Plusnet Hub One; A few thoughts on Router security [12 December 2017].

I do not claim originality or expertise in this field, I am not a security expert by any definition.
I am however a security and privacy evangelist, I believe that security and privacy are important and do not get the attention and respect they deserve. I especially believe that big companies should provide much higher standards of basic security and privacy by default than they currently do and are currently required to do by regulation.
We are rapidly approaching the point at which there will be some disaster [or string thereof] caused by insecure internet devices that will cause kneejerk regulation that tightens security regulations. Such regulation will almost inevitably be bad, as kneejerk regulation always is.
It would be far better to improve security and privacy and protect ourselves now when we can think calmly and clearly BEFORE the disaster/s strike, and the lawsuits come. I would say that hoping that the disaster botnet that finally causes change be on someone else’s network is not a gamble worth taking.

To that end, here is a basic feature checklist, with an explanation for why the features are valuable for security and privacy, for a home router that the Plusnet Hub One and its ilk should be expected to live up to.

This is based upon the work of defensive computing expert Michael Horowitz who runs the site routersecurity.org and to who’s work/site I credit for much of what follows.

https://www.routersecurity.org/

While he advises never buying/using consumer grade or ISP provided routers, I firmly believe that just because such devices ARE bad does not mean that they SHOULD be bad or that this is a situation that should be accepted or can never be changed. Particularly as the overwhelming majority of users will never hear, let alone heed, his advice. [or be able to afford the multi-hundred pound routers currently required to follow it]

By pushing for Plusnet/BT to follow/implement the features/steps outlined below, we could all benefit from having routers and home networks that are more reasonably secured. And don’t just claim to be because they are compliant with hopelessly inadequate and out-of-date regulation.

Plusnet Hub One:
Local Admin. [All this applies to remote admin as well but more so]
The first and most basic step in securing all device to device communications and preventing man-in-the-middle attacks [ Computerphile – Secure Web Browsing https://www.youtube.com/watch?v=E_wX40fQwEA For a brief introduction to some of the reasons you want to use TLS/https as opposed to http] is to use a properly certificated encrypted connection.
In this case represented by an HTTPS web interface using TLS 1.2 minimum with a properly pinned and signed certificate.
What you actually get if you try to log into your Hub One is an unencrypted HTTP webpage that sends everything in plaintext. So...

Step one; Securing the router by making ALL connections to the Router go over properly encrypted connections. [and yes that will include checks for updates, update downloads, any remote access, and connections on internal networks even over Ethernet. Basically EVERYTHING the router sends to ANYONE ANYWHERE should be REQUIRED to be encrypted before it can be claimed the router is at all secure. That also means using the latest encryption standards and not being able to fall back to insecure out-of-date standards]

Step two; in the case of the Hub One incredibly, the local admin web portal provides privileged information that should only be available to an authorized administrator right there on the landing screen before it even asks for your username and password. Information like the firmware version & time of last update [useful for any hacker that wants to target a particular firmware version with known vulnerabilities]. Your Broadband username! Status of Plusnet Access Control and Internet services... And a complete map of the current network including all connected devices, the device names, MAC address, and IP address. Information which can be used to launch further targeted attacks on your network and is made available on an unencrypted landing page before any logon is required. All that information is useful and should be made available; it should just be hidden behind a secure login and an encrypted connection. The landing page for a routers admin website should contain nothing other than the login to the router and no other information until login has been completed successfully.

Step three; Having got your encrypted login, you should have a button that lets you end the session and log out, [And has big advisories reminding you to do so] you shouldn’t rely on having to wait for the session to time out as this leaves a vulnerable window when a third party can use your session cookie [that they intercepted over your unencrypted connection] to pretend to be you and continue the as yet untimed-out session and not even need your password... although at present they can also steal that over the unencrypted connection, however the beauty of using a valid users session and tacking your malicious actions on at the end using the same session is that the logs will not show any extra unaccounted for logins making detection of malicious activity that much harder. Also an option to change/see timeout period would be beneficial here.

Step four; Only one person should be able to log into the router at a time, the Hub One currently allows multiple simultaneous logins. This isn’t just bad from a security standpoint but can cause issues if multiple people try changing settings at the same time.

Step five; Access to Local Admin should have an option to be able to be disabled on the WiFi and be made Ethernet only. This means that in the event that someone bad gets on your wireless network they still can’t get into your router.

Step six; Minimum PW length should be 15 chars, not 5 or 8.  Any PW that short can be trivially broken. A Max length of 20 is just about ok, 30 would be better, 60 would be best, but 20 is ok.
Also PW Hint is a giant exercise in getting people to make memorable [i.e. easy to break] passwords and then adding in information a hacker can use to make them even easier to break.
This should be ditched entirely in favor of support for PW Managers and strongly recommending customers use PW managers [e.g. lastpass] to create and securely store and manage their passwords for all their sites including their router. Good PW managers are available for all major browsers/OS’s including mobile and improve security across the web and as an ISP Plusnet should be encouraging and supporting their use broadly.

Step seven; Ability to change the username as well as the password thus massively increasing the difficulty of breaking in as you have to guess both. [you always have the manual reset to factory defaults button if you forget, which doesn’t lose you data you just have to reconfigure settings, which you should have been prompted to backup [hint hint]]

Step eight; You can’t hack a network when it’s off. The ability to schedule the WiFi to turn off at night [or if you’re out all day during work hours] and back on in the morning [similar to your access control feature] would improve security [and power consumption] by making the network unavailable for attack while it’s not in use.
If not this, then at least the ability to easily turn the WiFi on and off [like airplane mode but for the router]. Ideally for future models with an external button. So you can just turn the network off before you go to bed/out to work and back on when you wake up/get back home.

Step nine; Remove WPS!
WPS (Wi-Fi Protected Setup) is a ‘network security’ [big air quotes] standard for wireless home networks. It includes 4 different methods for connecting devices the most troubling one being ‘the pin method’. Every device that is WPS enabled MUST according to the standard be issued with its own unique 8 digit pin that CANNOT be changed. If this 8 digit pin is used you can connect to the wireless network on this device WITHOUT knowing the wireless password.
Unfortunately it’s not actually an 8 digit PIN because the last digit is a checksum created from the first 7 digits so it’s really a 7 digit PIN. And unfortunately it’s not really a 7 digit pin because the device authenticates the first 4 digits and then authenticates the last 3 which means you only need to do a brute force attack on a 4 digit number and then a 3 digit number which gives you a max of 11,000 combinations of which you will need to try on average 5,500. Trying all 11,000 combinations @ 1/sec will take a computer ~3hours.... If you have WPS enabled your WiFi can be broken into in a couple of hours and it doesn’t matter what your PW is. The pin is hardcoded so you can never change it. And this isn’t even the only vulnerability in WPS, it’s riddled with them.
If you haven’t already, turn off WPS on your router. And Plusnet/BT .... Don’t put it on any more routers ever please. Thank you.

Step ten; After making sure that all communications are encrypted; That the router verifies this when it does things like check for updates and it verifies that it’s checking for updates from the right place over the right kind of signed secured connection. The router should securely validate that any firmware updates it receives are actually genuine signed updates from plusnet/BT and have not been corrupted/provided by anyone else. This is hard, companies like Apple and Microsoft work hard to make things like this work for their operating systems and it was this system for an iPhone that the FBI wanted Apple to compromise to create a backdoor into a [dead] terrorists phone a while back. Because it’s hard to do, and this router is 'free' and fails so many security basics, I’m pretty confident that the Plusnet Hub One does not currently receive securely validated signed updates over a TLS encrypted connection that it checks to make sure are actually genuine. I will fall off my chair if it turns out this is in fact the case. Never-the-less it should be the case. The popular tool CCleaner was recently compromised by a malicious third party [probably nation state] compromising it’s update system and pushing out a malicious update to a large portion of its user base. And that was just one of many recent examples of such attacks. So ‘the bad guys’ are definitively targeting update mechanisms this is not a theoretical threat.

Step eleven; read the router security checklist at the following site and really think about the security features it suggests and those ones that you could actually provide. There are many more than I have suggested here. Including many marked as essential.
https://www.routersecurity.org/checklist.php

To claim that you care about security and privacy of your users, and genuinely mean it, you need to do a better job than you are currently doing. I hope that you are genuine in your desire to do better and that this feedback can point you in the right direction to do so. I also hope that it might start to raise awareness about the importance of router security and how lacking it currently is.
The amount of material I did not include in this post to prevent it becoming too long J is far greater than that actually included, just to give a hint at the scale of the problem.

Convincing Illusion

EDIT: For all the mistakes my proofreading didn't pickup the firstime... sigh.