a companion discussion area for blog.codinghorror.com

Welcome To The Internet of Compromised Things


#1

This post is a bit of a public service announcement, so I'll get right to the point:

Every time you use WiFi, ask yourself: could I be connecting to the Internet through a compromised router with malware?


This is a companion discussion topic for the original entry at http://blog.codinghorror.com/welcome-to-the-internet-of-compromised-things/

#2

Hi,

I'm from Germany and do IT support for private people and small companies and offices. As such I often have to set up the internet/network. The best router company here is definitely AVM with its Fritzboxes. They have a 5 year warranty and get updates for at least this period. Every time there is a security breach it's immediately fixed in a few days.

The only downside is that they are expensive compared to other routers. But you can still buy outdated models or used ones since they have such a long warranty.

So I either use Fritzboxes or OpenWrt.

Maybe it would be a good idea to make a wiki of "safe routers" depending on countries.

cheers

Edit: PS: first!


#3

Hi,

Great and interesting post, thanks!

I really like the tips. I always felt kinda safe outside while using public WiFi and such, I always knew there are some bad guys trying to do some nasty stuff, but I supposed it’s not going to happen to me. This post gave more awareness which is always good, and now I am more careful, thanks! :smile:

Israel.


#4

The discussion of “faked HTTPS certificates” is unresearched nonsense. For compatibility reasons, Google does still use short-lived SHA-1 certificates on their homepage, which can be trivially observed by loading their site from any uncompromised machines. Similarly, the author suggests that the cert is fake because it has a SubjectCN of “Google.com”, apparently unaware that SubjectAltNames provides a list of domains for which the certificate can be used.

Browsers don’t silently accept HTTPS certificates with errors, and Google is VERY proactive in ferreting out any cases of mis-issued certificates for their domain by making use of CT and certificate-pinning failure reports from their browser.

Yes, trojaned routers are bad. But silently rewriting HTTPS isn’t some trivial thing as is implied here.
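
As an added illustration of the SubjectAltName point above (example code written for this thread, not code from the post or from any browser), here is the hostname-matching rule a TLS client applies, run against a constructed certificate dict in the shape Python's `ssl.getpeercert()` returns: DNS names in the SAN extension decide which hosts the certificate covers, and the CN is only a legacy fallback used when no SAN exists at all.

```python
# Hostname matching as browsers do it (RFC 6125 style): subjectAltName DNS
# entries are authoritative; the subject CN is consulted only when the
# certificate carries no SAN extension. Written as a stand-alone example.

def _dns_id_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN DNS entry (optionally with a leftmost '*') against hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    # A wildcard must be the entire leftmost label, must leave at least two
    # fixed labels, and matches exactly one label: *.example.com never
    # matches a.b.example.com or the bare example.com.
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    return len(pat_labels) == len(host_labels) and pat_labels[1:] == host_labels[1:]


def covered_dns_names(cert: dict) -> list:
    """DNS names the certificate is valid for, taken from the SAN extension only."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def match_hostname(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname under the SAN-first rule."""
    san_names = covered_dns_names(cert)
    if san_names:
        # SAN present: the CN is ignored entirely, whatever it says.
        return any(_dns_id_matches(name, hostname) for name in san_names)
    # Legacy fallback (no SAN at all): fall back to the subject commonName.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_id_matches(value, hostname)
    return False


# Constructed sample: a CN of google.com plus a SAN list covering other domains,
# the situation the post describes. Values are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "google.com"),),),
    "subjectAltName": (
        ("DNS", "google.com"),
        ("DNS", "*.google.com"),
        ("DNS", "youtube.com"),
    ),
}
```

The point for a reader inspecting a certificate: a CN that does not mention the site you are on is not evidence of forgery while the SAN list covers it, and conversely a reassuring CN proves nothing once a SAN extension is present.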


#5

Yeah, reading the link, the fake HTTPS cert seemed like a lot of hand-waving. And now a wild HTTPS certificate for google.com appears!

Coincidentally, Google is abandoning the dominant model of secure internal network vs Internet, and will now put everything publicly accessible, relying solely on end-to-end security and authentication.

Personally, I’ve been doing the same for a couple of years. All my home connections are encrypted & well authenticated, and I refuse to use any important service that isn’t secured using HTTPS, at least.

Coincidentally, I notice that discourse.codinghorror.com is unencrypted. Thankfully I couldn’t care less if someone hacked this account :wink:


#6

“just full of ad junk all the time” is pretty much an accurate description of a good chunk of the “mainstream” web these days, at least if you’re not using some heavy-duty ad blockers. Telling the difference between the normal web experience and malware is getting more difficult.


#7

Just an FYI, the RSS feed for https://blog.codinghorror.com links to the non-https version of blog posts.

EDIT: and apparently discourse.codinghorror.com doesn’t support https either.
EDIT: and the redirect for https://codinghorror.com goes to the http version of blog.codinghorror.com


#8

Perhaps it’s a bit out of the scope of this article, but I wonder if you should tell your computer to “forget” a public wifi when you are done using it? I have heard that someone could set up a wifi with the same SSID elsewhere (physically). When your computer sees that hotspot, it might auto-connect. Then it’s game over.


#9

Any TCP connection goes through several (maybe a dozen or more) routers before it reaches its destination, and you should never be trusting all of them either.

A bunch of things that don’t add up from the article:

  • You’re assuming that TLS certificate-spoofing is trivial. If someone has the ability to pull this off, they can also intercept traffic at other levels, so it’s pretty much game over unless the browser pins certificates, etc.
  • A user can download a malicious package for chrome with malware: Well just don’t download chrome from a random website. Use your OS’s package manager, it’ll use a secure channel, and, generally, verify package signatures.
  • Follow your own advice: This website is only available via HTTP. Oh, the irony.

#10

This post has terrible advice. Unfortunately, there is no good advice.

All consumer routers are trash. The Register has a tag for this: SOHOpeless. We need to separate the hardware of routing from the software, so competent people can provide solutions. But routers have the same fundamental update problem as Android: Device drivers are closed and devices are made cheaply, so updates are generally impossible.

The security technology is stupid. SSL isn’t quite as broken as Cryptostorm says, but it’s still bad; and the default/fallback of unencrypted HTTP is bad. But as long as there is cryptography, it shouldn’t matter to your security how many malicious ASNs insert themselves into the BGP tables. Oh, look, DNSSEC brings cryptography to DNS. Oh, look again, your browser implicitly trusts the DNS response from the configured DNS server, which is set by your network and cannot be trusted. Even if you configure 8.8.8.8 as your DNS server, the reply itself is not cryptographically secure, and can be spoofed.

What we need is to redo how computers communicate. As Whitfield Diffie observed (inspired by Moxie Marlinspike’s trust agility concept), the Certificate Authority business is fundamentally backwards, and that’s why it’s broken. So, we need to fix that. At the same time, we need to do encryption everywhere, and the strongest that we have available. None of this falling back to insecure protocols that get removed only when someone gives it a name like FREAK. No more of this removing security as a requirement when making new protocols like HTTP/2. Retire broken protocols like SMTP.

Unfortunately, Joel Spolsky says you should never rewrite working systems, and business interests are not always aligned with best practices (e.g. Google pays GeoTrust an estimated $50,000 per year for an intermediate CA certificate and installs Google.com certificates into Chrome; problem solved as far as Google is concerned). Other than programming an oasis of security around a selection of your own things, I don’t see any solutions. So, I’ll just browse the web on my badly insecure MacOS machine through a router that I don’t have the time or energy to keep up to date to communicate on this forum that is not available over HTTPS.


#11

How is DD-WRT rated in security? I’ve got the latest PRE-SP2 installed on my router, but that’s about 7 years old and there haven’t been any updates to it as far as I can see. At the same time the project still seems to be alive and the firmware is being recommended in many internet communities. So how can this be and what am I missing here?


#12

I would like to make one comment, and please don’t see this as an attempt to diminish the warning or problem that this article highlights.

If you (or anyone else for that matter) are in fact communicating with any form of website that accepts or transmits credit card information, and is not doing so using https, then I would postulate that the fact that someone could intercept that information is not your biggest problem. The problem is that you (or that other person) is in fact purchasing merchandise or paying someone who would be the equivalent of someone selling items out of the back of their van.

This is in response to this part:

… they can sniff it for anything important: logins, passwords, credit card info, other personal or financial information.

As this article says, https is the solution to this kind of problem, and if a website accepts this kind of information without encryption then it is basically the same as giving your credit card to a person at the service desk only to observe that very same person is suddenly broadcasting your credit card information using the PA system to verify it with a supervisor.


#13

DD-WRT security is a joke. DD-WRT is all about squeezing the most features into the most devices. Features are always popular. Sadly, I would not be surprised if DD-WRT is still more secure than the typical vendor firmware.


#14

Are there any security-focused firmwares out there?


#15

Hi Jeff,

I was very entertained/horrified by your post. I personally believe that the Internet of Things is a gateway technology that will eventually result in the destruction of ancient temples, the inconsistent mixing of tabs and spaces, and additional horrible things that the book of Leviticus was warning us about in addition to warning us about the devastating consequences of eating shellfish (also known as “the Devil’s gummy bears”). Like myself, you are a prophet for the coming age of IoT-based destruction, and we will rule a kingdom of ash when the cities have been cleansed of their dull, cow-eyed Internet of Things enthusiasts. So, please start thinking about what your Ruler Of A Kingdom Of Ash name will be. I’m probably going to use “Charlemagne the Unfairly Wizened,” but I’m still thinking about it.

Anyways, I recently gave a talk at NDC Oslo that you might find interesting:

In that talk, I discuss why the Internet of Things is going to ruin us all. I engage in additional diatribes about other technologies that I do not like, or that I used to like but no longer like because I asked them to prom and they said no and I was outwardly like “no problem, that’s cool,” but inwardly I was like “I spent seven weeks making a papier-mâché sculpture of you as Katniss Everdeen, so the least that you could do is not throw it in a fire while making disparaging remarks about the entire field of papier-mâché arts.” Words hurt, Jeff. Words hurt. #WordsHurt #RealTalk


#16

Wow James Mickens! I am a huge fan!

Everyone reading this should go watch and read all his stuff:


#17

Sounds like it’d be GREAT for browsers to automatically go into an ultra-tight lockdown when in HTTP[non-S] so that no cookies would be created, JavaScript requires permissions, etc.

With optional whitelist.

I’d choose a browser based on that feature.


#18

Agree re: severity of situation.
Would just like to emphasize the incredibly-slow-to-non-existent update chain, which makes for a security nightmare.
We discussed this issue in our talk of Misfortune Cookie (http://mis.fortunecook.ie) and specifically the aftermath - analyzing update rates in the months past disclosure.


#19

Re: Lockdown in HTTP. Mozilla tried a weak version of that. They proposed restricting new features to HTTPS, and gradually deprecating risky features. And people acted like Mozilla was practicing censorship and trying to hand users to Google or the NSA or something. This is why we can’t have nice things.


#20

I don’t think there is any security-focused firmware.

The problem is that security is not a product. You can easily be insecure, like the stars of the SOHOpeless series, but you can’t just get a thing and be secure. Security is a spectrum, where you yourself are a more important component than the router, and it’s all about what specific things you’re secure against. And what you’re willing to spend to get there.

OpenWRT comes closest, but that’s just a matter of being open. You can make OpenWRT into whatever you want. It has an extensive Wiki, and it has a clever Kconfig-based build system so you can try your own ideas easily. One guy has recently been playing with installing security features in OpenWRT.

I would posit that you can’t ever be completely secure with a WRT-based system. It’s Linux, so it excludes the “slow” security features from OpenBSD. It works on devices with less than 10MB of storage and less than 100MB of RAM and a lack of CPU features like NX and VT, so it doesn’t have the aggressive isolation like Qubes OS, or the wacky policy files of SELinux. Its default installation is a read-only image containing everything, so updates are tedious, especially if you practice that customization that I mentioned in the last paragraph.

Probably if you want a secure network, then you will have to be vigilant, and isolate and update each service individually with all the current best practices like immutable virtual machines. (Not immutable containers. I do not trust Docker/LXC as a security mechanism.) A WiFi router needs these pieces:

  1. A kernel that runs the machine, schedules jobs, etc.
  2. A bunch of tools to control the system and make sure everything is running
  3. A configuration utility, often in a web service
  4. A driver that runs the WiFi controller. Two controllers, if you have dual-band WiFi. Usually containing closed-source firmware or binary blobs.
  5. A driver that runs the Ethernet controller. Two controllers, in many cases. Often containing closed-source firmware or binary blobs.
  6. A bridging service that connects WiFi and Ethernet
  7. An IPv4 routing service that does NAT
  8. An IPv6 routing service
  9. A DHCP client, a PPPoE client, or whatever to connect to the ISP
  10. A DHCP server
  11. A caching DNS server
  12. A RA (IPv6 numbering) server

That’s an impressive amount of stuff to fit in less than 10MB, not even counting extra features like USB file sharing and BitTorrent clients. We typically save a lot of space by combining these functions. 1, 4, 5, 6, 7, 8: The monolithic kernel. 2, sometimes 3, 9: Busybox. 10, 11, 12: Dnsmasq. But if we want to be more secure, we should be running them on separate machines. And run them on something like Xen with no device drivers configured, because Xen device drivers turn out to suck. Clearly, this would take a more powerful system with more storage and RAM and electricity use than the typical home router, so global warming consumes us all. Security fail.

Even if you make your network secure, that is time and money you are not spending on building a moat, so you’re killed by marauders with spears. Again, security fail. You need to watch out about what security risks are most likely to affect you, because there’s not enough time to control everything.

There’s a reason people like kjal just outsource the whole headache to AVM.de.

EDIT: Oh yeah:
  13. A time-keeping service, usually NTP, especially if you want to do DNSSEC validations locally