Monday 26 December 2016

TP-LINK Modem / Router (ADSL2+) Security and Vulnerabilities

I really hope this blog post starts a small trend when it comes to the security of home-based routers. I started searching online for home routers (SOHO) and wanted to compare them based on how secure they are, up to a reasonable price for a household. I have seen all these different makes that have been found in recent years to contain hard-coded credentials and other known backdoors, and I wanted to investigate this a bit further.

It is very hard to find security-related information about routers before deciding which one to buy. Also, it is really annoying to see that manufacturers only care about and promote the features and functionality of a router, and do not consider security at all.

From where I stand, when a company sells a router, it should be in their best interest for that router to have no security vulnerabilities. Otherwise, it is like having a company that wants to sell bulletproof vests that don't stop bullets, other than those fired from Airsoft BB guns.

I do understand that most people might choose a router based on its cost, colour, shape and if it is shiny. However, from my experience, these people just want to get online and want to simply replace the really bad modem/router their ISP provided for "free". Most of the time the real reason behind that decision is because when more than two devices are connected to those "free" devices, the Internet experience becomes annoying, to say the least. For such use, it is not hard to find a replacement for these "free" routers at a very reasonable price, and 90% of the time, it is totally worth it.

The problem starts when you get to see that there are routers in the market to choose from that cost approximately 3 to 5 times more and basically these are, more or less, the same product as the cheap ones with some additional access to features. I understand the business logic behind this (even though I do not agree) but again, when you are selling a rather expensive router, it should be able to demonstrate that attention was given to security.

As an example, below you will find the TP-LINK Archer D5 modem/router firmware and version information. The first Firmware update was released on 29/Feb/2016 and the second Firmware update was released on 17/May/2016. As you can see for yourself, the newer firmware update released is a fix for "the bug that Parent Control function don't take effect when set keywords in White list".

It is easy for a consumer to assume that this modem/router is being updated on a regular basis and that the home network is protected by a reputable device that is not vulnerable to external and internal threats (well, to the untrained eye, the firmware update released did not highlight any other issues). In order to look at this a bit closer, and to allow you to draw your own conclusions, I used Nessus Home to run a scan against the router, before and after loading the latest firmware update.

I found the results to be very interesting. To me, such publicly available scans against the default configuration of modem/routers provide all the information I need when it comes to advising friends and family on which modem/router to buy. To save you some time, absolutely nothing changed as far as it concerns the security of this particular model. Nessus discovered the exact same number of vulnerabilities, including the same Critical vulnerability being present in both instances.

So, going back to my previous example, would you consider a bulletproof vest that does not stop bullets (other than those from BB guns) a successful purchase, or would you send it back and ask for a refund?

To view the HTML based reports:
  • Click the links, download the HTML files, and load them in your web browser.

Device Information:
Firmware Version:  0.2.0 0.9.1 v0043.0 Build 160229 Rel.60133n
Hardware Version:  Archer D5 v2 00000000

Nessus Scan Results:
https://drive.google.com/open?id=0B0InZIUB_MM-RWZwZVlpLU9ialE

Device Information:
Firmware Version:  0.3.0 0.9.1 v0043.0 Build 160517 Rel.60109n
Hardware Version:  Archer D5 v2 00000000

Nessus Scan Results:
https://drive.google.com/open?id=0B0InZIUB_MM-NU1pVldFZzlOWEE
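
As an added example (not part of the original post), the before/after comparison described above can be automated when both scans are exported in the `.nessus` XML format instead of HTML. The function names are assumptions of this sketch, and the sample findings are constructed placeholders, not taken from the linked reports.

```python
import xml.etree.ElementTree as ET

CRITICAL = 4  # Nessus severity scale: 0 Info, 1 Low, 2 Medium, 3 High, 4 Critical

def findings(nessus_xml):
    """Map (host, port, protocol, pluginID) -> (severity, pluginName) for one export.
    Accepts str or bytes; pass bytes when reading a real file from disk."""
    out = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            key = (host.get("name"), int(item.get("port", "0")),
                   item.get("protocol"), item.get("pluginID"))
            out[key] = (int(item.get("severity", "0")), item.get("pluginName", ""))
    return out

def compare(before_xml, after_xml):
    """Classify findings as fixed, new or still open across a firmware update."""
    before, after = findings(before_xml), findings(after_xml)
    still_open = before.keys() & after.keys()
    return {
        "fixed": sorted(before.keys() - after.keys()),
        "new": sorted(after.keys() - before.keys()),
        "still_open": sorted(still_open),
        "critical_still_open": sorted(k for k in still_open if after[k][0] == CRITICAL),
    }

def build_scan(items):
    """Build a minimal .nessus v2 document from (port, svc, severity, pluginID, name) tuples."""
    body = "".join(
        f'<ReportItem port="{port}" svc_name="{svc}" protocol="tcp" severity="{sev}" '
        f'pluginID="{pid}" pluginName="{name}"/>'
        for port, svc, sev, pid, name in items)
    return ('<NessusClientData_v2><Report name="constructed">'
            f'<ReportHost name="192.168.1.1">{body}</ReportHost></Report></NessusClientData_v2>')

# Constructed sample data: plugin IDs and names are placeholders, not the linked reports.
SAMPLE = [
    (0, "general", 4, "900001", "Placeholder critical finding"),
    (21, "ftp", 2, "900002", "Placeholder medium finding"),
    (22, "ssh", 0, "900003", "Placeholder informational finding"),
]
BEFORE = build_scan(SAMPLE)  # stands in for the Build 160229 scan
AFTER = build_scan(SAMPLE)   # stands in for the Build 160517 scan: nothing changed

if __name__ == "__main__":
    for bucket, keys in compare(BEFORE, AFTER).items():
        print(f"{bucket}: {len(keys)}")
```

An empty `fixed` bucket together with a non-empty `critical_still_open` bucket is the outcome the post reports for this firmware update.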

I really do not want to go into the discussion of why there is FTP present, why it is on by default, and whether I could explore the possibility of terminating the service by connecting through SSH; that is not the point. The whole point of this blog post is to highlight that a simple Nessus scan of the device, available online, would allow a lot of security professionals to advise against this particular model.

Maybe such an approach would make these companies spend a couple of extra days securing their products and ensuring that when they release a firmware update, it comes, at least, without Critical vulnerabilities.
