(broadband routers) PC World: Flash Attack Could Take Over Your Router

Props to Jeff Chan who I saw it from.

Yes, I still believe these ISP distributed machines called broadband routers are a network operators issue. But not all may agree on that.

I doubt many ISP security or customer care folks are fans of UPnP.

The distribution channel (consumer electronics retail store, discount
mail order company, etc) is less important than working with the CPE vendors. I worked with a few CPE vendors for several years since 2003 to
improve some things. You may be able to figure out which CPE vendors, because they have UPnP off by default (or don't have UPnP), and other nice things such as automatic security patch loading. CPE owners take even less care of the CPE than even PCs.

But even though a few other large ISPs copied some of my requirements for their RFPs, a lot of CPE is distributed through many channels. I'm a bit suspicious of some security researcher's statistics about UPnP gateway
configurations in different markets.

If you just want to rant at network operators go ahead. But it will
probably be more productive working with CPE vendors and ISPs on a few constructive things.

What specifications can consumer electronics stores and ISPs include in the RFPs to consumer CPE vendors? What can consumer CPE vendors include
at the price-points for the market for consumer CPE? Is the Carterphone
era over, and consumers just can't handle managing CPE anymore?

Thanks for putting the discussion in focus, Sean. These are splendidly good questions! And cosumers may be able to handle CPE, but not most of the ones on broadband providers. "Anymore" ?

The questions you raise are very good, and I don't intend to attack their validity. My purpose here is to say that: yes, vendors should do better and it is good to form relationships with them, but currently there are millions of customers who consider these "modems" plug and play, regardless of technology.

The recursive DNS servers, linux machine, default passwords and whatever else may be on that CPE device is outside their realm of care. I'd be happy if Windows Update is turned on for even some of them, which is in their realm of care.

These devices are on the client end, and are not under client care. I believe this needs to be re-emphasized. I do not believe spreading gospel on how to secure them to end users is what we need, but rather the other part you mentioned, which is working with vendors.

Working with vendors aside (as you mentioned, can be frustrating) network operators need to realize these are in fact their problem, as the vendors are not quite up to scratch yet, are they?

These devices are:

1. Botnets waiting to happen.
2. Sniffers waiting to infringe on user privacy.
3. Recursive DNS servers waiting to be abused.

I believe the main points of interest are #1 and #3. I've worked with a few ISPs on this in the past couple of years, but it is obvious the issue remains un-noticed for most.

Flash and UPnP I am honestly not that interested in.