IT'S MONDAY and you have a new security vulnerability to worry about. Stop looking at Windows, and stop considering your mobile phone, as we are talking about your bloody router here.
Ah router, always there, always on and always reliable. Not. It turns out that the shady little bastard is as open to manipulation as the rest of your technology crew and as likely to be lured to the dark side.
F-Secure researchers said in a security alert that Inteno routers have a problem that could give bad parties the kind of access that you could really do without. The flaw is applicable only to some models, according to the firm, but that is plenty.
"By changing the firmware the attacker can change any and all rules of the router," explained Janne Kauhanen, cyber security expert at F-Secure.
"Watching video content you're storing on another computer? So is the attacker. Updating another device through the router? Hopefully it's not vulnerable like this, or they'll own that too.
"Of course, HTTPS traffic is encrypted, so the attacker won't see that as easily. But they can still redirect all your traffic to malicious sites that enable them to drop malware on your machine."
This is bad stuff indeed. F-Secure told Inteno about the discovery before disclosing the details. The flaw reportedly still exists, and the security firm appears to be tired of the whole mess and the constant toppling of security expectations.
"It's ridiculous how insecure the devices we're sold are. We and other security companies find vulnerabilities in these devices all the time," said Kauhanen.
"The firmware used in routers and IoT devices is neglected by manufacturers and their customers - by everyone except hackers, who use the vulnerabilities to hijack internet traffic, steal information and spread malware."
We have attempted to contact Inteno about the problem, and F-Secure said that it is trying to determine whether the flaw is patched or not.
However, according to reports, Inteno hasn't patched the flaw, and doesn't plan to. F Secure told us that as far as it knows the thing is patched, but that due to some communications issues, it cannot be sure that this is blanket coverage.
Our understanding is that a patch existed prior to the public disclosure (In other words, Inteno has patched the vulnerability sometime in the six months between our initial disclosure to them, and this public disclosure)," said Kauhanen.
"They have assured some operators that the patch has already been applied to devices distributed by those operators. However, we have not seen this patch, or been able to verify whether it fixes the issue, due to lack of cooperation from Inteno." µ
Sadly that doesn't include offering you a beer
It's like the Hokey Cokey only for the stock market
FruityArmor and SandCat have already made use of the privilege escalation bug
A small village in Siberia will eat well tonight