its a lot of closed firmware from both router makers
and the wireless radio chip manufacturers that prevents that. There is very
few 802.11ac devices that is well supported by OpenWRT because of closed
drivers and firmware.

Lets face it, the manufacturer are not that interested in supporting the
operating system of your device after a few years. Device manufacturers profit
from selling you new devices not maintaining old devices. Throwing a perfect
working hardware device just because it has outdated software is bad for the
environment and not good when we have global warming. Do we want to have a
Wall-E kind of future scenario of the working junk we consume and throw to
consume to throw?

This is of course not only consumer routers, all devices that run embedded
software that the manufacturer stops caring for are in danger of getting
hacked. If they can be hacked they will be hacked - hackers law.

Why does consumer devices have to be that different from a PC? A PC can load
any operating system you like on including good open source operating systems.

This is also the same for cell phones, there are lots of Android devices with
older releases that are not security updated.

------
AnthonyMouse
Notice that this never happened with PCs because it was well expected for
people to choose and install their own operating system, which is where the
vulnerabilities lie. If you have an old PC and you don't want to throw it away
then you can install a newer OS (or *nix) and your only problem is that it's
old/slow, not that it's insecure.

Make it trivially easy to install open source firmware and the security
problem gets solved by the people who know more what they're doing.

------
FLUX-YOU
Medical device manufacturers should be the next industry to get put on notice
about this.

------
TACIXAT
The company I work for runs a home router based CTF at security conferences.
So many of these products have vulnerabilities it's mind blowing. This IoT
thing is a crazy trade off, we're getting really powerful devices but people
are moving fast and really fucking shit up in terms of security. Some devs
will know a good amount about security or their framework will cover them, but
so many don't. The end result are networks with gaping holes in them waiting
to be exploited.

