Time Capsule is sort of middling quality. Mostly, it seems more secure because it doesn’t support the normal range of insecure behaviors. WPS? Eliminated. UPnP? Eliminated. (It does have NAT-PMP, though not enabled by default.) Web administration interface? Eliminated. I don’t think you can even install a third-party firmware on it.
The downside for security, Apple is really secretive and slow at fixing vulnerabilities. I don’t remember hearing about any particular Airport/Time Capsule issue, but I wouldn’t be surprised if there are mistakes in the code that are exploitable.
The main reason not to use Airport/Time Capsule is performance. The WiFi range and speed on those things is unimpressive.
I’m pretty bummed that I read through that entire cryptostorm article, thinking there was something there because Jeff linked to it. As I was reading, I kept thinking this sounded more and more like a conspiracy theory with almost no actual technical content (just “look - something I don’t understand! Must be malicious!”) but struggled through the entire thing before concluding it’s mostly BS.
A quick Google later confirmed my suspicions that it’s already being well-debunked…or maybe my router is just compromised and that’s what they want me to think.
This is very true.
Most do not know what risks they are taking by connecting to an unknown network!
This compromise in security could easily lead to personal and bank details that can be stolen.
I never knew one could be attacked by only an infected router alone.
Thank you for all your tips!
Some of these steps are too difficult for standard users which would mean that they are still vulnerable.
Never access anything but HTTPS websites.
This should be spread so that everyone can be safe.
I was already suspecting when it mentioned the OCSP url 404 thing as if it was something significant, and I gave up 3/4ths through, when i saw this:
It claims “numerous proven methods” and links a bunch of askubuntu questions with GPG errors from APT, no proofs
That’s when I looked into what kind of organization this thing is, and on the surface it looks like a VPN service with a neat sense of aesthetics, but they also have wacky stuff like a collection of “suspicious looking certificates”, with criteria such as “Subtle typos in the names of companies. Start times that are 1:00:00 exactly. That sort of thing”.
Uhhhhhh… well if they say so.
@codinghorror can you add an edit around that cryptostorm link, warning readers that it’s bullshit? At best, it’s an inconclusive info dump, there’s nothing indicating that messing with DNS or BGP will break HTTPS.
The Netgear Nighthawk is an awesome router and it offers vpn for you to use when away. I generally use my phone’s wifi hotspot when out and about though, because in addition to security, the bandwidth is much better.
Looks like a typical overpriced consumer-level router. Who knows, Asus may have a good offering. It’s just the look of the thing that reminds me of years of Linksys WRT54G hardware upgrades (read downgrades).
Why not try a Ubiquiti? I use a Motorola Modem for DOCSIS, connected to a Ubiquiti Picostation. The little thing is a workhorse and it has all the advanced features I could ever want. I actually purchased it with the intent of loading custom firmware (ie it was replacing my crippled DD-WRT router) but liked the stock capabilities enough that I didn’t bother.
It can be configured to work as SOHO, wireless bridge, and mesh network node. With all the usual advanced networking capabilities. They’re cheap but surprisingly powerful for the cost.
My solution to this is to use a VDSL modem that just passes through the PPP level packets for my Linux server/router/firewall to do the PPPoE part of things. This way I have full control and it’s all my responsibility for keeping it up to date and configuring correctly. No trusting some ‘open’ firmware vendor to not put hardcoded credentials (I’m looking at you OpenELEC, or have they fixed that in later versions?) and to otherwise be on the ball.
So for anyone comfortable with using a custom firmware on a ‘router’ I’d advise going this route instead. WiFi is a separate unit and goes inside the Linux router, preferably on its own sub-net with firewall rules controlling what it can access internally.
And, yeah, I need to get around to setting up a home VPN (for my phone to use when on random WiFi), given I finally have decent (for a home connection) upstream bandwidth.
In my earlier Mirai blog post, I offered some guidelines that are both practical and achievable in the home router and IoT device market. My hope with the following guidelines is to inspire innovative technical solutions among device vendors and service providers to redesign or update home routers to limit the risk that these devices will end up being used for nefarious purposes:
Design home routers and IoT devices to operate with read-only filesystems, making run-time installations of malware impractical.
Disable any packet crafting/spoofing/promiscuous mode on the firmware level to avoid malicious use of network resource on these devices.
Provide automated updates for firmware with either planned downtime or no downtime to resolve vulnerabilities proactively.
The purpose of these lightweight, low-cost devices is to transit network data or stream live data (like IP cameras) with little reason for any persistence. In fact, some of the newer home routers do operate within a chroot and a read-only file system, making it hard to both exploit these devices and install third-party software for persistence. Even if a would-be attacker learns or guesses an administrative password, malicious code installation performed by VPNFilter and Mirai would not be successful on these devices.