This is the legacy 380.xx branch - this branch is no longer actively developed.

All development has now been moved to the NG (New Generation) code branch:

I have disabled the issue tracker because apparently people can't read. The tracker was 90% noise and 10% genuine bug reports, and I grew tired of cleaning it up.

About

Asuswrt-Merlin is an enhanced version of Asuswrt, the firmware used by Asus's modern routers. The goal of this project is to fix issues and bring some minor functionality adjustments to the While some features do get added, this is not the main focus of this project. It is not meant to replace existing projects such as Tomato or DD-WRT, but rather to offer an alternative for people who prefer the original firmware featureset.

If you’re interested in cybersecurity you’ve probably read any number of reports in recent years about the often tenuous state of security in consumer devices.

From insecure doorbells to webcams, and from light bulbs to home routers, we’ve written our own share of horror stories in recent years.

That’s disappointing, but hardly surprising.

Computing gear of this sort – a market segment often referred to as the Internet of Things (IoT), because the devices are typically tiny and don’t look or feel like traditional computers – is generally simple to use, and thanks to a highly competitive market is usually built down to a price, which is good news for consumers…

…but it doesn’t leave a whole lot of time or money for vendors to expend on security.

IoT devices also typically have limited memory, disk and processing capacity, for reasons of size and weight as much as price, so their software is often stripped down to fit.

That can work out well, because the more features you leave out, the fewer places there are for bugs to lurk, but it can also end badly because what gets omitted often includes security checks that might otherwise have been included, or implemented more thoroughly.

Nevertheless, some vendors of low-cost devices are responsive to bug reports and publish security fixes promptly, which leads to another problem with the IoT ecosystem, namely that many consumers take a “set and forget” attitude to these devices.

So even if your home router gets updated regularly with security improvements, when was the last time you went and checked if your device actually has the latest firmware version installed?

Well, if you have an ASUS RT-AC1900P home router – a high-end, high-bandwidth home device – then we recommend that you do an update check now.

Researchers at Trustwave found security holes in this router’s firmware late in 2019, which ASUS duly patched, and those researchers have now gone public with a security advisory that details their findings.

Ironically, the bugs related to the router’s firmware update process, so the update actually patches the update system itself.

Trustwave found two vulnerabilities, dubbed CVE-2020-15498 and CVE-2020-15499, that could have allowed crooks to pull off a double-barrelled attack:

A bogus firmware update wouldn’t have had any digital signature checking during download. In theory, crooks could advertise a fake update, or subvert a genuine one, and go undetected.

Firmware updates could include release notes with JavaScript that your browser would run without warning. In theory, crooks wouldn’t even need a full-blown fake firmware download in order to launch an attack. A fake firmware update notice with booby-trapped JavaScript would be enough.

The first bug seems to have been a simple oversight – perhaps code added for testing that was never removed, or an insecure option left over from years ago that was never revisited and reviewed.

Simply put, the router – which runs Linux and standard Linux tools, like many IoT devices – used the well-known wget command utility to organise its downloads, and correctly used an HTTPS (secure) web link…

…but added the non-default command line option --no-check-certificate so that a download from a bogus site would not be detected.

As the wget documentation explains, this option tells the software:

Don’t check the server certificate against the available certificate authorities. Also don’t require the URL host name to match the common name presented by the certificate.

The second bug relied on what’s known as cross-site scripting.

That’s where a web server puts data that you originally provided, typically text, into a web page it sends back to you, but accidentally allows the text to include JavaScript commands.

In other words, by putting booby-trapped JavaScript in your release notes, you could provoke the server to include your script in a page that was served up under one of its own URLs.

Injecting JavaScript into a page that’s served up by someone else is basically as good as hacking their server and uploading your own JavaScript to it.
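An added example, not code from the article, ASUS or Trustwave: a shell check that can be run over an unpacked firmware image or a build tree to find download commands like the wget call described above. It goes slightly beyond the article by also flagging curl's equivalent flags (-k, --insecure); the sample scripts, file names and host name are constructed placeholders.

```shell
#!/bin/sh
# Added example: find download commands in an unpacked firmware tree that
# turn off TLS certificate verification.

# audit_tls_flags DIR -> prints "file:line:command" for each finding,
# returns 1 if anything was found and 0 if the tree is clean.
audit_tls_flags() {
    # wget --no-check-certificate, curl --insecure, or curl short flags with k
    pat='wget[[:space:]].*--no-check-certificate'
    pat="$pat|curl([[:space:]].*)?[[:space:]](--insecure|-[[:alnum:]]*k)"
    # -I skips binary files; the second grep drops comment-only lines
    hits=$(grep -rnIE -- "$pat" "$1" 2>/dev/null |
           grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample tree; host name and file names are placeholders.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    cat > "$t/fw_check.sh" <<'EOF'
#!/bin/sh
# wget --no-check-certificate is what this script must not do
wget -q --no-check-certificate https://updates.example.invalid/manifest.txt -O /tmp/m.txt
EOF
    cat > "$t/fw_fetch.sh" <<'EOF'
#!/bin/sh
wget -q https://updates.example.invalid/image.trx -O /tmp/image.trx
curl -sk https://updates.example.invalid/notes.html -o /tmp/notes.html
EOF
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
audit_tls_flags "$tree" || echo "certificate checks are disabled in the lines above" >&2
rm -rf "$tree"
```

A clean result only shows that transport checks are left on; it says nothing about whether the downloaded image itself is signature-checked, which is the other half of the first bug.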