* Re: [Cerowrt-devel] Mofi still shipping Barrier Breaker (14.07)
From: Dave Taht @ 2023-09-03 17:04 UTC
To: Philip Prindeville; +Cc: Openwrt Devel, cerowrt-devel
The qsdk is on openwrt 15.
On Sun, Sep 3, 2023 at 9:51 AM Philip Prindeville
<philipp_subx@redfish-solutions.com> wrote:
>
> Hi all,
>
> As we work on the 23.05 release, I was stunned to receive a Mofi MOFI4500-4GXeLTE-V3 router with 14.07 installed on it as part of my Unlimitedville enrollment.
>
> I thought, "wow, this must have been sitting in a warehouse a while! I'd better update it." So I went to the company's support site, grabbed the latest image, flashed it, rebooted and... still running 14.07.
>
> For those of you too young to remember, Barrier Breaker was released 10/2014 and included the 3.10.14 kernel (released 6/2013).
>
> How is this not cyber security malpractice? A firewall is your first line of defense against cyber attacks. If your firewall has long known, well documented vulnerabilities and exploits, you might as well not have a firewall at all.
>
> I wrote them asking why there wasn't a more recent, more secure release of the firewall firmware and this was their response:
>
>
> > Dear Philip,
> > You dint seem to know what you are talking about and should leave software to Profesionals like us and relax
>
>
> I hope that most of the companies that use our software are more diligent, and don't incur repetitional damage to our efforts by continuing to ship EOL firmware.
>
> I get that not every company has kernel developers in-house, and frankly, providing an updated kernel release for their SoC is the manufacturer's responsibility, and MediaTek has not been responsive in this respect (for the longest time they were shipping a 2.6.36 SDK!). Some of the larger vendors (TPLink, ActionTec, Linksys, DLink, Netgear, et al) or their ODM partners have the option to hold their feet to the fire and make orders contingent on updated SDK's... I doubt that Mofi does the sort of volume that gives them any leverage.
>
> But I regress.
>
> Class Action suits are becoming more prevalent with computer and networking equipment manufacturers, as the public becomes aware of the increasing cyber security threats as well as manufacturers' implied responsibility to address vulnerabilities in a timely fashion as they become aware of them.
>
> I'm calling this out because I honestly hope it's the far outlier in our ecosystem, and not the rule.
>
> Sadly,
>
> -Philip
>
>
--
Oct 30: https://netdevconf.info/0x17/news/the-maestro-and-the-music-bof.html
Dave Täht CSO, LibreQos
* Re: [Cerowrt-devel] Mofi still shipping Barrier Breaker (14.07)
From: Stephen Hemminger @ 2023-09-03 17:10 UTC
To: Dave Taht; +Cc: Philip Prindeville, Openwrt Devel, cerowrt-devel
I ended up replacing an Asus router because they were still using 3.14 with
no upgrade planned.
The issue is vendor closed source blobs.
* Re: [Cerowrt-devel] Mofi still shipping Barrier Breaker (14.07)
From: Dave Taht @ 2023-09-03 19:26 UTC
To: Robert Marko; +Cc: Philip Prindeville, Openwrt Devel, cerowrt-devel
On Sun, Sep 3, 2023 at 10:14 AM Robert Marko <robimarko@gmail.com> wrote:
>
> On Sun, 3 Sept 2023 at 19:05, Dave Taht <dave.taht@gmail.com> wrote:
> >
> > The qsdk is on openwrt 15.
>
> You won't believe it but they made it to 19.07 from the 12.0 release,
> and it seems they are preparing for 21.02.
It would be so nice if they tried to keep up with 23.x and released no
more than 6 months behind. But I should be filled with joy at hearing
19.07 is in there.
In other news, I have no idea what openwrt version this was but tplink
is vulnerable at least.
https://nvd.nist.gov/vuln/detail/CVE-2023-1389
>
> Regards,
> Robert
--
Oct 30: https://netdevconf.info/0x17/news/the-maestro-and-the-music-bof.html
Dave Täht CSO, LibreQos