About two months ago, I posted a video blog showing how easy it is to obtain unauthenticated root access on a very popular Netgear router. This Netgear vulnerability received overwhelming news coverage and the urgent call went out across the Internet to patch all of their routers ASAP. Users scrambled to get new firmware for their hardware before hackers could potentially exploit the weakness to break into their devices. As a reaction to this negative exposure, Netgear rushed production of patches for almost all of their popular router devices. For users who were unaccustomed to this firmware patching exercise, this process was a frustrating introduction to how to obtain and install new firmware onto the hardware that they depend on to protect their homes from Internet attackers. Little did they know that this would only be the first salvo in an ongoing saga of issues with Netgear firmware.
Now, last month, a security researcher at Trustwave uncovered a huge directory traversal bug that appears to exist in a wide array of popular Netgear routers. Given how easily he was able to identify the issue and considering the very large reach the vulnerability has on Netgear firmware, one could reasonably conclude that basic security auditing and SDLC development practices have somehow failed to produce secure firmware that end users can rely on to protect them from hackers.
So, what can end users learn from all of these vulnerabilities being exposed?
First: End users need to acknowledge that the security of their home equipment is largely their own responsibility. Fully relying upon their “trusted partner vendors” alone to protect them from hackers is not meeting their expectations. End users could share some of the security burden and educate themselves on how to patch their hardware on a regular basis. Users need to consciously develop the habit of checking in with their vendors to see if patches have been released and also become informed as to when zero-day vulnerabilities drop.
Second: Users should be much more critical of their hardware choices prior to their purchasing the device. Evaluating hardware based on vendor’s previous track record may be a good start place, however – as we are finding out – no vendor is immune to all security vulnerabilities. Consumers should exercise their right to vote with their wallets. They need to stop using and start returning gear that’s proven to be insecure in much greater numbers than they are today.
Third: We should open the discussion with legislators to consider additional measures aimed at protecting consumers. In the event that the software and firmware did not protect the end user from security vulnerabilities, perhaps the consumer should be eligible for some form of compensation. In two recent cases, the Federal Trade Commission (FTC) has ruled against different router manufacturers. Recently, the FTC settled with the router maker, ASUS, for failing to fix security holes in a timely manner and the FTC also took action against router manufacturer d-link for failing to take reasonable steps to secure their routers. While these legal actions by the FTC represent a great first step, we ought to see additional vendors voluntarily take the proper actions to get ahead of these vulnerabilities. They could do so by adopting software development practices that reduce the chance of creating bugs that cause security gaps before the software is released.
What can you do to prevent these issues from impacting your home?
– Place a monthly reminder on your calendar to review the status of the firmware on your router/firewall. Visit support section of your vendor’s website and check that you are running the latest release of their software which contains the latest security patches. For example, if you own the Netgear router, find their updated firmware issued and update.
– While performing this exercise, be sure that all of your client machines, such as laptops, desktops, tablets and mobiles, are up to date as well. Run Windows Update manually and ensure your machine is patched. Check in with Apple to do the same. While getting caught up the latest patches may mean a significant investment of your time initially, once you make this best practice a regular monthly regimen, you should only need to reserve a few minutes each month.
– Review the update status of the software you depend upon to secure your Internet experience. This software is your main interface with vulnerable servers on the Internet, and updating it is absolutely critical. Also, be aware this software also includes your internet browser (Chrome, Firefox, I.E, Safari) and you can generally select “help, about” to verify you have the latest patch for your browser.
– Don’t forget to update your plugins – including Flash, Java and Adobe reader, as well as any other add-on software you use to enhance your browser. These programs are high value targets for hackers who write a large majority of malware to target vulnerabilities in these platforms. If you don’t regularly use these packages, consider uninstalling them – thus eliminating any possible security vulnerabilities associated with the plugins. You may have heard that the Flash had such a dismal track record for security vulnerabilities that the Chrome browser decided to disabled it by default and other browsers may elect to follow suit.
Hopefully, this article has provided you with some best practices that you can adopt as good habits. Start taking ownership of the security posture of your home devices. Take the time to build a routine to ensure that you are doing what you can to keep all of your devices running at their best and that you’re leveraging their ability to properly secure your home and family.