North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: (broadband routers) PC World: Flash Attack Could Take Over Your Router

  • From: Gadi Evron
  • Date: Thu Jan 17 20:43:00 2008

On Thu, 17 Jan 2008, Sean Donelan wrote:
On Wed, 16 Jan 2008, Gadi Evron wrote:
Yes, I still believe these ISP distributed machines called broadband routers are a network operators issue. But not all may agree on that.

What specifications can consumer electronics stores and ISPs include in the RFPs to consumer CPE vendors? What can consumer CPE vendors include
at the price-points for the market for consumer CPE? Is the Carterphone
era over, and consumers just can't handle managing CPE anymore?

Thanks for putting the discussion in focus, Sean. These are splendidly good questions! And cosumers may be able to handle CPE, but not most of the ones on broadband providers. "Anymore" ?

The questions you raise are very good, and I don't intend to attack their validity. My purpose here is to say that: yes, vendors should do better and it is good to form relationships with them, but currently there are millions of customers who consider these "modems" plug and play, regardless of technology.

The recursive DNS servers, linux machine, default passwords and whatever else may be on that CPE device is outside their realm of care. I'd be happy if Windows Update is turned on for even some of them, which is in their realm of care.

These devices are on the client end, and are not under client care. I believe this needs to be re-emphasized. I do not believe spreading gospel on how to secure them to end users is what we need, but rather the other part you mentioned, which is working with vendors.

Working with vendors aside (as you mentioned, can be frustrating) network operators need to realize these are in fact their problem, as the vendors are not quite up to scratch yet, are they?

These devices are:

1. Botnets waiting to happen.
2. Sniffers waiting to infringe on user privacy.
3. Recursive DNS servers waiting to be abused.

I believe the main points of interest are #1 and #3. I've worked with a few ISPs on this in the past couple of years, but it is obvious the issue remains un-noticed for most.

Flash and UPnP I am honestly not that interested in.