We’ve mentioned CloudFlare’s 1.1.1.1 DNS Service before, and the possible effects of its use on gateways. One of its features is the ability to use DNS over TLS, also called “DNS Privacy” by the people at DNSPrivacy.org. DNS over TLS, defined in IETF RFC 7858, is a standard developed to provide secure communication of DNS queries and responses between a DNS client and a DNS server. As more end devices and service providers seek to make use of it to benefit their end users, it has become an important feature to test on home and business network devices. Read more...
For our article on the alleged TR-069 vulnerability during the Mirai bot scare, go here. As one of the most largely deployed broadband management protocols in the world, TR-069 has quite a footprint, and a compromised system could potentially affect many broadband subscribers adversely. Luckily, TR-069 is built to operate on secure transport protocols. While there is nothing inherently insecure to the protocol itself, improper implementation of TR-069 clients and servers may expose problems that can be exploited by malicious attackers, as is the case with any web service. Read more...
Holes in home gateway security allow for a malicious hacker to take over a gateway in the way they would any other computer system. While the holes in most cases have been complex and deep seated bugs that would be hard to find without a lot of work, there are some easy to find bugs that seem obvious but would be missed without negative testing. The Problem Most application protocols use some method of authentication to ensure security and control identity management of users of the service. Read more...
Well, it’s official, the IETF is deprecating SSL version 3.0. This means that it will no longer be standard to fall back to SSL 3.0 in protocol negotiations, and for good reason: there have been a host of vulnerabilities in Secure Socket Layer, some of which are of particular concern to home networking devices that have web-based configuration tools or support TR-069. We hadn’t brought up the POODLE vulnerability before, but it, along with other vulnerabilities found in older versions of SSL and TLS, can be exploited even if your DUT is using the most recent versions of these protocols. Read more...
You may have recently heard of a major bug in the OpenSSL implementation, widely used to provide secure communications on the web. This vulnerability is fairly widespread, but has been corrected and will be fixed as more systems are patched. We also made an example capture and explanation of the bug and a packet capture of the attack in action at our CloudShark Appliance website. The security community quickly moved on this vulnerability, and in addition to the OpenSSL patch that is available to fix the problem, there have been several tools built to test servers for the Heartbleed vulnerability. Read more...
Here are solutions to a few common TR-069 SSL-related issues. The CPE does not have a time source Some CPE devices will not validate a SSL/TLS certificate from the ACS until a time source is established. TR-069 states that devices should skip date validation of certificates if a time source is not established. However, in practice some CPE devices simple end the SSL connection. A common symptom of this problem are DNS requests to an NTP server which is not configured. Read more...
To convert a Java keystore certificate to .pem format, follow these steps: Download and run the KeyTool IUI. Export the private key and certificate chains file from the keystore to a .pem file. This can be done by selecting Export > Keystore’s Entry > Private Key from the KeyTool IUI. Choose a target private key file and a target certificate chains file, and select .pem as the export format for both. Read more...
You can display the contents of a PEM formatted certificate under Linux, using openssl: # openssl x509 -in acs.qacafe.com.pem -text The output of the above command should look something like this: cdrouter@linux:/usr/share/doc/cdrouter> openssl x509 -in acs.qacafe.com.pem -text Certificate: Data: Version: 3 (0x2) Serial Number: 73:10:d8:99:cd:08:43:56:57:e0:56:17:84:87:8e:e3 Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority Validity Not Before: Jun 9 00:00:00 2006 GMT Not After : Jun 9 23:59:59 2007 GMT Subject: C=US, ST=New Hampshire, L=Portsmouth, O=QA Cafe, OU=CDRouter, OU=Terms of use at www. Read more...
