by 0b0001 2418 days ago
Do you know if the ancient Linux kernel on your router has any security issues?

Do you receive any notification if there's ever an issue found? Is there even a centralised tracker for security issues affecting the router software?

Sometimes, things need to be updated. And consumers can't be bothered to flash a firmware image.

2 comments

It's a home router, who cares. Chances are any security issue it has can only be realistically exploited on the local network. Is it really worth the trouble of constant software updates to bother to prevent? I don't think it is.

It's not that easy:

There could be an XSS vulnerability in the management interface.

There could be a vulnerability in any component which is internet facing.

The router is handling packets. There might be a vulnerability in that logic allowing for maliciously crafted packets (in the answer of a request).

There -could- be a lot of things. Pfsense and ddwrt were some of the very first router software packages to address DNS rebind attacks.

I think saying Tomato is more secure and refined than some router that updates itself constantly to secretly bait and switch the user's expectations is an understatement.

> There could be a XSS vulnerability in the management interface.

Surely you aren't exposing that interface to the world at large, right?

If you click the wrong link while you're on the LAN side.

Of all the devices in a house, a router should be the most important to keep up to date.

Pfsense and ddwrt were some of the first router software packages to fix DNS rebind attacks if that's what you are talking about.

If it is not, you will have to explain exactly how the vulnerability works.

A link can also have an IP address as host. Many routers come with 192.168.1.1 preconfigured. With JavaScript enabled you could also probe the network and craft a fitting link.

Preventing DNS rebind attacks closes only one avenue.
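The two defences this thread circles around, a resolver that drops DNS rebinding answers and a management interface that refuses requests not actually addressed to the router, as an added example that is not from the thread or from any of the firmware projects named in it. The address list, the local zones (`lan`, `home.arpa`), the name `router.lan`, the sample answers and the sample headers are all constructed assumptions; real firmware implements the first check in its resolver (dnsmasq ships an equivalent option) and the second in its web server.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Address ranges that an answer from the public Internet should never point at.
# Assumption for this example: the router itself decides what counts as "internal".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(addr: str) -> bool:
    """True if addr parses as an IP inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


@dataclass
class DnsAnswer:
    name: str      # queried name
    address: str   # A/AAAA record returned by the upstream resolver


def in_local_zone(name: str, local_zones) -> bool:
    """Names the router itself serves (e.g. printer.lan) may legitimately map to LAN addresses."""
    n = name.lower().rstrip(".")
    return any(n == z or n.endswith("." + z) for z in local_zones)


def filter_rebinding(answers, local_zones=("lan", "home.arpa")):
    """DNS rebinding mitigation: drop upstream answers that map a public name to
    an internal address. Returns (kept, dropped)."""
    kept, dropped = [], []
    for a in answers:
        if is_internal(a.address) and not in_local_zone(a.name, local_zones):
            dropped.append(a)
        else:
            kept.append(a)
    return kept, dropped


def host_header_ok(host_header, router_addresses, router_names=("router.lan",)) -> bool:
    """Management-interface check: the Host header must be one of the router's own
    names or addresses. A name that was rebound to 192.168.1.1 fails this check,
    because the browser still sends the attacker-controlled name as Host."""
    host = host_header.strip().lower()
    if host.startswith("["):                     # bracketed IPv6 literal, e.g. [fe80::1]:80
        end = host.find("]")
        host = host[1:end] if end != -1 else ""
    else:
        host = host.split(":", 1)[0]              # strip :port from names and IPv4 literals
    if host in {n.lower() for n in router_names}:
        return True
    try:
        return ipaddress.ip_address(host) in {ipaddress.ip_address(a) for a in router_addresses}
    except ValueError:
        return False


def origin_ok(origin_header, router_addresses, router_names=("router.lan",)) -> bool:
    """For state-changing requests: the Origin must be the router itself, so a page
    on another site that the user was tricked into opening cannot submit forms
    to the LAN-side management interface (a link-click / CSRF mitigation)."""
    if not origin_header:
        return False
    parts = urlsplit(origin_header)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return host_header_ok(parts.netloc, router_addresses, router_names)


if __name__ == "__main__":
    # Constructed sample data: one rebinding answer among ordinary ones.
    sample = [
        DnsAnswer("attacker.example", "192.168.1.1"),   # public name -> LAN address: rebinding
        DnsAnswer("www.example.com", "203.0.113.10"),   # public name -> public address: fine
        DnsAnswer("printer.lan", "192.168.1.20"),       # local zone -> LAN address: fine
    ]
    kept, dropped = filter_rebinding(sample)
    print("kept:", [a.name for a in kept], "dropped:", [a.name for a in dropped])
    print("Host 192.168.1.1 ok:", host_header_ok("192.168.1.1", ["192.168.1.1", "fe80::1"]))
    print("Host attacker.example ok:", host_header_ok("attacker.example", ["192.168.1.1"]))
```

The two checks are independent: the resolver filter stops a rebound name from ever resolving to the router, and the Host/Origin checks protect the interface even when a client uses a different resolver, which is why the thread's point that rebinding protection "closes only one avenue" still leaves the interface-side checks to do.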

Providing updates with a switch to opt out would be no problem to me. However they seem to be pushing the update without notice or consent, without a way to disable telemetry or automatic updates.