[HN Gopher] List of 8000 security vulnerabilities in 1200 Wi-Fi ...
___________________________________________________________________
List of 8000 security vulnerabilities in 1200 Wi-Fi routers
Author : ndata
Score : 146 points
Date : 2021-11-16 18:30 UTC (4 hours ago)
(HTM) web link (modemly.com)
(TXT) w3m dump (modemly.com)
| gennarro wrote:
| This is pretty cool. What dataset is this based on?
| Jon_Lowtek wrote:
| The vulnerability list seems to be CVE data filtered for
| routers, grouped by vendors.
| politelemon wrote:
| I couldn't find the ever popular Asus RT Ac86u in that list, or
| the X version. Would it be converted under "asuswrt"?
| msbarnett wrote:
| Yeah, that's an asuswrt-based router
| 0134340 wrote:
| Yes. And Asuswrt is based upon, iirc, the open-source Tomato.
| Kikawala wrote:
| Reminds me of routerpwn.com
| hk1337 wrote:
| Interesting, I don't see arris (ATT gateway) on the list. Not
| sure if that's because there's no vulnerabilities or not as well
| known?
| Namidairo wrote:
| I already have little hope for consumer networking equipment,
| this just seems like a big old list of scraped CVE's.
|
| One has to remember that the majority of the development ends up
| being by the SoC vendor, usually a horribly out of date fork of
| OpenWrt with weird looking proprietary kernel modules to support
| wifi, accelerated nat, etc.
|
| Quite a few of the older devices lack some pretty basic
| mitigations as well; ASLR, Position Independent Executables,
| Stack Canaries, etc. Either they get forgotten or they're off
| because of they can't be bothered getting the drivers up to
| scratch. (Assuming they haven't just been handed a binary)
| willis936 wrote:
| Holy smokes. The router I used for many years has 79 listed
| vulnerabilities.
|
| I got a used Ruckus earlier this year and it's been great.
| ghostly_s wrote:
| Every exploit listed for my router (tplink Archer A7) has no
| "affected version" listed nor indications if it has been patched,
| but clicking through to the CVEs indicates all have been
| remediated. As near as I can tell this website is just scraping
| CVEs, poorly, in order to sell their security services (which
| consist, at least in part, of an email reminder to rotate your
| router password...seriously?).
| wnevets wrote:
| so spam?
| ndata wrote:
| OP here, Yes, I agree, we (modemly) could do better
|
| 1. Show the vulnerability status (patched / open) 2. Show
| affected firmware versions 3. Display manufacturer's last patch
| release date
|
| Though lots of the dataset is clean, still we do lots of
| parsing and regexing to extract insights out of a massive
| haystack. The intention of this tool is for everyone to realize
| and keep their firmware updated
|
| And No, we don't sell any services. The security reminder
| emails are free
| bserge wrote:
| You're not using OpenWRT on a C7/A7? Please do someone a favour
| and sell it, they're in short supply.
| david_draco wrote:
| When will BrickerBot be reborn? The world needs you!
| xedrac wrote:
| So 80% of these vulnerabilities are on Netgear routers, and
| nearly all of them are rated as High severity. That's really
| impressive. I don't think I'll buy a Netgear router ever again.
| proactivesvcs wrote:
| Skirting a discussion on how relatively good or bad Netgear
| are, the results seem to be vague as to whether they're
| resolved, how bad each vulnerability is, and it seems to list a
| device for each firmware version. I don't think the front-page
| numbers are necessarily particularly helpful.
| chasil wrote:
| If the router allows 3rd-party firmware and well-maintained
| ROMs are available, why avoid the hardware (unless you don't
| want to apply the upgrades)?
|
| Cable modems typically do not allow this; only the cable
| provider is able to apply oem firmware updates.
| lostmsu wrote:
| I don't see this to be too useful. Many vulnerabilities listed on
| this web site are for outdated firmware versions.
| jvolkman wrote:
| How many people actually update their router firmware?
| lostmsu wrote:
| How many people who would go to that web site do not update
| their router firmware?
| jvolkman wrote:
| Fair. But if the site doesn't list vulnerabilities in older
| firmware, then someone stumbling upon it that hasn't kept
| their router up to date won't see their actual
| vulnerabilities listed.
| RealStickman_ wrote:
| This list is still useless in that case, as it doesn't
| list the affected firmware versions as far as I can see.
| fairytale wrote:
| Just wait and see till all those thirsty script kiddies start
| abusing these even more now.
|
| On a side note, those who write router software like this need to
| step up their security and stop being lazy. Seriously.
| clb92 wrote:
| Sure, 1200 routers. Except someone listed single Synology
| applications as router models for some reason. Synology only has
| a couple routers, not 32 different models. If the quality of the
| rest of the data is similar, this list isn't very useful.
| fencepost wrote:
| Interesting to not see Mikrotik on the list, though I'm not sure
| how far back you'd need to go to find hardware that's not still
| receiving firmware updates - certainly well over 10 years.
| paulmd wrote:
| I also don't see Buffalo. The question is whether they're not
| vulnerable, or whether they were simply not tested (being
| smaller brands).
| chasil wrote:
| I have a Ubee cable modem with integrated wireless, and this
| manufacturer is not on the list either.
|
| It would also be helpful to see how many vulnerabilities are in
| the latest release of Gargoyle.
|
| I have heard that the best countermeasure for router vendor
| abandonware is to avoid the 192.168 network entirely, so I
| configured mine on a random 10. subnet.
| PaulKeeble wrote:
| A lot of these routers have DD-WRT, OpenWRT, FreshTomato or maybe
| pfsense support. Since the manufacturers long ago abandoned
| security updates and feature upgrades an open source firmware
| will vastly improve the security and the devices functionality.
|
| Not all routers can run one of these firmwares but many can and I
| wouldn't choose a device that didn't in the future. Its
| relatively easy to setup a basic secure home router using a
| Raspberry pi 4 and USB Ethernet and then attach one to a hub and
| the other to the modem and you have a 1 gbit/s capable routing
| device that can do SQM and remove bufferbloat and not a lot of
| consumer routers can remotely achieve that level of performance.
|
| It is more hassle than the manufacturers firmware, but its also a
| surprisingly good way to extend a routers usable life and
| functionality as well. VPNs, Virtual LAN, File and web servers or
| just better QoS you can do just about anything you might want.
| bserge wrote:
| I've been seeing "buffer bloat" a lot recently. Why have people
| started caring about it? It's really not a problem in most
| cases and SQM adds nothing but extra CPU usage.
|
| It's just the new "QoS". Back in the day, if you didn't use
| QoS, you were a loser :D
| waltbosz wrote:
| Does anyone maintain a list like this one for vulnerabilities
| in open source router firmware ?
| PaulKeeble wrote:
| Given they are all continuously updating its unlikely such a
| list would exist. The way this usually works for open source
| software is that the vulnerability isn't made public until
| the software patch has already been issued and its very rare
| to get anything other than "security issue fixed" in the
| changelogs anyway. The answer should be on the latest version
| of the firmware no outstanding known vulnerabilities or very
| few.
|
| The entire problem is that most of these routers haven't
| received updates in years from the manufacturers, they are
| abandoned. The open source firmware's are not abandoned and
| are continuously getting updates for their underlying
| packages from Linux/NetBSD even if they aren't doing
| substantial development themselves. What vulnerabilities that
| do exist and are not getting fixed will be in the hardware
| binaries for wifi for the FreshTomato supported routers and
| those usually listed as poor or no wifi support in openWRT,
| that is about it.
| chasil wrote:
| The last release of Gargoyle was last year, and Shibby
| Tomato went silent several years ago, probably taking a lot
| of older routers out of 3rd-party ROM updates.
|
| Many router ROMS don't come out as often as is necessary to
| address exploits in a timely manner.
| londons_explore wrote:
| Most VDSL routers don't have any decent support on DD-WRT or
| OpenWRT due to the proprietary firmware blobs required for all
| the DSP algorithms inside the modem.
|
| Sadly, that means a massive chunk of the world connected by
| ADSL/VDSL can't use this advice.
| PaulKeeble wrote:
| You can but you need your own device that supports an open
| source firmware. The ISP provided modem you can potentially
| put in modem mode at which point its just the interface to
| the wire and you can then run your own router in PPPoE mode
| to interface to it and out to the internet. If the ISP
| provided device can't do that then turn off its NAT, firewall
| and wifi and just configure it to connect to the internet and
| plug into anetwork port just your router from the routers WAN
| port and then use DHCP WAN configuration. Then all your
| devices only go into your device. The only device exposed by
| the poor security of the manufacturer is the modem itself and
| your network is defended by your personal device.
|
| There are a bunch of other ways to do it but you can
| absolutely have your network defended by your own device
| running open source firmware and still use the device the ISP
| has provided mostly as a modem. I use a DHCP WAN on my router
| which outputs to the ISPs provided router which is just a
| modem at this point and not a lot else. It still runs DHCP
| and DNS and all that other junk but my home network doesn't
| use any of it. I use Virtual LANs internally for some
| development services I use so the default ISP routers are
| useless to me and after issues with various routers with VDSL
| modems I gave up and have used openWRT ever since. I also use
| separate access points for wifi since its another area
| openWRT is a little behind just due to how long drivers take
| to come out.
| londons_explore wrote:
| And then you have fun with the fact the ISP resets all the
| devices back to defaults once a week... And if you have to
| live with it in its default config you have double-NAT and
| games and web conferencing stuff doesn't work properly.
|
| It's just a bad compromise.
| paulmd wrote:
| The lack of ongoing support from device manufacturers is really
| awful. There were some major UPnP vulnerabilities (last year,
| as well as some previous ones iirc) and a parade of attacks
| against WPA of various levels and very few devices ever get
| patched for them - including high-spec devices.
|
| Running open-source firmware is basically necessary to have any
| chance against all these attacks, because manufacturers simply
| won't do the work.
|
| There really really needs to be some regulation on this,
| internet of things devices as well. Give a defined minimum
| software update lifespan on the box at time of purchase and
| require that it be at least 3 years from the date of sale, for
| example.
| SavantIdiot wrote:
| Interesting.
|
| a) How does someone compile this and keep it current? FTWP:
| "17,000 routers per month" ... ? That's ... daunting.
|
| b) Was Ubiquiti UniFi (or brand ___) excluded because their
| routers have no vulnerabilities or because they weren't tested?
| pixl97 wrote:
| Not sure, but if you go to the main site, they do list
| instructions for Ubiquiti equipment so they seem to know about
| them.
| capableweb wrote:
| A) Shortly: Automation. Long: "Every month, We evaluate 17000
| routers for security Vulnerabilities using the national
| vulnerability database and publish the list with the
| remediation steps" from the website
| mbesto wrote:
| How has someone not made a commercially available open source
| hardware router and just load it up with DD-WRT or Tomato?
| funnyflamigo wrote:
| Linksys does!
|
| They have a series of routers designed to support OpenWRT
| (which IMO is better then DD-WRT but preferences of course). If
| it supports OpenWRT then others shouldn't be difficult to load
| on it either.
|
| https://openwrt.org/toh/linksys/wrt_ac_series
|
| I've had a decent experience with OpenWRT on a WRT1200AC
|
| EDIT: I haven't used it for actual wifi (just
| routing/switching) in a few years so I don't know how good they
| are nowadays.
|
| EDIT 2: OP asked for open source hardware, not hardware that
| runs open source firmware - my bad!
| LeifCarrotson wrote:
| Linksys does not make Open Source Hardware.
|
| Also, it ships with their proprietary "Smart Wi-Fi", not
| OpenWRT.
|
| > _While the Linksys WRT1200AC provides an outstanding
| experience via Smart Wi-Fi immediately out of the box,
| advanced users can further modify the router with open source
| firmware. Developed for use with OpenWRT, an open source
| Linux-based..._ [0]
|
| No one, to my knowledge, makes the appropriate Gigabit
| Ethernet (ideally Dual Gigabit Ethernet) + Wifi Open-Source
| Hardware SBC that could be used as a router. There are a lot
| of SBCs with open-source software and mostly-accurate PDFs of
| their schematics, but very few (the Olimex OLinuXino project,
| maybe?) that are actually open hardware.
|
| I do understand that truly open-source hardware is a tough
| sell, as Jay pointed out in his amazing piece "So you want to
| build an Embedded Linux system" [1]
|
| > _People forget that these EVKs are built at substantially
| higher volumes than prototype hardware is; I often have to
| explain to inexperienced project managers why it's going to
| cost nearly $4000 [2] to manufacture 5 prototypes of
| something you can buy for $56 [3] each._
|
| And an EVK is likely built at a lower volume than a consumer
| SBC. The idea that someone can download your hardware design,
| modify it, and respin it for their desired open-source router
| but now with a piezo buzzer added might work for Arduino-
| scale hardware projects but simply isn't reasonable for
| something that reaches the performance required of a router.
|
| [0]: https://www.linksys.com/ca/wireless-routers/wrt-
| wireless-rou...
|
| [1]: https://jaycarlson.net/embedded-linux/#
|
| [2]: https://circuithub.com/projects/jaycarlson/BEAGLEBONE_BL
| ACK/...
|
| [3]: https://www.newark.com/beagleboard/bbone-
| black-4g/beaglebone...
| funnyflamigo wrote:
| I apologize I misread OP's question. I incorrectly
| interpreted it as "hardware that supports opensource
| firmware such as DD-WRT/Tomato".
|
| In terms of hardware like you mentioned there's few open
| source SBC's at all. Even fairly open hardware like the
| raspberry pi have a proprietary firmware blob. I guess it
| will come down to how strictly you define "open source". If
| you define it as "we have firmware/schematics for every
| chip on the board" then we'll likely never have that (I
| don't think even Linksys has that type of access).
| silasdavis wrote:
| Also very happy with openwrt on this device. Really quite a
| decent gui tui and config. Setting up always on open vpn and
| wireguard was reasonably painless and works well.
| 2OEH8eoCRo0 wrote:
| I tried OpenWRT a few years ago on my WRT3200acm and the
| wireless quality was severely lacking. Has a lot changed
| since then? Do you think it's worth giving another go?
|
| It hasn't been updated since Jan of 2020 but I also don't see
| any vulns listed for it.
| wtallis wrote:
| > It hasn't been updated since Jan of 2020 but I also don't
| see any vulns listed for it.
|
| Are you referring to the manufacturer's firmware or
| OpenWRT? The latter's last release was three weeks ago.
| Namidairo wrote:
| IIRC, the WRT3200ACM had other large issues in regards to
| wifi... (WPA3 was off the cards because the firmware blob
| just does not support protected management frames, for
| example.)
| mikeyschaefer wrote:
| I just tried the wrt3200acm with openwrt for about a month
| and it wasn't nearly stable enough. The wifi issue is
| pretty well know and people seem to be working on it but
| I'd stay away.
| funnyflamigo wrote:
| I haven't stayed up to date with them to be honest. I've
| switched to ubiquiti access points with my WRT1200AC as
| just a switch/router. My plan is to upgrade to a x86 box
| with openwrt or something similar.
|
| So if you had issues with the WRT3200acm I'd go a different
| route
| LeifCarrotson wrote:
| It's older now, but for several years I used a Buffalo N300
| router which came pre-flashed running DDRWT out of the box:
|
| https://www.buffalotech.com/products/airstation-highpower-n3...
|
| I say "used" because my main router has been updated to an
| AC1900 solution, but it's still kicking, I'm just running it as
| an access point. Unfortunately, both it and their updated
| AC1200 solution:
|
| https://www.buffalotech.com/products/airstation-ac1200-gigab...
|
| are discontinued.
|
| Also, while it's pre-flashed with open-source software, it's
| not Open Source Hardware.
| paulmd wrote:
| Buffalo does this as well, and there's a variety of PFSense
| hardware available.
|
| In PFSense hardware you can even find things with atom
| processors or laptop tier processors - which are going to be
| more power-hungry than ARM but also a lot faster, and x86 means
| everything is bog-standard drivers/etc and Just Works. Although
| I suppose with the world we live in, perhaps not having your
| web-facing device have speculative execution would be better.
|
| At that level of cost, many people also go to standalone WAPs
| (although of course there's no reason you can't use DD-
| WRT/OpenWrt/Tomato to turn an old router into a WAP as well).
|
| Some hardware I've seen recommended for PFsense before:
|
| Alix PC Engines APU2
|
| Netgate SG-1100
|
| Protectli Vault
| ipodopt wrote:
| https://www.turris.com/en/
|
| https://docs.turris.cz/
|
| New version coming out next year with 10 gbs ethernet and wifi
| 6. Made by an established internet company: https://www.nic.cz/
| spaniard89277 wrote:
| Hey, have been researching about this brand recently. Any
| experience?
| mnd999 wrote:
| Satisfied Omnia customer here. It's a decent router with
| enough performance to host a small website and Logitech media
| server in lxc containers as well.
| mcspiff wrote:
| Somewhat satisfied customer here. Omnia is great as a wired
| router but I offloaded wifi to another device (eero in my
| case). Mox I was less satisfied with, has some strange bugs
| that have never been fixed. I probably wouldn't pre-buy a
| new Turris device, but if the reviews are good I would go
| for it again.
| spaniard89277 wrote:
| Why did you use another device for wifi?
| mikeyschaefer wrote:
| These come pre installed with Openwrt. I haven't tried any of
| their products though.
|
| https://www.gl-inet.com/products/
| zikduruqe wrote:
| These are my next to investigate if my current Eero network
| gets replaced. The ability to put Wireguard on the router and
| not behind it, is the thing I need.
| msbarnett wrote:
| Asus' routers essentially run a skinned version of Tomato with
| some Asus-specific enhancements. The stock firmware is open
| source and there's a popular enhanced fork of it, asuswrt-
| merlin, that's a drop in replacement.
| emkoemko wrote:
| device makers should be forced to support their devices and if
| they don't they must have something like 6 month period where if
| they don't push a security check flag to their devices they
| initiate code to nag the user telling them this devices is not
| secure anymore because manufacture is not supporting it anymore,
| in this case they should also be forced to release way to load
| 3rd party code etc to allow others to fix their crap.
|
| This is a serious issue because many people use old devices
| without knowing anything is wrong.
| lend000 wrote:
| Is there a way to filter these by remotely exploitable?
|
| Things that can be compromised locally just seem like the cost of
| doing business at this point (for non-business use, anyway).
| netizen-936824 wrote:
| Filtering by "not bullshit" or "patched years ago" would be a
| better start
| unfocused wrote:
| I had no idea Huawei produced so many routers.
| aliswe wrote:
| I am more amazed that there are so many routers than the number
| of vulnerabilities!
___________________________________________________________________
(page generated 2021-11-16 23:00 UTC)