December 14, 2016

BAD Gear

Gingsoft's Do Not Trust List

Everything that touches the Internet has design flaws, bugs, and exploitable vulnerabilities, regardless of whether it’s the cheapest or the most expensive option. All operating systems, such as Windows, Linux, Mac OS X, Apple iOS, Android, etc., have problems. Security patches come out, new bugs are found, those are patched, and the saga continues. But what isn’t forgivable is when backdoors are manufactured into products, or when a manufacturer’s utter lack of the simplest security measures is a recurring theme. That is when they get added to this DO NOT BUY list.

Laptops (do not buy these)

Do Not Trust Lenovo

  • Feb 2015 (Forbes) – Superfish, a piece of malware (an adware pusher) that the Chinese firm pre-installed on consumer Lenovo laptops.
  • May 2016 (IB Times) – Lenovo updater vulnerable to Man-In-The-Middle

Do Not Trust Acer

  • May 2016 (IB Times) – Acer updater vulnerable to Man-In-The-Middle
  • Jun 2011 (The Hacker News) – Pakistan Cyber Army hacked Acer’s FTP server and stole around 40,000 user accounts and source code stored on the server.

Do Not Trust Dell

  • May 2016 (IB Times) – Dell updater vulnerable to Man-In-The-Middle
  • Nov 2015 (Inquirer) – eDellRoot, a flaw that allows hackers to create trusted certificates, impersonate sites and launch man-in-the-middle attacks.

Mobile Phones (do not buy these)

  • BLU
    • Nov 2016 (The Hacker News) – the firmware has a backdoor installed by the China-based company Shanghai AdUps Technology.
  • Huawei
    • Nov 2016 (The Hacker News) – the firmware has a backdoor installed by the China-based company Shanghai AdUps Technology.
  • ZTE
    • Nov 2016 (The Hacker News) – the firmware has a backdoor installed by the China-based company Shanghai AdUps Technology.

Routers (do not buy these)

  • D-Link
    • Feb 2017 (SecurityWeek) – Security researchers discovered that D-Link DGS-1510 switches have a weak authentication implementation. A remote attacker can bypass the weak authentication, execute commands on the switch, and extract the configuration and other data.
    • Jan 2017 (The FTC) – According to the FTC’s complaint, D-Link promoted the security of its routers on the company’s website, which included materials headlined “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” But despite the claims made by D-Link, the FTC alleged, the company failed to take steps to address well-known and easily preventable security flaws, such as:
      • “hard-coded” login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that could allow unauthorized access to the cameras’ live feed;
      • a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
      • the mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and
      • leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.
  • Fortinet
    • Oct 2016 (CVE-2016-7560) – A hardcoded rsync account allows remote attackers to read or write arbitrary files.
    • Aug 2016 (CVE-2016-6909) – Buffer overflow in the Cookie parser in Fortinet FortiOS allows remote attackers to execute arbitrary code via a crafted HTTP request, aka EGREGIOUSBLUNDER.
  • Netis
    • Aug 2014 (The Hacker News) – A hardcoded backdoor listening on UDP port 53413, which can be accessed from the Internet side of the router. The password to this backdoor is hardcoded into the router’s firmware.
  • Netcore
    • Aug 2014 (The Hacker News) – A hardcoded backdoor listening on UDP port 53413, which can be accessed from the Internet side of the router. The password to this backdoor is hardcoded into the router’s firmware.
  • ASUS
    • Feb 2016 (The Hacker News) – Easily hackable, fake security: the “Check for Updates” button doesn’t actually do anything. It’s so bad that the US Federal Trade Commission (FTC) filed a lawsuit regarding its router insecurity.

Security Cameras (do not buy these)

  • D-Link
    • Jan 2017 (The FTC) – According to the FTC’s complaint, D-Link promoted the security of its routers on the company’s website, which included materials headlined “EASY TO SECURE” and “ADVANCED NETWORK SECURITY.” But despite the claims made by D-Link, the FTC alleged, the company failed to take steps to address well-known and easily preventable security flaws, such as:
      • “hard-coded” login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that could allow unauthorized access to the cameras’ live feed;
      • a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
      • the mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and
      • leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.
  • Dahua Technology and Hangzhou Xiongmai Technology
    • Oct 2016 (The Hacker News) – These were used in the DynDNS attack that took down a huge part of the Internet. They will be used again in bigger attacks in the future. You can count on it.
  • Sony Chip HD 6 Camera 1080P PoE IP CCTV surveillance camera kit
    • Apr 2016 (ArtfulHacker) – Uses a malicious 1-pixel iFrame that calls out to brenz.pl, which is known to host malware.