>The action should serve as a wake-up call, not just for other router makers, but entire industries tied to the so-called Internet of Things wave that's adding Internet connectivity to refrigerators, watches, and other everyday devices. Over the past few years, researchers have uncovered a litany of security defects that make it possible for such devices to be remotely hijacked by attackers. Often, the hackers can use their position to install malicious code on the devices or to surreptitiously monitor the comings and goings of the owners.
I posted the same to Reddit also. I was downvoted heavily.
Anyway, I want to ask this.
How did we get here? How did the whole tech crowd okay the use of perpetually connected devices with cameras (on both sides!) and microphones to allow operating them without notifying the user?
I mean, did no one ask, why is there no indicator light on this camera (or mic) on my net connected phone that I take with me to the most private of places?
So what about forcing these gadget makers to add notification that cannot be bypassed in software to alert users when camera or mic is active? Let them add them in all the new devices.
Also, pick up your phone right now and stick a piece of tape on that camera (both of them). Will you do that? Naa... you won't, because that is too 'inconvenient' to remove it when you have to take a picture.
Consumer choice is not all it's cracked up to be. The process for getting surveillance out of phones is like getting lead out of the water: functioning accountable regulation.
(Cameras are less relevant when the phone is in my pocket; it's the microphone that is more of concern.)
I think it's time to encode in law security requirements, a minimum timespan for security patches to be provided post purchase, a maximum timeframe for security patch provision, and liability for unpatched security holes.
Just normal consumer-protection and product-liability law ought to take care of it for the most part, if really applied. Computer software has somehow managed to almost entirely escape liability, avoiding legal responsibility for shipping software with serious defects that make it not fit for advertised purpose. But I suspect people shipping physical devices will find it harder to avoid, because the legal regime for physical devices like ovens and toasters is well established. Nest being forced to issue a product recall of its thermostats over a software flaw is one example of this starting to play out.
> Computer software has somehow managed to almost entirely escape liability, avoiding legal responsibility for shipping software with serious defects that make it not fit for advertised purpose.
So did early car manufacturers etc etc.
Personally I think if everything had been thoroughly regulated from the start a lot of the innovations we are all benefiting from today wouldn't have happened or would have taken a far longer time.
So I am not against regulations, but I can understand why waiting a bit and thinking very carefully before implementing regulation might be smart.
Early car manufacturers in no way almost entirely escaped liability. There were many people killed or injured by the starter crank alone and the lawsuits to go along with it. It's the single biggest reason that steam cars were around until the advent of the electric starter.
The Ford Model T, "generally regarded as the first affordable automobile" (https://en.wikipedia.org/wiki/Ford_Model_T), over 15 million manufactured, had a hand crank. A '40s era tractor that my family "inherited" when we bought our 25 acres of land had a hand crank.
That said, while hard to use, that tractor's hand crank automatically disconnected well enough once the engine got started. Then again my father, born in the early '30s, grew up using them.
> That said, while hard to use, that tractor's hand crank automatically disconnected well enough once the engine got started. Then again my father, born in the early '30s, grew up using them.
Hell, I was born 30 years later, and they still existed on tractors, fork lifts, and other, assorted engines.
There are a couple 'safety rules' when using a hand crank on a gasoline engine:
1) Always grip the crank with the thumb wrapped below with the fingers. So, all your fingers on ONE side of the crank, instead of four fingers on one side, and the thumb on the other.
2) NEVER push the crank down the right side of the rotation.
3) If the hand crank binds when inserted through the starting crank bushing and into the crank ratchet, don't crank start the car. Too much bind will prevent the crank from releasing from the ratchet.
Ah, yes, 1) is a rule for self-loading rifles with reciprocating charging handles, starting in the US I suppose with the '30s M1 Garand. On the off chance the gun will fire while you're manipulating the handle, make sure your thumb is out of the way so at worst your palm will be beat up a bit.
The AR-15/M16/M4 which follows that family (M1 and '50s M14) lacks that "feature", replacing the lost functionality with a separate forward bolt assist. In other major rifles of that general era, the AK-47 etc. and SIG SG 55x and I think its 510 predecessor reciprocates, this in fact goes back to the original Nazi StG 44 "storm rifle", the FAL and G3 don't.
Samsung is actually in a lawsuit in the EU over this right now. The lawsuit says Samsung should provide at least 2 years of software updates as part of the 2 year mandatory "warranty".
So just to be clear... you want the same entities that are demanding backdoors and key escrows and the like to ultimately be the gatekeepers of security? I can only imagine what a regulatory required update may include for, say, "homeland security" or other reasonable compromise... reasonable in the mind of a regulator or legislator. I can see nothing but a legal framework rife with unintended consequences coming out of the practical implementation of such a suggestion. I wonder how the current Apple controversy would work in such a world (not that there aren't laws that may already apply in that case).
Look, I understand why you would want such a thing and I don't believe that your desire is wrong. However, the method you propose I don't think would work the way you expect in the final analysis.
If you really want to do something in this area: why not work to create a consumer products security organization? Yes, it wouldn't have force of law, but you could certify products which manufacturers could use as a valuable distinguishing characteristic in the marketplace. Yes, all of that requires good marketing, etc. and not everyone would pay attention... but that may be better than the use of government force.
Better add to that list minimum company/market size and target audience exclusions, otherwise nobody will ever innovate again, companies like SparkFun will have to shut down, there'd never be another successful Kickstarter campaign by anybody not a front for an existing company, ...
So basically all your devices just phoning home to make sure they are updated, maybe even updating themselves and crashing/bricking at bad times, and while they are phoning home manufacturers just passing some stats on how you are using their devices.
I completely agree but what happens when some startup produces a product with serious flaws and is then sued out of business before they're able to fix the product? Who's liable for fixing the product then?
IMO the people who lead the corporation that released the product should be held personally liable but I realize that's an unfavorable opinion. Otherwise the government ends up footing the bill, which means WE foot the bill, and we're back to being in an unfair situation.
I really hope this leads to some change some day. If router makers can be held accountable for not providing minimum security standards then maybe we'll stop seeing so many "me too" BS options and gimmicks and get a smaller stable of trustworthy routers/firmwares.
It kind of sucks that my first requirement for buying a router is that I must be able to immediately, and easily, flash a new firmware on to it. It doesn't matter who makes them, you are going to be receiving absolute shit for an OS, save for maybe a few prestige models of some of the better brands.
I liked the TP-Link Archer C7s because they were easy to flash and came with some pretty nice hardware for the price. Their products have been badly vulnerable, and now they're locking out alternative firmware. So even when you find a brand/model you like, that may not last.
The thing is that security is a fuzzy boundary, so no amount of case law or statutes can draw an easy-to-understand line between negligent insecurity and acceptable insecurity, and the legal community is ill-equipped to make excellent technological laws.
Also, there's no engineering society that censures its members and creates standards or certifications for quality or security, and it doesn't look like engineers are too interested in that.
Medical malpractice or unethical behavior are also fuzzy lines, but at least there's a medical association that draws some kind of line, determines standards for membership, and censures its members for malpractice or bad behavior, thereby also improving its public image as a trustworthy institution.
While I have no doubt that OpenWRT/DD-WRT are better than the stock firmware provided on these routers, has anyone actually audited OpenWRT for exploits?
IMO alternative firmware projects make things better for the 0.1% while throwing the other 99.9% of humanity under the bus. If we want the Internet as a whole to be more secure, not just our own home networks, we need to solve crappy vendor firmware somehow and not signing updates is unlikely to help. OnHub has a good tradeoff with signed auto-updates by default and a developer mode switch for hackers.
The problem is asking other users to install DD-WRT/Tomato/OpenWRT in order to get a secure device. That's not something I would reasonably expect my parents to know about or do.
Consumer networking hardware needs to be secure out of the box, and automatically keep itself updated without any end-user intervention.
Installing alternate firmware should be an option, but it shouldn't be necessary.
Heck, as someone who used to run alternative firmware they seem to be making it harder for all. After a few years of a forced all-in-one device (thanks, Windstream), I went looking again... things do not seem as organized. Wiki pages argue with each other and point to forum posts without indicating which piece of information is most relevant, and in general things only look stable for routers that are at least two years old, with newer routers having regular, massive regressions. I get enough of JTAG at work, thanks.
> "and in general things only look stable for routers that are at least two years old, with newer routers having regular, massive regressions."
Yep. New hardware is shipped first with proprietary drivers, then shitty open-source code dumps. When the hardware vendors don't participate in the open-source process, it takes the community quite a lot of time to clean things up enough to be merged upstream. Usually by the time that happens the vendors will have secretly changed all the guts of the model with completely incompatible hardware at least once.
Just requiring a new model number for new hardware would get rid of most of the confusion. If the router and chipset vendors would actually maintain their operating systems as flavors of current OpenWRT instead of 5+ year old private branches, most of the problems wouldn't exist in the first place.
> That's not something I would reasonably expect my parents to know about or do.
Then you should be teaching them, much like how I've taught friends and family to reformat and reinstall the OS on any prebuilt device before actually using it.
The only way things will get better for everyone is if we, the ones who know how, try our hardest to educate the ones who don't. If we remain complacent and want others to solve our problems for us, we're implicitly giving up our freedoms to the governments and corporations who are more than willing to take control of more and more aspects of our lives. Asking for "secure out of the box" will make them interpret it to mean secured against their owners. It certainly won't be easy, but that doesn't mean we should give up.
Not everyone is willing to take the time to learn. Some folks just aren't interested in the inner workings of their computer, or maybe they have other things they'd rather spend their time on.
It's like asking everyone to change their car's oil. Sure, it's easy enough to learn to do and will save you money, but some folks would just rather pay somebody else to deal with the problem. Both options are valid.
Ironically, the only way to get custom firmware onto a system that uses code-signing and other forms of security is often to find such an exploit. (See iOS jailbreaking, Android rooting, console homebrew, etc.)
There is a page[0] that I helped put together that maintains a list of the current more powerful routers that support OpenWrt and DD-WRT. Sort by Performance, Value, or Price. Criteria for getting on the list is Performance first, and then Value.
OpenWRT is plain vanilla and probably a hard place to start if you don't understand terminology, etc.
Try Tomato for a friendlier newbie environment. Google your router to see what alternate firmwares are available for it and never buy a new router unless you know one of the alternatives is available for it because most factory firmware is full of holes.
What do you find friendlier about Tomato than modern OpenWRT? The latter has more features, but from what I recall of Tomato it really wasn't much different about how it presented the core functionality.
What specific features or capabilities do you think a current version of OpenWRT does in a less newbie-friendly way than Tomato or DD-WRT?
They've all got web interfaces that present a status summary upon log-in and have pages for configuring different categories of settings (WAN, WiFi, port forwarding, etc.). Unless you think Tomato's default color scheme makes it vastly more usable, you'll have to point to something specific.
(And while it's been a while since I last used DD-WRT, my experience was that it had a multitude of options that were non-functional or incorrectly documented, so I'll need some pretty strong convincing that it's got any advantage over OpenWRT.)
I used Tomato (various flavours, including this one) for a long time until finally succumbing to OpenWRT.
The web interface is lacking compared to Tomato, but in return you get a recent LTS kernel built with the latest GNU toolchain and a superb package manager + collection.
OpenWRT's CLI config system is very slick, the web interface just doesn't yet hook into all possible settings (which may vary between devices).
I think the most egregious issue that the ASUS routers had (even up to the RT-N66U) was that when you used the interface to check for a firmware update, it would report you were on the latest update, even if you were multiple patches behind.
The most egregious, for me, is that while they published the source code for their firmware as GPL (good) they were too lazy to incorporate fixes made by a third-party developer who was fed up with their buggy software and decided to do something about it. The AsusWRT Merlin builds are much higher quality and the source code to them is, per the GPL, also available. It's one thing to not fix security issues, it's another thing to have a single guy fixing your security problems and not even be bothered to take his work and pass it on to your customers. They deserve all the punishment they're receiving.
I think it's time for consumers to demand the ability to run open source operating systems on their devices! All consumer routers should have open device drivers. Right now it's a lot of closed firmware from both router makers and the wireless radio chip manufacturers that prevents that. There are very few 802.11ac devices that are well supported by OpenWRT because of closed drivers and firmware.
Let's face it, the manufacturers are not that interested in supporting the operating system of your device after a few years. Device manufacturers profit from selling you new devices not maintaining old devices. Throwing away a perfectly working hardware device just because it has outdated software is bad for the environment and not good when we have global warming. Do we want to have a Wall-E kind of future scenario of the working junk we consume and throw to consume to throw?
This is of course not only consumer routers, all devices that run embedded software that the manufacturer stops caring for are in danger of getting hacked. If they can be hacked they will be hacked - hackers law.
Why do consumer devices have to be that different from a PC? A PC can load any operating system you like, including good open source operating systems.
This is also the same for cell phones, there are lots of Android devices with older releases that are not security updated.
Notice that this never happened with PCs because it was well expected for people to choose and install their own operating system, which is where the vulnerabilities lie. If you have an old PC and you don't want to throw it away then you can install a newer OS (or *nix) and your only problem is that it's old/slow, not that it's insecure.
Make it trivially easy to install open source firmware and the security problem gets solved by the people who know more what they're doing.
The company I work for runs a home router based CTF at security conferences. So many of these products have vulnerabilities it's mind blowing. This IoT thing is a crazy trade off, we're getting really powerful devices but people are moving fast and really fucking shit up in terms of security. Some devs will know a good amount about security or their framework will cover them, but so many don't. The end result is networks with gaping holes in them waiting to be exploited.
Pretty much what we've all been saying here.