

Your Wireless Router Is Broken – Help Us Fix It At DEF CON - sinak
https://www.eff.org/deeplinks/2014/07/your-wireless-router-broken-help-us-fix-it-def-con

======
miles
FTA: _" Last year, researchers at ISE found that a staggering 100% of SOHO
routers they evaluated were vulnerable to remote attacks."_

However, the linked study[1] shows that:

1. 2 of the routers did not have remote exploits

2. All but 2 of the other routers required authenticated access to exploit
remotely

Authenticated attacks _" require that the attacker have access to credentials
(or that default router credentials are used—an all-too-common situation) or
that a victim is logged in with an active session at the time of the attack."_

While default passwords may be common, virtually all routers have remote admin
turned off by default as well.

[1]
[https://securityevaluators.com/knowledge/case_studies/router...](https://securityevaluators.com/knowledge/case_studies/routers/soho_router_hacks.php)

~~~
AlyssaRowan
The real fun comes when you can turn remote admin _back on_ remotely.

Oh, god, I _wish_ I was joking.

~~~
hornetblack
I did that to an ISP-provided router. The company wouldn't enable port
forwarding for games. So I did it myself.

Why do those routers have open telnet interfaces?

------
iuguy
I really don't understand why they feel they need to develop their own full
firmware rather than contribute to another project like OpenWRT or CeroWRT?
Anyone involved care to tell us why?

~~~
cryptolect
I would guess that they want the default behaviour and user experience
different to OpenWRT's goals.

~~~
ssebastianj
If UX is a must, then Gargoyle is an option: [http://www.gargoyle-router.com/](http://www.gargoyle-router.com/)

------
kriro
Does anyone know the rough economics of router manufacturing? At what quantity
could you get reasonable enough prices to sell it at an acceptable (to
consumers) premium?

Build your own, only open hardware (if that's even feasible..soooo much closed
stuff) and sell as EFF approved/privacy friendly whatever. EFF probably has
enough brand recognition with the right folks to pull it off as a sponsor or
something.

Seems like a couple of million kickstarter or similar project to me.
Especially if they also serve the non-US market which is currently rather
security/privacy concerned.

[unfortunately I know very little about hardware cost/closedness but last time
I did a rough check it seemed like somewhat of a nightmare field to be in]

Edit: Heck YC could think about opening a spot specifically for a startup that
improves privacy (i.e. open wifi router). After all they did enter the
nonprofit market. Seems like a reasonable PR/goodwill move.

~~~
teacup50
Router boards these days are a commodity, with all the available consumer
access points using the same SoC and hardware on a different PCB with their
own plastic case.

A single SoC often provides 1) MIPS processor, 2) Ethernet MAC, 3) Switch in
ASIC, 4) WiFi MAC

See also: [http://www.eeboard.com/wp-content/uploads/downloads/2013/08/AR9331.pdf](http://www.eeboard.com/wp-content/uploads/downloads/2013/08/AR9331.pdf)

You can buy off-the-shelf complete systems ready to be dropped in a plastic
case, or even complete (and very commodity) systems:
[http://routerboard.com/](http://routerboard.com/)

I'd love to see a RaspberryPi-style approach to home access points using the
popular MIPS SoCs, with pfsense
([https://pfsense.org/](https://pfsense.org/)).

------
Kayou
At least one of the attacks, the CSRF on the Asus RT-N56U, seems to need the IP
address of the router. Does this mean that this attack is useless when the
attacker doesn't know the IP of the router? Or is there a way to know it
remotely? (I happen to have this router and the IP of the router is not the
same, and I don't think that the default config has been changed as the admin
interface has the default password.)

Also, an attack necessitating a user to be logged in to the admin interface
probably has a very small chance of success. I don't know any "normal" person
who would log into their router admin interface (unless maybe they are asked
to with social engineering).

PS: but having an Open Wireless Router is a good idea anyway. We could imagine
one having upgradeable hardware and just switch the mini PCIe card to have
802.11 ac instead of 802.11 n for instance.

~~~
hrrsn
Can easily be obtained by spear phishing or nmapping IP ranges.

~~~
Kayou
Do you need to be on the same local network as the user to do that or does
that work with an attacker being on the internet?

~~~
hrrsn
If you just need their external IP address, you can probably easily coerce
that out of them by getting them to click a link. Send an IM to a bit.ly link
that logs an IP and forwards on to some random image, an email, a tweet, etc.

------
acd
One thing I realized is that you can share several safe internet sites on a
public SSID.

For example you could share Google and duckduckgo searches you can also share
Wikipedia. You can also share access to well known VPN services.

So you put in iptables rules for the guest SSID interface.

This is not a fully open net and all respect to those who build it but I am a
bit afraid what sites users might surf on and as it is now law enforcement
assumes ip==user who did things.
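
As an added example (not the commenter's own rules), here is what such a guest-SSID allowlist looks like in iptables: guests get DHCP and DNS from the router only, can reach a handful of destinations on 80/443, and everything else (including the router's admin interface and the private LAN) is logged and dropped. The interface name, the `IPT` variable and the destination addresses are assumptions; the addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: an allowlist ruleset for a guest
# SSID interface so the open SSID can reach only a few chosen destinations.
# IPT defaults to iptables; set IPT=echo to print the rules instead of
# applying them.
IPT="${IPT:-iptables}"

# guest_allowlist IFACE DEST... : IFACE is the guest SSID interface (e.g. wlan1),
# DEST are IPs or CIDRs guests may reach on ports 80/443. Everything else is
# dropped, including the router's own admin interface and the private LAN.
# (Re-running appends duplicate INPUT/FORWARD rules; flush those chains first.)
guest_allowlist() {
    iface="$1"; shift
    chain="GUEST_$iface"
    $IPT -N "$chain" 2>/dev/null || $IPT -F "$chain"

    # Router-side: guests may only talk DHCP and DNS to the router itself.
    $IPT -A INPUT -i "$iface" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$iface" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$iface" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$iface" -j DROP

    # Forwarded traffic: replies back to guests, then the allowlist chain.
    $IPT -A FORWARD -o "$iface" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$iface" -j "$chain"
    $IPT -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for dst in "$@"; do
        $IPT -A "$chain" -d "$dst" -p tcp -m multiport --dports 80,443 -j ACCEPT
    done
    # No DNS to arbitrary hosts (closes the DNS-tunnelling route out of the
    # guest net); log the rest at a limited rate, then drop.
    $IPT -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "guest-drop: "
    $IPT -A "$chain" -j DROP
}

# Usage (constructed placeholder addresses, not real service IPs):
#   guest_allowlist wlan1 203.0.113.10 198.51.100.0/24
```

The LOG rule is what lets you see, in the kernel log, which sites guests are actually trying to reach before you decide whether to widen the list.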

~~~
IvyMike
I built an Onion Pi router for this purpose. All traffic on the public access
point is sent over Tor. It's a mixed bag but seems to work well enough.

[https://learn.adafruit.com/onion-pi/overview](https://learn.adafruit.com/onion-pi/overview)

~~~
Istof
It would be nice to have routers with pre-configured exit nodes.

------
ck2
What about things like [http://wrtnode.com/](http://wrtnode.com/)

Open-source hardware with open-source DD-WRT

