The "S" in IoT stands for "security".
We need IoST!
Internet of Thingsecurity?
I suppose ISPs could be more restrictive about which routers they allow their customers to use, but I'm not sure I'm a fan of further lockdown in that department.
I doubt that would do much, most people don't even know they can use a non ISP provided router
> There's gotta be a better way.
Until then... There's gonna be a bigger wave.
You’re gonna need a bigger boat.
Fun fact: part of the reason this botnet exists is because Europe required the ability to install security updates unattended that you cannot disable, and they compromised one of the servers that had the capability to push these updates, compromising hundreds of thousands of routers.
That's really impressive finger pointing.
If the vendor can't even secure their update server, how long do you think it would be until some RCE on these 100k unpatchable routers gets exploited?
The only one to blame for this is the vendor, and they failed on multiple levels here. It's not hard to sign a firmware, or even just fetch checksums from a different site than you serve the files from...
The problem is that these laws just make the problem bigger: instead of having to compromise 100 thousand routers, they can just compromise a single update server from a vendor that doesn't care about security.
The fallout is some companies losing their revenue: https://status.neoprotect.net/ and other headaches for people all over the world.
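The signing point raised in the comment above, worked through as an added example in Go. This is not code from any router vendor or from the commenter: the firmware bytes are constructed, the "vendor" key pair is generated on the spot purely for illustration (in a real pipeline the private half stays offline or in an HSM and only the public half is baked into the device), and the `UpdatePackage`, `BuildPackage`, `AttackerRepackage`, `VerifyByChecksumOnly` and `VerifySigned` names are made up here. It shows why a checksum served next to the image buys nothing once the update server itself is compromised, while an Ed25519 signature made with a key the server never held still fails on the swapped image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed sample firmware images; not real router firmware.
var (
	goodImage = []byte("ROUTERFW v1.2.3 (constructed sample image)")
	evilImage = []byte("ROUTERFW v1.2.3 (constructed sample image) + backdoor")
)

// UpdatePackage is what the update server hands to the device. Image and
// Checksum come from the same server; Signature is produced offline by the
// vendor's release pipeline with a key the server never holds.
type UpdatePackage struct {
	Image     []byte
	Checksum  string // hex SHA-256 of Image, served next to it
	Signature []byte // Ed25519 signature over Image
}

// BuildPackage models the vendor's release step: hash and sign the image.
func BuildPackage(signKey ed25519.PrivateKey, image []byte) UpdatePackage {
	sum := sha256.Sum256(image)
	return UpdatePackage{
		Image:     image,
		Checksum:  hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(signKey, image),
	}
}

// AttackerRepackage models an attacker who owns the update server: they can
// swap the image and recompute the checksum, but have no signing key, so the
// best they can do is reuse the signature from the genuine release.
func AttackerRepackage(genuine UpdatePackage, evil []byte) UpdatePackage {
	sum := sha256.Sum256(evil)
	return UpdatePackage{
		Image:     evil,
		Checksum:  hex.EncodeToString(sum[:]),
		Signature: genuine.Signature,
	}
}

// VerifyByChecksumOnly is the weak device-side check: it only proves the
// image matches whatever checksum the (possibly hostile) server published.
func VerifyByChecksumOnly(pkg UpdatePackage) error {
	sum := sha256.Sum256(pkg.Image)
	if hex.EncodeToString(sum[:]) != pkg.Checksum {
		return errors.New("checksum mismatch")
	}
	return nil
}

// VerifySigned is the device-side check with the vendor's public key pinned
// in the running firmware. A compromised server cannot forge this.
func VerifySigned(vendorPub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(vendorPub) != ed25519.PublicKeySize {
		return errors.New("bad vendor public key length")
	}
	if len(pkg.Signature) != ed25519.SignatureSize {
		return errors.New("bad signature length")
	}
	if !ed25519.Verify(vendorPub, pkg.Image, pkg.Signature) {
		return errors.New("firmware signature invalid: refusing to flash")
	}
	return nil
}

// Outcome records what each check decided for the genuine and tampered packages.
type Outcome struct {
	GenuineAcceptedBySig   bool
	EvilAcceptedByChecksum bool
	EvilAcceptedBySig      bool
}

// RunScenario generates a throwaway vendor key, builds a genuine release,
// lets the attacker repackage it, and runs both checks on the result.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := BuildPackage(priv, goodImage)
	tampered := AttackerRepackage(genuine, evilImage)
	return Outcome{
		GenuineAcceptedBySig:   VerifySigned(pub, genuine) == nil,
		EvilAcceptedByChecksum: VerifyByChecksumOnly(tampered) == nil,
		EvilAcceptedBySig:      VerifySigned(pub, tampered) == nil,
	}, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine image passes signature check:  %v\n", out.GenuineAcceptedBySig)
	fmt.Printf("tampered image passes checksum-only:   %v\n", out.EvilAcceptedByChecksum)
	fmt.Printf("tampered image passes signature check: %v\n", out.EvilAcceptedBySig)
}
```

Run with `go run .`: the tampered image sails through the checksum-only check because the attacker controls both the file and the checksum, and is refused by the signature check because the signing key was never on the server. The design lesson for the device side is that the verifying key must be pinned in the firmware already running, not fetched from the update channel, and that signature verification must happen before anything is written to flash.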
That's just not true. I'm in Europe and all of my routers allow me to disable unattended updates and most don't enable it by default.
Might be too old; my Asus router updated and I could no longer disable updates, and you can just look up the relevant law here: EU Cyber Resilience Act (CRA) 2024.
While it doesn't make it mandatory, it does require patching devices in a timely fashion, which in other terms requires forced updates; pushing updated firmware is not enough if you read between the lines.
Even stronger requirements come into effect at the end of 2027.
Wait, when was this?? Did it fly under the news??
It's one of the (I believe) hundreds (at this point) of zero-days that are used to build this botnet; at this point they are using the funds they get from selling this botnet to purchase new zero-days.