So I got a new wireless router for my house today and was absolutely appalled at the way they have treated security in the thing. Now, this is not unique at all. I have tried most of the other common home routers as well, and they all sin in about the same ways. Frankly, I have yet to find a wireless product that does security as well as the venerable Microsoft MN-500 802.11b router. Of course, the MS device only does WEP, which is pretty much equivalent to no security at all these days, but when it came out, that was all there was, and it was on by default, and ordinary mortals could actually set it up. Not so with the recent crop of products. Here are some particularly egregious issues:
- This is an excerpt from the manual
The Router ships with NO password entered. If you wish to add a password for more security, you can set a password here. Keep your password in a safe place, as you will need this password if you need to log into the router in the future. It is also recommended that you set a password if you plan to use the Remote management feature of this Router.
Let me get this straight; if I wish to have security, I may optionally configure it? Why is security optional? What kinds of passwords might this thing support? There is no mention of it in the manual. However, since it is web-based, I presume it can’t have special characters in it since those get to be URL encoded. Oh, and the walkthrough configuration wizard thingie, that ensures you get a wireless network that is shared with every neighbor that can find it (which is a large number with a MIMO router like this one) does not allow you to set a password.
Hmm, even stranger. When I try to set the password and at the same time told it not to use NAT it actually does not take the password. Weird. It restarts the router, but I can still log in with the default blank password.
- The wireless network is on by default, with no security, and that handy blank password on the router. 'Nuf said. From what I saw in my testing anyone could connect to it and manage it as long as they were on the internal side of the network, but of course, all that takes is a pringles can and a convenient spot to park within about five miles of the router. I have said many times that one of these days I am just going to turn off my wireless network and use one of my neighbors. On any given day I can see at least 6 of them from my home office. I just think there is a company policy against that sort of thing.
- The use terms like “computer hackers use what is known as “pinging” to find potential victims on the Internet.” A hacker is not a criminal! Why is it that we keep using the term "hacker" when we really should be using "attacker" or "criminal"? Hacker is a proud term that was originally used in the computer world to refer to those who really loved computers and everything about them. Then some misguided journalist decided to equate it to criminal and it went downhill from there. Why can't we just refer to them as the criminals they are? If someone goes in and robs a bank branch there would be no question about which labels to put on him, but because the crime involved stealing someone's bank account details and electronically transfer all the money to some place you've never heard of they are somehow different than traditional robbers? I've even seen cases where prosecution was called off for fear of destroying the criminal's "career and chances of getting into the university of his choice." This is just appalling. Maybe if we used more descriptive terms to refer to these people we'd start actually putting them where they belong.
- Oh, but the fact that criminals use ping as a way to discover your system is not sufficient reason to block ICMP echo by default. You have to actually turn that blocking on. I wonder if the router blocks portscanning? They use that too. I suppose I need to find out.
- “Your Router is equipped with a firewall that will protect your network from a wide array of common hacker attacks including Ping of Death (PoD)”
Wow!!! It protects me against a really scary sounding attack!!! I guess I don’t need that patch Microsoft issued 8 YEARS AGO to fix that problem. BTW, exactly how many people are still running NT 4.0 on their home wireless network so they would be vulnerable to this? I guess the original release of Windows 95 was vulnerable too, but putting a firewall in front of those is not likely to help much.
- IP Address Lease Time: Forever. Yeah, that makes sense, because we will never ever change computers!
- The driver for the network cards that go along with the router is not signed. Not to worry, the manual explains it:
You might see a screen shot similar to this one <screenshot of unsigned driver approval screen here>. This DOES NOT mean there is a problem. Our drivers have been fully tested and are compatible with this operating system.
Good idea!!! Let’s train people to click “yes I want to install the malicious software” (or the equivalent) in every dialog that pops up and asks them to do so. Why is it so hard to understand that driver signing is about trust in the source of the driver, not about whether it has been tested to work or not. I don't think anyone expects a vendor to release a driver they have tested only insofar as to make sure it compiles.
People complain about Microsoft security, but frankly, the state of security in the rest of the industry scares me sometimes.