    436 points kennedn | 25 comments
    1. selinkocalar No.45255874
    IoT security is generally terrible, but the fact that consumer routers are essentially unaudited black boxes processing all your network traffic is genuinely concerning. Most people have no idea their router firmware hasn't been updated in years and is probably running known CVEs. The supply chain trust model for networking hardware is broken.
    replies(9): >>45255922 >>45256174 >>45256498 >>45256518 >>45256767 >>45257622 >>45258241 >>45258326 >>45258348
    2. teaearlgraycold No.45255922
    The solution is pfSense.
    replies(4): >>45255936 >>45255978 >>45256113 >>45256573
    3. arminiusreturns No.45255936
    The solution is iptables.

    The solution is nftables.

    The solution is bpf.

    The solution is emacs-m-x-butterfly-bpf.

    4. baby_souffle No.45255978
    Or OpenWrt.

    The BSD-based distributions sure are powerful, but with the power/heat budget to match.

    replies(1): >>45256236
    5. nuker No.45256113
    Better go OPNsense.
    6. java-man No.45256174
    IoT: the "S" stands for "Security"!
    replies(1): >>45256584
    7. bmurphy1976 No.45256236{3}
    I love me some OpenWrt but updating it has always been a risky chore.
    replies(1): >>45256512
    8. briHass No.45256498
    The stuff on the shelf, sure, but you can always go 'prosumer-grade' like Ubiquiti or MikroTik for hardware that actually receives timely updates and has competently written firmware.
    replies(1): >>45256548
    9. fignews No.45256512{4}
    Check out attended sysupgrade.
    10. cortesoft No.45256518
    Most people are using routers given to them (and configured) by their ISP... so really they are black boxes connected to an upstream black box for most people.

    I am always surprised by how many people give me their ISP-chosen router name and ISP-chosen password when I connect to their WiFi. I don't want to give my ISP that much control.

    replies(1): >>45257647
    11. drnick1 No.45256548
    Ubiquiti is awful, it's a cloud-centric ecosystem. The best "prosumer-grade" stuff is probably OpenWrt. If you need more power, OPNsense or a plain Linux distro on an x86 machine.
    replies(2): >>45256864 >>45257345
    12. drnick1 No.45256573
    Actually, pfSense kind of has a shitty reputation in the FOSS community and OPNsense is preferred.

    But I don't like the limitations of BSD systems in terms of hardware compatibility and performance, so I build my router using a plain Linux distro (Debian).

    13. BLKNSLVR No.45256584
    The password for my IoT wifi is "TheSInIoT"

    ;)

    14. Gigachad No.45256767
    There are countless routers in between you and your destination which you can't audit anyway. End devices have long since considered the routers to be compromised and have everything verified and encrypted in transit. So unless your router is participating in a DDoS or mining bitcoins it doesn't really matter how secure it is.
    replies(1): >>45257765
    15. gradstudent No.45256864{3}
    Not entirely true. There's a local admin option, where your Ubiquiti devices never see the internet (well, except your gateway). You can then connect and admin the whole thing remotely via your own VPN. It's quite nice, actually.
    16. 31337Logic No.45257345{3}
    100% this.
    17. protocolture No.45257622
    >IoT security is generally terrible

    I think IoT demands a rethink of security.

    Like sometimes I want IoT devices to just bloody connect, and if I have to use a published exploit that circumvents online-only requirements I will do it.

    But some people do genuinely have use cases for cloud-speaking IoT stuff.

    Really I think the device should ask at first run, and then burn in your response and act only in the selected mode. If you want it to require Cloud MFA, that's an option; if you want to piss Python at your lightbulb to make it blink, then that's where it lives permanently.

    18. tharkun__ No.45257647
    Are you really surprised though or are you talking about the HN-reading subset of your "many people"?

    Coz I would absolutely 100% not be surprised for your average consumer.

    For your average HN reader I would hope they treat whatever their ISP gave them as just some dumb "switch" type device that sits outside their trusted network and handles nothing but encrypted traffic. Like my ISP's device definitely does have WiFi and such, which I disabled. I treat it as a bridge / modem and it's definitely not part of my "inner circle". Hasn't been in 25 years.

    19. johncolanduoni No.45257765
    Many IoT devices (or Windows when the LAN network location is set to “Private”) expose a wider surface area to local network addresses. Having a competent firewall on your residential router is still useful, especially for those that have no idea how to configure their endpoints securely.

    Comparing a residential router to a network operator’s router is spurious: those routers don’t perform any sort of filtering for the public internet traffic flowing through them.

    replies(1): >>45259858
    20. ByteDrifter No.45258241
    Most people only care about how strong the signal is when buying a router, but almost no one checks if the firmware is outdated, or bothers to change the default password or disable remote access. And manufacturers rarely remind you either, so over time it just becomes a hidden risk.
    replies(1): >>45259236
    21. pabs3 No.45258326
    A lot of them violate the GPL and BSD licenses too.
    22. fulafel No.45258348
    Nitpick, but "known CVEs" doesn't mean a vulnerable device. The majority of CVEs in your NAT box software (aside: NAT is not routing) are going to be things like "insecure temp file handling".

    Your point of course stands, the situation is terrible.

    23. t-3 No.45259236
    Most people don't buy routers, they get them from the ISP and never think about them again unless the wifi goes out, in which case they unplug and plug back in.
    replies(1): >>45260001
    24. dracotomes No.45259858{3}
    Is there any residential router that exposes internal endpoints by default? I've yet to come across one that does not have a deny-any policy on its WAN interface and has incoming destination NATs set up.

    What use is reducing the attack surface of a device which only ever initiates connections?

    Edit: also there are network operators that block customer traffic on certain ports like NetBIOS, SMB or SMTP to name a few.
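    The two comments above describe the same router from two sides: a default-deny WAN with stateful tracking so nothing unsolicited gets in (No.45259858), and a firewall that also keeps LAN-facing IoT/Windows services away from untrusted devices on the inside (No.45257765). The nftables ruleset below puts both into one file for a plain-Linux router of the kind drnick1 describes. It is an added example, not configuration posted by anyone in the thread; the interface names wan, br-lan and br-iot, the SSH/DNS/DHCP services on the router, and the three-segment layout are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumed interfaces:
#   wan    - upstream link to the ISP device, treated as a dumb bridge/modem
#   br-lan - trusted LAN
#   br-iot - isolated segment for IoT devices
flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the router itself: deny by default
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Services the router offers inward: SSH only from the trusted LAN,
        # DNS and DHCP from both inside segments
        iifname "br-lan" tcp dport 22 accept
        iifname { "br-lan", "br-iot" } udp dport { 53, 67 } accept
        iifname { "br-lan", "br-iot" } tcp dport 53 accept

        # ICMPv6 is required for IPv6 (neighbour discovery, PMTUD) to work;
        # ICMPv4 keeps ping and error reporting working
        meta l4proto ipv6-icmp accept
        ip protocol icmp accept

        # Unsolicited WAN traffic already hits the drop policy; the counter
        # makes it visible in `nft list ruleset`
        iifname "wan" counter drop
    }

    chain forward {
        # Traffic routed between interfaces: deny by default
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may reach the internet and may initiate to IoT devices
        iifname "br-lan" oifname { "wan", "br-iot" } accept

        # IoT devices may only reach the internet, never the trusted LAN;
        # their replies to LAN-initiated flows pass via established,related
        iifname "br-iot" oifname "wan" accept
        iifname "br-iot" oifname "br-lan" counter drop

        # Nothing unsolicited from the WAN is forwarded anywhere. A service
        # that genuinely needs exposure gets an explicit dnat plus an
        # explicit accept here, not a blanket rule.
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # IPv4 source NAT for everything leaving towards the ISP
        oifname "wan" masquerade
    }
}
```

    Load it with `nft -f <file>` and inspect the result with `nft list ruleset`; the counters on the two explicit drop rules show how much unsolicited WAN traffic and how many IoT-to-LAN attempts are being stopped. Because the filter table is in the `inet` family, the default-deny applies to IPv6 as well, which matters on ISPs that hand out a routed prefix: NAT is not what protects the LAN, the forward chain's drop policy is.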

    25. johnisgood No.45260001{3}
    Exactly. This really is the reality of it.