Kitz Forum

Broadband Related => Broadband Hardware => Topic started by: bob.gas on May 06, 2021, 10:02:46 PM

Title: Routers - How secure?
Post by: bob.gas on May 06, 2021, 10:02:46 PM
Sorry if I'm going over old ground here...

Exactly how safe are routers from hackers these days?
I've heard from a friend, who reads the Which mag (I told him to cancel his subscription lol)
he's worried and told me to check mine.
I have a Talk Talk router, and apparently, I'm up to date with it. :fingers:
how is it possible to check, please?
I appreciate that NO router is safe from hacks...right?
Title: Re: Routers?
Post by: niemand on May 06, 2021, 10:52:16 PM
That Which? article isn't worth paying too much attention to. It went into no specifics. Had it listed actual software problems then I'd pay attention but it just mentioned weak passwords.
Title: Re: Routers?
Post by: tubaman on May 07, 2021, 07:53:45 AM
That Which? article isn't worth paying too much attention to. It went into no specifics. Had it listed actual software problems then I'd pay attention but it just mentioned weak passwords.

It did only focus on ISP supplied routers and as well as password issues did also mention lack of updates on:
Sky SR101
Sky SR102
TalkTalk HG523a
TalkTalk HG635
TalkTalk HG533
Virgin Media Super Hub
Virgin Media Super Hub 2

and local network vulnerabilities on the EE Brightbox 2.

Title: Re: Routers?
Post by: meritez on May 07, 2021, 09:07:53 AM
It did only focus on ISP supplied routers and as well as password issues did also mention lack of updates on:
Sky SR101
Sky SR102
TalkTalk HG523a
TalkTalk HG635
TalkTalk HG533
Virgin Media Super Hub
Virgin Media Super Hub 2

and local network vulnerabilities on the EE Brightbox 2.

Was the article sponsored by BT?
Title: Re: Routers - How secure?
Post by: licquorice on May 07, 2021, 09:54:39 AM
I think you need to define 'secure'. The only 100% 'secure' router is one in its box switched off.  :)
Title: Re: Routers - How secure?
Post by: Weaver on May 07, 2021, 06:13:43 PM
I believe that my router is pretty safe from hacks either from within the LAN or from the internet. This vague belief is from an even more vague belief about the way the software was written. I have also inspected the firewalling’s blocking of attempts to communicate with the router’s own internal services. Over-confidence like this is deadly, but it is at least combined with a healthy dose of paranoia. I’ve never seen a security-related fix mentioned in the list of software updates.

If you do have random software or dubious visitors on your LAN then you might have a problem. But I would set strong passwords on your router, apply all updates and you will probably be ok. Make sure no one can access the router’s services from the internet.
Title: Re: Routers - How secure?
Post by: bob.gas on May 18, 2021, 05:04:03 PM
I'm probably still living in the past, as I remember reading (here I think, or C/Active?) that routers have their own firewalls and are very safe.
Has this changed in this day & age?
Title: Re: Routers - How secure?
Post by: Alex Atkin UK on May 18, 2021, 07:09:41 PM
I'm probably still living in the past, as I remember reading (here I think, or C/Active?) that routers have their own firewalls and are very safe.
Has this changed in this day & age?

Poorly configured firewalls leaving ports open on the WAN side that shouldn't be.
The ability for malware running in a browser to hack into the LAN side of the router.

I do think the risks are overblown, but due to the wide range of routers from excellent to terrible, old to new, and most users completely oblivious to how anything works....
Title: Re: Routers - How secure?
Post by: bob.gas on June 04, 2021, 11:29:58 AM
I had a bit of trouble with films etc stopping midway.
Called TT ( got through very quick would you believe)
The guy I spoke to went through a load of tests etc and said he thought there is a fault somewhere
Sent a BT eng round a week later. He found a burnt-out (I think he said) wire in the master box, fixed it and did more tests
He did say the router is a very good one (Which made me feel better lol).
Whatever he did certainly improved the range of the router, the amazon echo-dot we had in the summerhouse now works, which didn't before.
Title: Re: Routers - How secure?
Post by: SE on June 04, 2021, 03:30:21 PM
Bob you can go to
https://www.grc.com/x/ne.dll?bh0bkyd2
Do a full port scan

I once had a Linksys router many years ago and it had a few open ports so returned it.

If I remember a BT one had two or so open ports,
You will have a firewall on your PCs and can get Norton and so on

For Android you can use NoRoot Firewall, that uses part of the VPN so you can't use that and a VPN at the same time.

But you should get a non-ISP router in most cases if you can
Don't worry about setup as the newer ones ask what ISP you have and they set up then it's just your username and password from your ISP

I had an ISP router and PCs started turning on in the night, and let's just say they weren't just ticking over, the HDDs and CPU cores were very high, plus the network meter showed a lot of traffic.
I have a video and screens of this but I can't get to them at the moment.
The log showed a TR-069 command sent every time they turned on
Binning the ISP router for a kits review one stopped this right away.

A wiki page and other sites said the TR-069 database is used by your ISP and the spooks
but as of late it's been edited and references to the misuse by the spooks seem to have been removed
Though if I remember right it's in the book GCHQ taking back the internet (I think that's the title)

Oh and don't put your devices in a DMZ if you don't need to, also keep plug n play off

For PCs and tablets/phones try Malwarebytes
It blocks websites, stops drive-bys and so on
For PCs and non-ISP routers use a DNS like AdGuard as it blocks ads and bad sites
And OpenDNS, they go in the router so cover all devices on your network not just PCs
For a PC by PC option use DNS Angel (you can edit the .cfg) to lock down kids' PCs.

Also on PCs use a modified hosts file from https://winhelp2002.mvps.org/hosts.htm
I've never seen an ad since 2002  :)

In the end how safe is safe
What was that worm called, stuxnet worm, now that was high level stuff  ;)

Title: Re: Routers - How secure?
Post by: bob.gas on June 06, 2021, 10:55:50 AM
Great, thank you SE for the link to "Shields up".
I remember it now from years back when I think kitz on CA forums also gave it to me but forgot all about that site.
Anyway, did the most common ports check and true stealth analysis has flagged two green Passed boxes.
And everything is marked "Stealth".
So I assume it's all good (so far) yes?
Do I need to do anything else for peace of mind? ;)
Title: Re: Routers - How secure?
Post by: Alex Atkin UK on June 07, 2021, 01:28:51 AM
Shields Up is known in some circles as an absolutely paranoid tinfoil hat site.  So if that site says you're okay, you're probably as okay as you can be. ;)

It does potentially get more complicated if you have IPv6 though.
Title: Re: Routers - How secure?
Post by: tubaman on June 07, 2021, 08:06:51 AM
...

It does potentially get more complicated if you have IPv6 though.

Is there an easily available test tool for that too as I'm interested now?
 :)
Title: Re: Routers - How secure?
Post by: Weaver on June 07, 2021, 09:30:17 AM
For iOS and macOS there is the app https://networktoolbox.de/ which has an IPv6 port scan function and it also has a range of specific router tests for common vulnerabilities / security bugs. See earlier discussion and review (https://forum.kitz.co.uk/index.php/topic,19269.msg341801.html#msg341801).
Title: Re: Routers - How secure?
Post by: SE on June 07, 2021, 10:13:49 AM
Bob
What hardware have you got?
I guess it's a mix of computers and WiFi devices
But anything that can use a hosts file (I think Linux can) use a modded one
To test software or extend a trial a little longer I use sandboxie

Yep shields up is a bit tinfoil but  :) but handy
Today ISPs seem to do more than before, there's less viruses

I used to run a home server for military games
Within a few minutes of opening a few ports I got attracted and a virus  :-[
Back then NIS traced it back to the ISP it came through
This was 2005
Today I think better safe than sorry.

Title: Re: Routers - How secure?
Post by: Weaver on June 07, 2021, 10:24:44 AM
Way back then I used to run Windows Server 2003 on my large Dell workstation, just because it came with a somewhat hardened security configuration. That was even before DSL, to begin with.
Title: Re: Routers - How secure?
Post by: bob.gas on June 07, 2021, 10:39:27 AM
Bob
What hardware have you got?
I guess its a mix of computers and WiFi devices


Hi SE.

my PC is an oldy I'm afraid (not sure if that'll make a difference or not?)
It's a Dell Optiplex 790.
It's a refurb, as when my other PC died I couldn't afford a brand new one, so took a chance on the Dell.
it's been fine to date (fingers crossed)

Spec....
Intel Core i5 2400 @ 3.10GHz
238GB Hitachi HX256GSSDSATA3 (SATA (SSD)
16GB Ram

A Talk talk Router wired to PC.

Canon Printer also wired

The only other wireless items are an Amazon Echo Dot and me & my wife's phones.

   
Title: Re: Routers - How secure?
Post by: bob.gas on June 07, 2021, 10:48:08 AM
Just to add...
Thanks, guys for all your posts so far.
I'm afraid a lot of it is way over my head right now, so sorry if I haven't answered correctly (or at all)
I need to sit down and Google all the acronyms etc and educate myself. lol
Title: Re: Routers - How secure?
Post by: Weaver on June 07, 2021, 01:52:23 PM
Any questions about acronyms and TLAs, do just ask. There will always be someone else who will benefit. Everyone had to start somewhere.
Title: Re: Routers - How secure?
Post by: dslexpert on June 07, 2021, 02:11:30 PM

The risk to routers is less likely to be a fault in the firewall's design but in the implementation. i.e. having a 'firewall' isn't any good if the firewall or its host device has a vulnerability.   It's impossible to make a product vulnerability free.  Some vendors may have vulnerabilities discovered or fixed more often than others (though that may reflect their popularity/market size rather than coder competence).   Vulnerabilities on routers can be caused by:

1. A coding error so that it doesn't work as designed.   Routers which use opensource or an easily decompiled code binary make it easy for a hacker to study the code and identify vulnerabilities.  That is a double edged sword - white hats can find flaws but so can black hats.  Source examination or reverse engineering aren't the only methods though; some flaws are discovered by 3rd parties by trial and error.
2. Default WAN admin access.  Remote admin should be done through a VPN whenever possible (and if not, at least through a TLS/HTTPS connection).
3. A default admin password where the user is not encouraged to change it.  This is more likely a problem on ISP supplied routers where the router is pre-configured so they have no need to ever visit the router's GUI - it's plug and play so the user would never think of it.
4. Backdoor admin access. That makes the vendor's support easier, but also a hacker's access.
5. A flaw in a necessary industry standard protocol.  This isn't an error by the vendor but by the designers of a protocol that they need to follow (e.g. WEP).  In some cases it was an 'acceptable' flaw at the time of design because cracking it was impractical or impossible but a decade later, cracking older protocols becomes feasible with newer methods and greater consumer processing power.
6. Having ports 'open' isn't in itself a vulnerability.  It may identify an endpoint for a hacker but that's it so when GRC or whatever warns you that a service/port is "open" it just means 'responding'.  Your doorbell doesn't open your front door :-)
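
Added example, not part of any post in the thread: a small Python check for your own router that separates the three port states the thread talks about ("open" meaning responding, "closed", and "stealth" meaning no reply at all), and accepts an IPv4 or IPv6 address. The port list and function names are assumptions made for illustration; run from inside the LAN it shows the LAN side only, so the WAN side still needs an outside test such as the ShieldsUP! scan mentioned above.

```python
import errno
import socket

# Assumed port list (not from the thread): services commonly found on home
# routers. 7547 is the usual TR-069/CWMP port.
ROUTER_PORTS = {23: "telnet", 80: "http admin", 443: "https admin", 7547: "TR-069"}


def probe(host, port, timeout=2.0):
    """Classify one TCP port as open / closed / stealth."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed: a service is responding
    except ConnectionRefusedError:
        return "closed"           # RST came back: host reachable, nothing listening
    except socket.timeout:
        return "stealth"          # no reply at all: the packet was silently dropped
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"  # no route, e.g. no IPv6 connectivity on this machine
        raise


def audit(host, ports=ROUTER_PORTS, timeout=2.0):
    """Probe each port on a device you own; host may be an IPv4 or IPv6 address."""
    return {port: probe(host, port, timeout) for port in ports}


def exposed(results):
    """Ports where a service answered; these are the ones worth reviewing."""
    return sorted(port for port, state in results.items() if state == "open")


if __name__ == "__main__":
    # Constructed demo on loopback: a listener we start ourselves, then the
    # same port again after the listener has been closed.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print(port, probe("127.0.0.1", port))
    srv.close()
    print(port, probe("127.0.0.1", port))
```

An "open" result only says a service answered on that port; whether that service is a problem depends on what it is and whether it needs to be reachable from where you tested.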