(broadband routers) PC World: Flash Attack Could Take Over Your Router

Gadi Evron ge at linuxbox.org
Fri Jan 18 01:32:27 UTC 2008


On Thu, 17 Jan 2008, Sean Donelan wrote:
> On Wed, 16 Jan 2008, Gadi Evron wrote:
>> Yes, I still believe these ISP distributed machines called broadband 
>> routers are a network operators issue. But not all may agree on that.
>
> What specifications can consumer electronics stores and ISPs include in the 
> RFPs to consumer CPE vendors? What can consumer CPE vendors include
> at the price-points for the market for consumer CPE? Is the Carterphone
> era over, and consumers just can't handle managing CPE anymore?
>

Thanks for putting the discussion in focus, Sean. These are splendidly 
good questions! And cosumers may be able to handle CPE, but not most of 
the ones on broadband providers. "Anymore" ?

The questions you raise are very good, and I don't intend to attack their 
validity. My purpose here is to say that: yes, vendors should do better 
and it is good to form relationships with them, but currently there are 
millions of customers who consider these "modems" plug and play, 
regardless of technology.

The recursive DNS servers, linux machine, default passwords and whatever 
else may be on that CPE device is outside their realm of care. I'd be 
happy if Windows Update is turned on for even some of them, which is in 
their realm of care.

These devices are on the client end, and are not under client care. I 
believe this needs to be re-emphasized. I do not believe spreading gospel 
on how to secure them to end users is what we need, but rather the other 
part you mentioned, which is working with vendors.

Working with vendors aside (as you mentioned, can be frustrating) network 
operators need to realize these are in fact their problem, as the vendors 
are not quite up to scratch yet, are they?

These devices are:

1. Botnets waiting to happen.
2. Sniffers waiting to infringe on user privacy.
3. Recursive DNS servers waiting to be abused.

I believe the main points of interest are #1 and #3. I've worked with a 
few ISPs on this in the past couple of years, but it is obvious the issue 
remains un-noticed for most.

Flash and UPnP I am honestly not that interested in.

 	Gadi.



More information about the NANOG mailing list