Software that runs home routers, cell phones and personal digital assistants is rife with security bugs.
Barnaby Jack, a Juniper Networks security researcher, gave a tutorial at the CanSecWest conference here on how bug hunters can find exploitable vulnerabilities in such devices and demonstrated an attack on a D-Link router using a yet-to-be-patched hole.
“Security flaws are abundant on these devices,” Jack said. “Security needs to reach further than a home PC. Insecure devices pose a threat to the entire network. Hardware vendors must take security into consideration.” He has discovered a way to turn a common type of computing error — called a null pointer dereferencing error — into something far more dangerous than previously thought. Researchers have known for years how to create these flaws, which occur when the computer tells a program that the part of memory that it’s looking for is invalid, or “null.”
Jack’s null pointer exploit is effective on the Arm and xScale processors that are widely used in embedded devices, but it does not work on Intel architecture processors used by PCs.
Above excerpts from C|Net and Network World. Links to full articles here:
http://www.networkworld.com/news/2007/041907-new-attack-puts-routers-cell.html?page=1
http://news.com.com/Bug+hunter+targets+routers%2C+other+gadgets/2100-1002_3-6177754.html
Q: So what can we do to prevent such attacks on these devices today?
A1: Utilize a defense-in-depth strategy. Protect yourself as though your home router has already been compromised. This means putting firewall software on every home computer. Make sure your anti-virus and anti-spyware software are up-to-date. Consider putting an additional firewall (from a different manufacturer) inline with your first firewall (experts only).
A2: Know your make and model of home router. Visit the manufacturer’s or service provider’s website and see if there are updates that address this problem.
Peter H. Gregory 