Monday, 26 December 2016

TP-LINK Modem / Router (ADSL2+) Security and Vulnerabilities

I really hope this blog post starts a small trend when it comes to the security of home-based routers. I started searching online for home routers (SOHO) and wanted to compare them based on how secure they are, up to a reasonable price for a household. I have seen all these different makes that have been found in the recent years to contain hard-coded credentials and other known backdoors, and I wanted to investigate this a bit further. 

It is very hard to find security related information about routers before deciding which one to buy. Also, it is really annoying to see that manufacturer only care and promote the features and functionality of a router, and do not consider security at all.

From where I stand, when a company sells a router, should be in their best interest that router to have no security vulnerabilities. Otherwise, it is like having a company that wants to sell bulletproof vests that doesn't stop bullets, other than those fired from Airsoft BB guns.

I do understand that most people might choose a router based on its cost, colour, shape and if it is shiny. However, from my experience, these people just want to get online and want to simply replace the really bad modem/router their ISP provided for "free". Most of the time the real reason behind that decision is because when more than two devices are connected to those "free" devices, the Internet experience becomes annoying, to say the least. For such use, it is not hard to find a replacement for these "free" routers at a very reasonable price, and 90% of the time, it is totally worth it.

Friday, 23 December 2016

in-flight entertainment vs avionics

For those of you who have had the opportunity to see one of my presentations "Can you really hack an airplane: Myths & Truths", you are already familiar with what is really happening and the confusion between in-flight entertainment systems and avionics (https://en.wikipedia.org/wiki/Avionics). I was asked to put this article up by a number of friends in the security industry to highlight a few very important points. The purpose of this article is to provide food for thought. Especially, when you hear someone saying that "hacked" an airplane, or made it fly "sideways" by tampering with its systems through the in-flight entertainment system. Consider the following points and come to your own conclusions. 

Anyone who is trying to "generalise" and claim that during an actual flight, for example through the in-flight entertainment system, managed to take control of the plane and/or that it is possible to actually fly an aircraft like this, should first read what the law has to say about this. (Tokyo Convention 1963). 
Do you really want someone with the excuse of being a "security researcher" tampering with the airplane's systems while you are on an actual flight, because he/she decided that has nothing better to do? I am sorry, but from where I stand, we (security researchers) respect the law, and make sure we have permission to conduct any security assessments & penetration testing, in a safe and approved environment.