> D-Link will not be liable for any direct, indirect, special, or consequential loss suffered by any party due to their use of the beta firmware, beta software, or hit-fix release.
We have a hardcoded password...but take the fix at your own risk.
> Certain models of D-Link wireless routers contain an undisclosed factory testing backdoor. Unauthenticated attackers on the local area network can force the device to enable Telnet service by accessing a specific URL and can log in by using the administrator credentials obtained from analyzing the firmware.
On security issues from massive Internet appliance vendors, you can safely assume it is malicious, though it might not have been placed there with knowledge of the vendor itself (i.e. it's very likely a state actor).
Someone putting in a backdoor would have known it's a backdoor, and I feel like they would have done it better. For example, making sure the hardcoded password can't be recovered from the firmware.
If a state actor has access to your LAN you're all kinds of fucked already. They really don't need this crummy exploit for crummy home routers. It's pretty far-fetched to suspect a state actor, and outright ridiculously conspiratorial to say we can "safely assume" this.
> If a state actor has access to your LAN you're all kinds of fucked already.
Seems very likely that some IoT devices are connected to LANs and can be used for shenanigans, which is why you shouldn't trust anything on your LAN and always require encryption/authentication. Having telnet available on a router is beyond stupid and outright malicious.
How would the HN community feel about government intervention into this obvious market failure?
For instance: mandate that all firmware on home routers be open source. (Either by selling hardware only and giving guidance on installing OpenWrt, or by disclosing the source to their existing proprietary crap.)
I would bet such intervention results in it no longer being allowed to use GPL-style open source code that lets you rebuild/customize firmware, and no longer being allowed/able to use firmware not signed by the manufacturer.
We already have that for most hardware in practice, don't we? The direction of travel in the embedded industry seems fairly clear: you have totally-open ecosystems strictly for hobbyists (Arduino, Raspberry Pi, etc.), and totally-closed products for the masses (standard brands). Anything in between is tolerated but unsupported.
Clearer legislation would obviously not kill the hobbyist ecosystem, and possibly improve the branded one. Even if the price of such legislation were to be the loss of grey areas where hacked/unsupported branded products live, it might well be worth paying to cash in the gains. Obviously the devil would be in the details of such legislation, so it's all pure speculation anyway.
No. This concrete example illustrates my intended meaning:
Asus has a couple of Wi-Fi access point/switch/router combos with their own Tomato-derived firmware named AsusWRT. It's nice. Because it's GPL, the source is required to be available, and a project for a derivative firmware named Merlin exists. Merlin provides additional features. One can choose to flash this firmware if desired.
If these devices must only accept signed firmware then the above becomes practically impossible and you cannot control the software running on your own device.
Ah. So essentially, malicious compliance with the open source requirement, using DRM/TPM. Probably under the guise of SECURITAHH...
Yeah, I can see that. Might be remediated using legislation as well - mandate free access to third parties. The point being that (open) software development can continue maintenance beyond vendor support for the hardware.
But yeah, that would still need some story - and clever thoughts - about authenticity and trustworthiness of the firmware and how to technically enforce them.
I tend to think this type of failure is from utter lack of caring. They know it's there, they know it's a security hole, but are just too lazy to deal with it until it comes back to bite them.
How would they sell a back door then? We keep talking like this was some kind of negligence and/or oversight. Who’s to say this isn’t all according to plan?
Many home routers are in the sub-$200 price range. I've seen low end devices under $50/usd. There's not much more to squeeze out.
And many won't be paying more, or installing OpenWRT, OPNsense or anything else on their own. I wish more open options were supported by vendors, but they have to lock down and make sure you can't run on frequencies or wattages not allowed in $COUNTRY, lest they see massive fines.
I'm using an OPNsense device with a commercial AP myself... it does cost a bit more, but works great and will be updated beyond what any home router will. Most seem to want a discrete all-in-one box.
This is only relevant if they have a way of passing institutional knowledge from one 'generation' of developers to another. If churn is high enough and internal processes bad enough it is quite likely that entirely new teams are relearning the same lessons from the same mistakes over and over again every couple of years.
I doubt any of the famous three letter US agencies would need (or want!) such a wide open door as a "specific URL" and logging in with an administrator account acquired from the firmware itself. I would think that they would want a door that couldn't be opened by someone who happened to spot it, to not give anyone else the same advantage.
No, this is more likely the result of a test or some annoying procedure during development that needed more access than the device would normally provide - I've seen it before, and I think most people who work with embedded systems at least at some point in their career have done something that would be bad if it ended up in production units.
Is it me or are the standards for 'home routers' just basically horrible? I don't work as a security researcher or anything, but in my time I've found multiple router vulnerabilities across manufacturers. Everything from exposed admin interfaces (with default creds), issues with firewalls, UPnP accessible from outside..., incredibly naïve credential management; it's like home routers are Swiss cheese by default.
What do HN people tend to run that doesn't give them issues? I'd especially be interested in routers that have good IPv6 support (maybe impossible but still.)
Like the sibling, I run opnsense. There are other similar things you can run, or maybe just a vanilla Linux / FreeBSD / OpenBSD.
I have it installed on an HP EliteDesk 800G2 SFF that my office was going to throw away. It has an i5-6500, 32 GB RAM, two Samsung 840 EVO SSDs and a 2x10Gb Mellanox card.
Before the Mellanox, it had an Intel 4x1Gb, i350 IIRC.
I've run the PC with the Intel card connected to a power meter and it was pulling 14-15W while running OPNsense and HomeAssistant, both in dedicated VMs. Some of the dedicated routers may be better than that, but when you factor in the price of the unit, mine isn't too bad, despite the rise in electricity costs here in France.
I don't have any other 10 Gb/s machine to test its max performance, but it could run PF with NAT at 2.5 Gb/s without breaking a sweat.
I had been running a Ubiquiti ERPoE-5, but after about seven years of service, the power electronics inside crapped out. The power brick is fine, with a steady 48V output, but the internals always ran ridiculously hot, and time finally caught up with it.
I'm getting by with a cheap TP-Link for now, but I'm thinking of getting a mini-PC with two NICs and enough oomph to run virtual machines well, and then putting VyOS on a VM. I've always liked the ERPoE's CLI capabilities (which were also a fork of Vyatta). I could probably put much of my former ERPoE config into a VyOS system.
...aaaaand, I just took a gander over at VyOS. They really need to make it abundantly clear in their "how to build" documentation that unless you're a paying customer or recognized contributor, you no longer can build an LTS release. That is not at all mentioned in the build instructions, and so there's no point in doing a local build [ETA: unless you're customizing the code] when the nightlies are available for download.
I then looked at their subscription pricing and realized that individuals are not their market, not at all. So, yeah, if I want to run VyOS, I have to put up with rolling releases. :(
They used to have donation options, where in exchange for a regular donation you get LTS releases, (via Patreon and OpenCollective) but both have been decommissioned. I'm not a huge fan of how that was done and how hard it is to find up to date information on that.
Nightlies are pretty stable in my experience, and with the off-device backups, a full recovery will be relatively painless.
Thanks for the vote of confidence (and I can always throw VMs onto ZFS volumes), but I think I'll chalk it up as "I'm not its target market" and move on. Their documentation talks of snapshot releases and such, but there's absolutely no information on actually finding them. It doesn't give me a warm, fuzzy feeling. Bad actors have forced them to pull all the rugs except the nightlies, it seems.
Yeah, no, there's just some old forum posts and blogs talking about stuff that no longer exists. (On this topic, I really like websites with automatic warnings "this was written X years ago, might no longer be true").
Your options are to use the nightlies (perfectly fine IMO), pay a lot for an enterprise LTS, or be a non-profit/education and get LTS for cheap/free.
A friend of mine recently purchased the GL-iNet Flint 2[0], and is quite happy with it. By default it runs OpenWRT. There's a recent video on LTT's sub-channel ShortCircuit about it [1].
I like GL.inet -- although, the fact that they're a Chinese company could be a bit of a concern. They lean heavily on Open WRT for software, but apparently some of the drivers used are "mostly opensource" ... whatever that means.
They make decent hardware which comes with modified end-of-life versions of OpenWRT.
And their customizations are quite questionable and smell fishy.
And no, can't install newer versions of OpenWRT.
At least that's my experience with GL.iNet MT2500A (Brume 2).
I happily use their older travel routers though.
I had picked up their GL-MT3000 "Beryl" travel router, which is a really great little device. I was pretty impressed, so when my home router (Ubiquiti EdgeRouter X) died a few weeks back, I replaced it with the GL.iNet GL-MT6000 "Flint 2" (https://www.gl-inet.com/products/gl-mt6000/). So far the Flint 2 has been pretty solid and it's nice to know that it's built on top of OpenWRT, and I assume it's fairly easy to convert it fully to an OpenWRT device if so wanted.
I’m a huge fan of Eero for set and forget no nonsense home routers. I bought a three pack and they cover our entire home easily with about 10-15 minutes of initial setup.
The only thing I don't like about the Eero is all the "subscribe to a monthly service to unlock features that should just come out of the box". I use Eeros for the smart TVs / smart phones etc. and then have another wired / wifi network set up for PCs and small servers that I run from home. It seems to work out pretty well.
I like Ubiquiti personally, but there are some risks: they've had a few security incidents (mainly due to a bad employee though; it's looked much better recently), and their cloud management isn't end-to-end encrypted, so that's not usable if you care about security.
Their hardware is simple to manage and excellent for the low-ish price though! E.g. the UDM-Pro which is a 10 Gbit capable router for €350, and the UCG-Ultra looks great for budget networks.
I have a Synology WRX560 router (yes, Synology does routers). They have a decent security track record and provide long software support with official EOL/EOS statements. IPv6 works very well.
The two other options I can think of are Ubiquiti and MikroTik.
OPNsense. You don't need to run these garbage consumer routers. The downside is if your ISP still provides a modem/CPE, but sometimes you can put those into bridge mode and make them less of a risk.
I had so much trouble getting OPNsense to work with Frontier fiber. Apparently Frontier does a non-standard thing with their DHCP packets by tagging them as VLAN 0, and the OPNsense DHCP client was just silently dropping those. OpenWRT and Frontier's router were fine. After three days I figured it out and now just have to compile my own version when I upgrade. I did submit a PR but I'm not sure if it made it into a release.
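An added illustration of the VLAN 0 behaviour described in that comment (example code written for this thread, not OPNsense's DHCP client or the commenter's PR): an 802.1Q tag with VID 0 is a priority tag, meaning "no VLAN, just a QoS priority", so a DHCP client should treat such a frame like an untagged one rather than discard it. The sample frames are constructed inline; the function and field names are this example's own.

```python
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def untag_priority_frame(frame: bytes):
    """Return (ethertype, payload, vid) after stripping at most one 802.1Q tag.
    vid is None for untagged frames, 0 for priority-tagged (802.1p) frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_VLAN:
        return ethertype, frame[14:], None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return inner_type, frame[18:], tci & 0x0FFF  # low 12 bits of the TCI are the VID


def is_dhcp(payload: bytes) -> bool:
    """True if an IPv4 packet carries UDP to or from the DHCP ports (67/68)."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return False
    ihl = (payload[0] & 0x0F) * 4
    if payload[9] != 17 or len(payload) < ihl + 8:  # protocol 17 = UDP
        return False
    sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    return bool({sport, dport} & {67, 68})


def classify_frame(frame: bytes, configured_vids=frozenset()) -> str:
    """Decide what a DHCP client should do with a frame. The bug in the thread
    was treating VID 0 as 'some VLAN we are not on' and dropping the offer."""
    ethertype, payload, vid = untag_priority_frame(frame)
    if ethertype != ETHERTYPE_IPV4 or not is_dhcp(payload):
        return "ignore"
    if vid is None:
        return "accept-untagged"
    if vid == 0:
        return "accept-priority-tagged"  # the fix: VID 0 belongs to the native network
    if vid in configured_vids:
        return f"accept-vlan-{vid}"
    return f"drop-vlan-{vid}"


def build_dhcp_discover_frame(vid=None, pcp=0) -> bytes:
    """Construct a minimal DHCPDISCOVER-shaped frame (sample data, not a real capture)."""
    body = b"\x01\x01\x06\x00" + b"\x00" * 236          # op=BOOTREQUEST, htype, hlen, hops
    udp = struct.pack("!HHHH", 68, 67, 8 + len(body), 0) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff\xff\xff\xff") + udp  # 0.0.0.0 -> 255.255.255.255
    eth = b"\xff" * 6 + bytes.fromhex("02a1b2c3d4e5")      # broadcast dst, made-up src MAC
    if vid is None:
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip
    tci = (pcp << 13) | vid                               # PCP in the top 3 bits, VID in the low 12
    return eth + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4) + ip
```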
Is something like that really necessary though? Sure, it has a lot of features, but for a simple router it takes 15 minutes to follow a guide on openbsd.org to set up a simple router which works really well and is really secure.
Given GP's question, they're likely not someone who would spontaneously whip up an openbsd router.
Maybe they don't care to fiddle with a command line, read up on dhcp servers, ipv6 router advertisements, pf configuration and what have you. In such a case, throwing opnsense on some machine, clicking around on three pages and calling it a day isn't that bad.
The experience is close enough to an off-the-shelf router (except for the installation part), all the while getting a much better security situation.
Definitely the best choice. You will still need APs for wireless, but they're behind your OPNsense firewall, so not connected directly to WAN like AP+router combos.
I recently got a UDM and don't recall having to sign in and I was able to set it up and everything functions including automatic updates. Where did you have to sign in and for what product?
At some point they changed to doing everything via the 'cloud'. Obviously their customers didn't like that so they gradually backed down.
I want to upgrade my unifi AP so I ask on HN or other forums once in a while. Last answer I got was that you can disable the need for cloud but you still have to sign on somewhere once to be able to disable it.
So I repeat: are you absolutely sure you didn't need to give Ubiquiti any info or go through their servers this time?
With the APs you can set them up in standalone mode without the need for a controller at all, but you get more out of them with a controller so if you have the means to run a controller you absolutely should. With the controller you're heavily incentivised to sign in, but you don't have to.
With their "Cloud Gateways" (e.g. UDM Pro, UDR, UX, UCG-Ultra) it used to be difficult if not impossible to get them into a usable state without signing into a UI account, but that is no longer the case since a few years ago.
There are some exceptions, if you wanna use their cameras you lose out on some features if you don't sign into the cloud to activate those, specifically facial recognition stuff.
All I want is a standalone AP. I don't care about advanced administration, I just want it to connect my wifi-using devices to the rest of my network.
I switched from consumer to Unifi just because of the better signal.
Unfortunately, even in just this thread there are very mixed answers. One 'yes you can' (and a downvote that probably means the same thing), your 'maybe' and one 'I couldn't'.
OK, so I just set up a blank controller (version 8.2.93, latest stable), no UI account (you just click "Advanced setup" and then skip when it tries to get you to supply an account). I then adopted a factory-reset UniFi AP AC HD I had lying around; it accepted it without complaints, and automatically updated it to the latest firmware available (this is an option that's on by default in the controller software).
I then factory reset the AP AC HD again, and set it up as a standalone AP using the Android app on a freshly reset Pixel 6 running the latest version of Graphene OS.
Both methods worked fine to set up the AP without any UI accounts involved.
This is available on all APs able to run the current version of the AP firmware, which is literally all the APs released since and including the AP AC Lite (which is from 2014 or thereabouts, they support their devices for a very long period).
7 Pro Max is the current top-end model.
I highly recommend setting up a controller for managing the AP though, even if you don't keep it running 24/7 (you can simply start it on any PC whenever you want to make configuration changes), as when they're in standalone mode a lot of the cool features don't work: you only get one SSID (per radio) and no roaming support, for example, whereas when managed by the controller you can have up to 8 SSIDs per radio on the latest APs, you can access telemetry, set up roaming, etc.
I honestly can't recall that ever being true for the controller, but it absolutely was true for the UDM/UDM-Pro on release and for quite a while after, so I guess it might have been true for the controller as well for a while around then too; I don't set up controllers that often.
Maybe it was just hidden, like it is now, but it pissed me off enough to not research it.
> I don't set up controllers that often
I've only done it twice: once when I installed the AP the first time, and once when I retired the machine with the controller so I needed to install it on a new desktop. The second time is the one where I failed by refusing to make a UI account.
I bought one of their entry level wifi routers and was completely unable to configure it without first setting up an account on their cloud service and using that to activate the router. Maybe it's possible, but if it is they hid it very well. I know their hardware tends to get good reviews, but the whole experience left a really bad taste in my mouth
I bet this was between 2018 and 2022? Yeah, that used to be the case, not anymore though, there's literally a big fat "Setup Console Offline"-button on the latest firmwares (since at least a year back I want to say), if you somehow find one with older firmware you can simply boot it into recovery mode and update firmware before setting it up for use.
Confirmation that if you're going to use an inexpensive router, buy one that can run open software and run that instead. I understand this doesn't solve the broadest use case, but you can at least protect yourself.
Run open source software on your router; don't buy one that doesn't support it. Every single company abandons support for the router in a few years, at which point you're destined to become part of a botnet or worse. Instead get an open source firmware and keep it up to date, and not only will you have more features but it will also get security patches. Open source firmware routers have better features and support.
Sure...I mention "inexpensive", because "expensive" and "open" aren't immune to zero days, but both have options to mitigate that via either paid or self-support. Where the inexpensive ones often have no real options in that situation.
Such engineer probably made sure to note it was for testing purposes, like what was stated the last 47392 times this exact same problem was found in mass-produced network hardware. Now, the question is whether the subsequent failure to remove it was willing or not... That will be hard to ascertain, probably enough to keep them from firing the involved code monkey.
I have to wonder, in the US at least (I don't know if this trend exists outside the US), most ISPs are selling devices that are both the modem and the router. Which I despise, since it also means the ISP can change settings on my router way too easily.
Then customer support will often tell you how they can't support you using your own router (I use my own, I refuse to use theirs and it is currently in bridge mode).
How are the Linksys, D-Links, and others actually doing? I would have thought that market would completely plummet. Which would lead to shortcuts and a lack of proper care.
> This ensures that the software is of the highest quality and meets our stringent standards.