16

I apologize if this is an obvious question, I'm not very familiar with hardware.

I am planning on hosting a few personal websites from my home, but I'm concerned about my security. I'm using a fairly old cable router (probably around 10 years old I would guess, it's ASUS RX3041). I was wondering if it would be possible for an attacker to send some malicious packets and gain access to my router or be able to send packets to computers connected to the router on ports that are not mapped, or any other exploit, really.

Even if the router was compromised, the server should still be secured with its own firewall and what not but what I want to know is if I can rely on the router as a security layer.

Is it reliable to host a website with my current setup?

logicalscope
php_nub_qq
  • Also, watch out for CSRF attacks. – racec0ndition May 28 '15 at 20:14
  • @Aatif How is that related to networking? I made up a pretty neat csrf protection technique which is utilized without actually storing the tokens rather than encrypting them. I guess I should ask another question on this approach another time. It may, as usual, turn out to be not as good as I think :D – php_nub_qq May 28 '15 at 20:48
  • 3
    @php_nub_qq there may be CSRF vulnerabilities in the router's admin interface. –  May 28 '15 at 22:57
  • 1
    One important thing to consider: if the router is 10 years old, does your provider still patch it for vulnerabilities or is it no longer supported? – Jörg W Mittag May 29 '15 at 06:45
  • I think @André answered it, in case you have further questions, do ask. – racec0ndition May 29 '15 at 14:36
  • @Aatif In order for this attack to work the attacker needs to know every parameter the request expects, the local address my router responds to as well as needs to get me to visit his website or inject js in a site I visit regularly. Not impossible but really hard to get these things together IMHO. And I think it still wouldn't work because the router doesn't allow you to do anything before you log in, I doubt anyone keeps a persistent log in on their router. – php_nub_qq May 29 '15 at 15:33
  • 2
    @php_nub_qq it's really not that hard. Send the person a link on social media to a post on any site/forum which allows `img` tags to arbitrary URLs, and use the default IP of the router which is almost never changed. The hard part would be to figure out which router the person has, but once that's done it becomes pretty easy if the device is vulnerable. –  May 29 '15 at 15:39
  • @André seems pretty hard to me, well not as hard when I have given my device model already :D – php_nub_qq May 29 '15 at 15:52
  • @php_nub_qq, most attacks don't target just one person. Assume a popular model, assume the default IP, put an attack somewhere popular, and hope you get some bites; doesn't have to work against everyone for you to get lucky. – Charles Duffy May 29 '15 at 17:33
  • "more vulnerable" than what? The title asks if it's more or less vulnerable, but without telling us what you want to compare to, it's not clear how to answer the question in the title. – D.W. May 29 '15 at 21:24
  • @D.W. apparently the question was edited, this was not the title I put in. – php_nub_qq May 29 '15 at 21:42
  • @logicalscope, since you edited the title, can you please clarify what you meant by it? See [my comment](http://security.stackexchange.com/questions/90309/are-consumer-grade-routers-any-more-or-less-vulnerable?noredirect=1#comment151918_90309). php_nub_qq, if the revised title doesn't accurately reflect your intent, you are welcome to edit it further to pick a better title -- I suspect logicalscope was simply trying to select a more descriptive, narrowly defined title, so you are welcome to edit it to improve it further. – D.W. May 29 '15 at 21:45
  • Could you just use a software routing instead? Let something on the software handle the routing running within, say, Linux. Do you actually need a hardware router? What if you had a secure, internet facing Linux box with twin eth interfaces, one facing the world & one local. And a switch connected to the local interface. With something like iptables + NAT handling all the routing for you? Would that work? Would that be more secure? – curious_cat May 30 '15 at 06:14
  • Wasn't this question previously "Can routers be vulnerable?"? Don't change the question, especially after it's answered. If you have a new question, ask a new question. – user253751 May 30 '15 at 12:33

5 Answers

22

TL;DR - Yes, routers CAN be vulnerable.

Misconfigured/Unconfigured routers - A ton of people just install their routers and leave the default accounts turned on without modification, thus allowing attackers easy access.

Vulnerable built-in scripts - http://www.reddit.com/r/netsec/comments/1xy9k6/that_new_linksys_worm/

See:

As for answering whether your 'current setup' is secure, we would need a bit more information about the entire scope of your security onion before being able to answer that.

Digital fire
  • 1
    Plenty of routers don't even allow the owner to change the default account (the last 5 I've owned haven't) – Jeremy List May 29 '15 at 08:19
  • 1
    @JeremyList that sounds pretty bad to me, I wouldn't own such a device. – php_nub_qq May 29 '15 at 15:39
  • @php_nub_qq Sometimes you have no choice. There's a huge multi-national company group, that has a company here in Portugal, which distributes routers with extremely weak passwords (easily guessable from their SSID) to the general public, without any option to create a new user and to disable the default ones (guess and admin). If you don't use that equipment, you will need to buy your pricey router. – Ismael Miguel May 29 '15 at 16:48
  • @IsmaelMiguel well you can always purchase online, ebay and what not – php_nub_qq May 29 '15 at 18:04
  • @php_nub_qq And pay a ton, to have the hassle to program it all yourself with PPPoE without you knowing the credentials and having a bunch of headaches. – Ismael Miguel May 29 '15 at 18:09
  • @IsmaelMiguel idk what you're talking about man, there are cheap routers (2nd hand are insanely cheap) and ISPs (or at least my ISP) would help you "program" it free of charge. – php_nub_qq May 29 '15 at 18:40
  • @php_nub_qq You have no idea how badly organized that company is. Just to get your ISP password, you will spend over 10€ calling them. And also, what might be cheap for you ($100, for example) will be extremely expensive for me (around 90.96€, being $1 worth 0.909578774€ as of today; almost 1/7th of my paycheck). – Ismael Miguel May 29 '15 at 19:01
  • @IsmaelMiguel well this is a little chatty but, hey I live in Bulgaria, minimum wage is around 300 BGN or ~150EUR, and I'm saying it's cheap :D – php_nub_qq May 29 '15 at 19:03
  • 1
    @php_nub_qq It indeed is a bit chatty. I know we can't put a price on security, but we aren't in a perfect world. Everything here is even more expensive thanks to tourists. But anyways, for some reason you may not be able to get a new router and that is another factor that should be added (in my opinion) to the answer. – Ismael Miguel May 29 '15 at 19:09
  • @php_nub_qq I wouldn't knowingly buy such a device, and yet I've owned 5 in a row (they haven't lasted very long except for the last one) – Jeremy List Jun 01 '15 at 01:20
13

Other answers have been given to answer whether routers are secure: your router likely has unpatched vulnerabilities.

A recommendation for making things more secure would be to put a real Linux box in front of your router. Configure it for automatic security updates every 10-30 minutes so your patches come quickly. For kernel vulnerabilities, you could use something like KSplice (have to pay for it, unfortunately) which can patch these vulnerabilities in a running Linux kernel, i.e. without a restart.

What you'll likely want to do is set up your network like this:

[Image: network diagram, not preserved]

Note that "Network Partition" and "Server DMZ" don't have to be physical devices, but can be. The above setup puts your workstations in one subnet and your server(s) in another subnet. This is called a "De-Militarized Zone," or a DMZ for short. Having the servers in a DMZ allows you to limit what can connect into the DMZ from the workstation network and vice versa. A compromise of a server in the DMZ can be limited to stay within the DMZ. A compromise of a device in your workstations/WiFi devices, etc. can be limited to not be able to hit the DMZ.

By the way, this is why you shouldn't host things at home if you can help it. Managing a network is something I believe you don't want to be a full-time job.

Hope this is helpful.

Naftuli Kay
  • 3
    I read somewhere that Linux 4.x will have livepatching support in the mainstream kernel. So maybe it will soon be accessible to everybody without having to pay for KSplice. – kasperd May 28 '15 at 21:04
  • 1
    If that's the case, Linux 4 can't come soon enough. This shouldn't be something users have to pay for. I'm disappointed that KSplice took the route it did. I understand that there are bills to pay, but it's good to hear that this may be coming to mainline. – Naftuli Kay May 28 '15 at 21:10
  • I'm disappointed that so many people get so disappointed when they are asked to pay a fair price in trade for some amazing software. Where did this expectation of "something for nothing" come from? That being said, KSplice is monumentally expensive, so refer to your own penultimate paragraph, I guess. :) – Lightness Races in Orbit May 29 '15 at 02:48
  • Why would you call that router the network partition? – munchkin May 29 '15 at 07:16
  • @munchkin It's more of a concept and not a physical device per se. The idea is having separate subnets for the DMZ and client networks, firewalling access between them and between them and the internet. – Naftuli Kay May 29 '15 at 07:53
  • I agree with this answer and would suggest a variant (I'm using): "put a real Linux box in front of your router" → "put a real Linux in place of your router". Then configure it for routing and firewalling your network, and **harden it** and **test it**! – dan May 29 '15 at 15:42
  • Just live kernel patching isn't enough. Remember CVE-2015-0235 (GHOST)? That was a bug in the glibc shared library. Userspace applications that relied on that library had to be restarted - and IIRC the packaged updates did not perform that restart automatically (and it's close to bringing down the whole system anyway; almost everything depends on it). – Bob May 29 '15 at 17:51
  • @Bob that's why you also subscribe to CVEs. Security isn't easy. – Naftuli Kay May 29 '15 at 19:20
  • @Bob Or you AppArmor and SE linux the hell out of everything, if you have the time for that. – Naftuli Kay May 29 '15 at 22:05
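
The DMZ layout described in the answer above, written out as a ruleset for a Linux box with three network interfaces. This is an added example, not code from the answer's author; the interface names, the web server address and the allowed ports are assumptions.

```shell
#!/bin/sh
# Added example: all names and addresses below are assumptions.
WAN=eth0            # uplink to the modem / consumer router
LAN=eth1            # workstations and WiFi devices
DMZ=eth2            # servers reachable from the Internet
WEB=192.168.20.10   # constructed address of the web server in the DMZ

# Print the ruleset in iptables-restore format.
dmz_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall box itself: loopback, replies, and SSH from the LAN only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
# Replies to connections that an earlier rule already allowed.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Internet -> DMZ: only the published web ports, only to the web server.
-A FORWARD -i $WAN -o $DMZ -d $WEB -p tcp -m multiport --dports 80,443 -j ACCEPT
# LAN -> Internet, and LAN -> DMZ for browsing and administration.
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -p tcp -m multiport --dports 22,80,443 -j ACCEPT
# DMZ -> Internet: DNS, NTP and package updates only.
-A FORWARD -i $DMZ -o $WAN -p udp -m multiport --dports 53,123 -j ACCEPT
-A FORWARD -i $DMZ -o $WAN -p tcp -m multiport --dports 53,80,443 -j ACCEPT
# DMZ -> LAN: a compromised server must not open connections inward.
-A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix "dmz->lan drop: "
-A FORWARD -i $DMZ -o $LAN -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $WEB
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Check the syntax first, then load:
#   dmz_ruleset | iptables-restore --test && dmz_ruleset | iptables-restore
```

Forwarding also needs `net.ipv4.ip_forward=1` on the box. Replies from the DMZ to connections opened from the LAN still pass, because the ESTABLISHED,RELATED rule is evaluated before the DMZ-to-LAN drop.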
6

A router is actually a small computer; most of them use the same kind of software as full-fledged servers (typically some Linux variant). As such, it has security holes that should be patched promptly when discovered. Vulnerabilities that are not fixed might be exploitable and yield remote control to attackers, at which point they can do what they want with the router, and, in particular, see all your internal traffic (unless blocked by further firewalls). The real problem here is that software upgrades on routers are rarely done; it is called a "firmware update" and almost never done.

Most cable-based ISPs provide the modem and tend to consider that the modem is still theirs, not yours. Some will push firmware updates of their own accord, without any warning. Some will try to automatically block at the network level incoming connection attempts that look like attacks on known vulnerabilities. Some don't care.

Some ISPs may also claim that by hosting "servers" you are breaching the usage conditions, and then block your Internet access or charge you more. In any case, ISPs apply asymmetric bandwidth, with a lot more download than upload. In my experience(*), server hosting at your home, while possible, is not really worth the effort. You have to take care to fly under your ISP's radar (or to use one of the rare ISPs that do not mind about "server usage"), and the performance is poor. Renting a server somewhere (a simple VPS) is cheap, faster, and way less hassle.

(*) My experience includes running the master DNS for my own domain, and my mail server, from a home machine. I don't do it anymore.

Tom Leek
  • I'm pretty lucky I have a very good ISP, I can switch between using a public IP or hiding myself and using the modem's IP, I can also switch between high down low up and low down high up speeds and also a bunch of other stuff over the web without even speaking to them. Furthermore they have opened port 25 so I can host my own mail server (which may not necessarily be a good idea but still). The problem with hiring hosting is that most companies have very poor support and usually take too long to respond. The ones with good support charge extra for VPS, I do want to be able to install stuff. – php_nub_qq May 28 '15 at 19:13
  • 1
    @php_nub_qq I don't work for either company, but AWS or Digital Ocean could help you get what you want on the cheap. – Naftuli Kay May 28 '15 at 19:19
  • 1
    @php_nub_qq Try Openshift – rpax May 28 '15 at 22:47
1

Consumer grade routers are frequently more vulnerable than professional grade for the following key points:

  1. They usually only work through web or graphical interfaces, where errors strike at the speed of the click. The click being the one of the owner, of the cat or of the attacker.

  2. They usually have a web server embedded which is in itself a huge amount of code with a proportional amount of vulnerabilities. For models I had hands on, this web server couldn't be inactivated. On professional grade server it can easily be turned off, thus closing a serious amount of weaknesses.

  3. They don't get the same level of quality control and security fixes updates.

  4. They much too often embed easy remote admin and debugging functions which are not publicly advertised because of the target market: consumer grade. These admin and debugging functions are well known to network professionals and cyber-criminals. This is a huge piece of security through obscurity. The truth is that it is no security.

I will end with an answer to a question you didn't ask but to which Naftuli Tzvi Kay made a pretty detailed answer: Linux box in front of your router.

How would you sort the security level of three kinds of equipment to connect to the Internet: a consumer grade router, a professional grade router, a Unix server running as a firewall router?

Here is my practical professional experience on about a hundred such pieces of equipment:

  1. Unix server configured as a router and firewall

  2. Professional grade firewall router

  3. Consumer grade firewall router

dan
0

There are some good answers here, but I wanted to highlight that there have been a LOT of research findings recently which show that the security of domestic, small business routers has been very poor. In particular, some major manufacturers, such as Netgear, TP Link, Linksys etc., have been found to have some very poor practices, such as using the same ssh key on all models, including USB and virtual USB support which is not secure, running services which lack adequate protection from being exploited as part of a DDoS amplification attack etc.

Of course, there is no guarantee that more expensive 'enterprise' routers will be any better.

These days, hosting web sites on your home connection is rarely a good idea. Once upon a time, it had significant financial benefits, but I think these days, there are very good and competitive hosting options which are a far better choice. The reality is people expect more these days, i.e. hosting which includes UPS, backups, redundancy, etc. The level of security threats has increased to the point where just keeping things up-to-date is overwhelming. Find a good hosting company and see what sort of deal you can get.

Tim X