Mass break-in: researchers catch 22 more routers for the SOHOpeless list
A business model ripe for the bin
Yet another disclosure tips 22 SOHO routers in the security bin, with everything from privilege escalation and authentication bypass to hard-coded credential backdoors.
That disclosure – more than 60 vulnerabilities from big-name vendors including D-Link, Belkin, Huawei, Linksys, Netgear, Zyxel and Sagem – was made by Spanish students working on a master's thesis at the Full Disclosure list.
The list also includes cross-site scripting bugs in 15 of the tested devices; denial-of-service on three of them; UPnP fourteen; and four gave an attacker access to delete files from an attached USB device.
Comment: The Register is increasingly sceptical that home broadband router vendors know or care enough to ship secure devices.
It's time for the carriers to take responsibility for their customers, and wield their market muscle to give customers more secure connections.
If certifying devices is too expensive and too much like a command economy, then the carriers might consider working on an agreed virtual CPE standard (with open source code they've collaborated to audit and certify and keep collaborating to maintain).
That vCPE, rather than a (frequently) badge-engineered lowest-cost box in the hands of the clueless, could be the first line of security.
After all, many carriers and ISPs seem to think a box with their brand on it is a good thing, even though it's a safe bet the brand will be associated with the nearly-inevitable breach. ®