cancel
Showing results for 
Search instead for 
Did you mean: 

Plusnet Hub One; A few thoughts on Router security [12 December 2017].

Anonymous
Not applicable

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].

I am looking in to the viability of buying myself a FireBrick 2700 (Fully Loaded) but I can recommend without hesitation a DrayTek, of which there are many variations available.

It sounds to me that you really have had the sleeves rolled up on this one so it may be advantageous for your argument to make available (privately) to Plusnet the full results of your penetration testing, as I assume you’ve been using Metasploit or RouterSploit to prove your assumptions.

You may also want to write an exploit (in Python) for the device where your are given root. You could then forward this to Plusnet / BT as indisputable evidence of the devices insecurity and may well have a beneficial effect in future hardware releases or even firmware upgrades.

Convin_Illusion
Dabbler
Posts: 14
Thanks: 1
Registered: ‎11-12-2017

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].


@Anonymous wrote:


It sounds to me that you really have had the sleeves rolled up on this one so it may be advantageous for your argument to make available (privately) to Plusnet the full results of your penetration testing, as I assume you’ve been using Metasploit or RouterSploit to prove your assumptions.

You may also want to write an exploit (in Python) for the device where your are given root. You could then forward this to Plusnet / BT as indisputable evidence of the devices insecurity and may well have a beneficial effect in future hardware releases or even firmware upgrades.


 

I don't think you've quite grasped how basic these flaws are. You don't need to do a penetration test to prove that you can man-in-the-middle an unsecured http connection [for example].

As I said right up top, I am not a computer security expert. This is BASIC stuff.
This is like saying I'm not an expert in nutrition but I know that chowing down 14 hamburgers and 15 cokes a day is bad for you. You don't need to be an expert in nutrition to know that.

WPS has a list of unpatched exploits built into the protocol as long as your arm and you can read about them on freaking Wikipedia.

There will always be bugs, errors in coding that allow for exploits, and when they are found they need to be reported fixed and those fixes securely sent out to peoples devices.
But that is not what we are talking about here.

By analogy this is like talking about home security and you are asking me to submit my new method for picking the lock.
I'm telling you that the house has no door in the frame and there are giant holes in the wall.

We haven't got to picking the locks yet the problems are more fundamental and more basic than that.

It's common for criminals to seek out private information so that they can do spear phishing attacks, where they specifically target individuals and pretend to be somebody they're not [like say an ISP] and get those people to hand over their bank details [or whatever].

Doing this it helps to have as much 'secret' information as possible so that you can plausibly pretend to be whoever you are impersonating [like say an ISP]. The information on the unencrypted landing page for the router prior to login is not only useful for launching further attacks on the router and home network. But it includes information that can be used for future spear phishing attacks on the user [most notably the broadband username... which will also give you a good idea as to plusnet email addresses...]

I don't need to do pen testing to be able to point this out to Plusnet and say "hey, maybe you don't want to have this information visible on your landing page before you log in!" ...
I mean do I actually have to launch a spear phishing attack* to prove that this is viable or can we all just use experience and say, "oh yeah that's totally information that would be useful to criminals, we should do a better job protecting that."?

If this router were handed to any competent pen-tester they would undoubtedly find countless bugs/out of date software/etc. And any good dev team for this kind of product should employ red team/blue team testing to do just that. [as well as a bug bounty program].
But we're currently at the first stage of "hey, have you guys heard of this thing called encryption?".

 

Let’s try putting a door in the frame before we start working on what kind of lock it has.

 

*To be clear, I'm not going to do this.

 

If seeing is beleiving... Then what happens when what you're seing is an Illusion?
Anonymous
Not applicable

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].

Oh I can assure you @Convin_Illusion I know full well what you mean. But I assume your findings are based on the LAN side view, but does what you say still affect or apply to the WAN side view where the bad guys are? Hence my suggestion regarding proof.

It doesn’t matter how secure your router is if all it takes in someone rogue on the LAN side to bypass it. Granted HTTP doesn’t help the case but that can be negated by the installation of a key logger on the client PC, then it doesn’t matter what protocol the router is or isn’t running.

To me the biggest risk is on the WAN side as that is where the bad guys come knocking. If what you say applies to the WAN view of the router then I agree with you 100% something needs to be done about it. But as the discussion above implies I doubt this will happen due to costs regardless of what common sense argument you put forward.

ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].


@Convin_Illusion wrote:

There are hundreds of thousands of compromised routers in this country [millions around the world] right now who's owners have not the slightest clue.


The vast majority of these will be due to having remotely accessible admin interfaces with default login credentials, a fantastically encrypted ssh connection with a login of admin and a password of 1234 is no better than an unencrypted telnet connection in this regard.

A lot of the things you've suggested seem to be having a load of extra security without much thought for what you're actually trying to secure it against or if there's really any point in it. There will be plenty of other ways for a device within your LAN to obtain the IP and MAC addresses of other devices in the LAN.

It's a bit like having no number/name on your front door because you don't want your front door broadcasting your street address to anyone outside, for security reasons.

VileReynard
Hero
Posts: 12,616
Thanks: 579
Fixes: 20
Registered: ‎01-09-2007

Re: Plusnet Hub One; A few thoughts on Router security [12 December 2017].

Doesn't help sending email passwords in clear to web mail software.

I'm willing to bet that no Plusnet router has ever used secure DNS lookups...

"In The Beginning Was The Word, And The Word Was Aardvark."