
router & wireless security


Ric Ford

MacInTouch
Beware of Linksys routers...
Talos said:
Linksys ESeries Multiple OS Command Injection Vulnerabilities
Multiple exploitable OS command injection vulnerabilities exist in the Linksys E Series line of routers. An attacker can exploit these bugs by sending an authenticated HTTP request to the network configuration. An attacker could then gain the ability to arbitrarily execute code on the machine.
...
Home routers have become one of the main targets for malicious attacks. Although these vulnerabilities require the attacker to have already authenticated with the device, the vulnerabilities are serious as they allow a potential attacker full control over the device, which may include installation of additional malicious code.

Widespread internet-of-things attacks such as Mirai and VPNFilter show that attackers will keep their focus on discovering new vulnerabilities which would allow them to infect devices and conduct large scale as well as targeted attacks. These attacks are more difficult to detect and protection is available only after their manufacturers update the firmware and patch the vulnerability.

Keeping the device firmware up to date is crucial to avoid SOHO routers participating in a distributed denial-of-service (DDoS) attack or becoming an infection vector in an attack targeted to your organization.
 


Ric Ford

MacInTouch
Mikrotik routers also have had major vulnerabilities:
Sophos said:
Unpatched routers bad, doubly unpatched routers worse – much, much worse!
... If you’re a Mikrotik user, skipping the latest patch leaves you at risk, but if you still haven’t applied the previous patch, you’re in double trouble.

With both patches missing, you’re open to an unauthenticated password disclosure bug that could then be chained with the newer authenticated remote code execution bug.

In other words, instead of anyone being able to get some access, or some people being able to get full access, anyone could get full access by pivoting from CVE-2018-14847 to CVE-2018-1156, the RCE flaw.
ZDNet said:
A mysterious grey-hat is patching people's outdated MikroTik routers
... CVE-2018-14847 is a very convenient vulnerability because it allows an attacker to bypass authentication and download the user database file. Attackers decrypt this file and then use one of the username & password combos to log into a remote device and make OS settings and run various scripts.

For the past five and a half months, the vulnerability has been mainly used to plant cryptojacking scripts on outdated MikroTik routers [1, 2] and to hijack DNS servers and later redirect user traffic towards malicious sites [1, 2].

This wouldn't be an issue, but MikroTik is one of today's most popular router brands. There are over two million MikroTik routers around the globe.
 


Ric Ford

MacInTouch
Add D-Link and more to the list:
Sophos said:
Serious D-Link router security flaws may never be patched
...
The issue of unpatched and never-to-be-patched routers has become a running theme. According to a recent American Consumer Institute (ACI) report, 155 out of 180 routers it analysed had unpatched flaws, equivalent to 172 each, 28% of which were rated high risk.

What’s irksome about the latest example of slow D-Link response is that it’s happened before in 2017 in an almost identical set of circumstances.

Different researcher, another group of older D-Link routers, but the same patchy response and outcome – the researcher reveals the flaws without fixes being available and little hope that they ever would be.

Our security advice is simple: when router makers say end of life, some of them really mean it.
 


Mikrotik routers also have had major vulnerabilities:
Which is a real shame, because I switched to their horrifically bad user interface to avoid the rubbish — but usable — software on normal routers.

Perhaps if Mikrotik didn't make it so freakin’ hard to auto-update (write a script, enter it, then figure out how to schedule it, but not by using the instructions because those don't actually work) — say, having an auto-update checkbox like everyone else — these vulnerabilities wouldn't be so bad. But they seem to have an attitude of “let's deliberately use different terms and make ordinary things hard to do, because then users can feel superior at having mastered their router.”
 


The firmware on my D-Link router was several years old and a few weeks ago I considered replacing the unit when I came across this site:

Router Security


I read the article on a recommended enterprise-class router and purchased it:

Pepwave Surf SOHO Router


So far I'm happy with its functionality and look forward to regular firmware updates by the manufacturer (next one should squash a password configuration bug).
 


I just read Jo Yoshida's link to the Router Security site. I must say, Mikrotik does not come out well, and it looks as though they are covering up incompetence with deliberate obscurity. (D-link does come out looking even worse.)


Again, some of the problem could be eliminated by adding a checkbox for daily firmware checks/updates.

Mikrotik did not allow auto-upgrade until version 6 — the current version — of their OS. If you want to amuse yourself, read the instructions:


You may notice that this process requires multiple routers at one installation. In short, you have to still manually upgrade at least one of our routers.

Buried underneath all that they have a suggestion to manually update the boot loader because, you know, that's so obvious, why would they include it in the graphic user interface or make it part of the regular instructions?

Anyone want a couple of lightly used Mikrotik routers?
 


Ric Ford

MacInTouch
FYI:
Cnet said:
Verizon issues patch for vulnerabilities on millions of Fios routers
If you have a Verizon Fios Quantum Gateway router, get the latest update.

Verizon is sending out an update for millions of its routers after security researchers discovered vulnerabilities that could allow attackers to take over the devices.

On Tuesday, researchers from Tenable detailed three vulnerabilities with Verizon's Fios Quantum Gateway router. The security company said that it disclosed these security flaws to Verizon in December and that Verizon issued a fix on March 13.

Verizon said that a small percentage of its customers didn't get the update automatically and will still need a patch.

"We were recently made aware of three vulnerabilities related to login and password information on the Broadband Home Router Fios-G1100," a Verizon spokesman said in a statement. "As soon as we were made aware of these vulnerabilities, we took immediate action to remediate them and are issuing patches."

It was a particular type of router that didn't get the update. Verizon said that the people affected won't need to take any action. If the router's firmware is running version 02.02.00.13, they're up-to-date and safe from the vulnerabilities.
 



Looks like there is no need to worry about embracing the new WPA3 standard for your next WiFi router.
Ars Technica said:
Serious flaws leave WPA3 vulnerable to hacks that steal Wi-Fi passwords
The next-generation Wi-Fi Protected Access protocol released 15 months ago was once hailed by key architects as resistant to most types of password-theft attacks that threatened its predecessors. On Wednesday, researchers disclosed several serious design flaws in WPA3 that shattered that myth and raised troubling new questions about the future of wireless security, particularly among low-cost Internet-of-things devices.
 




Log into your Verizon router and click System Monitoring along the top row. The firmware version is displayed there.
I checked my router after seeing this and found that it was not updated, so I had a web chat with a Verizon representative. He assured me that the firmware would be updated automatically, and when I checked yesterday it was now 02.02.00.14. Note this is higher than what was previously posted here.

I also have an Actiontec 802.11ac Wireless Network Extender with Gigabit Internet and Bonded MoCA (model WCB6200Q) to extend my wireless coverage via my home's wired coax since the FIOS router is in the basement and I wasn't getting adequate coverage in the far corner of the second floor. I checked its firmware and found that it was also out of date. The current version is 1.1.10.20a.t. You can obtain this at
Installation was straightforward except that the WCB6200Q needs to be connected to coax and you need a wired ethernet connection from a computer to the WCB6200Q. Since most relatively current portables lack wired ethernet, this could be a problem. I ended up using an original 2006 MacBook that I have lying around.
 


Since most relatively current portables lack wired ethernet, this could be a problem. I ended up using an original 2006 MacBook that I have lying around.
Ethernet-to-Thunderbolt 2 or 3 adapters are available for around $25-30 each. I keep these on hand for service needs. When you're downloading a multi-GB system update, a wired connection is much preferred.
 


Ric Ford

MacInTouch
Routers are rife with security problems:
Dan Goodin said:
Ongoing DNS hijackings target Gmail, PayPal, Netflix, banks and more
A wave of DNS hijacking attacks that abuse Google's cloud computing service is causing consumer routers to connect to fraudulent and potentially malicious websites and addresses, a security researcher has warned.

By now, most people know that Domain Name System servers translate human-friendly domain names into the numeric IP addresses that computers need to find other computers on the Internet. Over the past four months, a blog post published Thursday said, attackers have been using Google cloud service to scan the Internet for routers that are vulnerable to remote exploits. When they find susceptible routers, the attackers then use the Google platform to send malicious code that configures the routers to use malicious DNS servers.

Troy Mursch, the independent security researcher who published Thursday's post, said the first wave hit in late December. The campaign exploited vulnerabilities in four models of D-Link routers, including:
  • D-Link DSL-2640B
  • D-Link DSL-2740R
  • D-Link DSL-2780B
  • D-Link DSL-526B
 


Ric Ford

MacInTouch
Before you buy a Linksys router...
Bleeping Computer said:
Linksys Smart Wi-Fi Routers Leak Info of Connected Devices
More than 25,000 Linksys Smart Wi-Fi routers are currently impacted by an information disclosure vulnerability which allows remote and unauthenticated access to a vast array of sensitive device information.

This issue is very similar to a Linksys SMART WiFi firmware security issue from 2014 tracked as CVE-2014-8244 which allowed "remote attackers to obtain sensitive information or modify data via a JNAP action in a JNAP/HTTP request."

However, as Bad Packets' security researcher Troy Mursch discovered, although that flaw was supposedly fixed about five years ago, the vulnerability is still there. To make things even worse, as Mursch says, the Linksys security team tagged his vulnerability report as "Not applicable / Won’t fix" and closed the issue.
 



I've run into a problem in the latest versions of iOS - not sure when it started, or if it's "by design."

At work, we have an "Employees" WiFi access point that does not have security (WPA, etc. - i.e. "Unsecured Network"), but we do have a login where we enter our email/password to get access. That all works fine, but if I sleep my phone, then wake it sometime later, iOS has disconnected from the access point, and I have to go back in to the Wireless settings and reconnect. It's very annoying.

Not sure if this was a deliberate change recently or is some bug. Has anyone else seen this behavior? (Or maybe I can blame our WiFi system...?) Thanks.
 


At work, we have an "Employees" WiFi access point that does not have security (WPA, etc. - i.e. "Unsecured Network"), but we do have a login where we enter our email/password to get access. That all works fine, but if I sleep my phone, then wake it sometime later, iOS has disconnected from the access point, and I have to go back in to the Wireless settings and reconnect. It's very annoying.
I think it's working as designed.

Modern versions of iOS (going back to 8, I believe) implement MAC address randomization. Your MAC address will change periodically in order to prevent it from being used as a tracking identifier.

Unfortunately, public hotspots (which appears to be how your access point is configured) frequently track your logins via that MAC address - they maintain an internal database of MACs belonging to authenticated devices so the devices don't need to authenticate every time they connect. But whenever your MAC address changes, it no longer matches anything in the database, forcing you to re-enter your credentials.

You should talk to your IT department to see if they can implement a more proper Wi-Fi access security model. These typically involve running a RADIUS server on your network in support of IEEE 802.1X. This can be used to implement (among other things) per-user passwords (instead of the "personal" authentication where there is one password for everybody). It can also be used to implement certificate-based authentication, where the IT department will generate a certificate for you, which you will install in your phone so it can be used to authenticate connections.

This may not be possible with inexpensive routers intended for SoHo installations, but there are always exceptions including the possibility of using OpenWRT on compatible hardware.
 


I think it's working as designed. Modern versions of iOS (going back to 8, I believe) implement MAC address randomization. Your MAC address will change periodically in order to prevent it from being used as a tracking identifier....
Thanks for that info. I'll have to talk to them again. They claimed it was a bug in recent iOS. I think it has to do with their configuration. It was working just fine up until some version of iOS 12.
 


Modern versions of iOS (going back to 8, I believe) implement MAC address randomization. Your MAC address will change periodically in order to prevent it from being used as a tracking identifier [. . .] But whenever your MAC address changes, it no longer matches anything in the database, forcing you to re-enter your credentials.
This is not quite correct. iOS only uses MAC Address randomization when scanning for available wireless networks. When it actually joins a wireless network, it always uses the same, real MAC address.

But the rest of what David describes about tracking access via MAC Address is correct. What's actually happening here is the session timeout on their access gateway. Your iPhone is either exceeding the maximum session time or the maximum idle timeout. In either case, you have to reauthenticate at the captive portal before your MAC address is re-added to the gateway's "allow traffic" list.

What you should do is talk to your IT department and ask about having the gateway's session timeout and idle timeout lengths increased to something like 10 hours, so that you can get through the entire workday only having to authenticate once.

Otherwise, as David describes, if they want to have per-user access controls, the proper way to do it is to implement an 802.1X solution. Besides the user convenience of not having to login every time (the credentials are saved on the access device), it also allows you to operate with WPA2 encryption. If this is any kind of serious business, operating an unencrypted wireless network that company-confidential information is flying across is irresponsible and unnecessary.
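To make the session-timeout explanation above concrete, here is an added example (written for this page, not code from any poster or from any gateway vendor) that models a captive-portal gateway the way the two posts describe it: an allow-list keyed by client MAC address, a maximum session length, and an idle timeout. The phone's MAC address and the workday traffic pattern are constructed sample values. Running the same day's traffic through a gateway with short timeouts and one with 10-hour timeouts shows why the phone keeps landing back on the login page after a sleep, and why raising the timeouts cuts the reauthentications down to one.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample values (not from the thread): a locally administered MAC
# for the phone, and the hours at which it wakes and sends traffic during a
# workday. The long gaps model the phone sleeping in a pocket.
PHONE_MAC = "02:00:00:00:00:01"
WORKDAY_TRAFFIC_HOURS: List[float] = [9.0, 9.25, 11.0, 12.5, 14.0, 17.0]


@dataclass
class Session:
    mac: str
    started: float    # seconds when the user authenticated at the portal
    last_seen: float  # seconds when the gateway last forwarded this MAC's traffic


class CaptivePortalGateway:
    """Toy model of a captive-portal access gateway (assumption: real gateways
    differ in detail, but the two limits modeled here are the ones the post
    names as the cause of repeated logins)."""

    def __init__(self, max_session_s: float, idle_timeout_s: float) -> None:
        self.max_session_s = max_session_s
        self.idle_timeout_s = idle_timeout_s
        self.allowed: Dict[str, Session] = {}   # "allow traffic" list keyed by MAC

    def authenticate(self, mac: str, now: float) -> None:
        """User entered credentials at the portal: add the MAC to the allow list."""
        self.allowed[mac] = Session(mac, now, now)

    def check(self, mac: str, now: float) -> str:
        """Decide whether traffic from `mac` at time `now` is forwarded.

        Returns "ok" when forwarded, otherwise the reason the MAC was dropped
        from the allow list and must reauthenticate: "no-session",
        "max-session" (absolute lifetime exceeded) or "idle-timeout"
        (too long since the last forwarded packet).
        """
        session = self.allowed.get(mac)
        if session is None:
            return "no-session"
        if now - session.started > self.max_session_s:
            del self.allowed[mac]
            return "max-session"
        if now - session.last_seen > self.idle_timeout_s:
            del self.allowed[mac]
            return "idle-timeout"
        session.last_seen = now
        return "ok"


def reauths_needed(gateway: CaptivePortalGateway, mac: str,
                   traffic_hours: List[float]) -> int:
    """Replay a day's traffic and count how many times the user is sent back
    to the portal login page."""
    reauths = 0
    for hour in traffic_hours:
        now = hour * 3600
        if gateway.check(mac, now) != "ok":
            gateway.authenticate(mac, now)   # user logs in again
            reauths += 1
    return reauths


if __name__ == "__main__":
    short = CaptivePortalGateway(max_session_s=4 * 3600, idle_timeout_s=30 * 60)
    long_ = CaptivePortalGateway(max_session_s=10 * 3600, idle_timeout_s=10 * 3600)
    print("30 min idle / 4 h session:", reauths_needed(short, PHONE_MAC, WORKDAY_TRAFFIC_HOURS))
    print("10 h idle / 10 h session: ", reauths_needed(long_, PHONE_MAC, WORKDAY_TRAFFIC_HOURS))
```

The check order matters when reading gateway logs: a session that has outlived its absolute maximum is reported as `max-session` even if the client was active a moment ago, so a user who is kicked off while actively browsing is hitting the session limit, not the idle limit. Per-MAC tracking of this kind is also what makes the device, rather than the user, the thing being authorized; that is the limitation the 802.1X suggestion addresses.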
 


Ric Ford

MacInTouch
Routers and Internet of Things (IoT) devices are being constantly compromised – be very wary of these problems.
ThreatPost said:
Dark_Nexus Botnet Compromises Thousands of ASUS, D-Link Routers
A new botnet has compromised hundreds of ASUS, D-Link and Dasan Zhone routers over the past three months, as well as Internet of Things (IoT) devices like video recorders and thermal cameras.

The botnet, called dark_nexus (based on a string it prints in its banner), uses processes similar to previous dangerous IoT threats like the Qbot banking malware and Mirai botnet. However, dark_nexus also comes armed with an innovative module for enabling persistence and detection evasion, which researchers say “puts other [botnets] to shame.”
 

