I’ve talked about default passwords before. The basic idea is that manufacturers want to make their products easy for purchasers to configure. To that end, they use a standard password on all products they make or all products in a product line. All routers in the Foozle line, for instance, may have the password Foozleconfig. This makes sense from a business standpoint, as all the routers can then be configured identically at the factory. It is terrible from a security standpoint, as it means that if the user neglects to change the password, it remains at the default and leaves the device vulnerable to attack. To be fair, most manufacturers today only allow logging into routers from inside the network, and many require or at least suggest a password change on the router’s first configuration.
But there are additional issues that may be more subtle. A device may allow injection attacks. An embedded web server may send authentication information insecurely between pages. These vulnerabilities may be repairable with a firmware update, or they may not.
It is unlikely that purchasers of a product will be aware of insecurities in the products they buy. Since there is no standard recall scheme as there is with cars, for example, they may never be made aware of issues with a product. Many vendors are responsible and notify registered users of a product, but that requires one to actually fill out the product registration. And if the product is “beyond its support lifetime,” manufacturers may not notify even registered users.
I Googled “Netgear router security.” I found a link to an article about a serious security vulnerability in some of the vendor’s routers. The vulnerability dealt with the router’s web server SOAP API. Attackers could use specially crafted messages to expose the device’s administrator password. Netgear released a description of the issue and a subsequent patch. Other websites have posted exploit code, but I’m not going to include the links.
In the case of this particular bug, the user had to make two configuration changes the manufacturer does not recommend: allow remote configuration and turn off authentication. In fact, the default configuration is to disallow remote configuration and to require authentication.
Netgear did it right: they had a proper default configuration, they told users how to protect themselves from the bug, and they patched the firmware. I commend them for that. (And, yes, I use Netgear routers in addition to others.)
Here are three recommendations for helping keep off-the-shelf devices secure:
I do all of these myself, by the way. The key point is to be proactive: you cannot count on automatic solutions or notifications.
To your safe computing,