
D-Link sued by the US Federal Trade Commission because its routers and network cameras are not secure enough

The FTC has sued D-Link because the security of its products does not match what it advertises: "FTC sues D-Link over router and camera security flaws".

D-Link claimed its routers were “EASY TO SECURE” with “ADVANCED NETWORK SECURITY,” but the FTC says the company failed to protect its routers and cameras from widely known and reasonably foreseeable risks.

The complaint also says security gaps could allow hackers to watch and record people on their D-Link cameras without their knowledge, target them for theft, or record private conversations.

Linksys's WRT54GL

A few days ago I was chatting with colleagues about flashing Android, and I recently happened to see an article about this legendary wireless router, the Linksys WRT54GL: "The WRT54GL: A 54Mbps router from 2005 still makes millions for Linksys". It was the first model to be widely used as a base for all kinds of customised hardware.

Taken from Wikipedia's "File:Linksys WRT54G.jpg".

It has been on sale since 2005 and is still on sale now in 2016, even though the wireless standard it supports is very old and it costs quite a bit more than other wireless routers:

Witness the Linksys WRT54GL, the famous wireless router that came out in 2005 and is still for sale. At first glance, there seems to be little reason to buy the WRT54GL in the year 2016. It uses the 802.11g Wi-Fi standard, which has been surpassed by 802.11n and 802.11ac. It delivers data over the crowded 2.4GHz frequency band and is limited to speeds of 54Mbps. You can buy a new router—for less money—and get the benefit of modern standards, expansion into the 5GHz band, and data rates more than 20 times higher.


Despite all that, people still buy the WRT54GL in large enough numbers that Linksys continues to earn millions of dollars per year selling an 11-year-old product without ever changing its specs or design.

The volume is large enough that Broadcom keeps supplying it, and the product PM admits he can't figure it out:

"To be honest, it somewhat baffles my mind," Linksys Global Product Manager Vince La Duca told Ars. But production won't stop any time soon as long as Linksys' suppliers, including chipmaker Broadcom, keep selling the parts needed to build the WRT54GL. "We'll keep building it because people keep buying it," La Duca said.


Cisco releases a program to detect whether a backdoor has been implanted

A few days ago in "Backdoor implanted on Cisco routers" I mentioned Cisco routers having a backdoor implanted; I just saw on Zite that Cisco has released a checking program: "Cisco released a tool to scan for SYNful_Knock implants".

The program is written in Python and can be obtained from "Talos Intel - Synful Knock Scanner", but that site is not protected by HTTPS, and the hash it publishes for the download carries no PGP signature, so there is nothing to anchor trust on...

After looking for Cisco's official information, I found that "SYNful Knock Scanner" also provides a hash; use the value from there to verify the download, which is the best check available right now.
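As an added example (not from this post, and not Cisco's or Talos's own code) of the check described above: stream the downloaded file through SHA-256 and compare the result with the hash taken from Cisco's page. The file name, the file body and the "published" digest in `demo()` are constructed stand-ins; in practice the expected digest is copied from the vendor page, which is why the comparison normalises case and whitespace.

```python
"""Added example: verify a downloaded file against a published SHA-256 digest.
Not the post's or Cisco's code; file contents and digests below are constructed."""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_sha256):
    """Return True only if the file's digest equals the published hex digest.

    The published value is normalised (case, surrounding whitespace) and compared
    with hmac.compare_digest, so a mismatch is not revealed through timing.
    """
    expected = expected_sha256.strip().lower()
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed scenario: a placeholder 'scanner' file checked against
    (a) the correct digest, (b) a digest with one hex digit changed, and
    (c) the correct digest in upper case, as it might be copied from a web page."""
    body = b"#!/usr/bin/env python\n# placeholder scanner body (constructed)\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "synful_knock_scanner.py")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(body)
        # Stands in for the value copied from Cisco's "SYNful Knock Scanner" page.
        published = hashlib.sha256(body).hexdigest()
        tampered = published[:-1] + ("0" if published[-1] != "0" else "1")
        return (
            verify_download(path, published),
            verify_download(path, tampered),
            verify_download(path, published.upper()),
        )


if __name__ == "__main__":
    ok, bad, ok_upper = demo()
    print("correct digest:", ok, "| altered digest:", bad, "| upper-case digest:", ok_upper)
```

A hash fetched over plain HTTP from the same site as the download adds nothing, since whoever can alter one can alter the other; the value has to come from a channel you trust more than the download itself, which is the point of using Cisco's own page here.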

Backdoor implanted on Cisco routers

FireEye has published a write-up of a backdoor found implanted on Cisco routers: "SYNful Knock - A Cisco router implant - Part I".

The implanted routers were found spread across four regions:

Mandiant can confirm the existence of at least 14 such router implants spread across four different countries: Ukraine, Philippines, Mexico, and India.


  • Cisco 1841 router
  • Cisco 2811 router
  • Cisco 3825 router


SYNful Knock is a stealthy modification of the router's firmware image that can be used to maintain persistence within a victim's network. It is customizable and modular in nature and thus can be updated once implanted. Even the presence of the backdoor can be difficult to detect as it uses non-standard packets as a form of pseudo-authentication.

The key point is that the memory protection mechanism is switched off (everything becomes RW):

The malware forces all TLB Read and Write attributes to be Read-Write (RW). We believe this change is made to support the hooking of IOS functions by loaded modules.

The write-up also points to Cisco's article on how to dump the image for analysis: "Offline Analysis of IOS Image Integrity".

Cisco ships hardware to freight forwarders to make it harder for the NSA to intercept it and install backdoors

Seen in the report "To Avoid NSA Interception, Cisco Will Ship To Decoy Addresses", which is based on "Cisco posts kit to empty houses to dodge NSA chop shops".

Documents revealed by Snowden last year showed that the NSA intercepts Cisco hardware, installs backdoors on it, and then repackages and ships it on: "Greenwald alleges NSA tampers with routers to plant backdoors":

"The NSA routinely receives – or intercepts – routers, servers and other computer network devices being exported from the US before they are delivered to the international customers."

The agency then implants backdoor surveillance tools, repackages the devices with a factory seal and sends them on. The NSA thus gains access to entire networks and all their users.

Cisco's reaction has been really slow, though: the news came out in May last year and only now is a countermeasure being proposed.

The countermeasure is to ship to a distribution point and have someone pick the equipment up there, which raises the cost for organisations like the NSA that want to intercept shipments.

Traffic-observation techniques can identify 81% of Tor users

Seen on Slashdot: "81% of Tor Users Can Be De-anonymized By Analysing Router Information"; the original report is "81% of Tor users can be de-anonymised by analysing router information, research indicates".

The paper (PDF) is "On the Effectiveness of Traffic Analysis Against Anonymity Networks Using Flow Records".

When both the entry node and the exit node are covered by NetFlow observation, the traffic data can be analysed to recover the Tor user's original IP address, which means ISPs and governments are capable of de-anonymisation.
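To make the observation above concrete, here is an added toy example (not from this post or from the paper) of why flow records at both ends are enough: byte counts per time bucket on the entry side are compared with the exit-side flow, and the client whose pattern correlates best is the candidate source. All IP addresses, the guard and exit roles, and the per-bucket byte counts are constructed; a real ISP would see far more clients, Tor cell padding and circuit multiplexing, which is what the paper's 81% figure accounts for and this toy does not.

```python
"""Added example: toy NetFlow-style correlation between a Tor entry (guard) and an exit.
Not the post's or the paper's code; all records below are constructed."""
from collections import defaultdict
import math

BUCKET_SECONDS = 10
N_BUCKETS = 6
GUARD_IP = "198.51.100.1"   # constructed guard address (RFC 5737 documentation range)
EXIT_IP = "198.51.100.2"    # constructed exit address
SERVER_IP = "203.0.113.10"  # constructed destination server


def make_records(src, dst, bytes_per_bucket):
    """Constructed NetFlow-like records: (timestamp, src, dst, bytes), one per bucket."""
    return [(i * BUCKET_SECONDS + 2, src, dst, b) for i, b in enumerate(bytes_per_bucket)]


# Entry side: three clients talking to the guard. Only 10.0.0.5 carries the same
# burst pattern as the exit-side flow (slightly inflated to mimic cell/TLS overhead).
ENTRY_FLOWS = (
    make_records("10.0.0.5", GUARD_IP, [1500, 500, 4900, 200, 3100, 800])
    + make_records("10.0.0.7", GUARD_IP, [2000, 2100, 1900, 2000, 2050, 1950])
    + make_records("10.0.0.9", GUARD_IP, [100, 3000, 200, 3200, 150, 3100])
)
# Exit side: one flow from the exit to the destination server.
EXIT_FLOWS = make_records(EXIT_IP, SERVER_IP, [1200, 300, 4500, 0, 2800, 600])


def bucket_by_src(records):
    """Sum bytes per source IP into fixed-width time buckets."""
    series = defaultdict(lambda: [0] * N_BUCKETS)
    for ts, src, _dst, nbytes in records:
        idx = int(ts // BUCKET_SECONDS)
        if 0 <= idx < N_BUCKETS:
            series[src][idx] += nbytes
    return dict(series)


def pearson(a, b):
    """Pearson correlation of two equal-length series; 0.0 if either is constant."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    norm_a = math.sqrt(sum((x - mean_a) ** 2 for x in a))
    norm_b = math.sqrt(sum((y - mean_b) ** 2 for y in b))
    if norm_a == 0 or norm_b == 0:
        return 0.0
    return cov / (norm_a * norm_b)


def rank_candidates(entry_records, exit_records):
    """Score every entry-side client against the single exit-side flow, best first."""
    exit_series = next(iter(bucket_by_src(exit_records).values()))
    scores = [(client, pearson(series, exit_series))
              for client, series in bucket_by_src(entry_records).items()]
    return sorted(scores, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for client, score in rank_candidates(ENTRY_FLOWS, EXIT_FLOWS):
        print(f"{client:10} r={score:+.3f}")
```

The lesson for anyone relying on Tor is the one the paper draws: a low-latency network preserves the shape of traffic end to end, so an observer that sees both the entry and the exit side does not need to break any cryptography. Defences are about denying that dual vantage point (guard choice, avoiding the same AS on both ends) or adding enough padding and delay to flatten the pattern, which is exactly the latency trade-off the post mentions.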

But one of Tor's goals is low latency; routing through many more nodes to evade monitoring would cost far too much speed... I don't know how that trade-off should be made :o

Anonabox suspended and its crowdfunding halted

The "hardware that automatically routes traffic over Tor" mentioned a few days ago was suspended by Kickstarter on 10/17, halting its crowdfunding; "Kickstarter Suspends Anonabox Security Appliance Project" gives some explanation:

The policy allows for suspension if the project's creator is presenting someone else's work as their own.

The situation now looks like Anonabox simply took other people's work and used it as-is, without any substantive improvement.

The article mentions some existing solutions that can be used; anyone who needs one can refer to those directly :o

Hardware that automatically routes traffic over Tor

Seen on Zite: "Tiny Anonabox to offer online anonymity through Tor".

More complete information is on Kickstarter: "anonabox : a Tor hardware router".

One can roughly imagine which pieces are combined to build it. Handling DNS queries and the actual connections separately should be enough to cover a lot of applications.

I don't know how far the privacy aspect can really go; after all, traffic on Tor can still be eavesdropped on, and if plain HTTP runs over it, that is effectively running naked...