Toss routers with hardcoded passwords, expert says

Network World ^ | Aug 27, 2014 4:26 AM PT | Antone Gonsalves

[palmer]

Sometimes it is best to toss security-challenged technology, and that's the recommendation experts are giving to small businesses using a flawed router from a China-based manufacturer.

Trend Micro reported this week that routers sold under the brand name of Netcore in China and Netis outside of the country contained a "backdoor" that could be easily accessed by a hacker to monitor Internet traffic.

...

[palmer]

Lesson #1:
Never buy cheap tech crap from Walmart: http://www.walmart.com/ip/37406393?wmlspartner=wlpa&adid=22222222227025333422&wl0=&wl1=g&wl2=c&wl3=42976232552&wl4=&wl5=pla&wl6=81468267872&veh=sem

related threads:
"The NSA's 50-Page Catalog Of Back Door Penetration Techniques Revealed"

"Backdoor found in D-Link router firmware code"

[palmer]

Only buy Apple routers ping

[palmer]

ping

[FreedomPoster]

I worry about my AT&T router or, as they call it, residential gateway.

I should probably use my own behind theirs.

[palmer]

worth thinking about. I try to use end-to-end encryption for important things, so even if they let the hackers into my crappy vendor-provided routers (AT&T and Sprint), I am still relatively safe. But lots of things I do cannot be encrypted end to end.

[markomalley]

Probably wouldn't be a bad idea at all. If you have an extra computer sitting around, you could consider building your own firewall using m0n0wall, pfsense, IPCop, Smoothwall, or another firewall product. By doing so, you don't have to worry about backdoors placed in some OEM's firmware.

(I assume that, if you are a home user, you don't really need routing (as you likely only have one "route") but actually need a firewall (to keep your home network protected from the outside world).

[AlbertWang]

RSA sold out to the NSA for a few bucks.

Don’t trust anyone.

[Whenifhow]

FYI

[palmer]

That’s a good point. I am impressed by the difficulty of generating large prime numbers but even more impressed with the fact that the elliptic curve private key is just a random number. OTOH the world is chock full of slipshod random number generators and complex (and possibly bad) implementations of various algorithms.

[skinkinthegrass]

Thank you, for the technology up date. 👍

[ShadowAce]

[FreedomPoster]

That is correct.

What do you think of dd-wrt?

[rarestia]

What do you think of dd-wrt?

If your router supports it, I highly recommend you go the DD-WRT route. It adds functionality that manufacturers don't want you to have with the stock firmware. I personally invested in a Linksys (Cisco) E3000 and have been using it with DD-WRT for years. Learn a little iptables syntax and you can configure it to firewall your whole network.

Never ever plug a computer directly into your provider's modem. You're asking for trouble.

[markomalley]

” What do you think of dd-wrt?”

I never had the Linksys device it was originally coded for, so I never really looked at it. In principle, it’s a fine idea, but in practice, I don’t know.

[Wyatt's Torch]

I have the same thoughts (UVerse 2Wire router) - I know you can change the password on it. I would really like to use my own router behind it (because the range will be better) but have heard it is very difficult to set up.

[frog in a pot]

Thank you for your #13!

[E. Pluribus Unum]

I only use routers that allow replacement of the OEM firmware with dd-wrt.

dd-wrt supported devices

[Mr Fuji]

It's not too difficult but it does require some technical effort to pull it off. I've done this on my Uverse 2wire gateway with several different routers.

Link to instructions from "SomeJoe777".

There is no true bridge mode on the 2Wire routers. However, you can still configure it such that almost all functions of your own router will work properly.

1. Set your router's WAN interface to get an IP address via DHCP. This is required at first so that the 2Wire recognizes your router.

2. Plug your router's WAN interface to one of the 2Wire's LAN interfaces.

3. Restart your router, let it get an IP address via DHCP.

4. Log into the 2Wire router's interface. Go to Settings -> Firewall -> Applications, Pinholes, and DMZ

5. Select your router under section (1).

6. Click the DMZPlus button under section (2).

7. Click the Save button.

8. Restart your router, when it gets an address via DHCP again, it will be the public outside IP address. At this point, you can leave your router in DHCP mode (make sure the firewall on your router allows the DHCP renewal packets, which will occur every 10 minutes), or you can change your router's IP address assignment on the WAN interface to static, and use the same settings it received via DHCP.

9. On the 2Wire router, go to Settings -> Firewall -> Advanced Configuration

10. Uncheck the following: Stealth Mode, Block Ping, Strict UDP Session Control.

11. Check everything under Outbound Protocol Control except NetBIOS.

12. Uncheck NetBIOS under Inbound Protocol Control.

13. Uncheck all the Attack Detection checkboxes (7 of them).

14. Click Save.

Your router should now be able to route as if the 2Wire was a straight bridge, for the most part.

Inbound port 22 might be blocked, and inbound ports 8000-8015 might also be blocked, and there's nothing that can be done about it.

[zeugma]

BFL. THink I might need to upgrade my router.

[dfwgator]

You’re naive if you think the government doesn’t have a backdoor to everything.