Which accounts for "most if not all Ubiquiti routers and AP's", according to one expert.
UBNT routers and APs have been vulnerable for over a decade; they have known about it and have done nothing. Next up are revelations of how the equipment has been exploited and by whom.
And, yes, Robert Pera continues to treat UBNT as his personal bank.
This goes for all MIPS-based routers and APs.
You can't seem to relativize your personal hate against UBNT.
Take your crap somewhere else, please.
Here are some other affected devices:
The following table groups devices together by vendor and reports on percentages of binaries
that incorporate essential hardening features. To illustrate how well, or poorly, vendors have
done in comparison to Linux equivalents, the first line item represents statistics for a default
installation of the 2016 Linux Long Term Support distribution 16.04.
| Brand | Model | Count | ASLR (%) | Non Exec Stack (%) | RELRO (%) | Stack Guards (%) | CPU |
|---|---|---|---|---|---|---|---|
| Ubuntu Desktop - Reference | 16.04, 64bit | 5379 | 23.21 | 98.99 | 100 | 79.43 | x86 |
| Asus | rt-ac55u | 334 | 0 | 0 | 1.8 | 0 | MIPS |
| D-LINK | dir-850l | 118 | 0 | 0 | 3.39 | 0 | MIPS |
| D-LINK | dir-880l | 128 | 0 | 99.22 | 7.81 | 0 | ARM |
| Linksys | e2500 | 201 | 8.79 | 0 | 3.48 | 0 | MIPS |
| Linksys | ea6100 | 414 | 5.82 | 0 | 0.97 | 0 | MIPS |
| Linksys | ea6900 | 468 | 2.50 | 0.21 | 1.28 | 0 | MIPS |
| Linksys | ea8500 | 484 | 2.26 | 99.79 | 2.07 | 0 | ARM |
| Netgear | WNDR4300v2 | 228 | 1.52 | 0 | 2.19 | 0 | MIPS |
| Netgear | r6100 | 170 | 1.96 | 0 | 2.35 | 0 | MIPS |
| Netgear | r7000 | 457 | 0 | 99.78 | 21.44 | 13.43 | ARM |
The ‘Non Exec Stack’ column shows that across all MIPS-based devices, only one binary
correctly, from a basic security standpoint, marks the stack as non-executable. By contrast,
ARM binaries mark the stack segment as RW almost all of the time. Per our paper on this MIPS
issue we expect the ARM toolchain, and ARM Kernel, do not suffer from the situations we
documented on MIPS.
Whereas MIPS lacked basic stack-based DEP we found that nearly all the devices, both MIPS
and ARM, generally lack other basic security and safety hygiene, such as ASLR and Stack
Guards. Both of these defensive techniques have been widely known and deployed for over a
decade. The data above shows that home routers are soft targets in comparison to the security
hygiene present in modern desktop operating systems (e.g. Windows 10, OS X 10.13, and
non-default, hardened, builds of Linux).
The data shows poor use of application armoring features across the board for these home
router embedded devices: stack guards are almost completely missing (besides just 13.43% of
binaries on the Netgear r7000)
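| Brand | Model | Count | ASLR (%) | Non Exec Stack (%) | RELRO (%) | Stack Guards (%) | CPU |
|---|---|---|---|---|---|---|---|
| Asus | rt-ac88u | 430 | 1.926 | 99.07 | 2.79 | 0.93 | ARM |
| D-LINK | dir-842 | 129 | 01 | 0 | 4.65 | 5.47 | MIPS |
| D-LINK | dir-890l | 140 | 0 | 99.29 | 7.14 | 0 | ARM |
| D-LINK | dir-895l | 138 | 0 | 99.28 | 7.25 | 0 | ARM |
| Linksys | wrt1900ac | 503 | 4.15 | 99.8 | 3.18 | 0.62 | ARM |
| Linksys | wrt32x | 139 | 4.05 | 100 | 94.96 | 81.58 | ARM |
| Netgear | r8000 | 440 | 0 | 100 | 22.05 | 13.65 | ARM |
| Netgear | r9000 | 477 | .44 | 100 | 17.82 | 0 | ARM |
| Netgear | rbr50 | 340 | .98 | 100 | 2.94 | 0 | ARM |
| Netgear | xr500 | 421 | 07 | 99.76 | 6.89 | 9.28 | ARM |
| Synology | rt2600ac | 1835 | 6.72 | 99.56 | 16.68 | 5.48 | ARM |
| TP-Link | ac1750 | 175 | 0 | 0 | 3.43 | 0 | MIPS |
| TP-Link | ad7200 | 276 | 0 | 99.64 | 3.62 | 0 | ARM |
| TP-Link | c3150_v2 | 160 | 0 | 99.38 | 14.37 | 0 | ARM |
| Trendnet | tew-827dru_v2 | 197 | 0 | 0 | 77.66 | 0 | MIPS |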
The Consumer Reports home router models we analyzed were made up of 3 ARM and 7 MIPS
devices (30% ARM, 70% MIPS). The firmware we analyzed from the ‘other 2018’ lists we
collected were made up of 15 ARM and 3 MIPS devices (83.33% ARM, 16.67% MIPS). Thus
bringing the total devices analyzed to 28 home router models, made up of 18 ARM and 10 MIPS
systems (64.3% ARM, 35.7% MIPS). Although the ratio of ARM to MIPS devices increased, the
overall use of basic hardening features was still poor. The Linksys wrt32x did better on basic
safety and security build hygiene than the routers in the Consumer Reports article with the most
consistent use of stack guards, RELRO, and non-executable stack marking, making it the best
in class among its peers for security features. The Linksys wrt32x was still missing ASLR almost
entirely, so there is still room for improvement. The router with the highest usage of ASLR
across binaries was the Linksys e2500 from the first group, with a still extremely poor 9% ASLR.
Given that ASLR is an easy safety hygiene feature to accomplish for binary applications, this is
a major industry-wide security lapse.
One method CITL uses internally to visualize comparisons between different devices is radar
charts. These charts show the percentage of binaries in the firmware image that have particular
hardening features, and plotting more than one at a time allows easy comparison. Here are two
samples from the above data that show the two extremes. Larger areas covered represent a
binary that is better hardened. The following plot shows the three best secured routers out of all
models that we reviewed.
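One way to measure the four table columns (ASLR, Non Exec Stack, RELRO, Stack Guards) for the binaries in a firmware image, as an added example that is not CITL's tooling and not part of the quoted report. The function names and the two sample images are constructed for illustration, and the stack-guard test is a simple symbol-name heuristic.

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO, PF_X, ET_DYN = 0x6474E551, 0x6474E552, 0x1, 3

def hardening(data):
    """Hardening markers of one ELF image (32- or 64-bit, either byte order)."""
    if data[:4] != b"\x7fELF" or len(data) < 52 or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"          # MIPS firmware ships in both byte orders
    try:
        ehdr = struct.unpack_from(end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"), data, 16)
        e_type, e_phoff, e_phentsize, e_phnum = ehdr[0], ehdr[4], ehdr[8], ehdr[9]
        nx_stack = relro = False                # a missing PT_GNU_STACK counts as "not marked"
        for i in range(e_phnum):
            off = e_phoff + i * e_phentsize
            p_type, = struct.unpack_from(end + "I", data, off)
            # p_flags follows p_type directly in ELF64 but sits at offset 24 in ELF32
            p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
            if p_type == PT_GNU_STACK:
                nx_stack = not (p_flags & PF_X)
            elif p_type == PT_GNU_RELRO:
                relro = True                    # partial vs. full RELRO is not distinguished
    except struct.error:
        raise ValueError("truncated ELF image")
    return {"aslr": e_type == ET_DYN,           # position independent, so the loader can relocate it
            "nx_stack": nx_stack, "relro": relro,
            "stack_guard": b"__stack_chk_fail" in data}   # heuristic: guard symbol is referenced

def percentages(images):
    """Share of binaries (in %) carrying each marker, as in the table columns."""
    reports = [hardening(b) for b in images]
    return {k: round(100 * sum(r[k] for r in reports) / len(reports), 2) for k in reports[0]}

def sample_elf32(endian, e_type, phdrs, extra=b""):
    """Constructed test image: ELF32 header plus (p_type, p_flags) program headers."""
    ident = b"\x7fELF" + bytes([1, 1 if endian == "<" else 2, 1]) + bytes(9)
    ehdr = struct.pack(endian + "HHIIIIIHHHHHH", e_type, 8, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(endian + "8I", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)
    return ident + ehdr + body + extra

# Constructed samples: a big-endian ET_EXEC with no markers, and a fully marked ET_DYN image.
SOFT = sample_elf32(">", 2, [(1, 5)])
HARD = sample_elf32("<", ET_DYN, [(1, 5), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)], b"__stack_chk_fail\0")

if __name__ == "__main__":
    print(percentages([SOFT, SOFT, SOFT, HARD]))
```

To survey real firmware, pass the bytes of every ELF file from an unpacked image to `percentages`; files that are not ELF raise `ValueError` and should be skipped.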