This is classic security overreaction, when talking about home routers.
Just to be clear if this is an issue for you, make sure you do not connect to any wifi you have not hardened yourself beforehand!
Also articles on the page fail to show any practical implications and what does happen instead on what can happen. Don't get me wrong having your router used for DDoS and C2 is not great but it has 0 practical implications for you. The summaries on the page also omit that most of the nasty sounding issues are directly mitigated by using HTTPS.
Delivering malware will have an affect but none of these articles actually mention such cases (other than it can be done) and how prevalent this is compared to other malware delivery methods. I'd say it is safe to assume it isn't.
Also notice most of the recommendations have nothing to do with the these threats. That can be summed up to update your router and change password.
You can possibly get your entire house blocked and/or banned by services, servers, and networks that notice your public IP seems to be part of a botnet.
That said, I'd be skeptical and want to see real data if this guy is claiming your router is more likely to be infected and become part of a botnet than your other networked devices.
operative word is can again. I'd doubt that this happens on large scale (we would see/hear more because of the sizes of botnets).
also when it does happen, removing it from bans will probably cost you less work then applying the hardening in the first place...
Yeah, router compromise was way worse a decade ago when no one used HTTPS. These days it's obviously not great but you're not really in danger so much as you can be inconvenienced.
That said, it would be nice if router security wasn't absolute shit and those devs actually gave two shits about it, but I could say that about so many things.
I tend to agree. And in terms of being used for DDoS attacks etc., that's really an issue that needs to be addressed by ISPs, who supply routers to the vast majority of non-technical home users. ISPs should be setting appropriate defaults, setting unique passwords, and issuing automatic firmware updates over the air.
Don't rely on vendors to ship you secure fimware. Use something open source such as OpenWRT. It will make implementing the protections this blog mentions much easier.
Merlin firmware is special in a good way. Merlin has a good relationship with the Asus firmware dev team, he gets early access to official firmware, they sometimes ship him unreleased routers. He often finds and fixes bugs and creates/adds new features that Asus pickup. Also very careful to maintain full compatibility with the stock firmware, making it easy to switch between stock and merlin. He has also created an interface to allow 3rd party features to get their UI page. There is probably more, but it really is an excellent project.
I've had similar experiences. As time goes on I want to spend less and less time configuring things and more on things that actually matter. Asus' defaults are good and whenever I do need to reconfigure something it's always a breeze.
I recently bought a TP-Link router. It comes with a note that says that it is based on GPL software. However, when I try to install OpenWRT firmware on it, it rejects the update (probably based on a missing crypto signature) ...
They do provide access to the sources, but isn't this still a violation of GPL?
My understanding is that it would violate GPL-3 but not GPL-2 (search term "tivoization clause"). Notably, Linux itself is explicitly GPL-2. IANAL, nor am I an expert.
The link has an interesting justification, I haven't heard that before.
> That's because millions of home gateway routers, especially those leased to customers by their internet service providers (ISPs), leak their unique hardware ID numbers through their Internet Protocol (IP) addresses — and those hardware ID numbers can be connected to publicly available maps that show the street locations of Wi-Fi networks.
> We assume a weak adversary who is remote to the target and has no privileged access. Our privacy attack lies in IPv6 addresses formed via EUI-64, which embed the interface's hardware MAC address in the IPv6 address. While EUI-64 IPv6 addresses are no longer used by most operating systems, they are commonly found in legacy and low-profit-margin customer premises equipment (CPE), e.g., commodity routers connecting residential and business subscribers. Because IPv6 CPE are routed hops (as opposed to IPv4 NATs), we can discover their MAC address via traceroute if they use EUI-64.
> These CPE are frequently all-in-one devices that also provide Wi-Fi. Crucially, the MAC address of the Wi-Fi interface is often related to the MAC address of the wide area interface, e.g., a +/-1 offset. These Wi-Fi MACs are broadcast (the 802.11 BSSID) and captured by wardriving databases that also record their physical location. By correlating the MAC addresses embedded in IPv6 home router addresses with their Wi-Fi address counterpart, we can remotely geolocate them, fusing virtual data with meatspace.
> For years, turning off IPv6 (IP version 6) was on the long list below, but as of August 2021, I think it belongs here on the short list too. Very very few people need it and it was recently disclosed that there is a possible security issue with it.
I think you're being a bit too accusative. Every suggestion has sources to back it up if you want to see why something is recommended.
A long while back now Google came out saying[0] they did use their Google Maps Street View cars to also collect wifi+location information. It wouldn't surprise me if they augmented this info with data they receive through Google services running on Android phones too.
So my bet is, yeah, they do exist and they do pretty much cover everywhere.
Google even has a geolocation API [1] where you can send the BSSID and signal strength of the access points in your range and it calculates your position.
Though I believe that if Google is the adversary, they have ways (only a guess, but some kind of correlation between GPS location on mobile while connected to Wi-Fi and http requests could be one) that make the "wardriving database" unneeded, I mean, there should be a constant updating of this database, or it would turn out pretty much obsolete soon.
The database may have originally been filled by wardriving, but it can be updated by their distributed agents (phones with location services turned on).
I think there's a better justification. Since IPv6 is still new-ish to SOHO, and often is lightly used at best, the firmware devs might not spend as much time building that support into the firmware. When devs get laxidasical, bugs happen.
I'm not sure that's a better justification. It's definitely an additional justification, making the whole thing that much worse. But street-level geolocation is pretty bad in itself.
The author shows a complete lack of knowledge on IPv6. Yes, you do get a SLAAC address which basically contains you MAC, but if your OS supports it, you will also get a anonymized address which does not leak your MAC on the internet. Windows, Android, Linux, iOS all support MAC address anonymization, so as long as you are using a recent OS you should be fine. Very weird suggestion...
> The author shows a complete lack of knowledge on IPv6.[…] you will also get a anonymized address which does not leak your MAC on the internet.
No, they do not lack knowledge. See the sibling comments: the issue is not a concern of what various computer and mobile OSes do, but rather with some CPE firmware still using EUI-64-based IPv6 addresses.
This allows attackers on the Internet to send out probes, find the router's Wifi interface, map it to the BSSID/SSID, and look up the SSID in geolocation database:
Ideally what they should be doing is contacting vendors to fix their firmware (and also creating CVEs for 'public shaming'), and not telling people to disable IPv6.
Disabling IPv6 does not solve the problem: it is still lurking there for folks that haven't read this site/advice.
How does the attacker get the IPv6 address from the SSID MAC? Or am I looking at the issue the wrong way?
Routers will hardly ever make connections themselves out to the internet, except maybe for things like DNS which hopefully are using major providers like Google which won’t leak the data anyway.
It's explained in the Blackhat presentation if you bother flipping through the slide deck:
The attacker sends a ping to any random address in the /64. The router responds with an ICMP of "timeout" or "unreachable" or something. The ICMP response has the router's IPv6 address.
In badly written routers they use EUI-64 for the local-part of addresses. Further, most devices have interfaces where the MACs are sequential: so if the first interface has 2a:a9:d3:8f:c9:a8, then the next one probably has …:a9, and then :aa, etc.
Then the EUIs-64 and look them up in a Wifi geolocation database:
Right. But isn't it so that each device gets its own IPv6 public address? So that PC1 and PC2 connected through the same modem are identifiable by different IPs, while you can still see that they're from the same modem/household? If that's the case, it can be a privacy concern.
Theoretically, even non-router devices could use more than one address, just to confuse what's listening on the other side.
In that scenario, DHCPv6 would be responsible for keeping the assigned subnet filled randomly, rather than being conservative and consistent with address assignments. I don't know if anyone is doing it now, but I don't think we should dismiss IPv6 for this reason.
There are a lot of shortcomings of IPv6 which prevents it to be widely used (particularly on the consumer network side).
First thing to know is that it shifts responsibilities. The router is not responsible anymore for assigning IPs to the network.
The devices assign their own IP address using SLAAC. You could use DHCPv6, but many devices simply won't support it (windows and android to begin with).
Which brings the following issues:
- No support for multi-homing. Example: You have two connections, a slow reliable one, and a fast unreliable one. With IPv4 you can easily setup multiwan in any proper L3 router. The router will ping both routes, and if the fast one is working, using it as main gateway. When it doesn't answer anymore, the router simply change its route.
Because of NAT, this is transparent to the devices behind its network.
For IPv6, this doesn't work anymore, because the IP prefix is set by the provider, without NAT the second provider will simply refuse to forward any packet which originates from an IP which doesn't have their prefix.
The "solution" is to have your own address space, and use BGP to change the routes (which is out of reach for all of private consumers).
- ISPs got it wrong ! I'm in Germany, tried 3 different providers, they all assign to my router a /64 subnet instead of /60 or /56 (as recommended by ARIN). The problem is that SLAAC only works with /64, below the devices usually won't assign themselves an IP anymore. So you can only have one network, you can't have a Guest network with a different prefix.
- As mentioned by the article, the design is terrible for privacy: SLAAC works by simply taking the prefix from the router and filling the rest with the mac address. Which means that anybody on the internet gets to know your mac address.
EDIT: This is wrong. See throw0101a answer below.
- Captive portals: SLAAC does not directly support assigning DNS servers. So most captive portals simply break because the network's firewall blocks DNS requests as long as they don't use the proper DNS server, but the device might simply not even be able to receive it. (SLAAC has an extension where it can tell the device to receive the DNS servers from DHCPv6, but many devices simply ignore it and treat DNS like browsers do with DoH).
EDIT: This is wrong. See throw0101a answer below.
- Security within networks: Because the responsibilities of who assigns IP is shifted to the devices, switches cannot prevent devices to assign themselves IP anymore. So it's very easy for malicious devices to flood routing tables of switches by telling them that they own all IPv6 for the whole /64. Makes the whole network abysmally slow, or completely down.
Most of these issues are solved by using NAT6 (or NPT), but the issue with it, is that it breaks some applications. Ipv6 promised to get rid of NAT, so some applications took the liberty to assume that their local IP would always be the same visible on the internet. Not sure if that's this particular case for SIP, but it's usually broken with NAT6.
It is far away from transparent. Devices behind the router can't know that a change in Public IP happened and won't reconnect active connections.
One example is Apple's APNS and Android's GCM. In IPv4 multiwan network, after the change they won't receive notifications at all for up to 30 minutes. In IPv6, the router can invalidate the old prefix, and publish a new one immediately.
I think we're talking about a different issue here. MultiWAN does break consumers which do not support reconnecting from a different source IP. But the issue is the same with IPV6, if the prefix changes, the client has to reconnect anyway.
Also, I'm personally not aware of any reliable way of invalidating IPV6 prefixes except waiting for the timeout. (And if it's republishing a RA, devices don't have to listen to it, and the packet might even be lost with an unreliable wifi for example). If I'm wrong here, I'd love to know about it.
See also "Reaction of IPv6 Stateless Address Autoconfiguration (SLAAC) to Flash-Renumbering Events":
In scenarios where network configuration information related to IPv6
prefixes becomes invalid without any explicit and reliable signaling
of that condition (such as when a Customer Edge router crashes and
reboots without knowledge of the previously employed prefixes), hosts
on the local network may continue using stale prefixes for an
unacceptably long time (on the order of several days), thus resulting
in connectivity problems. This document describes this issue and
discusses operational workarounds that may help to improve network
robustness. Additionally, it highlights areas where further work may
be needed.
> Which means that anybody on the internet gets to know your mac address.
Pretty sure all reasonable devices utilise privacy extensions.
> ISPs got it wrong ! I'm in Germany, tried 3 different providers, they all assign to my router a /64 subnet instead of /60 or /56 (as recommended by ARIN).
If it's wrong is subjective. If it's not a goal to upsell a business connection there might be technical limitations.
> No support for multi-homing. Example: You have two connections, a slow reliable one, and a fast unreliable one. With IPv4 you can easily setup multiwan in any proper L3 router.
Bit of a niche use-case and still very doable with NAT66.
> Captive portals: SLAAC does not directly support assigning DNS servers.
I haven't seen a captive portal that wasn't able to intercept DNS or that couldn't MITM all connections to display that page. It's a non-issue.
> So it's very easy for malicious devices to flood routing tables of switches by telling them that they own all IPv6 for the whole /64
IPv4 devices can conduct ARP spoofing, no biggie. If it's "very easy" to do either it's just poor switch software.
A lot of devices (android/windows) simply don't support DHCPv6.
And SLAAC's RA delegates the responsibility of the IP to the device itself, so doing something like DHCP snooping is simply not possible because the RA packet doesn't tell the switch which IP belongs to which device.
SLAAC-snooping protects against ARP poisonning, not against ARP table overflow.
If it doesn't protect against ARP table overflow then that is again a missing feature in that software. Just like it's not IPv4's fault if there are no protections against someone sending a thousand DHCP requests and depleting the pool or filling some tables.
It's not really that there's no support. It's more that the support isn't very good.
In theory, you send router advertisements, with priorities for all your routes, and when a connection drops, you stop sending that route's advertisements or start sending announcements showing that prefix is now didabled. And all the clients would do useful things with it.
But of course, they don't. They'll use an address from Prefix A and send it through router B. Or prefer the first announcement they see rather than the most preferred route. And that's assuming you can convince your CPE to set the preferrences you want.
> For IPv6, this doesn't work anymore, because the IP prefix is set by the provider, without NAT the second provider will simply refuse to forward any packet which originates from an IP which doesn't have their prefix.
Is multi-WAN without a static IPv6 assignment common? For home users, generally you get one assignment. If you do need this, then you can use IPv6 ULA internally and NPTv6 for prefix translation. You can still get mostly end-to-end connectivity because the external-internal is stateless. See "IPv6 Multihoming without Network Address Translation:
> SLAAC works by simply taking the prefix from the router and filling the rest with the mac address. Which means that anybody on the internet gets to know your mac address.
Except that this hasn't been how its worked on most OSes by default for several years; see "Temporary addresses", "Cryptographically generated addresses", and "Stable privacy addresses":
> So it's very easy for malicious devices to flood routing tables of switches by telling them that they own all IPv6 for the whole /64. Makes the whole network abysmally slow, or completely down.
And the same thing can be done with in the IPv4 world by trying to overflow a switch's ARP table. I think switch manufacturers have figured that out.
> Most of these issues are solved by using NAT6 (or NPT), but the issue with it, is that it breaks some applications. Ipv6 promised to get rid of NAT
Except that NAT re-writes both the IP and port and thus you have to use state tracking for replies and port mapping with IPv4 NAT. Whereas NPTv6 is stateless:
This document describes a stateless, transport-agnostic IPv6-to-IPv6
Network Prefix Translation (NPTv6) function that provides the
address-independence benefit associated with IPv4-to-IPv4 NAT
(NAPT44) and provides a 1:1 relationship between addresses in the
"inside" and "outside" prefixes, preserving end-to-end reachability
at the network layer.
So you can send a message to a packet to a public IP:port combo and it will be mapped to an internal IP:port without much fuss since only the first /64 needs to be re-written. Of course only if your router/firewall is configured to allow new connections, which most consumer CPEs are not by default: they only allow replies to previous outgoing connections.
IMHO, most of the problems you describe haven't been a problem for years.
> Is multi-WAN without a static IPv6 assignment common?
Yes, it’s incredibly common in the small business/retail/food/shop business with fibre primary and cellular backup. These places don’t have the budget for BGP, but can afford an extra €$£20-50/month for a backup cellular circuit. They don’t need static IPs, they just need working outbound internet access. And they want failover to occur within a few seconds, not 30s or 2-3mins.
> And the same thing can be done with in the IPv4 world by trying to overflow a switch's ARP table. I think switch manufacturers have figured that out.
Not really though, because in Ipv4, a DHCP server can be authoritative, and switches can ignore IPs which are not assigned by the DHCP server. That's how it's usually figured out for Ipv4.
> Except that NAT re-writes both the IP and port and thus you have to use state tracking for replies and port mapping with IPv4 NAT. Whereas NPTv6 is stateless.
Yes, I didn't meant to state anything contrarily to that, but you still break applications which assumes that the local IP is the same than what is visible from a remote server on the internet.
For the captive portals, I stand corrected, and wasn't aware that you can now embed DNS directly in RAs, but stayed with the original implementation which delegates the DNS part to DHCP.
I probably have an outdated understanding of Ipv6, but to be fair it's quite a challenging exactly because of all the amendments that you linked. These are only some of the problems I encountered personally, and as you showed, each individual problem has a different RFC to solve it. You never know how stable they are and if they are properly implemented. And most of the time the safe default is to only work with the initial standard.
My current favorite approach to home routing is a "router in a box" setup.
- 1x VLAN capable managed switch
- 1x any Linux capable SBC with 1x gbit ehternet port
- any systemd based Linux distro (I like Arch Linux ARM for this purpose)
Pretty much all the networking aside from firewall, and wifi setup can be configured via systemd-networkd/resolved these days.
Once you have your installation and setup done, if your HW gives you trouble you can always replace it with anything else you have at hand.
It's very flexible, and you can do a lot of things a typical router GUI would never allow you. It's great if you want to explore Linux networking. HW is cheap, low-power, doesn't need to be a "router" HW with multiple ports, and if anything happens you know you can replace the broken router with pretty much anything that has an ethernet port and can run a Linux distro.
I’ve always been concerned (probably irrationally), that it seems to halve WAN bandwidth (since all traffic has to travel both in and out of the router over the same cable). Do you find this is an issue?
Yes, router on a stick. :) I don't have a gigabit internet connection, but it should not be a huge issue for your typical unidirectional download or upload even on a gigabit. Ethernet is full-duplex, so you'll be able to saturate either direction (just not at once).
> I've noticed some new routers (e.g. the Eero from our ISP) can only be controlled via an app. Does that mean they can be controlled remotely?
Probably.
On top of this a lot of routers will use TR-069 that allows for remote management of your router by your ISP. So even without a app its likely it can be controlled remotely.
For ISP-provided routers, this is a valued feature (for the ISP). It's a lot cheaper to reconfigure a customer's router remotely than it is to send an engineer out when something is not working.
I read this to find out if my Ubiquiti edge router 4 was secure or not and only saw one statement: "Ubiquiti is not recommended. More on why below." Only Ubiquiti isn't mentioned anywhere else that I can find. Kinda frustrating.
They got framed by a disgruntled employee a while back to make it look like an insider had leaked user data. I didn't see any mention of Ubiquiti on this page at all, but that may have been the reason if this guy isn't up to date on what happened. The other thing is their devices are enterprise devices and tend to require remote management capabilities, which this guy appears to always be against for home devices.
It's worth understanding the whys of the tradeoffs for these types of enterprise WAPs that are remote-management only. They're often installed in more or less public places like airport lobbies, hotel hallways, stadiums. The ability to gain physical access is trivial and you really don't want anyone who can get physical access to be able to configure the device. Even in corporate settings, you don't want an employee who can get access to a device to be able to configure it, either. So having remote-only management, protected by all of the usual account provisioning that would protect any other critical service, makes a lot of sense.
Does it make sense in the home? That depends. This guy, and probably a lot of consumers, really distrust any and all vendors, Ubiquiti included. But do you trust everyone in your home? I had a houseguest almost all of last summer. My wife's friend needed a place to stay after leaving his wife for a few months. I barely know the guy. I have Aruba WAPs, not Ubiquiti, but same idea. They can only be configured via an account-based mobile management app. This meant I could force his devices onto guest WiFi and there was no way for him to get around, even though he was in my house and could plug an ethernet cable into the WAPs if he wanted to. Do you trust all of your kids' friends or house party guests? More or less than the people who develop the mobile management app for your enterprise networking products?
Security for those who work in IT without physics/RF background is mostly just a layer on top of the fundamentals that only a select few know and can apply. Rest is mostly theatre. If you tighten these here and there, and make sure it's really tight, you are properly protected. All while the standards you must use for Wifi area like an ementaler cheese, a ridiculous shitshow, just like bluetooth and the rest of the terrible standards that are forced on you.
I’m a big fan of the Turris Omnia. The author seems to write it off because he doesn’t like the UI, not because it’s insecure which is a bit odd to me.
So you want a non-unique SSID in order not to have your address uniquely identifiable everywhere you take your phone or other device that's trying to connect to it..but not a common one such that it aids cracking the password... How is one supposed to come up with a common enough but not too common SSID?
Also, if your phone is trying to connect to your 'Bob's Hotspot' say, but you have it turned off, and someone else (er, Alice, why not) notices this and starts broadcasting 'Bob's Hotspot', does the phone send the passphrase, to Alice (who doesn't know it a priori), or is there some kind of certificate verification that it's the expected seen-before router, that fails in this case so the passphrase isn't sent?
This person seems to think that cloud-based router control is worse but I think it’s better. The router initiates the control connection and never accepts connections of any kind. This is strictly better. If someone wants to take over a cloud-managed router they have to exploit its packet-handling features, DHCP or DNS services and this is far more difficult.
I Dont know if Tomato publishes CVEs. But you could check the release notes for OpenWrt for CVEs over the last couple of years.
I would trust OpenWrt more, especially their continued support for old devices, one accesspoint of mine is 11 years old, supported in the 2022 release and still going strong (128MB RAM, 32MB flash)
FreshTomato I think uses old kernel versions (2.6.xx) where security fixes are not backported. OpenWRT uses modern kernels (5.10) and mainline or external open source drivers but doesn't work on Broadcom devices.
I don’t see the point of disabling WPS,as every implementation I’ve seen requires pressing a hardware button on the router to switch it on for a minute.
I have only one device that requires WPS (a wifi-only printer), but there is no other way to get it onto a wifi network.
This freaking site. I bought the pepwave surf soho because they recommended it. It has been such a PITA. I ended up setting it to reboot nightly so it would stop disconnecting us all the time. That helped a bit, it still needs manual reboots sometimes.
Also articles on the page fail to show any practical implications and what does happen instead on what can happen. Don't get me wrong having your router used for DDoS and C2 is not great but it has 0 practical implications for you. The summaries on the page also omit that most of the nasty sounding issues are directly mitigated by using HTTPS.
Delivering malware will have an affect but none of these articles actually mention such cases (other than it can be done) and how prevalent this is compared to other malware delivery methods. I'd say it is safe to assume it isn't.
Also notice most of the recommendations have nothing to do with the these threats. That can be summed up to update your router and change password.