Puzzled About Router Security Design

Discussion in 'hardware' started by jclarkw, Nov 17, 2013.

Thread Status:
Not open for further replies.
  1. jclarkw

    jclarkw Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    7
    Location:
    USA
    Fundamental Question: What external (or internal) software could possibly need to mess around with the router's settings that we install strong passwords and turn off remote administration specifically to protect? If there are "features" of modern routers that actually require this capability, then how do security-conscious users select hardware that does not include these features and the accompanying security vulnerabilities?

    Background: Some routers evidently have/had back doors deliberately designed into their firmware. See, for example, a recent announcement, e.g., "http://www.pcworld.com/article/2054680/dlink-to-padlock-router-backdoor-by-halloween.html". Following the link to the source of the discovery at "http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/", I find the following astonishing conjecture:

    "I found several binaries that appear to use xmlsetc to automatically re-configure the device’s settings (example: dynamic DNS). My guess is that **the developers realized that some programs/services needed to be able to change the device’s settings automatically**; realizing that the web server already had all the code to change these settings, **they decided to just send requests to the web server whenever they needed to change something.** The only problem was that the web server required a username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, 'Don’t worry, for I have a cunning plan!'."

    Any enlightenment or re-direction to a more relevant source would be appreciated. -- jclarkw
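
The design problem conjectured in the quoted passage, shown as an added example that is not part of the original post or of any vendor's firmware: an authorization check that exempts requests claiming to be internal, next to one that recognises internal helpers by their transport. The header name, marker value, request fields and function names are hypothetical.

```python
import hmac

ADMIN_PASSWORD = "user-chosen-strong-password"  # constructed sample value
INTERNAL_MARKER = "config-helper"               # hypothetical hard-coded marker

def password_ok(supplied):
    return supplied is not None and hmac.compare_digest(
        supplied.encode(), ADMIN_PASSWORD.encode())

def authorize_flawed(req):
    # Shortcut of the kind conjectured in the quote: a request that merely
    # claims to come from an internal helper skips the login check. The
    # header is client-controlled, so the user's password no longer matters.
    if req["headers"].get("X-Internal-Caller") == INTERNAL_MARKER:
        return True
    return password_ok(req.get("password"))

def authorize_hardened(req):
    # Internal helpers are recognised by how they connect, not by what they
    # send: a local Unix socket whose peer is root (on Linux the kernel
    # reports this via SO_PEERCRED). Everything else must log in.
    if req["transport"] == "unix" and req.get("peer_uid") == 0:
        return True
    return password_ok(req.get("password"))

# Constructed sample requests: (label, request)
SAMPLES = [
    ("wan, marker header, no password",
     {"transport": "tcp", "headers": {"X-Internal-Caller": INTERNAL_MARKER}}),
    ("wan, correct password",
     {"transport": "tcp", "headers": {}, "password": ADMIN_PASSWORD}),
    ("wan, wrong password",
     {"transport": "tcp", "headers": {}, "password": "guess"}),
    ("local helper on unix socket, root",
     {"transport": "unix", "peer_uid": 0, "headers": {}}),
    ("local unprivileged process on unix socket",
     {"transport": "unix", "peer_uid": 1000, "headers": {}}),
]

def evaluate():
    return {label: (authorize_flawed(r), authorize_hardened(r))
            for label, r in SAMPLES}

if __name__ == "__main__":
    for label, (flawed, hardened) in evaluate().items():
        print(f"{label:45} flawed={flawed!s:5} hardened={hardened}")
```

Only the first and fourth rows differ between the two checks: the flawed one admits a remote request on the strength of a header, while the hardened one still lets the local helper change settings without sharing the user's password.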
     
  2. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    This feature could, for example, be used to remote-(re)configure ISP-supplied routers
    or in 'corporate environments'.
    But yes, it is troubling that you cannot really trust your hardware!
     
  3. jclarkw

    jclarkw Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    7
    Location:
    USA
    Thanks, Enigm. Any idea how to avoid this kind of router? It's hard to see why a product aimed at consumers (e.g., my D-Link DIR-645, not that I know it has this problem) would need such a back door... -- jclarkw
     
  4. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    I would think that good open-source firmware such as OpenWRT (I like Gargoyle) or DD-WRT would put a stop to that.
     
  5. jclarkw

    jclarkw Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    7
    Location:
    USA

    SirDrexl -- Having taken a quick look at the sites you suggested, I think this is over my head. I don't see any prepackaged, flash-able firmware out there for the D-Link DIR-645 rev. A1. Am I missing something?

    I do see a nice-looking Wireless-N router sold by Gargoyle, but I doubt it has the range of my DIR-645 with its "smartbeam" technology.

    Do any of the commercial manufacturers have particularly good reputations for security? -- jclarkw
     
  6. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    657
    Location:
    Southwestern Massachusetts
    In my 20 years of networking experience, I have never seen more frequent firmware updates for both problems and security than Asus. And, yes, I have used SOHO routers made by Belkin, TP-Link, Trendnet, Linksys, D-Link, and Netgear.

    I could go on and on, but just plain don't have the time that I used to since moving from TX to MA.... :p
     
  7. jclarkw

    jclarkw Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    7
    Location:
    USA

    Sorry to be obtuse, kdcdq, but are more frequent updates a good sign or a bad sign? And do you have any comments on Gargoyle? -- jclarkw
     
  8. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    657
    Location:
    Southwestern Massachusetts
    Those are fair questions. :)

    1) When you look at the various firmware change logs, especially from Asus, you see that companies are actually both addressing networking issues/problems and increasing the security of the router. So, in this case, I view more frequent firmware changes as a "good sign".

    2) From a support standpoint, I stay away from OEM firmware except for DDWRT.

    3) I do NOT have any experience with Gargoyle routers, so I am unable to advise you on this.
     
  9. jclarkw

    jclarkw Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    7
    Location:
    USA

    OK, got it. I take it you don't trust OpenWRT.

    Does anyone else have recommendations for secure routers and/or compatible, pre-configured, open-source firmware? I'm getting pretty fed up with D-Link...
     
  10. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Tomato firmware.
     
  11. jclarkw

    jclarkw Registered Member

    Joined:
    Nov 17, 2013
    Posts:
    7
    Location:
    USA
    SirDrexl -- Have you (or do you know anybody who has) used the Gargoyle Router (the hardware sold by Gargoyle pre-loaded with Gargoyle firmware)? Except for the nice bandwidth-allocation features, I haven't been able to find much discussion of it.

    And regarding Gargoyle firmware itself:

    Although the OEM firmware native to the TP-Link TL-WR1043ND offers enable/disable switches for things like SPI, DoS, UDP Flood, TCP-SYN Flood, and Ignore Ping from WAN (in addition to the "Access Restrictions" that are clearly implemented in Gargoyle), I don't immediately see any way to control these features through Gargoyle. Also no clear way to set up port filters for individual remote sites.

    (Maybe I'm missing something. It's difficult for me to learn the features of Gargoyle through the clumsy on-line "Configuration Guide.")

    Any further comments on Gargoyle would be appreciated. (...and Happy New Year to All!) -- jclarkw
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833