(broadband routers) PC World: Flash Attack Could Take Over Your Router
Sean Donelan
sean at donelan.com
Thu Jan 17 17:01:58 UTC 2008
On Wed, 16 Jan 2008, Gadi Evron wrote:
> Props to Jeff Chan who I saw it from.
>
> Yes, I still believe these ISP distributed machines called broadband routers
> are a network operators issue. But not all may agree on that.
I doubt many ISP security or customer care folks are fans of UPnP.
The distribution channel (consumer electronics retail store, discount
mail order company, etc) is less important than working with the CPE
vendors. I worked with a few CPE vendors for several years since 2003 to
improve some things. You may be able to figure out which CPE vendors,
because they have UPnP off by default (or don't have UPnP), and other
nice things such as automatic security patch loading. CPE owners take even
less care of the CPE than even PCs.
But even though a few other large ISPs copied some of my requirements for
their RFPs, a lot of CPE is distributed through many channels. I'm a bit
suspicious of some security researcher's statistics about UPnP gateway
configurations in different markets.
If you just want to rant at network operators go ahead. But it will
probably be more productive working with CPE vendors and ISPs on a few
constructive things.
What specifications can consumer electronics stores and ISPs include in
the RFPs to consumer CPE vendors? What can consumer CPE vendors include
at the price-points for the market for consumer CPE? Is the Carterphone
era over, and consumers just can't handle managing CPE anymore?
More information about the NANOG
mailing list