One myth that I hear over and over is that having a router on your Internet connection makes you invisible, and makes you somehow invincible. I even heard someone say recently that if you have a router/firewall, you don’t need to run antivirus software.
Security researcher HD Moore appeared last week on Risky Business and he talked about ways that entire classes of routers can be compromised. Give it a listen.
I think these myths persist thanks to Steve Gibson’s Shields Up page, where he used to get overly enthusiastic. The test served its purpose 15 years ago to get people to buy routers to protect their incredibly vulnerable Windows 98 boxes, and he has since toned his rhetoric way down, but unfortunately some people with good memories style themselves security experts because they were smart enough to buy a router in 2001 and tested it with Gibson’s page. Things change. Today a router is a necessity in order to allow all of our computers to share an Internet connection, but it’s not a security device. A good router improves your security somewhat, but a bad router is more vulnerable than the computers it’s supposed to be protecting. And unlike those computers, which get updates every month, the router probably never will get updated.
HD Moore’s research illustrates how routers are computers with vulnerabilities and exploits of their own. On the podcast I linked, he discussed a frightening bug that allows an outsider to use NAT-PMP to open ports on certain firewalls from the outside. Yes, exactly the opposite of the way firewalls are supposed to work.
Moore said that 85% of home networks use 192.168.0.x, 192.168.1.x, or 192.168.254.x, so one way to avoid this attack is to move off one of those networks if you’re using one. It’s a good idea anyway because so many exploits assume you’re sitting on one of those three networks. Why not, when it works 85% of the time? And let’s face it: Now that the word is out, maybe it’ll only work 84% of the time going forward.
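To check whether a machine sits on one of those three networks, here is an added example (not code from this post or from Moore) that parses Linux `ip -o -4 addr show` output, flags matching interfaces, and proposes a replacement subnet. Reading the three ranges as /24 networks, the constructed sample output, and the choice of a random 10.x.y.0/24 as the replacement are all assumptions made for illustration.

```python
import ipaddress
import random

# The three ranges the post names, read here as /24 networks (assumption).
COMMON_NETS = [ipaddress.ip_network(n) for n in
               ("192.168.0.0/24", "192.168.1.0/24", "192.168.254.0/24")]

# Constructed sample in the format of `ip -o -4 addr show` on Linux.
SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic eth0
3: tun0    inet 10.8.0.6/24 scope global tun0
"""

def parse_interfaces(text):
    """Return (name, IPv4Interface) pairs from `ip -o -4 addr show` output."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if "inet" not in fields:
            continue
        addr = fields[fields.index("inet") + 1]
        found.append((fields[1], ipaddress.ip_interface(addr)))
    return found

def on_common_net(ifaces):
    """Interfaces whose address falls inside one of the three common networks."""
    return [(name, i) for name, i in ifaces
            if any(i.ip in net for net in COMMON_NETS)]

def suggest_subnet(ifaces, rng=random, attempts=1000):
    """Pick a private /24 that overlaps neither the common networks nor any
    network already in use (a VPN, for example). Returns None if none is found."""
    in_use = [i.network for _, i in ifaces]
    for _ in range(attempts):
        cand = ipaddress.ip_network(
            f"10.{rng.randint(1, 254)}.{rng.randint(1, 254)}.0/24")
        if not any(cand.overlaps(n) for n in in_use + COMMON_NETS):
            return cand
    return None

if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE)
    for name, i in on_common_net(ifaces):
        print(f"{name}: {i} is on one of the three common networks")
    print("candidate replacement subnet:", suggest_subnet(ifaces))
```

On a real machine, pass the actual output of `ip -o -4 addr show` to `parse_interfaces` instead of `SAMPLE`; the subnet change itself is made in the router's LAN/DHCP settings.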
The other mitigation, once Moore figures out what specific routers are affected and discloses it, is to apply a patch. Assuming the vendor ever patches it.
But I heard Moore speak about a year ago, about most of this same stuff, and a few things did get fixed here and there based on him talking about it. He says these problems will exist for at least 10-15 more years, and he’s probably right. But you and I don’t have to make it any easier for the attackers.