Everyday security horrors
May 2, 2017  

I recently picked up three brand new pieces of computer hardware. Let’s take a look at their security.

Netgear Nighthawk wireless router

Here’s Netgear’s description.

The out-of-the-box experience isn’t great. Netgear has an iOS app for the router but the app can’t do the first configuration of the device to set up a password; instead you have to use a web browser to visit “routerlogin.net” which connects you to the router configuration. This is just for the first use, mind; all other router configuration must happen through an app. Weirdly it asks whether to set things up in “router” or “access point” mode, which makes no sense because every access point is a router.

This is a dual-band router and you can set different SSIDs (network names) for the 2.4MHz and 5MHz bands; however for some random reason setting the password on one band also sets the password on the other band.

Next, the configuration software has a near fatal flaw: it does not allow you to assign a network name containing a space character! Naturally my current network name contains a space character and I bought the router to extend that network, which means I either change my existing network name and reconfigure all of my devices that currently use it, or I find some way to hack in a space character.

A little investigation shows that this screwup is intentional: Netgear used to support space characters but no longer does because of some Android bug which I can’t read because I do not have a Google account (thanks, Google!) and which presumably causes compatibility problems for Netgear customers who use Android. (Thanks, Netgear!)

So, it stands to reason that I should be able to assign an SSID with a space character if I can find an older version of Netgear’s app. Unfortunately Netgear does not seem to offer these but random third-party sites do have some old, non-phone versions. Of course it’s dangerous to download random software from third-party sites to update your router firmware, but what choice do I have? Luckily, everything seems to work out and I can set my desired SSID. Hopefully my router is not completely compromised.

Next, I see that the firmware is out of date. There appears to be no way to update the firmware from the mobile app, but the desktop app seems to support it. Except that it fails, so I’m living with out-of-date firmware.

Taking a quick look at the firmware release notes, I see that the only thing I need to be concerned about is that the firmware “Fixes security issues and bugs.” So we’re good.

Gigabyte BRIX small form factor computer

Gigabyte’s product page.

This is a nice, small, quiet computer with 2 ethernet ports that I’m using for some networking experiments.

The BIOS is either one or two versions out of date (hard to tell because of Gigabyte’s confusing support page). In any case, there appears to be no BIOS available that fixes this recent serious problem, and it is not clear that it will ever be patched for the particular model that I’ve got.

Also, the only way to update the BIOS is to use a Windows or DOS utility. Since I’m running Linux on the machine, that means I have to create a DOS live-USB key to boot into and flash the BIOS. So now I have an up-to-date BIOS that protects me from most known vulnerabilities, except for the very serious one featured at the last BlackHat conference.

Intel NUC “Skull Canyon”

Intel’s product page

Another small form factor device, this one from Intel. These are flagship devices from the biggest CPU manufacturer, intended to showcase their latest technologies.

As delivered, the BIOS is three versions out-of-date. Fortunately, unlike Gigabyte, I don’t have to boot up DOS to install the BIOS updates, and the updates are available over HTTPS, and Intel lists a cryptographic hash for the update (weirdly, though, they are still using MD5).
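An added example, not part of the original post and not Intel's tooling: a check of a downloaded update against a vendor-published hex digest that also reports whether the digest type is still collision-resistant. The function name, the length-to-algorithm table and the sample file contents are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> (hashlib algorithm name, still collision-resistant?)
ALGOS = {32: ("md5", False), 40: ("sha1", False),
         64: ("sha256", True), 128: ("sha512", True)}


def verify_download(path, published_hex):
    """Compare a file against a published hex digest.

    Returns (matches, algorithm, collision_resistant). A match on MD5 or
    SHA-1 rules out a corrupted download, but collisions for both are
    practical, so the result then depends on having fetched the digest
    itself over an authenticated channel such as HTTPS.
    """
    digest = published_hex.strip().lower().replace(" ", "")
    if len(digest) not in ALGOS:
        raise ValueError("unrecognised digest length: %d" % len(digest))
    expected = bytes.fromhex(digest)  # ValueError on non-hex input
    name, strong = ALGOS[len(digest)]
    h = hashlib.new(name)
    with open(path, "rb") as f:
        # Stream in 1 MiB chunks so large images are not loaded whole.
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.digest(), expected), name, strong


if __name__ == "__main__":
    # Constructed sample: a stand-in "update file" and its MD5, playing the
    # role of the digest listed on a vendor download page.
    fd, path = tempfile.mkstemp()
    os.write(fd, b"constructed firmware image")
    os.close(fd)
    published = hashlib.md5(b"constructed firmware image").hexdigest()
    ok, algo, strong = verify_download(path, published)
    print("match=%s algorithm=%s collision_resistant=%s" % (ok, algo, strong))
    os.remove(path)
```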

But wait! Coincidentally, Intel announced a remote vulnerability in their implementation of Active Management Technology! This is kind of a big deal, but I’m not sure whether it applies to my machine. According to Intel, to find out I just need to run their handy… Windows utility! At any rate, no patch is available.

The verdict

I have a computer science PhD from MIT, I have been using computers since the DOS/Apple II days, and I work in computer security, but I’m unable to secure 3 out of 3 brand new computer products against known vulnerabilities.

Supposedly the one thing “security experts” agree on is that you must keep your software up-to-date, but none of these companies have made that possible, much less easy.

You hear a lot about how the Internet of Things will lead to security horrors but in fact I see a lot of work being done to make them much more secure than the old-school routers and computers I can buy today. SAD!