
Interesting, but it still relies on the default username and password on the router. I think this points at a glaring hole in router security: why aren't password and username changes forced on the first bootup of the device? Having the password as "changeme" is not good enough for your everyday user; they are very unlikely to ever use them without being forced, so will plain not know they are meant to at all.

Right, it's all based on this lack of configuration, and could be avoided by users. It's alternately amusing, annoying and irksome to me that the researchers propose to fix the situation with a "product that could be installed in wi-fi access points to prevent this kind of hijacking - without requiring the user to take responsibility".

That is the wrong approach. User education is hard, and lacks incentives for the gear makers, but adding new layers (maybe proprietary, maybe with vulnerabilities of their own) is the wrong approach. The autoconfiguration features on some routers are an example.

Equally bad is the "dumbing down" imperative that in recent years has made interfaces more opaque, restrictive and stupid. "Click this big, colorful icon and we'll do it all for you, so you don't have to think!" -- and then interface makers try to cope with users being more ignorant than ever -- failing to perceive the cause and effect relationship.

The right approach is giving controls for all the functionality, status displays to show what is happening, explaining in plain terms what each control is for, giving step by step instructions for the essentials, and making the default configuration safe. (In the case of a router, this would mean no WAN connection until you configure the device.)

FWIW, the last few routers I've had (supplied by UK ISPs) have had random admin passwords set by default, printed onto a sticker.

The random admin passwords would be great if they weren't also leaving in backdoors.

https://wikidevi.com/wiki/Xmlset_roodkcableoj28840ybtide

https://github.com/elvanderb/TCP-32764

It's amazing that this isn't done by everyone. But of course roughly nobody cares about security (and those who do can change the password themselves), so why not save the 5 cents per unit that it would cost.

Also, even if the credentials are 'admin/admin' or 'admin/password', by default the administration interface is not reachable from the WAN side of the router. Or at least, I've never seen a consumer grade router that was open to management from outside.

Most router administration pages are CSRFable, meaning it's trivial to exploit them from the "outside" via those on the inside.

The last few routers I've used have an option for remote management, but that option is disabled by default, as it should be.

I don't think most routers work that way anymore. WPS has weaknesses, but it's still better than having the same password on every device.

Possibly, although I have never been given a WPS-enabled device from an ISP, nor have any of my family (have to love being tech support). Come to think of it, though, I have seen routers in the past with what can only be randomly generated passphrases, which is a step in the right direction at least. My current router was not one of those though.

If I have it right, WPS (wifi protected setup, right?) results in sharing the password (i.e., in practice it is only ever used with PSK and attacks recover the key).

Conceptually, device bonding seems like the right way for consumers but WPS doesn't do it very well.
