survey of more than 6,000 firmware images finds no improvement

survey of more than 6,000 firmware images finds no improvement

George N. White III

"A survey [by CITL] of more than 6,000 firmware images spanning more than a decade finds no improvement in firmware security and lax security standards for the software running connected devices by Linksys, Netgear and other major vendors."

Earlier CITL work used Ubuntu 16.04 as the reference configuration:

I had a look at D-Link's terms of service:

"Neither d-link nor its officers, directors, employees, affiliates, suppliers or agents, or any other service provider or vendor who furnishes the services, devices, or products to the customer for us will be liable for unauthorized access to our or your transmission facilities or premises equipment or for unauthorized access to, or alteration, theft, or destruction of, your data files, programs, procedures, or information through accident, fraudulent means, devices, or any other method, regardless of whether such damage occurs as a result of d-link's or its service providers' or vendors' negligence."

CITL says "nobody is trying [to improve security of home routers]", but in fact vendors are trying to limit their exposure to any consequences of this negligence.

--
George N. White III


_______________________________________________
nSLUG mailing list
[hidden email]
http://nslug.ns.ca/mailman/listinfo/nslug

Re: survey of more than 6,000 firmware images finds no improvement

Joel Maxuel
D-Link has been a non-starter for me for the past half-decade, since their products are controlled by the company enough for a customer to not replace the firmware, but non-support after a year or two means it can just as easily become part of the botnet.

--
Cheers,
Joel Maxuel

"One should strive to achieve, not sit in bitter regret."
 - Ronan Harris / Mark Jackson


On Sat, Aug 17, 2019 at 8:33 AM George N. White III <[hidden email]> wrote:

"A survey [by CITL] of more than 6,000 firmware images spanning more than a decade finds no improvement in firmware security and lax security standards for the software running connected devices by Linksys, Netgear and other major vendors."

Earlier CITL work used Ubuntu 16.04 as the reference configuration:

I had a look at D-Link's terms of service:

"Neither d-link nor its officers, directors, employees, affiliates, suppliers or agents, or any other service provider or vendor who furnishes the services, devices, or products to the customer for us will be liable for unauthorized access to our or your transmission facilities or premises equipment or for unauthorized access to, or alteration, theft, or destruction of, your data files, programs, procedures, or information through accident, fraudulent means, devices, or any other method, regardless of whether such damage occurs as a result of d-link's or its service providers' or vendors' negligence."

CITL says "nobody is trying [to improve security of home routers]", but in fact vendors are trying to limit their exposure to any consequences of this negligence.

--
George N. White III


Re: survey of more than 6,000 firmware images finds no improvement

Oliver Doepner
On a related note: Are there any OpenWRT users on this group?

I am considering installing it on my TP-Link Archer C7 v4.0.

Any experience with the software and its web UI?


On Mon, Aug 19, 2019 at 7:20 AM Joel Maxuel <[hidden email]> wrote:
D-Link has been a non-starter for me for the past half-decade, since their products are controlled by the company enough for a customer to not replace the firmware, but non-support after a year or two means it can just as easily become part of the botnet.

--
Cheers,
Joel Maxuel

"One should strive to achieve, not sit in bitter regret."
 - Ronan Harris / Mark Jackson



Re: survey of more than 6,000 firmware images finds no improvement

Joel Maxuel
Hi Oliver,

I haven't used OpenWRT personally, though I should have tried it somewhere at some point because my understanding is that the interface is a bit DIY (this statement could be false, hence why I should try it out instead of holding a bias).

I have used Tomato before, but at some point I have applied DD-WRT to every router I have (incidentally one form of Linksys or another).

I should note that the experience of flashing router firmware is quite varied - sometimes it's straightforward, other times it is quite painful (even within the same make/model combination - an experience with a Linksys WRT54GS can be determined by the revision - newer versions are downright dreadful).

--
Cheers,
Joel Maxuel

"One should strive to achieve, not sit in bitter regret."
 - Ronan Harris / Mark Jackson


On Mon, Aug 19, 2019 at 10:33 PM Oliver Doepner <[hidden email]> wrote:
On a related note: Are there any OpenWRT users on this group?

I am considering installing it on my TP-Link Archer C7 v4.0.

Any experience with the software and its web UI?

