Wednesday, June 30, 2004
Cockroaches in the kitchen
Sometimes it's just no fun being right.
I've been worrying about the security of cheap networking equipment for home offices and small businesses. Writing secure software is hard and takes time. The companies that make these network appliances work hard to squeeze every dime out of their costs and they race to meet market demand. Their speed and efficiency give us a wealth of nifty affordable equipment but it's no recipe for security.
When the first security problem came up in home networking equipment I compared it to finding one cockroach in the kitchen. You have to worry that there are more cockroaches waiting in the woodwork.
Since then lots of wireless access point and firewall products have had problems discovered. Some are funny but show dangerous sloppiness, others are serious. There will be more, because when programmers are in a hurry they copy programs that already seem to work, which means they copy all the bugs and security problems too.
The Linksys WRT54G wireless access point had a security problem that sounded more alarming than it really was. The administration interface, where you set and change the security options, was exposed to the public Internet even if you told the device you didn't want remote administration. That sounds terrifying but you're safe if you turn on the firewall features, which I hope everybody has. Linksys has this fixed in the latest firmware.
The D-Link AirPlus DI-614+ and DI-704 have a serious problem, but it requires a sophisticated attack. Brace yourself for some technical language, or skip this paragraph. When the D-Link box issues an IP address via DHCP (Dynamic Host Configuration Protocol), naturally enough it logs the event. The log includes data from the computer that got the IP address. Unfortunately it doesn't adequately check that data. An attacker running a custom-built DHCP client program could insert HTML commands into the log which could reset the D-Link box or (more difficult) change the settings the next time someone looked at the log. This problem was unsolved as of 6/22.
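The D-Link flaw is the classic "untrusted input rendered as HTML" mistake: the client chooses its own DHCP host name, and the router pastes it straight into the log page that the administrator's browser renders. The following Python is an added illustration, not code from the post or from D-Link firmware; the function names, the sample leases and the idea of treating the DHCP option-12 host name as hostile bytes are all my own. It shows the unsafe rendering next to a hardened version that both validates the name against host-name syntax and HTML-escapes every field before it reaches the page.

```python
import html
import re

# RFC 1123 host-name label: letters, digits and hyphens, 1-63 characters,
# not beginning or ending with a hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def hostname_from_option12(raw: bytes) -> str:
    """Decode the DHCP 'Host Name' option (option 12) a client sent.

    The router has no control over these bytes, so anything that is not
    plain ASCII is treated as garbage rather than decoded leniently.
    """
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return ""


def is_valid_hostname(name: str) -> bool:
    """Accept only names that look like DNS host names (RFC 1123 syntax)."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def render_lease_vulnerable(ip: str, mac: str, hostname: str) -> str:
    """The failure mode described in the post: the client-supplied name is
    interpolated directly, so any markup it contains is rendered by the
    administrator's browser."""
    return f"<tr><td>{ip}</td><td>{mac}</td><td>{hostname}</td></tr>"


def render_lease_hardened(ip: str, mac: str, hostname: str) -> str:
    """Two independent layers: reject names that are not valid host names,
    and HTML-escape every field (ip and mac included) before output."""
    shown = hostname if is_valid_hostname(hostname) else "(invalid hostname)"
    return "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
        html.escape(ip), html.escape(mac), html.escape(shown)
    )


# Constructed sample leases, not captured from any real device.
SAMPLE_LEASES = [
    ("192.168.1.10", "00:11:22:33:44:55", b"laptop-7"),
    ("192.168.1.11", "00:11:22:33:44:66", b"<b>not a host name</b>"),
]


def render_log(leases=SAMPLE_LEASES) -> str:
    """Build the log table the way the hardened router would."""
    rows = [
        render_lease_hardened(ip, mac, hostname_from_option12(name))
        for ip, mac, name in leases
    ]
    return "<table>\n" + "\n".join(rows) + "\n</table>"


if __name__ == "__main__":
    print(render_log())
```

Escaping alone would already stop markup from being rendered; the syntax check is the second layer, and it also keeps the log readable, since a "host name" full of angle brackets is worth flagging rather than displaying.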
NETGEAR's WG602 had a "backdoor" password, impossible to disable, which allowed bringing up the administration interface even if you'd changed the usual administrator password. The login was "super", and the password was the phone number of the company in Taiwan that builds the innards. The researcher who discovered the problem looked at NETGEAR's "fix" and reported that they'd just changed the login to "superman" and the password to "21241036". Yes, you can firewall off access from the Internet, but you're still vulnerable to anyone near your coffee shop with a Pringles can.
It's not just the little guys who have hidden back doors in their products. Two Cisco enterprise products, the Wireless LAN Solution Engine and the Hosting Solution Engine, had a nonremovable backdoor password. Cisco did fix this one.
If you'd like to hear about a more benign problem, the NETGEAR FVS318, Linksys BEFSR41, and Microsoft MN-500 won't let you log in to administer your box if someone else has made enough simultaneous connections to the administration web page. NETGEAR and Linksys boxes clam up after 7 connections. Microsoft's boxes, which really did offer better security, don't lock you out until there are 31 simultaneous open connections. This could be a problem if you run a public Wi-Fi hotspot and a prankster comes by.
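The lockout problem above comes from a single global connection counter: whoever fills the slots first, prankster or administrator, wins. As an added example (my own design, not code from NETGEAR, Linksys or Microsoft; the class name and the limits of 32 total and 4 per source address are assumptions chosen for illustration), here is the admission logic an embedded admin interface could use instead, capping connections per source address and expiring idle ones so that one flooding client cannot exhaust the pool.

```python
import time


class AdminConnectionGate:
    """Admission control for an embedded admin web interface.

    Instead of a single global counter that anyone can fill up, the gate
    caps connections per source address and drops idle ones, so a flood
    from one client cannot lock the real administrator out.
    """

    def __init__(self, max_total=32, max_per_source=4, idle_timeout=30.0,
                 clock=time.monotonic):
        self.max_total = max_total
        self.max_per_source = max_per_source
        self.idle_timeout = idle_timeout
        self._clock = clock          # injectable for testing
        self._conns = {}             # conn_id -> (source, last_activity)

    def _expire_idle(self):
        now = self._clock()
        for cid, (_, last) in list(self._conns.items()):
            if now - last > self.idle_timeout:
                del self._conns[cid]

    def _count_from(self, source):
        return sum(1 for src, _ in self._conns.values() if src == source)

    def admit(self, conn_id, source) -> bool:
        """Return True if a new connection from `source` may be served."""
        self._expire_idle()
        if conn_id in self._conns:
            return False
        if self._count_from(source) >= self.max_per_source:
            return False
        if len(self._conns) >= self.max_total:
            return False
        self._conns[conn_id] = (source, self._clock())
        return True

    def activity(self, conn_id):
        """Refresh the idle timer when a request arrives on a connection."""
        if conn_id in self._conns:
            src, _ = self._conns[conn_id]
            self._conns[conn_id] = (src, self._clock())

    def close(self, conn_id):
        self._conns.pop(conn_id, None)

    def active(self) -> int:
        self._expire_idle()
        return len(self._conns)


def simulate_prankster(flood=31):
    """Constructed scenario: one client opens `flood` connections and never
    closes them, then the administrator tries to log in from another
    address. Returns (connections the flooder got, admin admitted?)."""
    gate = AdminConnectionGate()
    got = sum(gate.admit(f"p{i}", "10.0.0.99") for i in range(flood))
    admin_ok = gate.admit("admin", "192.168.1.2")
    return got, admin_ok


if __name__ == "__main__":
    print(simulate_prankster())
```

The per-source cap is the important part: with it, the 31 connections that lock up the Microsoft box in the post would get four slots and no more, leaving the administrator's own address unaffected. The idle timeout covers the other half of the problem, connections that are opened and then abandoned.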
The BT Voyager ADSL Router/Access point will simply tell you its password if asked politely via SNMP (Simple Network Management Protocol).
"Stop telling me about problems! Give me something useful to do about it!"
OK, that's fair. First, run a separate firewall even if your equipment claims firewall-like functionality. Second, check the vendor's web page every now and then for "firmware" updates. You may get a security fix, and probably some reliability improvements. Consider taking a cheap old computer and turning it into a firewall and Wi-Fi access point with free software that's already been checked for security holes.