a companion discussion area for blog.codinghorror.com

Welcome To The Internet of Compromised Things


Yikes! Thanks for posting… It’s the world where evil lurks in everything around us… :confused:

I still get a bit paranoid on my Mac when the window opens up that requires you to type your admin password to install something… I mean it looks like the official OSX admin password dialog, but maybe some app is just spoofing it.

Part of my frustration with cryptography isn’t how it works (I get that, yay math!) but rather the lack of transparency in software for what is really going on, and how I can audit it if I want to. Yeah, my software package X says that certificate ABC is valid and that this file has been signed by person Y, but how do I really know that? Ugh.

On a separate note: are DSL modems prone to this problem, too? Or just routers? I’ve been meaning to use a good wireless router, rather than the crap one that comes with my DSL modem, for a long time now, ever since noticing a slowdown and an acquaintance of mine said, “Oh yeah, the crap routers have software that has memory leaks, and you have to reboot it periodically or it slows to a crawl.” >:( Your article I think has pushed me over the edge enough to get a good wireless router instead, but I wonder if that point is moot when I still have to go through a DSL modem.


Everything in your path is compromised 100% of the time.

This post tries to claim that some set of solutions will actually solve your problem - they will not. You must secure your end stations. There is no other alternative.

Posts like this give you guidelines on how to secure the hops in the path that you might actually control, and it does a good job at that, but then consequently lulls you into a false sense of security assuming you did so.

Your end station is the only thing that factors into this discussion, and it must be secured. You take that device places, and VPN or not you traverse networks you cannot trust. And networks you think you can trust? You can’t. This discussion starts and ends with securing your end station (which is also why trying to fight the compromise battle with posts like this won’t actually help). Vendors could help by securing their edge, but until consumers (and the products they buy) provide a hardened edge, these devices will be consistently compromised.


You should be more concerned that the app asking is the right app, and yet is going to use those privileges for nefarious purposes - this is much more likely. Definitely ask yourself why any app needs admin privileges (the question every phone/tablet app downloader never seems to ask while every vendor sells your data to subsidize their costs).

As to your other question, as I’ve pointed out above, every hop can be compromised. Modems, switches, routers. Any consumer wifi router is eventually going to get compromised - they are simply a too-appealing target given market penetration and lack of ability to secure them. The more popular, the more attackers will try to compromise it (and the more likely such a compromise will find itself as part of a general rootkit available to any idiot on the internet).

That being said, while using wired connections, custom routers, and VPNs may reduce your risk, they won’t eliminate it entirely as there are always zero-day vulnerabilities for any platform (and from your perspective you may not find out about that “zero” day until “negative 500” days).

The internet is a hive of scum and villainy, to steal a phrase, and you must always be cautious. Employ multiple layers of defense starting with the security of your end stations.


I can recommend the Asus RT-AC87U … this is probably an upgrade over what you currently have without being totally bleeding edge overkill.

This router shows up as $234 on Amazon. That’s kind of overkill for me! I also haven’t always had happy, bug-free times with the firmware on Asus routers. Are there any cheaper routers that aren’t trash?


When recommending Asus, how about the “Dear Asus router user: You’ve been pwned” attack?

And by the way CZ.NIC elaborates on something called a Turris router, but that’s apparently a “not-for-profit research project.”


Re: You must secure your end stations.

Easier said than done.

This thread was started by a malicious DNS server. Did you know that every client OS implicitly trusts the configured DNS server? Even if the DNS server does DNSSEC validation, it just tells the client that it’s doing DNSSEC validation; the typical client doesn’t check. Furthermore, the communication between the client and the server is not authenticated, so it’s trivially vulnerable to MitM attack.

Like everything else DNSSEC, getting client systems to do DNSSEC validation is a lazy back-burner job. I guess you could make yourself more secure by installing Unbound and configuring your system to use the DNS server on localhost.

If you want to be extreme about your endpoint security, I suppose you should get a computer with VT-d in the CPU, so you can run Qubes OS like Rutkowska intended. Make sure to have DDR4 and a good variety of ECC, to avoid rowhammer attacks.


Sure, try the RT-AC66U, currently $142, the top recommended router within its band at SmallNetBuilder, too.

For even less, the TP-LINK Archer C5 is also a recommended model by SmallNetBuilder at $75.


Just wanted to point to a router I really enjoy: fonera

It was based on OpenWRT, easy to update and manage, got lots of features.


As the root is signed (and has been for a little over 5 years now) you cannot (for all practical purposes) MitM a DNSSEC query that is properly validated.

Yes, unfortunately users have to take end station security into their own hands as vendors are not doing enough (not that they could ever do enough, but they could trivially do much better than they are now). I’m not sure if we’ll ever get out of the hole we’ve created by not taking security seriously from the start, but we need to try, and the only thing that works is to secure the edge, as you will never secure the network unless you can restrict your use to paths 100% within your control.


I am also baffled that the HTTPS stripping attack was not mentioned. It is really simple and requires no complicated certificate spoofing. In my experience most users will not notice that they are actually using HTTP instead of HTTPS.
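As an added illustration of the point made in this post (this code is not from the thread or from any tool it mentions): the first function does what an sslstrip-style proxy does to a page it relays over plain HTTP, and the rest model the browser-side HSTS store (RFC 6797) that makes the downgrade fail once a site’s policy has been seen. The HTML snippet and header values are constructed for the example; the host name `bank.example` is a placeholder.

```python
"""
Added example (not from the thread): mechanics of HTTPS stripping and of the
HSTS check that defeats it once a policy is cached. All inputs are constructed.
"""
import re


def strip_https(html):
    """What an on-path proxy does to a page it serves the victim over plain HTTP:
    rewrite every https:// link so the victim's browser never starts TLS.
    (The attacker keeps its own TLS session to the real server.)"""
    return re.sub(r"https://", "http://", html, flags=re.IGNORECASE)


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None if the header is unusable (no valid max-age directive)."""
    max_age = None
    include_sub = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Tiny model of a browser's HSTS store: host -> (expiry, include_subdomains)."""

    def __init__(self):
        self.entries = {}

    def record(self, host, header_value, now):
        """Called only for responses received over HTTPS; a header seen over HTTP is ignored by browsers."""
        policy = parse_hsts(header_value)
        if policy is None:
            return
        max_age, include_sub = policy
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 clears the policy
        else:
            self.entries[host.lower()] = (now + max_age, include_sub)

    def must_use_https(self, host, now):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False


def browser_fetch_scheme(url, cache, now):
    """Return the scheme the browser would actually use for url given its HSTS store."""
    m = re.match(r"(?i)(https?)://([^/:]+)", url)
    scheme, host = m.group(1).lower(), m.group(2)
    if scheme == "http" and cache.must_use_https(host, now):
        return "https"  # upgraded internally before any packet leaves the machine
    return scheme


if __name__ == "__main__":
    page = '<a href="https://bank.example/login">Log in</a>'  # constructed sample
    print(strip_https(page))
    cache = HstsCache()
    print(browser_fetch_scheme("http://bank.example/login", cache, 1000))   # no policy yet
    cache.record("bank.example", "max-age=31536000; includeSubDomains", 1000)
    print(browser_fetch_scheme("http://bank.example/login", cache, 1001))   # upgraded
```

The caveat the model makes visible: the store is empty until the browser has completed one genuine HTTPS visit, so the very first plain-HTTP request to a site (or any request after the policy expires) is exactly the window a stripping proxy needs; the preload list exists to close that first-visit gap.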


For those looking to go the DIY route, I use an Asus RT-N16 which is a bit older, but I always swap it for the TomatoUSB (http://tomatousb.org/) firmware. If you’re looking to dive in and try it, beware that you can brick a router by swapping the firmware, but with this specific router, the firmware is nearly one-click install reducing the risk if you use EasyTomato. I also find that Tomato is much more reliable than the stock firmware. I have 6 roommates and two 48-port switches. We host LAN parties and constantly stream Netflix, YouTube, and Xbox Live all while hosting several websites out of the house. This used to kill a router in about 3 months (that was when the daily resets that always seemed to be needed stopped fixing the problems). We have been using RT-N16s for years now only ever resetting them when I make changes to them and we have yet to have one die on us.


I’m really interested in this topic and I was actually thinking of paying for a VPN connection for my phone to use it when I’m connected to potentially harmful routers. However I wonder if a VPN will fully protect me against a compromised router. Is there any known attack that can fake a VPN connection without me noticing?

Thanks in advance!


Re: The danger of faked “known SSIDs”:

Troy Hunt had some examples for that a while ago: Your Mac, iPhone or iPad may have left the Apple store with a serious security risk (applies not just to Macs).


Something I use all the time when surfing (with Firefox, unsure if there’s something like it for others) is the add-on NoScript. It prevents all scripts from executing until they’re allowed, so it will break a lot of websites before you’ve allowed some, but I find it to be the best protection for my browser.
It’s also neat being able to block more of Google’s tracking… A lot of sites have “google-analytics.com” in them. ;p

I’d say this is an intermediate difficulty add-on to use, and I really recommend it. :slight_smile:

Only negative is that performing certain actions, like purchasing stuff with confirmation and some WYSIWYG real time editing functions won’t work unless you disable NoScript completely, else the XSS protection makes it… uncertain. :stuck_out_tongue:


Yeah, properly validating it is the rub, isn’t it. If a client wants to check, it will have to query each of the domains back to the root to build the signature chain. If your DNS server is DNSSEC-aware, then it will have those in its cache, but it’s still several round trips before trusting the result enough to connect to the server.

Though, most domains are not signed, so you just need to climb the hierarchy to find a properly signed lack-of-DNSSEC record, and then you know that you can totally trust these unauthenticated DNS records. And most deployed DNS servers don’t understand DNSSEC at all, so you need to find a more remote DNS server with more latency per round trip, or just do the whole recursive query yourself, defeating the purpose of DNS caching.

In practice, if a client does DNSSEC at all, then it is non-validating and DNSSEC-aware. The client just asks the configured DNS server to do DNSSEC validation, and the server just says that it has done so. The communication between the client and the server is also unauthenticated, so if your ISP doesn’t support DNSSEC and you have configured Google DNS instead (e.g., because Google does DNSSEC validation even though Google.com has no DNSSEC records), then every agent in the Internet between you and Google can spoof a reply, saying this is the result of your query and you can totally trust it because it says that it has done DNSSEC validation on this.

I don’t see a good solution to this. DNSCurve has the same problems; it just has smaller records and eliminates the possibility of running DNS slave servers that you don’t control and has even less adoption. TLS security doesn’t depend on the server that you’re connecting to actually being the right one, but everybody ignores its warnings anyway. We really need to move to a security model with trust agility.
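The two DNSSEC posts above (the one starting “This thread was started by a malicious DNS server” and this one) both turn on the same mechanical fact: a non-validating stub learns that validation happened only from the AD bit, which is a single bit in the DNS header carried over an unauthenticated UDP exchange. The following is an added example, not code from the thread, that builds a query with a hand-rolled wire-format encoder, forges the reply an on-path attacker would send, and parses it back; the transaction ID, name, address and the choice of `127.0.0.1` as a local validator are all constructed for the example.

```python
"""
Added example (not from the thread): why a stub resolver cannot trust the AD
(Authenticated Data) bit it receives over plain port 53. AD is bit 5 of the
16-bit flags word (RFC 1035 s.4.1.1, RFC 4035 s.3.2.3); any host on the path
can set it. All bytes here are constructed, nothing is sent on the network.
"""
import struct

# Flag bit positions within the header flags word.
FLAG_QR = 1 << 15  # message is a response
FLAG_AA = 1 << 10  # authoritative answer
FLAG_TC = 1 << 9   # truncated
FLAG_RD = 1 << 8   # recursion desired
FLAG_RA = 1 << 7   # recursion available
FLAG_AD = 1 << 5   # "authenticated data": resolver claims it validated
FLAG_CD = 1 << 4   # checking disabled


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, set_ad=True):
    """Build an A/IN query. AD in a query asks the resolver to report AD in the
    reply (RFC 6840 s.5.7); it does not make the stub validate anything."""
    flags = FLAG_RD | (FLAG_AD if set_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def parse_response(msg):
    """Return id, AD flag, rcode and the answer records of a DNS response."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4  # skip QTYPE, QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "ad": bool(flags & FLAG_AD), "rcode": flags & 0xF, "answers": answers}


def forge_reply(query, ip, set_ad=True):
    """What an on-path attacker does: copy the question, append an A record
    with any address, and simply set QR|RD|RA and, if it likes, AD."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if set_ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # 0xC00C is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(x) for x in ip.split("."))
    return header + query[12:] + answer


def trust_ad_bit(parsed, resolver_address):
    """Policy a stub should apply: honour AD only when the channel to the
    resolver cannot be tampered with, e.g. a validator on loopback (assumed here)."""
    return parsed["ad"] and resolver_address == "127.0.0.1"


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")                      # constructed
    spoofed = forge_reply(q, "203.0.113.7")                     # attacker's reply, AD set
    parsed = parse_response(spoofed)
    print(parsed)
    print("trust AD from ISP resolver:", trust_ad_bit(parsed, "198.51.100.1"))
    print("trust AD from local Unbound:", trust_ad_bit(parsed, "127.0.0.1"))
```

Running it shows the forged reply parsing as a perfectly well-formed answer with `ad: True`; nothing in the message distinguishes it from a validating resolver’s reply, which is why the only safe place to set the resolver address is a validating daemon on the machine itself (the Unbound-on-localhost suggestion above), where the AD bit travels over a path an attacker on the LAN or at the ISP cannot touch.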



But if you insist, then the only 802.11ac router that I would buy right now is the TP-LINK Archer C7, purely because it’s fully supported by OpenWRT. No closed-source Ethernet and WiFi on this. I do not trust its manufacturer-provided firmware to run any longer than needed to replace it with OpenWRT.

But most of the TP-LINK product line is low-performance Mediatek (née Ralink) or binary closed-source Broadcom, including the TP-LINK Archer C5 v2. Yes, the router that they sell you now is not the router that they sent to the reviewers last year. Even buying the C7 is risky, because consumer router manufacturers suck donkey balls. (C7 v1 has pre-standard-ac WiFi that doesn’t work properly. C7 v2 works. Not much information in the wild about C7 v3, but at least it’s software-compatible with v2.)

The router that I use is the Buffalo WZR-600DHP. Same reason. Everything else in Buffalo’s product line sucks.

To shop for routers, I look for support for OpenWRT, and I also look for specs and model revisions on TechInfoDepot.info. Since most router companies completely change the router without changing the model number, SmallNetBuilder is almost useless.

Trying to do router security yourself is very tedious.


How about using two different browsers; one for the internet and one for configuring the router?
Of course you should always replace the factory credentials.

(There’s some logistics involved in installing (or rather downloading) the second browser with the same browser that you used to configure the router in the first place, but that could probably be solved with thumbdrives.)


Along with the Eero, this new Google wifi router looks promising!


Your assumption that an off-the-shelf router is going to be more reliable than your ISP’s offering is questionable, unless you are ready to buy a new router every year or so. Router manufacturers will not maintain legacy products forever, and firmware upgrades will depend on your good will. On the other hand, your ISP might maintain the router firmware for years, monitor security flaws all along, and force patches onto your router remotely.


How does the Apple Time Capsule stand in the security list? I have been thinking of upgrading to it for some time, mainly due to the built-in storage. However I’m not sure about its flexibility with other major OSes. I have Microsoft, Ubuntu, Mac, Android and iOS devices. I guess it’s pretty common to have this many devices; however security is the last thing most of us think about.