Over 25k Linksys routers vulnerable to sensitive information disclosure flaw (badpackets.net)
79 points by bad_packets on May 14, 2019 | 37 comments



Linksys just doesn't give a shit. At all. I specifically bought one of their top end routers to use it as a NAS with USB storage, only to discover that their best of the best router serves files over.....Samba 1.0. Even though Samba 2.0 has been available for over a decade and Samba 3.0 is commonplace now. Which means that Windows 10 doesn't allow you to actually browse it by default anymore, since it's a huge security risk. And even when you manually install SMB 1.0 support, it's still not going to work on Windows 10 Pro editions. Which means that the main selling point of the router is now useless for me. Linksys of course remains completely silent, they don't see anything wrong there.


Yeah I wouldn't trust Linksys to do even what their core competency is ... securely. Let alone any NAS.

Sadly the only good home NAS solutions are build your own (time, hassle) or pay for something more expensive from Synology.


I've been using Fedora Server for this, for several years. There is no GUI front end for configuring Samba, so it does take a bit of time and hassle to learn enough about Samba to edit the sample smb.conf.example the package comes with.

This suggests a GUI is coming, not sure how it will be supported. I'd hope they'd make it possible to wrap that up as a Cockpit plugin. Cockpit is very cool, and is standard with Fedora Server.

https://www.samba.org/samba/GUI/ https://github.com/cockpit-project/cockpit/issues/3534


That is appalling, all of those are EOL, including Samba 3.x.

https://wiki.samba.org/index.php/Samba_Release_Planning


You bought a router to use as a NAS? I think that's your problem right there.

How is this even voted to the top?

Edit: Looks like I hit a nerve. God forbid anyone buy hardware for a purpose it was actually designed for.


Because your comment is not contributing.

Linksys produces and advertises a "best of the best" router with inbuilt alternative NAS feature that not only is so poorly maintained that it's insecure but also unusable by modern OS.

Some people find that appalling because they want a basic NAS without breaking the bank and more "stuff" lying around, expecting a high end router to cheaply fill that gap.

Some other people will find it appalling because it shows how little Linksys actually cares about the product and security as a whole.


It's actually common nowadays to have NAS-type features in routers now. My non-Linksys router has SMB/FTP access as part of the stock firmware for USB attached storage.


You may be lucky enough to have avoided learning about the shitshow that is consumer grade "routers". They seem to constantly be trying to come up with stupid shit they can do. Many of the "high end" of the spectrum of garbage have things like OpenVPN servers and samba shares off the included USB port.

They are all hot garbage and should not be used.


I have no problem with a router offering a VPN server; it's another network service after all and I see a router as a device that offers network services. On the other hand, I wouldn't trust the default software stack and wouldn't use it myself personally.

However, a router acting as a file server just sounds plain wrong.


But....why. What is it about it that makes it wrong. These are really powerful devices, sometimes with dual or quad core CPUs and gigabytes of RAM, so what's wrong with using them as a NAS? Especially since all I want to do is share a single USB drive on the network so I can watch some films on my TV or just run a backup from my main PC to it. Using my router as a NAS allows me to do that with very little space taken, and most importantly it's completely quiet. Dedicated NAS devices not only use considerably more power (and it does actually add up) but they are almost inevitably louder, with at least one fan and 3.5" disks.


You've already experienced it yourself. Once you find yourself in a situation that needs more than what is offered by the device you find yourself trapped. A dedicated NAS device, even a really basic one, wouldn't have the issues you have.

Also, there are small, quiet[er] NAS devices around. A bit of searching found me this: https://nascompares.com/top-5-silent-and-low-noise-nas-of-th...


> A dedicated NAS device, even a really basic one, wouldn't have the issues you have.

How so? What's stopping a NAS maker providing shitty support and/or firmware? I actually used to own a Netgear ReadyNAS Duo and I got rid of it mostly because of how loud it was and Netgear stopped releasing updates, which meant that things like Time Machine backup stopped working. And it was super slow for transfer speeds compared to what the drives could do.

For comparison's sake, that Linksys router I have is super duper quick - it can actually do 100MB/s reads and writes on the connected drives which is very impressive (I thought) - this Samba issue is the only thing separating it from being great at it. And then I could install OpenWRT and then just install the newest version of Samba - it's just that I'm a bit lazy to do that.


Once again embedded device security is a joke. Firmware updates are provided for 2 years or less on devices that end up lingering, acting as the core of networks for 5 to 15 years.

Repeat offenders should be held accountable, standards should be enforced (like running point releases of OpenWRT, providing vendor skins as a package, thus the vendor doesn't have to deal with software updates).


> Once again embedded device security is a joke.

Have you seen the state of salaries in the firmware dev industry?

That pretty much explains why firmware security is such a mess. You pay peanuts you get peanuts.


The state of salaries in hardware/embedded roles is quite poor, along with the decision making process of most companies that create embedded hardware.

Only TI ever really went all in with a fully open stack that had support mainlined, problem being by the time their chips had full support upstream they'd be lagging 1 to 2 years behind Qualcomm, Nvidia, Mediatek, Allwinner, Spreadtrum, etc while having a much higher cost per chip, most of said cost being the decently written and upstreamed drivers.

For longer lived architectures (eg: AMD/Intel CPUs) totally new device drivers aren't needed on launch day, in part due to older upstreamed drivers still mostly working with newer hardware.

None of the aforementioned vendors besides TI ever got into this virtuous cycle of having upstreamed drivers, thus they've trapped their devices on sketchy, unstable & insecure BSPs that hurt the reliability, performance and sometimes the market image of the final product (eg: when the device randomly crashes or gets exploited due to latent bugs).


Pity that the author didn't mention alternative firmwares as an option to fix the vulnerability. I recommend everyone with the affected device to go to https://openwrt.org/toh/start?dataflt%5BBrand*%7E%5D=Linksys and install the OpenWRT firmware, it's pretty easy.


+1 for OpenWRT

I've had a Linksys WRT1900AC since its release (specifically on the promise of OpenWRT support)

The device has gradually gotten better and better with each OpenWRT release. These days I get a blistering 60MB/s file transfers over Wi-Fi to my laptop. Even with newer, "faster" specced devices on the market, I really can't see any compelling reason to upgrade


Will add to the post, thanks for the recommendation.


Confirmed this happens on my router -- but the saving grace is that my ISP doesn't allow port 80. Whoof.


It would be nice if there was a home commercial product that cut out all the remote access or even local access, reduced feature set (I don't need NAS on my router), allowed admin access via a physical port only and thus cut out a lot of the attack surface area....

It shouldn't even be hard for Linksys (granted with their history I wouldn't trust them) or someone to provide that option. With a reduced feature set and etc maybe updates would be easier too.

Granted when it comes to home commercial routing products it looks like it is all about a bazillion new features (at least the way they look on the box / shopping sites) ... not less.


Ubiquiti Networks have their Unifi product line that sells to business but since they don't charge licence fees have become quite popular with keen home users.

There are regular firmware updates and the feature set is quite standard.

Though their routers and access points are separate: Eg: Their smallest router: https://www.ui.com/unifi-routing/usg/

Their cheap WiFi AP: https://www.ui.com/unifi/unifi-ap-ac-pro/

To configure the network you use their controller software, can be deployed on a raspberry pi but I just run it ad hoc on my laptop when I need to change some configuration.


I keep meaning to try them out, although I have a bit of trouble parsing their product lines / names at times ;)


At least I thought that you could opt out of the remote management at least on some models. This is what this seems to indicate as well: https://community.linksys.com/t5/Wireless-Routers/EA8300-can... When remote admin is disabled the info leak does not occur as far as I can tell. Not sure if anyone can confirm that as well.


Are there any routers that come out by default with Tomato or OpenWRT?


The Turris Omnia and soon-to-be Turris Mox are the only ones that I'm aware of. I know Linksys has a special line of WRT "open source ready" routers that are supposedly OpenWRT compatible, but the Amazon reviews are completely trash. They're a little more pricey, but my next router will be a Turris.

https://www.turris.cz/en/turris-omnia/


Now that I think about it, probably the new Raspberry Pi would do a phenomenal job.


Just in case you are not sure who owns Linksys. Cisco sold them in 2013 and Belkin is their new parent company.


This is not a problem if you are behind a CG-NAT. If you are not (that should be the default) then ask your ISP to put you behind one. If they don't offer that service, then it's time to shop around.


Asking your ISP to cripple your connection like that is a horrible "solution", and usually isn't a change they're prepared to make by request. If you have the option of shopping around for ISPs, the one that doesn't do CG-NAT is usually the best choice.


I disagree with you. The majority of users don't care about being behind a CG-NAT (what you call "crippling"), and CG-NAT offers a very big layer of protection that avoids problems like the one in this article.


NAT adds latency to a number of applications (VoIP, video conferencing, gaming). Not so much in the translate IP/ports and keep some state, but in connection establishment. CG-NAT only makes this worse (not to mention it's becoming impossible to troubleshoot when issues arise).

Users don't explicitly care because they don't know. It doesn't make much difference when viewing YouTube videos, but there's more to the Internet than cat videos.


NAT is not a security layer. It's possible through techniques like STUN and such to discover and reach hosts behind a NAT.

CG-NAT is crippling because I want to receive incoming connections like anyone else who has a connection to the Internet should be able to. Router manufacturers can do better. The world does not have to consist solely of cloud-based middle-men who take full advantage of the fact that all your data has to pass through them, and that you have to trust them.


What's somewhat ironic to this discussion is that some Linksys routers modify STUN responses, which breaks legitimate functionality if the router is used with dual-NAT or CG-NAT:

https://www.voip-info.org/stun

Both Linksys and CG-NAT need to be avoided.


Stop breaking the internet for goodness sake. Blithely throwing more power into the ISP's hands does no one any good in the long run.

Also it is very likely you are still vulnerable from other users on the same ISP attacking you.


This is very unlikely. Any ISP with some experience will make sure customers are not able to interact any more than they could from outside the network. That's network 101.


Having worked for large ISPs for around a decade, cheap comes first, customer safety comes last.

Also, QUIT BREAKING THE INTERNET. CGNAT is complete crap that breaks the internet peer model. Even ISPs not using CGNAT are pushing complete crap on users. For example last week I had a user that VOIP stopped working. They received a new integrated cable modem router from their ISP. If you rebooted the unit VOIP worked about an hour, after that it would stop passing VOIP packets (ran tcpdump on the server and watched them stop). If we ran VOIP over another port it would work (but had different issues related to changing around 50 phones so we only used it for testing). There were no options to disable SIP_NAT, nor any other settings that would fix the problem. Since this ISP also provided their own phone service I found the whole debacle rather anti-competitive. They simply have no interest in contacting the modem vendor and having them fix the problem.

We ended up supplying our own modem and router in this case and the problem was resolved.


CG NAT is a solution for ISPs that don't have enough IPv4 addresses to give to their customers.

It's not security nor a service. And also breaks a lot of use cases like P2P VoIP/gaming etc.

I assume if the ISP gives you an IPv6 subnet, you'd disable it? Or if you can't do that, switch ISP?



