Zero-Day Found in Humax WiFi Router

LASER_oneXM

Thread author
Feb 4, 2016
... a quote from the article:

An unpatched vulnerability affecting Humax WiFi Router model HG-100R allows attackers to compromise the WiFi credentials and even retrieve the router console administrative password, Trustwave SpiderLabs researchers discovered.

The vulnerability was found in May 2017, but repeated attempts to alert the manufacturer on it remained unanswered, the researchers say. According to Trustwave, the device is a default brand/version distributed by a major Internet provider in Brazil, while also being used in various other parts of the world.

The issue, Trustwave explains, starts with specially crafted requests sent to the management console, which allow the attacker to bypass authentication. This attack is possible because the router fails to validate the session token while returning answers for some methods in "url/api".

By exploiting the vulnerability, an attacker could retrieve sensitive information, including the private/public IP addresses, SSID names and passwords.
 
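
The bug class the quoted article describes (a management API that answers some methods without checking the session token), as an added example that is not part of the original post and is neither Trustwave's proof of concept nor Humax firmware code. It puts a dispatcher with per-method token checks, where one method is checked and the others are forgotten, next to a hardened dispatcher that validates the token once before any method runs, and includes the check a reviewer would run to find the unauthenticated methods. The method names (get_wifi_config, get_ip_info, get_admin_password), the token format and the device config are assumptions made for illustration; nothing here is taken from the HG-100R.

```python
# Added example, not Trustwave's proof of concept and not Humax firmware code.
# It models the bug class the article describes: an "api" dispatcher that checks
# the session token on some methods but not on others, next to a hardened
# dispatcher that validates the token before any method runs. The method names,
# the token format and the device config are assumptions made for illustration.
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed stand-in for the router's configuration store (not real data).
DEVICE_CONFIG: Dict[str, str] = {
    "wan_ip": "203.0.113.45",
    "lan_ip": "192.168.0.1",
    "ssid": "HomeNet",
    "wifi_psk": "correct-horse-battery-staple",
    "admin_password": "change-me-please",
}

Response = Tuple[int, Dict[str, str]]


@dataclass
class Request:
    method: str                    # the "api" method being called (assumed names)
    session_token: Optional[str]   # token from cookie/header, None if not sent


class SessionStore:
    """Issues opaque random session tokens and checks them in constant time."""

    def __init__(self) -> None:
        self._tokens: Set[str] = set()

    def login(self, password: str) -> Optional[str]:
        if not hmac.compare_digest(password, DEVICE_CONFIG["admin_password"]):
            return None
        token = secrets.token_hex(16)
        self._tokens.add(token)
        return token

    def is_valid(self, token: Optional[str]) -> bool:
        # compare_digest against every live token: no early-exit timing leak,
        # and a missing or empty token never matches.
        return bool(token) and any(hmac.compare_digest(token, t) for t in self._tokens)


def _run_method(method: str) -> Response:
    """Method bodies shared by both dispatchers; authorization is NOT done here."""
    if method == "get_wifi_config":
        return 200, {"ssid": DEVICE_CONFIG["ssid"], "psk": DEVICE_CONFIG["wifi_psk"]}
    if method == "get_ip_info":
        return 200, {"wan_ip": DEVICE_CONFIG["wan_ip"], "lan_ip": DEVICE_CONFIG["lan_ip"]}
    if method == "get_admin_password":
        return 200, {"admin_password": DEVICE_CONFIG["admin_password"]}
    return 404, {"error": "unknown method"}


def vulnerable_api(req: Request, sessions: SessionStore) -> Response:
    """Per-method checks. The token is validated for one method and simply
    forgotten for the others, so they answer an unauthenticated caller."""
    if req.method == "get_admin_password":
        if not sessions.is_valid(req.session_token):
            return 401, {"error": "unauthorized"}
    # get_wifi_config and get_ip_info reach the method body with no check at all
    return _run_method(req.method)


AUTH_EXEMPT: Set[str] = set()  # methods allowed without a session; none in this model


def hardened_api(req: Request, sessions: SessionStore) -> Response:
    """One gate before dispatch: a method runs only if it is explicitly exempt
    or the request carries a valid session token. A newly added method cannot
    silently skip the check."""
    if req.method not in AUTH_EXEMPT and not sessions.is_valid(req.session_token):
        return 401, {"error": "unauthorized"}
    return _run_method(req.method)


API_METHODS = ("get_wifi_config", "get_ip_info", "get_admin_password")


def unauthenticated_leaks(api: Callable[[Request, SessionStore], Response]) -> Set[str]:
    """Call every method with no token and return the ones that still answer 200.
    This is the review check to run against any dispatcher built like this."""
    sessions = SessionStore()
    return {m for m in API_METHODS if api(Request(m, None), sessions)[0] == 200}


if __name__ == "__main__":
    print("vulnerable, leaks without a token:", sorted(unauthenticated_leaks(vulnerable_api)))
    print("hardened,   leaks without a token:", sorted(unauthenticated_leaks(hardened_api)))
```

The point of the hardened version is structural rather than cryptographic: the token check lives in one place that every request passes through, with exemptions as an explicit allow-list, so the failure mode in the article (a handler that returns SSID, passwords or addresses to a request carrying no valid session) cannot be reintroduced by forgetting a line in a new method.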

orthonovum

Jun 17, 2017
It seems like here in NA we only have a few options: Linksys, D-Link, Netgear, and sometimes ASUS. When I see things like this it makes me realize EU has way more options out there for home use wifi routers. Seems like 80% of them have some sort of backdoor or vulnerability like this :( I feel gross saying it but it seems like there needs to be some regulation around IoT things that will penalize these companies or something
 

ForgottenSeer 58943

US consumers have a massive array of router brands beyond the normal ASUS/Netgear stuff. Kasda, for example, has many OpenWRT routers available as just one brand. Also don't forget your choices for a UTM/NGFW: SOHO stuff, Fortinet, ZyXEL, Cyberoam, etc. Add to that the open-source stuff, pfSense, OPNsense, Untangle, etc. US consumers have tons of options. You just need to look past Best Buy. Keep in mind, most of the common US brands appear on the 'compromised' list from WikiLeaks, including supply-chain compromises, so you are probably safer using a non-mainstream big box brand.

Or at least installing something like Merlin on ASUS as an extra layer of security.
 

orthonovum

Jun 17, 2017

That is my point: the average consumer does not know to look past Best Buy or Walmart. The "main" brands are over-saturating the market and nobody knows about the ones they don't see on a shelf.
 

ForgottenSeer 58943

I think the major problem is consumers don't take anything seriously when it comes to IT. For example, my in-laws. They know they have a network/security engineer on hand (me). Instead of asking the best thing to do, they drive over to the last RadioShack in the county, buy a garbage low-end Netgear router and plug it in. It works? Good enough! I come out and find it on the default password, WPS and UPnP turned on, blah blah blah. So not only did they purchase a junk product, they didn't bother to spend more than 3 minutes setting it up. Yet when they are trying to decide what blinds to put in a bedroom they spend weeks researching it, hours talking to blind experts, then import the best blinds from Italy. Personally, I think it's ignorance that drives all of this.
 

orthonovum

Jun 17, 2017

Agree 100%, and if you don't mind I want to borrow the "blinds in the bedroom" analogy ;)
 
