
Nobody should be trusting a modem. You don't put your private keys on a modem. Your credit card number isn't saved on the modem.

So if hackers break into the modem, the worst they can do is shut off your internet. And if you really cared about reliability of your internet, you'd have two connections anyway.

Really this is a non-issue.



There are considerable attack vectors opened up here... a quick glance at the front page shows:

> Change default DNS server
> Conduct remote man-in-the-middle attacks
> Hot-swap code or even the entire firmware
> Upload, flash, and upgrade firmware silently
> Disable ISP firmware upgrade
> Change every config file and settings
> Get and Set SNMP OID values
> Change all associated MAC Addresses
> Change serial numbers
> Be exploited in botnet

A simple change in DNS servers combined with man-in-the-middle attacks is enough to fool many people into entering CC details into rogue sites, for example.

(Edit for typos!)


"A simple change in DNS servers"

Would this matter if the devices on the network are all themselves configured to use other DNS servers?


> the worst they can do is shut off your internet

No, if your modem gets owned, you are in a whole lot of trouble.

You become vulnerable to all sorts of MITM attacks. The attacker now also has access to your LAN, which is usually trusted by all devices on it.


> You become vulnerable to all sorts of MITM attacks. The attacker now also has access to your LAN, which is usually trusted by all devices on it.

Good points; these two issues are quite different.

You could stop the network-access problem by putting an extra router (a secure one) between the modem and your local network, but that wouldn't save you from MITM.


You mean you're not using end-to-end certificate-based encryption for all your applications these days?

And all the pushback we get from people here that DoH/DoT is a bad thing.


Not all applications are, and there are specific automated downgrade attacks for encrypted comms that force some back to plaintext. Giving outsiders access to your internal network is rarely a good idea.


You're implying we shouldn't bother with firewalls.


It's not my applications, but applications that auto-update over unencrypted HTTP. Also, IoT devices with software built by the lowest bidder.


Many or most devices don't support this and the average consumer isn't capable of doing it himself.


For most home users, the NAT on their router is also their firewall. It's akin to saying that it doesn't matter if someone can open your front door as they will only get access to the entrance hall...


> the worst they can do is shut off your internet

I can imagine just a couple more things about having complete control of the only internet gateway most of us have at home.


I see your point, but the vast majority of people who own a modem have no idea that a private key does not refer to the one under their doormat.

And even if the worst thing is shutting off people's internet, I fail to see how, at this scale, it is not at least a tiny issue?



