FTC Sues D-Link For Pretending To Give A Damn About Hardware Security

(Mis)Uses of Technology

from the cutting-edge-incompetence dept

If you’ve been paying attention, you’ve probably noticed that the so-called Internet of Things isn’t particularly secure. Hardware vendors were so excited to market a universe of new internet-connected devices, they treated things like privacy, security, and end-user control as afterthoughts. As a result, we’ve now got smart TVs, smart tea kettles, WiFi-connected barbies and all manner of other devices that are not only leaking private customer data, but are being quickly hacked, rolled into botnets, and used in historically unprecedented new, larger DDoS attacks.

This isn’t a problem exclusive to new companies breaking into the IoT space. Long-standing hardware vendors that have consistently paid lip service to security are fueling the problem. Asus, you’ll recall, was dinged by the FTC last year for marketing its routers as incredibly secure, yet shipping them with easily-guessed default username/login credentials and cloud-based functionality that was easily exploitable.

The FTC is back again, this time suing D-Link for routers and video cameras that the company claimed were “easy to secure” and delivered “advanced network security,” yet were about as secure as a kitten-guarded pillow fort. Like Asus, D-Link’s hardware also frequently ships with easily-guessed default login credentials. This frequently allows “hackers” (that term is generous since it takes just a few keystrokes) to peruse an ocean of unsecured cameras via search engines like Shodan, allowing them to spy on families and businesses in real time.

According to the FTC, D-Link’s hardware also consistently suffers from a number of other vulnerabilities the regulator says the company simply refused to seriously address, including command injection software flaws that let remote attackers take control of consumers’ routers via any IP address. D-Link is also accused of mishandling the private key used to sign into D-Link software (said key was openly available on a public website for six months), and of leaving users’ login credentials for the mobile D-Link app unsecured in clear, readable text directly on the mobile device.

Needless to say, the FTC thinks D-Link should have done a little more to keep its products, and by proxy the internet at large, more secure:

?Hackers are increasingly targeting consumer routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information,? said Jessica Rich, director of the FTC?s Bureau of Consumer Protection. ?When manufacturers tell consumers that their equipment is secure, it?s critical that they take the necessary steps to make sure that?s true.?

Unsurprisingly, D-Link didn’t think much of the FTC lawsuit, quickly posting a new FAQ and a press release implying that because the FTC didn’t cite specific products and document clear instances of harm, there’s no problem. The statement laments the FTC’s “unwarranted allegations” and “contested 2-1 decision” to hold D-Link to account:

“The FTC complaint alleges certain security hacking concerns for consumer routers and IP cameras, and we firmly believe that charges alleged in the complaint against D-Link Systems are unwarranted,” said William Brown, chief information security officer, D-Link Systems, Inc. “We will vigorously defend the security and integrity of our routers and IP cameras and are fully prepared to contest the complaint. Furthermore, we are continually working to address the overall security features of D-Link Systems’ products for their intended applications and to regularly inform consumers of the appropriate steps to take to secure devices.”

Granted you only need to spend a few moments with IoT-specific search engines to realize how common poorly-secured webcams (from D-Link and everybody else) are. And D-Link’s router hardware has been well-represented in the recent rise of DDoS attacks on companies like Dyn. So the end result of this neglect should be pretty clear, and given the agency’s recent warnings (pdf), the FTC’s crackdown (which may or may not persist under a new administration) shouldn’t be a surprise. Companies had every opportunity to prioritize privacy and security in their products, but instead chose to pay lip service to the concept.

Filed Under: ftc, iot, routers, security
Companies: d-link

Leaked NSA Zero Days Already Being Exploited By Whoever Thinks They Can Manipulate Them

(Mis)Uses of Technology

from the the-best-offense-is-not-giving-a-fuck-about-playing-defense dept

There are still people out there who think it’s a good idea for the government — whether it’s the FBI, NSA, or other agency — to hoover up exploits and hoard vulnerabilities. This activity is still being defended despite recent events, in which an NSA operative apparently left a hard drive full of exploits in a compromised computer. These exploits are now in the hands of the hacking group that took them… and, consequently, also in the hands of people who aren’t nearly as interested in keeping nations secure.

The problem is you can’t possibly keep every secret a secret forever. Edward Snowden proved that in 2013. The hacking group known as the Shadow Brokers are proving it again. The secrets are out and those who wish to use exploits the NSA never disclosed to affected developers are free to wreak havoc. Lily Hay Newman of Wired examines the aftermath of the TAO tools hacking.

Whoever they are, the Shadow Brokers say they still have more data to dump. But the preview has already unleashed some notable vulnerabilities, complete with tips for how to use them.

All of which means anyone—curious kids, petty criminals, trolls—can now start hacking like a spy. And it looks like they are.

Curious to learn if anyone was indeed trying to take advantage of the leak, Brendan Dolan-Gavitt—a security researcher at NYU—set up a honeypot. On August 18 he tossed out a digital lure that masqueraded as a system containing one of the vulnerabilities.

Dolan-Gavitt used the Cisco zero-day — one which the company is still unable to completely thwart — for his honeypot. This exploit was in the hands of the NSA for at least three years and was never disclosed to Cisco. The security researcher saw one attack in the first 24 hours. Since then, there have been a handful of attacks mounted every day.

This is the end result of someone hacking the hackers. The Shadow Brokers have turned the agency’s exploit toolkit into NSA Everywhere!™ — the NSA’s new “Inadvertent Disclosure” project. The hackers have divulged far more exploits than the NSA ever has, even with the (severely loopholed) “presumption of disclosure” mandate handed down by the Obama Administration.

The NSA — and its defenders — remain mostly unworried about this collateral damage. Presumably the nation is still secure, even if its companies and their customers aren’t. I guess that’s supposed to be good enough. Every war inflicts a toll on non-combatants, and the neverending War on Terror will be no different than the neverending War on Drugs in this respect.

But those at the top of the IC heap — and those who work closely with them, like the FBI — need to stop pretending the government can be trusted with keeping its most secret secrets secure. And officials need to stop applying pressure on lawmakers to craft encryption backdoor legislation, because this debacle should make it clear — even to true believers like FBI director James Comey — that any hole labeled “GOVERNMENT USE ONLY” isn’t going to keep bad guys out forever.

Filed Under: 0days, exploits, nsa, routers, zero days

FCC Demands TP-Link Support Open Source Third-Party Firmware On Its Routers

Surprises

from the freedom-to-tinker dept

Last year, we noted how the FCC updated its rules governing routers in the 5 GHz band over safety concerns, stating that some illegally modified router radios operating in the unlicensed bands were interfering with terminal doppler weather radar (TDWR) at airports. The rule changes prohibited tinkering with just the RF capabilities of the devices. But engineers, the EFF, hobbyists and custom-firmware developers feared that because many routers have systems-on-a-chip (SOC) where the radio isn’t fully distinguishable from other hardware — vendors would take the lazy route and block third-party firmware entirely.

That only partially happened.

While the FCC told us explicitly that locking down third-party firmware was not its intent, router manufacturers like TP-Link did indeed take the lazy route — locking down its routers to prevent third-party firmware installs, then blaming the FCC for it. Fortunately other router manufacturers like Belkin/Linksys took the opposite tack, going so far as to use the new rules as a marketing opportunity, highlighting how they’d continue to support tinkerers (at least in regards to its WRT line of routers). Companies like Asus also stated they’d continue supporting the tinkering community.

Fast forward to this week, when the FCC took some interesting steps to try and force TP-Link’s hand on the subject. The regulator announced that it had reached a $200,000 settlement with TP-Link (pdf) for marketing routers to consumers that operated outside of FCC parameters. The FCC’s full consent decree (pdf) offers a bit more detail, noting that TP-Link effectively let some router models be modified to operate outside of accepted U.S. parameters via a toggle setting that let users pretend they lived in other countries, opening the door to potential interference.

Note that this settlement involved routers in the 2.4 GHz band, while the rule changes above governed the 5 GHz band. But in an interesting wrinkle, the FCC used the settlement to push TP-Link back toward supporting open source third-party firmware for 5 GHz devices:

“TP-Link has also agreed to take steps to support innovation in third-party router firmware by committing to investigate security solutions for certain 5 GHz band routers that would permit the use of third-party firmware while meeting the Commission?s security requirements and maintaining the integrity of critical radio parameters.”

The FCC stated the move was an attempt to balance RF safety and interference policy while supporting the freedom to tinker:

“The Commission?s equipment rules strike a careful balance of spurring innovation while protecting against harmful interference,? said Travis LeBlanc, Chief of the Enforcement Bureau. ?While manufacturers of Wi-Fi routers must ensure reasonable safeguards to protect radio parameters, users are otherwise free to customize their routers and we support TP-Link?s commitment to work with the opensource community and Wi-Fi chipset manufacturers to enable third-party firmware on TP-Link routers.”

Note it’s not entirely clear just how hard the FCC will push to ensure TP-Link compliance, and what “steps” TP-Link has to take to return to supporting third-party open source firmware remains a little murky. It’s also likely that other router manufacturers will continue to take the lazy route and shut out tinkerers from installing third-party firmware. Still, it’s a solid signal from the FCC that it at least realizes the value in open source modifications (or the bad PR in hindering it), an increasingly rare position in an era where you often no longer actually own the hardware and devices you buy.

Filed Under: fcc, firmware, open source, routers, third party
Companies: tp-link

Despite New FCC Rules, Linksys, Asus Say They'll Still Support Third Party Router Firmware

Wireless

from the apocalypse-averted dept

The apocalypse for those who like to tinker with their router firmware may be postponed.

Last year we noted how the FCC updated router and RF device rules for safety reasons, stating that some illegally modified router radios operating in the unlicensed bands were interfering with terminal doppler weather radar (TDWR) at airports. The rule changes prohibited tinkering with the just the RF capabilities of devices. But some sloppy FCC language worried tinker advocates and custom-firmware developers, who feared that because many routers have systems-on-a-chip (SOC) where the radio isn’t fully distinguishable from other hardware — vendors would take the lazy route and block third-party firmware entirely.

And, at least with some companies, that’s exactly what happened. TP-Link for example stated that it would be preventing custom router firmware installations with gear built after June 2016, blaming the FCC for the decision while giving a half-assed statement about respecting the hobbyist community’s “creativity.” Again: the rules don’t mandate anything of the kind; TP-Link just decided to take the laziest, most economical route.

Fortunately, not all hardware vendors are following TP-Link’s lead. Linksys has announced that while it will lock down modifications on some router models, the company will continue to let enthusiasts tinker with its WRT lineup of hardware, which has been a hobbyist favorite for years. From its comments the company is well aware that while custom firmware flashers may comprise a minority of overall customers, they’re a vocal minority that companies really don’t want to piss off. As such, a company spokesman was quick to breathlessly praise third party custom firmware options:

“The real benefit of open source is not breaking the rules and doing something with malicious intent, the value of open source is being able to customize your router, to be able to do privacy browsing through Tor, being able to build an OpenVPN client, being able to strip down the firmware to do super lean, low-latency gaming,? La Duca said. ?It’s not about ?I’m going to go get OpenWrt to go and piss off the FCC.’ It’s about what you can do in expanding the capabilities of what we ship with.”

While it would be nice to see more models supported, it’s certainly a step in the right direction. It should be noted that (now Belkin-owned) Linksys said it wasn’t a very big deal to lock down the radio specifically, contrary to what some vendors have claimed:

“The hardware design of the WRT platform allows us to isolate the RF parameter data and secure it outside of the host firmware separately,” Linksys said in a written statement given to Ars. La Duca declined to get more specific about Linksys’s exact method. Even though this is about enabling open source, Linksys?s method is proprietary and provides a competitive advantage over other router makers that aren?t supporting open source, La Duca said.”

So while one vendor used the FCC rule change as an opportunity to be lazy and cheap, others are using the news as an opportunity to embrace an important part of their community. And from the looks of thinks Linksys won’t be alone in the effort; representatives from Asus have been telling some hardware enthusiasts that they plan to continue supporting third-party open source firmware as a point of pride as well:

“As you may know, FCC requires all manufactures to prevent users from changing RF parameters. Not only manufactures’ firmware but 3rd party firmware need to follow this instruction. Some manufactures’ strategy is blocking all 3rd party firmware, and ASUS’s idea is still following GNU, opening the source code, and welcome 3rd party firmware. ASUS are co-working with developers such as Merlin and DDWRT to make sure 3rd party firmware’s power are the same as ASUS firmware and obey the regulations.”

None of this is to say these companies can’t go back on their word down the line (concerned users should keep the pressure up), but it’s refreshing to see at least a few vendors actually standing behind their communities’ right to tinker.

Filed Under: fcc, firmware, open source, routers
Companies: asus, linksys, tp-link

Medialink Threatens Customer With Lawsuit For Writing A Negative Amazon Review

Failures

from the how-not-to-win-fans dept

It’s an age-old story. Guy buys a router. Router sucks. Guy writes negative 1-star review on Amazon. Company threatens to sue him for defamation. Because it’s not like every other attempt to sue over negative reviews ends badly.

It is true that Reddit user trevely’s original review did make some strong claims, which clearly, the router maker, Medialink, objected to. Trevely has since edited his review to clarify which parts were opinion and which were clear facts. Medialink’s main complaints were that the original review claimed that many of the positive reviews of their router were fake, and that the router was just a rebranded version of someone else’s router. Still, the original review was no worse than many standard negative reviews, and given how many other reviews Medialink had, you’d think that Medialink would just let this go, rather than call in the lawyers — and suddenly get so much more attention to the negative review. Oh, and more attention to the positive reviews… and their legitimacy.

Whether or not they are actually fake, some Reddit users have certainly spotted some fairly questionable 5-star reviews, like the one guy who seems to think that the router is actually a set of car headlight bulbs. And, others have long suspected fake reviews on the product, so it’s not like trevely just made this up out of nowhere.

As for the rebranding claim, well, as the original review noted, that seems to be confirmed by a filing with the FCC, in which Medialink directly says that the equipment is “electrically identical” to the Tenda router that trevely was pointing to. Oops.

Meanwhile, Amazon’s seller rules are pretty strict about not letting its merchants try to influence user reviews — either pushing for positive reviews or threatening over negative ones. Given, as treverly noted in his own initial review, that Medialink seems to exist almost entirely based on Amazon, breaking Amazon’s rules by threatening a negative review (with a questionable lawsuit, no less) may wipe out the channel the company relies on. Either way, what Amazon does might not matter, because now the Reddit crowd has jumped in, and Medialink/Mediabridge’s name may be even more associated with bogus legal bullying than crappy routers — though I can’t see how either one helps the company very much.

Filed Under: defamation, lawsuits, medialink, reviews, routers, threats
Companies: amazon, mediabridge

Huawei's Global Head Of Cyber Security Wants The Government 'To Have As Much Data As Possible'

Say That Again

from the thinking-it-through dept

In Der Spiegel’s recent revelations about the far-reaching nature of the NSA’s spykit, it mentions several US companies, Samsung from South Korea, and one from China — Huawei. Like the others, Huawei denied any knowledge of the modifications to its products that Der Spiegel claims are used by the NSA to break into systems. This isn’t the first time that the finger has been pointed at Huawei. Some years back, Huawei was accused of facilitating spying for the Chinese government, but after an 18-month investigation, no evidence was found of this. That fact allowed John Suffolk, Global Head of Cyber Security for Huawei and the former UK Government CIO, to enjoy the irony of Snowden’s leaks about backdoors in US products:

Perhaps triggered by the latest Der Spiegel article that mentions Huawei in the context of spying, Suffolk has another blog post on the subject. Discussing the Tailored Access Operations (TAO) that Der Spiegel revealed, he writes:

Since when did people operate in a moral vacuum? I seem to recall the “just following orders” excuse was rejected definitively some years ago. The morality and legality of TAO is precisely the point. Suffolk then goes on to explain:

Leaving aside both the false dichotomy (either total surveillance or terrorist carnage) and the implicit emotional blackmail (if you don’t agree that the government should spy on everyone, any deaths will be on your head), it would seem that Suffolk hasn’t thought this through.

“I want my Government to have as much data as possible,” he writes. Really? So he’s happy for CCTV cameras to be installed in every room in every building in the land — because that’s certainly extremely useful data for the government. It is quite likely that such CCTV footage, suitably analyzed using all those tools that Suffolk wants the government to have at its disposal, would lead to the occasional careless or incompetent terrorist being caught before any harm could be caused. And remember, even if this 24×7 CCTV surveillance of everyone in the country only stops “one event”, that’s still a good enough justification according to him.

I can’t really believe Suffolk is advocating such an extreme approach, but it’s where his logic leads. That’s why there must be some proportionality in the government’s efforts to keep us safe, and a weighing of what we would lose in terms of privacy and personal freedom if we allowed it to “have as much data as possible”. If there isn’t either, Suffolk’s naïve acquiescence in maximalist surveillance opens the door to a deep and possibly long-lasting oppression far worse than extremely rare terrorist attacks whose impact pales into insignificance compared to dozens of everyday risks we accept without a moment’s thought.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: john suffolk, routers, security, surveillance
Companies: huawei

Court Says Cisco Has No Right To Sue To Invalidate A Patent That Is Being Used Against Its Customers

Patents

from the that-just-seems-wrong dept

Yet another unfortunate patent decision has come out of the appeals court for the federal circuit. This involves a case where certain customers of Cisco products were being sued for patent infringement by TR Labs, and part of its argument was that certain Cisco equipment resulted in the infringement by those customers. In response, Cisco filed a lawsuit in federal court, asking for a declaratory judgment that TR Labs’ patents were invalid. TR Labs hit back that it had not sued Cisco, had no intention of suing Cisco, and thus Cisco could not sue for declaratory judgment. Unfortunately, the lower courts and now the appeals court have agreed that Cisco has no basis to bring a lawsuit, because there is no direct threat against it.

There are reasons why it makes sense to require an actual potential dispute before allowing someone to bring a declaratory judgment action, but it seems silly to argue that Cisco can’t file this lawsuit. After all, its business can clearly be impacted by TR Labs’ lawsuits. First, it automatically makes Cisco’s offerings more expensive, in that buyers may either face increased liability or direct licensing costs just to use those products. Thus, Cisco has a direct financial stake in the outcome of those lawsuits and has a very good reason to see the patents invalidated. Unfortunately, the court just doesn’t think that’s enough:

In the circumstances presented here, that interest is simply insufficient to give rise to a current, justiciable case or controversy upon which federal declaratory judgment jurisdiction may be predicated

Of course, a better solution all around would be to make it much easier for anyone to get bad patents thrown out, but that’s just not how our patent system works, unfortunately.

Filed Under: patents, routers, third parties
Companies: cisco, tr labs