> These reports led us to believe the problem was likely a firmware issue, as most other issues could be resolved through a factory reset.

My dream is to intercept the write-enable lines on the flash chips holding these firmwares so I can lock out updates. And schedule a daily reboot for any memory-resident-only crap.

That’s what we used to do on, ahem, satellite receivers, 20 years ago, and maybe we all need to treat every device attached to the internet as having a similar susceptibility to “electronic counter-measures”.

Or at least monitor them for updates and light up a light when an update happens, if it was my own equipment, and I’d know if it should go off or not.
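The "light up a light when an update happens" idea from the comment above, as an added example that is not code from the thread: baseline a fingerprint of each device's firmware, re-check on a schedule, and flag any change, distinguishing changes to an image the operator has vetted from changes to something nobody approved. The `fetch` callable is a hypothetical hook (a dumped image, or a version/build string scraped from the device); the sample fleet is constructed for the demo.

```python
"""Firmware-change monitor for a small fleet of home/edge devices.

Added example; not code from the thread. `fetch` is a hypothetical hook that
returns whatever bytes identify the running firmware. SAMPLE_IMAGES and
APPROVED are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Set


@dataclass
class Alert:
    device: str
    previous: str   # baseline fingerprint
    current: str    # fingerprint now observed
    approved: bool  # True if the new image is on the operator's allow-list


def fingerprint(image: bytes) -> str:
    """Stable identity for a firmware blob: SHA-256 hex digest."""
    return hashlib.sha256(image).hexdigest()


def load_baseline(path: Path) -> Dict[str, str]:
    """Device name -> last known fingerprint; empty on first run."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_baseline(path: Path, baseline: Dict[str, str]) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def check_devices(devices: Iterable[str],
                  fetch: Callable[[str], bytes],
                  baseline: Dict[str, str],
                  approved: Set[str]) -> List[Alert]:
    """Compare each device against the baseline; return one Alert per change.

    First sightings are learned silently. Any later change is reported and the
    baseline is advanced so the same change is not re-reported next run. The
    change is judged against `approved`, so an image nobody vetted (an attacker
    push, or a corrupted vendor update) shows up with approved=False.
    """
    alerts: List[Alert] = []
    for name in devices:
        current = fingerprint(fetch(name))
        previous = baseline.get(name)
        if previous is None:
            baseline[name] = current
            continue
        if current != previous:
            alerts.append(Alert(name, previous, current, current in approved))
            baseline[name] = current
    return alerts


# Constructed sample fleet: all three devices start on the same build.
SAMPLE_IMAGES: Dict[str, bytes] = {
    "router-a": b"fw-1.0.3",
    "router-b": b"fw-1.0.3",
    "router-c": b"fw-1.0.3",
}
# Images the operator has vetted; anything else is unexpected.
APPROVED: Set[str] = {fingerprint(b"fw-1.0.3"), fingerprint(b"fw-1.0.4")}


def demo():
    """Two monitoring runs: learn the baseline, then detect two changes."""
    images = dict(SAMPLE_IMAGES)
    baseline: Dict[str, str] = {}
    fetch = lambda name: images[name]
    learned = check_devices(images, fetch, baseline, APPROVED)  # first run: learn only
    images["router-a"] = b"fw-1.0.4"                  # vetted vendor update
    images["router-b"] = b"\xde\xad\xbe\xef unknown"  # image nobody approved
    return learned, check_devices(images, fetch, baseline, APPROVED)


if __name__ == "__main__":
    _, alerts = demo()
    for a in alerts:
        light = "green" if a.approved else "RED"
        print(f"{a.device}: firmware changed ({light}) {a.previous[:12]} -> {a.current[:12]}")
```

Run it from cron (or after each scheduled reboot) with `load_baseline`/`save_baseline` around `check_devices`; the allow-list is what turns "something changed" into "something changed that I did not sanction", which is the signal the commenter wants.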
Article is light on the interesting details. How did they come in? Do these routers have open ports and services by default and answer to the Internet in a meaningful way?

Couldn't someone grab different firmware versions and compare them?

Looks like they are doing what everyone else is doing and using OpenWrt with a vendor SDK: https://forum.openwrt.org/t/openwrt-support-for-actiontec-t3200m/154720

What's interesting here is that it's speculated the vendor sent a malicious/broken update: https://www.reddit.com/r/Windstream/comments/17g9qdu/solid_red_light_on_t3200_modem/

So why is there no official statement from the ISP? If it was an attack, shouldn't there be an investigation?

I'm not familiar with how this is handled in the USA, but this looks really strange.

Maybe these machines were bot infested *and* the vendor pushed an update that broke everything?

Maybe it's like in the article and it was a coordinated attack, maybe involving ransom, and everyone got told it's a faulty firmware update, keep calm?

Which is also kind of bad; as the customer I'd like to know if there are security incidents.

Has anyone links to firmware images for these devices? Or any more details?
> Lumen identified over 330,000 unique IP addresses that communicated with one of 75 observed C2 nodes

How does Black Lotus Labs global telemetry know which IP communicated with which other IP if they have control of neither endpoint? Who/what is keeping traffic logs?

If these guys can do it, remind me again how Tor is secure because nobody could possibly be able to follow packets from your machine, through the onion hops, to the exit node where the same packet is available unencrypted...
For a few years now I only buy a small x86 box with dual nics and run OpenWRT. I love it. It's open source, lots of support, good community. It supports wireguard. Latest version allows you to even run docker containers.
Well, if you backdoor 600k routers and introduce a firmware bug with one of your patches, this is what happens.

Can't they just stage their updates? Surely, malware authors and users must be too cool for adopting standard prod practices.
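The "standard prod practice" the comment above alludes to, as an added example that is not code from the thread or from any vendor: a ringed rollout with a health gate. Devices are ordered so the canary ring already contains every hardware revision, each ring is pushed and then checked, and the rollout halts before the next ring if the failure budget is exceeded. `push_update` and `is_healthy` are hypothetical hooks standing in for the fleet-management system; the 18-device fleet and the simulated image that bricks one revision are constructed.

```python
"""Staged (ringed) firmware rollout with a health gate.

Added example; not code from the thread. `push_update` and `is_healthy` are
hypothetical hooks; FLEET and the simulated bad image are constructed.
"""
from itertools import zip_longest
from typing import Callable, Dict, List, Sequence


def stratified_order(fleet: Dict[str, str]) -> List[str]:
    """Interleave devices across hardware models so the first ring already
    contains every variant; a bug that only bricks one revision then shows
    up in the canary instead of in the wide ring."""
    by_model: Dict[str, List[str]] = {}
    for device, model in fleet.items():
        by_model.setdefault(model, []).append(device)
    order: List[str] = []
    for row in zip_longest(*by_model.values()):
        order.extend(d for d in row if d is not None)
    return order


def make_rings(devices: Sequence[str], sizes: Sequence[int]) -> List[List[str]]:
    """Split devices into rings of the given sizes; the remainder is the last ring."""
    rings, start = [], 0
    for size in sizes:
        ring = list(devices[start:start + size])
        if ring:
            rings.append(ring)
        start += size
    if start < len(devices):
        rings.append(list(devices[start:]))
    return rings


def staged_rollout(devices: Sequence[str], ring_sizes: Sequence[int],
                   push_update: Callable[[str], None],
                   is_healthy: Callable[[str], bool],
                   max_failure_rate: float = 0.0) -> dict:
    """Push ring by ring; stop before the next ring once a ring exceeds the
    failure budget. Returns the devices updated, the devices that failed the
    health check, and the ring index at which the rollout halted (None if it
    completed)."""
    result = {"updated": [], "failed": [], "halted_at_ring": None}
    for index, ring in enumerate(make_rings(devices, ring_sizes)):
        for device in ring:
            push_update(device)
        unhealthy = [d for d in ring if not is_healthy(d)]
        result["failed"].extend(unhealthy)
        result["updated"].extend(d for d in ring if d not in unhealthy)
        if len(unhealthy) / len(ring) > max_failure_rate:
            result["halted_at_ring"] = index
            break
    return result


# Constructed fleet: 18 CPEs, every third one a different hardware revision.
FLEET: Dict[str, str] = {f"cpe-{i:02d}": ("rev-b" if i % 3 == 0 else "rev-a")
                         for i in range(1, 19)}
RINGS = [2, 4]  # canary pair, small ring, then everyone else


def simulate(image_bricks_rev_b: bool) -> dict:
    """Run the rollout against a simulated image; the bad one bricks rev-b units."""
    bricked = set()

    def push_update(device: str) -> None:
        if image_bricks_rev_b and FLEET[device] == "rev-b":
            bricked.add(device)

    def is_healthy(device: str) -> bool:
        return device not in bricked

    return staged_rollout(stratified_order(FLEET), RINGS, push_update, is_healthy)


if __name__ == "__main__":
    bad = simulate(True)
    print(f"bad image: halted at ring {bad['halted_at_ring']}, "
          f"bricked {bad['failed']} out of {len(FLEET)} devices")
    good = simulate(False)
    print(f"good image: updated {len(good['updated'])} devices, halted={good['halted_at_ring']}")
```

With the stratified order the bad image bricks a single canary unit and the rollout stops; without it the first rev-b device would only be reached in a later, larger ring, which is the difference between one brick and a fleet-wide outage.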
For anyone else that was confused by the headline, this is about the destruction of 600,000 individual (small) routers. Not routers that are worth $600,000 (each or combined).
@dang, if there are karma points at HN, you could add some for submitters who improve upon the oft-execrable original clickbait headlines/titles.
(Here, I see present verb tense being used for an incident from October of last year.)
Related article from Ars Technica:
https://arstechnica.com/security/2024/05/mystery-malware-destroys-600000-routers-from-a-single-isp-during-72-hour-span/
For my home network I've purchased a networking appliance form-factor computer, which is basically a regular old i3 with VT-x support in a fanless case and 4 2.5GiB NICs. I've installed my favorite stable Linux distro that gets regular automated security updates in both the host and a VM, and I've device-mapped 3 of the NICs into that VM. The remaining NIC remains unattached to anything unless I want to SSH in to the host. I'm running UFW and Shorewall in the VM to perform firewall and routing tasks. If I want to tweak anything I just SSH in to that VM. I have a snapshot of the VM disk in case I mess something up, so I can trivially roll back to something that I know works.

I've purchased a couple of cheaper commercial WiFi access points, and I've placed them in my house with channels set up to minimize interference.

Prior to this I've gone through several iterations of network products from the likes of Apple, Google, and ASUS, and they all had issues with performance and reliability. For example, infuriating random periods of 3-5 seconds of dropped packets in the middle of Zoom conferences and what not.

Since I've rolled my own I've had zero issues, and I have a higher degree of confidence that it's configured securely and is getting relevant security updates. In short, my home network doesn't have a problem unless some significant chunk of the world that's running the same well-known stable Linux distro also has a problem.
Useful recommendations from the Canadian government:

https://www.cyber.gc.ca/en/guidance/routers-cyber-security-best-practices-itsap80019
I read the Lotus Labs blog post they linked and they mentioned no analysis of the actual firmware payload that actually bricked them; is this out there, or a sample?

I'd be curious to know if it was actually meant to brick, or someone f'ed the image and accidentally bricked them trying to be clever.

Also, if it was a nation state, why would you so publicly burn your capability bricking residential routers on an ISP that seems to mostly serve rural areas? If they did it for testing, that'd be real dumb.