(broadband routers) PC World: Flash Attack Could Take Over Your Router

Sean Donelan sean at donelan.com
Thu Jan 17 17:01:58 UTC 2008


On Wed, 16 Jan 2008, Gadi Evron wrote:
> Props to Jeff Chan who I saw it from.
>
> Yes, I still believe these ISP distributed machines called broadband routers 
> are a network operators issue. But not all may agree on that.

I doubt many ISP security or customer care folks are fans of UPnP.

The distribution channel (consumer electronics retail store, discount
mail order company, etc)  is less important than working with the CPE 
vendors.  I worked with a few CPE vendors for several years since 2003 to
improve some things.  You may be able to figure out which CPE vendors, 
because they have UPnP off by default (or don't have UPnP), and other 
nice things such as automatic security patch loading. CPE owners take even 
less care of the CPE than even PCs.

But even though a few other large ISPs copied some of my requirements for 
their RFPs, a lot of CPE is distributed through many channels.  I'm a bit 
suspicious of some security researcher's statistics about UPnP gateway
configurations in different markets.

If you just want to rant at network operators go ahead.  But it will
probably be more productive working with CPE vendors and ISPs on a few 
constructive things.

What specifications can consumer electronics stores and ISPs include in 
the RFPs to consumer CPE vendors? What can consumer CPE vendors include
at the price-points for the market for consumer CPE? Is the Carterphone
era over, and consumers just can't handle managing CPE anymore?



More information about the NANOG mailing list