Articles about sohopeless

Shutterstock - Giant bug destroys ciy

More UPNP woes: Crashable library bites routers and software

It's a patch for vendors and developers, but it could be nasty: there's a bug in a Universal Plug'N'Play (UPNP), used in a wide range of black-box devices. The bug, in miniupnpc, allows the lightweight UPNP library to be crashed by an attacker – and while the discoverer only confirmed its risk as a denial-of-service vector, …

Turn off remote admin, SOHOpeless D-Link owners

It's 2016, and D-Link still can't get its Home Network Automation Protocol (HNAP) implementation right. In a terse advisory, the Carnegie-Mellon CERT says the HNAP service in D-Link's "DIR" range of routers has a stack-based buffer overflow. “Processing malformed SOAP messages when performing the HNAP Login action causes a …
swiss_cheese_648

D-Link DWR-932 B owner? Trash it, says security bug-hunter

If you've got a D-Link DWR-932 B LTE router, you might want to fire it into the sun – or hope that a firmware upgrade lands soon. Following the consumer broadband industry's consistently lackadaisical attitude to security, the device suffers from everything from backdoor accounts to default credentials, leaky credentials, …
Photo by Christian Bertrand / Shutterstock

ABBA-solutely crapulous! Swedish router-maker won't patch gaping hole

European customer-premises equipment (CPE) kit-maker Inteno has said it isn't going to patch a hole that has been sitting in some of its routers for the last nine months, saying it's not the firm's problem. That's bad news if a European carrier, Inteno's key customers, dropped one of the problematic devices into your home. …
Iain Thomson, 2 Sep 2016

IOActive turns up the most SOHOpeless router so far

It could be the worst router in the world: a cheapie from China that IOActive reckons is completely pwnable all ways from Sunday. Bought by a travelling staffer, Tao Sauvage, the BHU Wi-Fi router looks almost indistinguishable to a surveillance box. As Sauvage writes: “An unauthenticated attacker could bypass authentication, …
Cartoon - Private SNAFU

TP-Link abandons 'forgotten' router config domains

TP-Link, rather than recovering domains it forgot to renew, is going to abandon them. The domains in question are tplinklogin.net and tplinkextender.net. They offered configuration services for buyers of the company's home routers and Wi-Fi link extenders, and are identified on stickers on some devices (not all: two TP-Link …

SOHOpeless Cisco wireless kit needs critical patch

A range of SOHO-targeted network kit from Cisco, pitched as “highly secure”, isn't. Switchzilla has just issued a critical patch for three devices in its RV range: the RV110W 802.11N VPN/firewall; and the RV130 and RV125 802.11n VPN routers. The bug lets a remote attacker send crafted HTTP requests and execute code as root. …

FRITZ!Box home broadband routers' security FRITZed

The FRITZ!Box range of home broadband routers, popular in Germany and Australia, needs patching against a variety of remote code execution bugs. Germans RedTeam Pentesting turned up the bugs in model 3272, 7272, 3370/3390/3490, 7312/7412, 7320/7330 SL, 736x SL and 7490 devices. The vulnerabilities are present in all firmware …

Linksys routers vulnerable through CGI scripts

Linksys' EA6100-6300 wireless routers need a patch: KoreLogic has published an advisory saying that rubbish CGI scripts in the admin interface open the device up to remote attackers. Since it's a consumer product, it's a fair bet that most of the devices out there won't get patched, but here's the detail. Many of the CGI …

Netgear prodded into patching SOHOpeless broadband router

Yet another vulnerability in a SOHO broadband router that flew under the radar is starting to cause trouble in the wild. The authentication bypass in Netgear's WNR1000v4 device is documented here by Compass Security and in more detail by Shellshock Labs here. The short version, from Compass, is this: “an attacker can access …
still_life_with_skull_cropped_648

Password 'XXXXairocon' pops Wi-Fi routers from ASUS, ZTE and others

A bunch of home gateway vendors, presumably sourcing their firmware from the same place, can be hijacked using depressingly common hard-coded logins. As the Carnegie-Mellon CERT states, the vendors involved are ASUS and ZTE in Asia, European vendors Digicom and Observa Telecom, and carrier Philippine Long Distance Telephone ( …
Honeywell Tuxedo Touch

SOHOpeless: Security stains on Honeywell's Tuxedo home automator

Honeywell has issued an urgent firmware update for its three-year-old Tuxedo Touch home automation controller to patch vulnerabilities that could, among other things, let an attacker unlock users' deadlocks. This CERT advisory explains that without the firmware upgrade, all users are vulnerable to authentication bypass and …
Skull image

Industrial Wi-Fi kit has hard-coded credentials

The travelling side-show of industrial control kit insecurity continues, with an outfit called Red Lion being called out for hard-coded credentials on a wireless access point. ICS-CERT has issued an advisory noting that the company's N-Tron 702.-W industrial wireless access point has hard-coded private keys for SSH and HTTPS …
Dunce's cap graffiti by https://www.flickr.com/photos/lord-jim/ cc 2.0 attribution https://creativecommons.org/licenses/by/2.0/

Mass break-in: researchers catch 22 more routers for the SOHOpeless list

Yet another disclosure tips 22 SOHO routers in the security bin, with everything from privilege escalation and authentication bypass to hard-coded credential backdoors. That disclosure – more than 60 vulnerabilities from big-name vendors including D-Link, Belkin, Huawei, Linksys, Netgear, Zyxel and Sagem – was made by Spanish …
Skull image

Hungarian lab adds storage to D-Link SOHOpeless list

D-Link users are on the patch-your-stuff-now list again, this time for vulnerabilities in storage devices. Tests at the Hungarian Search-Lab on DNS-320, DNS-320L, DNS-327L and DNR-326 units using 30-07-2014-dated firmware yielded more than 50 vulnerabilities, including authentication bypasses and something the lab says looks …

ɘƨɿɘvɘЯ algo attack cracks Belkin router WPS PINs: researcher

A researcher who last year turned up weak WPS PIN protection in D-Link broadband modems has found the same problem exists on Belkin devices. The writer at embedded systems hacker hangout /dev/ttyS0, who goes by the name of Craig, says the upshot of his latest work is the same as previously: it demonstrates that like D-Link, …

POODLE vuln dogs Australian consumer modems

The persistent awfulness of consumer broadband modems is once again in evidence, with the Poodle and Freak bugs present in a huge number of Australian households. The issue has hit Twitter, with some people reporting that ISPs are notifying them of possible malicious traffic – but without useful information on what to do. TPG …

Create a news alert about sohopeless, or find more stories about sohopeless.

Biting the hand that feeds IT © 1998–2018