

Complete, Persistent Compromise of Netgear Wireless Routers - Hoff
http://shadow-file.blogspot.com/2013/10/complete-persistent-compromise-of.html

======
zdw
This, along with bufferbloat [1], is why you run OpenWRT or another similarly
modern, fully open source distro on your home routers.

Right now, the best supported devices are ath9k's, so things like the Buffalo
WZR-* models are ideal.

The WNDR 4700 model specifically doesn't have good support for 3rd party
firmware [2] due to its use of NAND flash in an unsupported manner, so if you
have that model you're kind of sunk at this point.

1\. [http://www.bufferbloat.net](http://www.bufferbloat.net)

2\. [http://wikidevi.com/wiki/Netgear_WNDR4700](http://wikidevi.com/wiki/Netgear_WNDR4700)

~~~
mbell
If you want a more hardened setup I recommend pfSense, a FreeBSD based
firewall/router distro [0]. It'll run on any number of mini/nano boards and
several companies sell prebuilt boxes. It can run as a wifi AP as well but I
find that a separate AP works best.

[0] [http://www.pfsense.org/](http://www.pfsense.org/)

~~~
mcpherrinm
What do you use as a separate AP? My cursory searching indicates there exist
enterprise-grade APs requiring a controller device, overkill for my apartment,
or I use a standard Best Buy device like the ones we're wanting to avoid in
this thread.

~~~
mbell
Most consumer routers actually work fairly well as APs. Once you've turned off
all the routing functionality, which is the most complex and resource
intensive bit, they seem to actually be pretty stable. I'm currently using
an Asus RT-AC66U, which is complete overkill, but I wanted reliable AC wifi
and it was the best option at the time. Prior to that I was using an Asus
EA-N66R AP.

As for how this relates to the exploit discussed here, if you're only using it
as an AP, you'll very rarely need to log in after the first setup since it
really isn't doing much, just Wifi <-> Ethernet bridging. If using a consumer
router, the WAN port isn't connected to anything, so there is no outside access
to worry about (unless you did some funky forwarding on the pfSense box). You
should also disable management via Wifi. That limits any access to a wired
connection to the network, meaning someone is already in your apartment to
physically patch in with an ethernet cable. Any security bets are off at that
point. If you want super extra special security you can set up firewall rules
on the pfSense box that only make the AP's IP address accessible from a
particular port.

As dumb as this exploit is on the part of Netgear, remember that to exploit it
the attacker had to have already broken the WPA2 security to access the wifi
or physically plugged in with ethernet. The first vector can be avoided by
simply turning off management via wifi.

~~~
nitrogen
_As dumb as this exploit is on the part of netgear, remember that to exploit
it the attacker had to have already broken the WPA2 security to access the
wifi or physically plugged in with ethernet. The first vector can be avoided
by simply turning off management via wifi._

Or accessed your router internally via JavaScript, img tag, or iframe hidden
on a malicious or compromised page. XSRF is real.

Edit: granted, browsers limit what JavaScript can do across sites, but
request-only access is enough to change DNS settings to something malicious,
and if the attacker can inject unescaped content into the page in some way,
then they can run JavaScript on the router page and send data back that way.

Edit2: I'm not certain, but I think the timing of image load events could be
used to determine success/failure of router actions loaded through a hidden
img tag.
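The cross-site request scenario nitrogen describes is what a device's admin interface has to defend against. Below is an added example (not code from the original post or from any Netgear firmware) of the three checks a router's settings handler can apply: refuse state changes over GET, require a same-origin Origin/Referer, and require a per-session CSRF token that a page on another site cannot read. The management address and request shape are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed management address of the device (constructed for this example).
ADMIN_ORIGIN = "http://192.168.1.1"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    # Random per-login token; embedded in the device's own forms only.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def _same_origin(value: str) -> bool:
    """Compare scheme and host:port exactly, not by prefix."""
    u = urlsplit(value)
    return f"{u.scheme}://{u.netloc}" == ADMIN_ORIGIN


def is_allowed(req: Request, session: Session) -> tuple:
    """Return (allowed, reason) for a settings-changing request."""
    # 1. A hidden <img> or a plain link can only issue GET requests.
    if req.method != "POST":
        return False, "state change via GET refused"
    # 2. Browsers attach Origin (or at least Referer) to cross-site posts.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not _same_origin(origin):
        return False, "cross-site origin"
    # 3. The token lives in the device's own page; other sites cannot read it.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"
```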

------
Glyptodon
I have a WNDR 4700 and I can't replicate as described. However, I've also
never trusted the stupid thing since it stores passwords in clear text (or at
least is happy to display them in clear text on one of its admin pages).

~~~
dgesang
Even major browsers store/show passwords in clear text; can it be that wrong? ;)

~~~
graue
That's different. Browsers need to show your password to external websites to
prove to others that you're you. This requires storing the actual password.
They expose saved passwords in the UI because if they didn't, it would create
a false sense of security. There's always going to be some way to get the
saved passwords, or the feature wouldn't work.

The router admin interface only needs to _check_ your password. It can do that
by storing only a cryptographic hash, not the password itself.

~~~
darkmighty
I think they could however, as a default behavior, store each password
encrypted individually using itself as a key, that way no plaintext passwords
would need to be stored at all.

~~~
kcorbitt
Then you would have to type in the password each time you wanted to use it
anyway. Not much sense in storing anything in that case. :)

~~~
darkmighty
Yup that's right, my bad. I was thinking of a way of somehow not requiring
input yet providing passwords without plaintext storage.

What would _actually_ work I guess would be storing a hash of <the password, a
unique string provided through https auth>. So for the first time the browser
would hash the pass and afterwards just provide the pass to the server as a
hash without requiring input, acting as a normal pass to the server. However,
that would either require some sort of universal agreement among browsers to
work, which is tricky to require, or some browser-server protocol in which the
browser would only carry such procedure to supported servers. If a supported
server is accessed through a non-supported browser, the server itself would
perform the hash.

Probably too much of a hassle just in name of abolishing plaintext passwords
on browsers, but I couldn't think of anything simpler. However, fun to imagine
:)

Obs: This would have the extra bonus of depriving knowledge of plaintext
passwords to servers (in case they are compromised, the attacker would not get
to try the pass across other services) and preventing password extraction
through impersonation of webpages (although this is already guaranteed by
https to some extent).

~~~
entropy_
If servers accepted a hash of a password instead of the actual password then
the hash becomes the password. I.e., possession of the hash is equivalent to
possession of the password since it can be used to authenticate.

Therefore, this is no different than storing them in plaintext. Furthermore,
it would mean that if the hashes got stolen because a server was compromised
those could be used as passwords and that would make it pointless to hash them
in the first place.

In other words, no, that wouldn't work.
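Both graue's point (the device only needs to check the password, so it can store a hash) and entropy_'s objection (a client-sent hash is itself the password) can be shown side by side. This is an added example, not code from the thread or from any router firmware; the PBKDF2 parameters and sample password are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def make_record(password: str, salt: bytes = b"") -> dict:
    """What the device persists (graue's scheme): salt + hash, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Server-side check: rehash what was typed with the stored salt, compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def stored_hash_replays(record: dict) -> bool:
    """With server-side hashing, submitting the stored hash as the 'password'
    fails: the server hashes whatever it receives, so a leaked record is not
    itself a credential."""
    return verify(record, record["hash"].hex())


def client_hash_login(stored_client_hash: bytes, presented: bytes) -> bool:
    """darkmighty's scheme: the browser sends H(password) and the server compares
    it directly. Whatever is stored is exactly what must be presented, so a
    leaked record logs in on its own (entropy_'s objection)."""
    return hmac.compare_digest(stored_client_hash, presented)
```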

------
greglindahl
One alternative to underpowered routers running OpenWRT or pfSense is to use a
BeagleBone Black as your router. It's got well-supported wifi devices with
antennae available, and you're not compromising on clock or RAM.

~~~
tux1968
Except the BBB only does 10/100 Ethernet so it can't really operate as a modern
router. The advantage of, say, an OpenWRT modded D-Link DIR-825 is that it
includes a gigabit router that handles internal traffic while the CPU handles
the firewall and VPN to the outside world. Because local traffic is handled by
completely separate silicon inside the router, CPU and RAM are not a
constraint.

~~~
lmz
Doesn't that separate silicon handle switching, not routing?

~~~
tux1968
Yes, you're right, thanks for the correction.

------
uptown
Exploit doesn't appear to work on a WNDR3700v2. I'm hoping it doesn't, as this
has been the only router I've ever liked after years of dealing with complete
garbage.

------
cbrauchli
If you have a Netgear WNDR3700v2 or a WNDR3800, check out Cerowrt [1]. The
latest stable build, 3.7.5-2, has been _exceptionally_ stable for me, and
fast. I would highly recommend it.

1\. [http://www.bufferbloat.net/projects/cerowrt](http://www.bufferbloat.net/projects/cerowrt)

------
ChuckMcM
So has anyone used any of the open hardware alternatives, like routerboard.com?
Seems like having the schematics and the firmware would be a reasonable
place to be.

~~~
voltagex_
I looked into these kind of things but I'm in an odd position where I need an
ADSL2+ chipset of a certain kind (Broadcom with good noise filtering) because
of the state of my phonelines.

I was looking into running an ADSL modem in full-bridge mode (you'd be
surprised how many of these modems don't support that anymore) + a routerboard
or MikroTik product, but when you add up the cost and configuration time it
just wasn't worth it.

I'm currently running a Billion 7800VDPX, which I now have the GPL sources to
(after some prodding). When I finally have some time to sit down and risk
bricking my device, I'll have a look at getting OpenWRT working (although at
last glance they were never going to support ADSL).

tl;dr: open hardware alternatives aren't easy enough to drop in yet, or
they're not really open -
[http://wiki.mikrotik.com/wiki/Manual:License](http://wiki.mikrotik.com/wiki/Manual:License)

------
camkego
This post, and other recent ones like it, indicate to me the importance of
running a port scan and making sure no management abilities are exposed over
the WAN side of these devices. Any suggestions on good, fast online port
scanners?

~~~
rogerbinns
In addition to management, a bunch of these can serve up files to the WAN
side. On Netgear devices it is in a USB storage section.

I do scans from cellular devices (Fing on Android and iOS, which is passable
for popular ports) and my laptop (nmap) when out and about.

------
girvo
Question: I have Cable internet here in Aus (100mb/10mb) and I like my
connection, but we have to use Telstra's silly modem, and they refused to
activate any other one on the network.

So, let's assume I don't trust this AP and Modem to be secure (fair enough
assumption in my opinion) -- the best way would be to perhaps build my own
Wireless AP running pfSense, on a BeagleBone Black or similar?

    Cable -> Telstra Modem w/out Wireless -> pfsense AP -> Network

Would that be the most secure way to handle that situation?

~~~
tedunangst
Since pfSense won't run on a BeagleBone, that's a non-starter. I also have my
doubts as to a BeagleBone's ability to reliably push 100mb of traffic.

~~~
girvo
Ah, that was just an admittedly poorly-researched example. I basically just
meant a board that'll run open-source code.

------
chojeen
Do companies like Netgear not have a team whose only purpose is to try to
break their own products? I thought that was a primary source of employment
for infosec types.

------
jasiek
Ah, this just illustrates how much hardware companies suck at building
software.

------
holyjaw
I like that this was technical and informative, but still talked down to
people like me who aren't at all knowledgeable with how infosec works. Great
read; wish I could find more like it.

~~~
sillysaurus2
Which part did you feel was talking down to you? I need to know in order to
improve my own writing.

~~~
LukeShu
I don't think he meant "talk down" in a negative way. I think he was trying to
say that it clearly explained things to someone who doesn't know about the
topic (while still being full of details to someone who does).

