Tomato routers under attack

[splerdu]

https://arstechnica.com/information-technology/2020/01/internet-routers-running-tomato-are-under-attack-by-notorious-crime-gang/
"Internet routers running the Tomato alternative firmware are under active attack by a self-propagating exploit that searches for devices using default credentials. When credentials are found and remote administration has been turned on, the exploit then makes the routers part of a botnet that’s used in a host of online attacks, researchers said on Tuesday."

[Mr. Bungle]

^ That's exactly one of the reasons why I stopped flashing my router and smartphone with custom firmware and custom ROMs respectively. While those do enable more functionality than stock, I'm not so sure about how the security of the device is being handled.

Manufacturers tend to address critical security holes in their own firmware more proactively, at least with the brands I use.

[jeremypv]

huh? you don't need to stop flashing thirdparty router with 'more' functionality with the default firmware, what you need to stop is /not/ change the default password, as that was the attack -- if you have a sensible mind, you'd change the password of anything with a password...

that article is quite misleading (misleading in a sense that this is not the norm), as very few in their right mind would not change the default password *AND* open turn on remote management... that actually would difficult to do both for novices, so it must be intentional (or some youtube tutorial instructs users to do this)

I think most (if not all) users that flash thirdparty firmware are competent enough to change the default password.


EDIT:
Now that I think about it, most likely these routers are sold as is (remember those Tomato-based routers from CDR-King?), then the one scanning for these routers are the one that sold them... (conspiracy theory mode activated  )

[splerdu]

The article was pretty detailed, the headline (and my thread title) are clickbait.

I'd actually like to see their infection stats. Can't imagine the intersection between the sets of A) people who know how to flash third-party firmware and B ) people who leave the default password on while C) turning on remote administration (which is off by default) is going to be very large.

[jeremypv]

It's very detailed, to quote:

there’s no indication the new variants are using any flaws in Tomato. That suggests that weak passwords are the sole means the botnet has for taking control of routers.
...
Post updated to note remote administration is turned off by default.

so that's quite indicative of what you wanna see...
and it's not going to be very large, since A alone are very small, couple that with B which is if you know how to install a third party firmware, you will be keen on security (and besides, if you are the one who installed the firmware, you will be asked to change the password upon first boot -- so for those routers with default credentials, most likely they are not the one who installed it...), and C will be idiotic, so that will be (contrary to your conclusion) will be very, very, very small, unless it is within what my conspiracy theory above suggests.