[Cryptography] "Home router warning: They're riddled with known flaws and run ancient, unpatched Linux"
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Thu Jul 9 23:04:44 EDT 2020
Jerry Leichter <leichter at lrw.com> writes:
>A third are running Linux kernel version 2.6.36 or older. The latest
>security update for 2.6.36 was in February of 2011. One Linksys router was
>running 2.4.20, released in 2002. There are 579 high-severity CVEs affecting
>that.
2.4.x and 2.6.x is the standard kernel of Linux embedded devices. With
supporting programs of roughly the same vintage.
>I thought of Linksys as good because they were owned by Cisco. Not so much -
>but then again, I didn't realize that Cisco sold them to Belkin (also pretty
>good?) who then sold them to Foxconn - which, as it happens, also owns ASUS!
>You just can't tell.
You also have to go even further down the rabbit hole than Linksys, a lot, if
not all of their gear is actually made by Gemtek, who also OEM for Buffalo,
Zyxel, Fortinet, Cisco, Alcatel-Lucent, Belkin, 3Com, Dell, Intel, and many
others, I've seen them described somewhere as "a prolific OEM".
Ah, here it is:
https://deviwiki.com/wiki/List_of_Gemtek_Wireless_Devices
Oh yeah, and they hardcode private keys into their devices and have been doing
so for years, just pulled up one of their certs and it's dated 2007.
Peter.
More information about the cryptography
mailing list