cancel
Showing results for 
Search instead for 
Did you mean: 

Plusnet Hub One; A few thoughts on Router security [12 December 2017].

Convin_Illusion
Dabbler
Posts: 14
Thanks: 1
Registered: ‎11-12-2017

Plusnet Hub One; A few thoughts on Router security [12 December 2017].

Plusnet Hub One; A few thoughts on Router security [12 December 2017].

I do not claim originality or expertise in this field, I am not a security expert by any definition.
I am however a security and privacy evangelist, I believe that security and privacy are important and do not get the attention and respect they deserve. I especially believe that big companies should provide much higher standards of basic security and privacy by default than they currently do and are currently required to do by regulation.
We are rapidly approaching the point at which there will be some disaster [or string thereof] caused by insecure internet devices that will cause kneejerk regulation that tightens security regulations. Such regulation will almost inevitably be bad, as kneejerk regulation always is.
It would be far better to improve security and privacy and protect ourselves now when we can think calmly and clearly BEFORE the disaster/s strike, and the lawsuits come. I would say that hoping that the disaster botnet that finally causes change be on someone else’s network is not a gamble worth taking.

To that end, here is a basic feature checklist, with an explanation for why the features are valuable for security and privacy, for a home router that the Plusnet Hub One and its ilk should be expected to live up to.

This is based upon the work of defensive computing expert Michael Horowitz who runs the site routersecurity.org and to who’s work/site I credit for much of what follows.

https://www.routersecurity.org/

While he advises never buying/using consumer grade or ISP provided routers, I firmly believe that just because such devices ARE bad does not mean that they SHOULD be bad or that this is a situation that should be accepted or can never be changed. Particularly as the overwhelming majority of users will never hear, let alone heed, his advice. [or be able to afford the multi-hundred pound routers currently required to follow it]

By pushing for Plusnet/BT to follow/implement the features/steps outlined below, we could all benefit from having routers and home networks that are more reasonably secured. And don’t just claim to be because they are compliant with hopelessly inadequate and out-of-date regulation.

Plusnet Hub One:
Local Admin. [All this applies to remote admin as well but more so]
The first and most basic step in securing all device to device communications and preventing man-in-the-middle attacks [ Computerphile – Secure Web Browsing https://www.youtube.com/watch?v=E_wX40fQwEA For a brief introduction to some of the reasons you want to use TLS/https as opposed to http] is to use a properly certificated encrypted connection.
In this case represented by an HTTPS web interface using TLS 1.2 minimum with a properly pinned and signed certificate.
What you actually get if you try to log into your Hub One is an unencrypted HTTP webpage that sends everything in plaintext. So...

Step one; Securing the router by making ALL connections to the Router go over properly encrypted connections. [and yes that will include checks for updates, update downloads, any remote access, and connections on internal networks even over Ethernet. Basically EVERYTHING the router sends to ANYONE ANYWHERE should be REQUIRED to be encrypted before it can be claimed the router is at all secure. That also means using the latest encryption standards and not being able to fall back to insecure out-of-date standards]

Step two; in the case of the Hub One incredibly, the local admin web portal provides privileged information that should only be available to an authorized administrator right there on the landing screen before it even asks for your username and password. Information like the firmware version & time of last update [useful for any hacker that wants to target a particular firmware version with known vulnerabilities]. Your Broadband username! Status of Plusnet Access Control and Internet services... And a complete map of the current network including all connected devices, the device names, MAC address, and IP address. Information which can be used to launch further targeted attacks on your network and is made available on an unencrypted landing page before any logon is required. All that information is useful and should be made available; it should just be hidden behind a secure login and an encrypted connection. The landing page for a routers admin website should contain nothing other than the login to the router and no other information until login has been completed successfully.

Step three; Having got your encrypted login, you should have a button that lets you end the session and log out, [And has big advisories reminding you to do so] you shouldn’t rely on having to wait for the session to time out as this leaves a vulnerable window when a third party can use your session cookie [that they intercepted over your unencrypted connection] to pretend to be you and continue the as yet untimed-out session and not even need your password... although at present they can also steal that over the unencrypted connection, however the beauty of using a valid users session and tacking your malicious actions on at the end using the same session is that the logs will not show any extra unaccounted for logins making detection of malicious activity that much harder. Also an option to change/see timeout period would be beneficial here.

Step four; Only one person should be able to log into the router at a time, the Hub One currently allows multiple simultaneous logins. This isn’t just bad from a security standpoint but can cause issues if multiple people try changing settings at the same time.

Step five; Access to Local Admin should have an option to be able to be disabled on the WiFi and be made Ethernet only. This means that in the event that someone bad gets on your wireless network they still can’t get into your router.

Step six; Minimum PW length should be 15 chars, not 5 or 8.  Any PW that short can be trivially broken. A Max length of 20 is just about ok, 30 would be better, 60 would be best, but 20 is ok.
Also PW Hint is a giant exercise in getting people to make memorable [i.e. easy to break] passwords and then adding in information a hacker can use to make them even easier to break.
This should be ditched entirely in favor of support for PW Managers and strongly recommending customers use PW managers [e.g. lastpass] to create and securely store and manage their passwords for all their sites including their router. Good PW managers are available for all major browsers/OS’s including mobile and improve security across the web and as an ISP Plusnet should be encouraging and supporting their use broadly.

Step seven; Ability to change the username as well as the password thus massively increasing the difficulty of breaking in as you have to guess both. [you always have the manual reset to factory defaults button if you forget, which doesn’t lose you data you just have to reconfigure settings, which you should have been prompted to backup [hint hint]]

Step eight; You can’t hack a network when it’s off. The ability to schedule the WiFi to turn off at night [or if you’re out all day during work hours] and back on in the morning [similar to your access control feature] would improve security [and power consumption] by making the network unavailable for attack while it’s not in use.
If not this, then at least the ability to easily turn the WiFi on and off [like airplane mode but for the router]. Ideally for future models with an external button. So you can just turn the network off before you go to bed/out to work and back on when you wake up/get back home.

Step nine; Remove WPS!
WPS (Wi-Fi Protected Setup) is a ‘network security’ [big air quotes] standard for wireless home networks. It includes 4 different methods for connecting devices the most troubling one being ‘the pin method’. Every device that is WPS enabled MUST according to the standard be issued with its own unique 8 digit pin that CANNOT be changed. If this 8 digit pin is used you can connect to the wireless network on this device WITHOUT knowing the wireless password.
Unfortunately it’s not actually an 8 digit PIN because the last digit is a checksum created from the first 7 digits so it’s really a 7 digit PIN. And unfortunately it’s not really a 7 digit pin because the device authenticates the first 4 digits and then authenticates the last 3 which means you only need to do a brute force attack on a 4 digit number and then a 3 digit number which gives you a max of 11,000 combinations of which you will need to try on average 5,500. Trying all 11,000 combinations @ 1/sec will take a computer ~3hours.... If you have WPS enabled your WiFi can be broken into in a couple of hours and it doesn’t matter what your PW is. The pin is hardcoded so you can never change it. And this isn’t even the only vulnerability in WPS, it’s riddled with them.
If you haven’t already, turn off WPS on your router. And Plusnet/BT .... Don’t put it on any more routers ever please. Thank you.

Step ten; After making sure that all communications are encrypted; That the router verifies this when it does things like check for updates and it verifies that it’s checking for updates from the right place over the right kind of signed secured connection. The router should securely validate that any firmware updates it receives are actually genuine signed updates from plusnet/BT and have not been corrupted/provided by anyone else. This is hard, companies like Apple and Microsoft work hard to make things like this work for their operating systems and it was this system for an iPhone that the FBI wanted Apple to compromise to create a backdoor into a [dead] terrorists phone a while back. Because it’s hard to do, and this router is 'free' and fails so many security basics, I’m pretty confident that the Plusnet Hub One does not currently receive securely validated signed updates over a TLS encrypted connection that it checks to make sure are actually genuine. I will fall off my chair if it turns out this is in fact the case. Never-the-less it should be the case. The popular tool CCleaner was recently compromised by a malicious third party [probably nation state] compromising it’s update system and pushing out a malicious update to a large portion of its user base. And that was just one of many recent examples of such attacks. So ‘the bad guys’ are definitively targeting update mechanisms this is not a theoretical threat.

Step eleven; read the router security checklist at the following site and really think about the security features it suggests and those ones that you could actually provide. There are many more than I have suggested here. Including many marked as essential.
https://www.routersecurity.org/checklist.php

To claim that you care about security and privacy of your users, and genuinely mean it, you need to do a better job than you are currently doing. I hope that you are genuine in your desire to do better and that this feedback can point you in the right direction to do so. I also hope that it might start to raise awareness about the importance of router security and how lacking it currently is.
The amount of material I did not include in this post to prevent it becoming too long J is far greater than that actually included, just to give a hint at the scale of the problem.

Convincing Illusion

 

EDIT: For all the mistakes my proofreading didn't pickup the firstime... sigh.

If seeing is beleiving... Then what happens when what you're seing is an Illusion?
19 REPLIES 19
jab1
Legend
Posts: 19,257
Thanks: 6,325
Fixes: 290
Registered: ‎24-02-2012

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].

Having read through your long post @Convin_Illusion, I have one question - are there any consumer grade routers that have the features you say are needed?

I accept that the Hub One is not the nicest of equipment from the point of view of anyone who wishes for more control/information, but that is a separate discussion, and easily remedied by obtaining your own router.

John
Anonymous
Not applicable

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].

I use a DrayTek router that covers 95% of the above as it allows for the WPS support to be disabled, schedule the availability of the LAN and Wireless access. Configure it to restrict access to its UI from an Internal LAN and if needed a specific IP Address as well. Along with user configurable sessions durations and timeouts, and password lengths.

The only thing I’m not sure about (the other 5%) is if the endpoint for auto detected firmware updates is SSL enabled and if the firmware updates are verified when applied. But what I do know is that if these updates are downloaded directly from draytek the come from an SSL enabled site.

Having said all that I suspect its a case of “you get what you pay for” as when I bought this router I was lucky to get change out of 300!

ITWorks
Superuser
Superuser
Posts: 2,117
Thanks: 739
Fixes: 9
Registered: ‎05-11-2008

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].

Whilst having they very best security is always desirable, I doubt the mass market ISPs can provide these features, at the current price point of bundled phone and broadband.

 

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

jab1
Legend
Posts: 19,257
Thanks: 6,325
Fixes: 290
Registered: ‎24-02-2012

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].

@Anonymous I can understand why you have a router like that, but for the usual consumer - would they pay £300 +? and would they really need to worry?

I've been on the web from dial-up days and apart from 3 years when I used a Netgear DGG834, I've always used ISP supplied modem/routers. Must admit though, if the two TG582n's I have both fail while with PN, or I change providers, I will be sourcing my own router - provided ones these days are too locked-down for my taste.

John
Anonymous
Not applicable

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].

I very much doubt it @jab1, the vast majority of users don’t care they simply want to get online to login to faceache, twatter and watch cat videos on uchoob. And it is this lack of interest / caring that the bad guys are taking advantage of. As I said above and as re-iterated by @ITWorks, you get what you pay for.

I too have been on the internet for more years than I care to mention and thankfully never fallen victim, but who knows what is around the corner with regards to exploits.

jab1
Legend
Posts: 19,257
Thanks: 6,325
Fixes: 290
Registered: ‎24-02-2012

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].

Fortunately @Anonymous I don't fall into the faceache/twatter/uchoob (love the re-naming) camp, although I do have FB and Tw accounts, used very rarely, to access information not easily available elsewhere. Ditto YouTube for informative videos I need.

John
rongtw
Seasoned Hero
Posts: 6,973
Thanks: 1,540
Fixes: 12
Registered: ‎01-12-2010

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].

online to login to faceache, twatter and watch cat videos on uchoobFunny  nice @Anonymous

Whilst i agree that the Pink footed PN router is gatering dust in the bottom of a drawer , it just a poor basic free one thats why i went and bought my own Asus which is more reliable for what my needs are

Asus ROG Hero Vii Z97 , Intel i5 4690k ,ROG Asus Strix 1070,
samsung 850evo 250gig , WD black 2 TB . Asus Phoebus sound ,
16 gig Avexir ram 2400 , water cooling Corsair H100i gtx ,
Corsair 750HXI Psu , Phanteks Enthoo pro case .
Anonymous
Not applicable

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].

Don't get me wrong I use uchoob as well, because as you say there is a lot of informative content on it but equally or more so there is even more drivel.

Convin_Illusion
Dabbler
Posts: 14
Thanks: 1
Registered: ‎11-12-2017

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].


@ITWorks wrote:

Whilst having they very best security is always desirable, I doubt the mass market ISPs can provide these features, at the current price point of bundled phone and broadband.

 


That is entirely possible. Security costs money... However having the vast majority of the users of the internet using bad insecure routers is bad for the security of EVERYONE on the internet. Those routers get taken over and used in botnets that get used to attack critical infrastructure used by everyone else. At some point someone is going to decide that the ISP's and other IoT manufacturers are liable for the damage caused by insecure devices, and company ending lawsuits will follow.

 

Additionally the number of people who can afford to [and are willing] to pay £200+ upfront for a decent router is always going to be very small, particularly when from their perspective the only selling point is the security that they don't really get or understand/care about.

 

However, people get very expensive mobile devices all the time [say iPhones as an example] that they do not pay for up front because those costs are covered by the mobile provider on the condition you stay on a long enough contract.
There is no reason the same cannot apply to routers and internet contracts. Particularly as the 'cost' is not better hardware it's better software [firmware] that runs on it. So the cost is hiring a bunch of decent programmers and paying their wages. While not insignificant it's pretty trivial divvied up amongst tens/hundreds of thousands of subscribers.
Which is how iPhones can have rock hard security features and still be affordable on a contract.

That is the only model on which the general public actually gets decently secure routers at an affordable price.

And it starts with ISP's caring about router security, and that starts with their customers actually giving a damn about it and complaining that the routers they are provided with are utterly terrible useless pieces of junk that deserve to be reprogrammed with a sledgehammer. [Or it starts with some epic securty disaster that motivates the government to give a damn and legislate tough new security guidlines for IoT that leaves the ISP's suddenly scrambling to implement tough secuirty quickly on the fly... or have their asses sued out of existence]

 

Sure, I could do whatever other 'savvy' tech person doe and silently upgrade my personal router to a high quality business grade router with decent security features that is actually kept up-to-date and leave everyone else on the network who doesn't know to rot. I've done it before.
But just as you shouldn't have to be a food hygiene expert to be able to go grocery shopping and not get salmonella, because all the food in the stores is [required to be] safe by default. You shouldn't have to be a tech expert to buy a safe router, they should all be safe and secure by default. And then people could buy them on the features they cared about, speed, price, features.

 

If seeing is beleiving... Then what happens when what you're seing is an Illusion?
Anonymous
Not applicable

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].

I don’t know about you guys, but I have quite a collection of routers here. All of which have been bought due to a progression of need. Like @jab1 says ISP stock routers are to limited, so you buy a third party one. Later as your network expands and you realise what can be done, you have to get a new one to support your ideas and needs, so you buy yet another one and so the cycle goes on.

Convin_Illusion
Dabbler
Posts: 14
Thanks: 1
Registered: ‎11-12-2017

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].


@rongtw wrote:

online to login to faceache, twatter and watch cat videos on uchoobFunny  nice @Anonymous

Whilst i agree that the Pink footed PN router is gatering dust in the bottom of a drawer , it just a poor basic free one thats why i went and bought my own Asus which is more reliable for what my needs are


And yet is still almost certainly epically insecure.
Asus do not do well from a security/privacy standpoint with their routers.

 

And for those saying "I’ve never had a problem".... how would you know?
The overwhelming majority of those who have their router compromised and turned into part of a botnet never know about it.
It can be sitting there silently stealing data and launching DDOS attacks and you never know.
Or maybe you just think it's gotten old and slow because your internets have gotten a bit slow and buggy and maybe you have some dropouts or other weird stuff happen so you get your router replaced never knowing that your router wasn't 'buggy', it was owned...

There are hundreds of thousands of compromised routers in this country [millions around the world] right now who's owners have not the slightest clue.

How do any of you know you are not one of them? [and have never been one of them]

You can have your personal details stolen but then not used for years afterwards because identity thieves have so many people’s data that yours can sit around for years before one of them actually gets around to using it. At which point how would you ever tell it was from a router that you've now thrown away that the breach came?

ISP routers should be required to be made more secure, consumer grade routers generally should also be required to be made more secure, and that won’t happen if the people who understand the issues just silently upgrade their gear and never complain about the stuff that everyone else has to live with. Or just arrogantly mock everyone else for not being smart or knowledgeable enough to have upgraded like they did.

 

If seeing is beleiving... Then what happens when what you're seing is an Illusion?
jab1
Legend
Posts: 19,257
Thanks: 6,325
Fixes: 290
Registered: ‎24-02-2012

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].

@Anonymous - I'm Cry - I only have my TinyWorld dangly thing, the one supplied by Tiscali, and four modem/routers (the Netgear, a Sumvision I could never get to work, and the two 582n's)

John
Anonymous
Not applicable

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].

Might one enquire @Convin_Illusion as to what router you use yourself?

As for the iPhone analogy I understand what you are saying as regards the funding model, but the majority of people don’t buy iPhone because they’re secure they buy them as a statement, vanity or fashion piece. Those that do buy it for its inherent security are akin to, and likely to be the same users that upgrade their routers!

Convin_Illusion
Dabbler
Posts: 14
Thanks: 1
Registered: ‎11-12-2017

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].

 

I am currently shopping around because my old good router died, so currently for a brief period I am actually using the Hub One. I will be changing that and switching to a business grade replacement. It's partly the shock of seeing HOW BAD this damn thing was that prompted me to get on the forums and kick this thing off [and lodge a complaint more formally].

I agree the vast majority of users probably don't buy iPhones or anything else FOR the security. Which is why a market model for security is doomed to failure and in the end regulation is probably going to be required.
But at least SOME action might be achieved in getting ISP's and in this case specifically BT/Plusnet to implement BASIC security by shaming them with how EPICLY bad their devices security is and by making people aware of that.

Having the device communicate entirely by https/TLS1.2 for example is an utter no-brainer first step for ANYTHING that has the remotest pretentions to being 'secure'. The fact that anyone can have the gall to claim that their product is secure when it uses http in this day and age beggars belief. And fixing that should not cause the router to suddenly cost the moon.
The bulk of the security fixes I enumerated should be as standard on your basic cheap router, they are not expensive features.
The stuff that will tend to make a high end expensive business router more expensive didn't make the list.

For example, IF BT/Plusnet were to provide an itemised list of all the different pieces of software that went into the firmware currently on the latest edition of the Hub One, I would bet you a years salary that many of those pieces of software will be multiple years old and out-of-date. A router uses lots of core third party bits of code that make all the protocols and systems work. They get regularly updated to fix bugs/add new features etcetera. On most consumer grade routers the Firmware you get shipped is built with versions that are years old and tens of iterations behind the current version.
Keeping up with all those bits of software and keeping your firmware fully patched and up-to-date requires far more resources than consumer router manufacturers typically have. So they don't.

THAT is the part that costs the most money, almost all the 'features' are otherwise on-off costs of development that are pretty trivial. It's the ongoing continuous maintenance and upgrades that costs the big money... Particularly if you have to earn it all as part of a single up-front payment for the hardware [which is itself dirt cheap] which you then have to support indefinitely into the future.

ISP's actually have an advantage here, because unlike typical consumer router manufacturers they have subscribers that pay them money every month. Given that the actual cost of the hardware is a pittance and what you actually pay for is the cost of having a team of programmers/designers who build/maintain the software/firmware it would be much easier for an ISP to bring router development fully in-house and provide the dirt-cheap hardware for 'free/cheap' as part of their internet package and then cover the continuing firmware development cost through the internet subscription. The last figure I could spot with a quick look put plusnet at ~750k subs. @ [say] £2 per month that’s  £18m pa. Given that Plusnet work with BT on their routers and share resources on that front... You are talking more than enough to have a serious dev team for an acceptable per-month-sum per-customer.

Moderator's note by Mike (Mav): Full quote of preceding post removed as per Forum rules.

If seeing is beleiving... Then what happens when what you're seing is an Illusion?