In Germany we have "Störerhaftung" where routerowners are responsible for everything that happens through their router.
I wonder how this would hold up in court, couldn't you argue that routers are generally buggy, how can they force any responsibility if they can easily be hacked?
Nearly every stock consumer router keeps getting these RCE’s. Perhaps that’s the point, they can get any arbitrary household in trouble if it’s expedient to do so.
It won't work. You would need to back up your claim with proof that someone hacked your router. You can't drive a car that is easily breakable and expect the court to clear you of any responsibility if it causes harm because it broke while you were driving.
I would assume that liability is avoided when someone has done a reasonable effort to secure the device. The user needs to make sure they've secured their router from unauthorized access by using proper passwords. The ISP needs to make sure the router is delivered with the latest firmware and is pre-configured to be secure.
The last few routers I've had from an ISP are totally turnkey. There's no configuration, no passwords set (maybe the local Wifi password), any config is done with an app that talks to the ISP, who then updates the router settings remotely. There isn't even an admin interface you can access from the local network side.
Because British government has just made leaseholders of apartments liable for costs of fixing forged and fraudulently obtained fire safety certification of apartment blocks.
The manufacturers of cladding materials have forged the fire safety certificate, the construction company has not followed the law when it comes to fire breaks and other fire safety system, the government building control has examined the building and signed it off as correct, possibly corruptly.
But after a skyscraper burned down with all the residents inside, now the residents are liable.
An allegory here would be someone stealing an easily stealable car (e.g. doing the Kia Challenge) and causing damage or injury. The thief would be liable, not the owner
Generally any damage done by a car is the responsibility of its owner. The owner will likely be sued anyway, because they have insurance and assets, and the thief (even if known) does not.
> The majority common law rule among the 50 states is that the owner of a stolen vehicle will not be held liable for damages when the vehicle is stolen and then involved in an accident that causes injury or property damage. This is because the vehicle was taken without the consent of the owner, who did not cause the accident.
It would depend on the laws of the jurisdiction. I would imagine if you can show you kept the firmware up to date and had a secure as possible config (eg not having admin interfaces exposed to the internet), you could argue that there's no negligence - outside of maybe using a known insecure vendor; sometimes I think that would be a good idea (cough cough Fortinet).
Germany has some sensible laws about personal responsibility, like it being an offence to run out of gas on the autobahn and seriously treating driving in general as a privilege. But it requires a certain cultural mindset.
Sometimes I wonder if the white hat hackers who find such a thing should just take it a step further and patch those hosts. Take the firmware, fix those bugs and update those 42 routers.
Or upgrade them to modern OpenWrt, which has supported the near identical (minus USB port) D-Link DIR-882 since 2021: https://openwrt.org/toh/d-link/dir-882_a1 , as User 6SixTy has hinted at.
I actually have put that firmware on a MR2600, and it boots, not so sure about working well though. Screwing with OpenWRT and a vague sense it has a twin were my only memories of it. I had to retrace my own research from 4 years ago to come up with something worthy of a comment.
Isn't just as illegal as exploiting them for nefarious purposes? That's a pretty big risk to take to help a few dozen strangers on the Internet. What happens if your fix has an unforeseen interaction with some configuration on a remote system and your actions cause outage or worse?
That would be “gray hat”. It would be illegal, though it has happened in the past and to my knowledge no one has yet been prosecuted for illegally fixing vulnerabilities.
The MR2600 is a rebranded (or same ODM) D Link DIR-882 with a different plastic case, but the MR doesn't come with a rear USB 2.0 port. The FCC photos for each are identical otherwise, right down to the silkscreened board revision.
There's already an OpenWRT image for the DLink model, so coming up with an entry for the Motorola version shouldn't be hard.
Someone did, a Russian dude (or at least Russian speaking) updated over a 100.000 Mikrotik routers. While he did get a few "Thank you" notes, some users was also pretty angry with him.
Vendor wise, these were never really made by a “Motorola” -this is a Zoom router (thus the domain) that used the Motorola name under license.
The “old” Motorola router division Motorola Home got sold to Arris _without_ the brand name in 2013, and then the brand name went to Zoom in 2016. Zoom merged with another vendor called Minim, went bankrupt in 2023, and the assets were bought by a company called e2Companies in 2024.
So e2Companies is who the author should email, but good luck. I’m shocked these were even “maintained” until 2024.
Really curious the use of the "zoom.com" domain. However, since the endpoint uses insecure HTTP, maybe this should be a simple endpoint/hostname redirection.
A search of "router/firmware/query.aspx" leads me to D-Link endpoints who also uses the "wrpd" subdomain.
In Germany we have "Störerhaftung" where routerowners are responsible for everything that happens through their router.
I wonder how this would hold up in court, couldn't you argue that routers are generally buggy, how can they force any responsibility if they can easily be hacked?
Nearly every stock consumer router keeps getting these RCE’s. Perhaps that’s the point, they can get any arbitrary household in trouble if it’s expedient to do so.
It won't work. You would need to back up your claim with proof that someone hacked your router. You can't drive a car that is easily breakable and expect the court to clear you of any responsibility if it causes harm because it broke while you were driving.
But if it’s the isp delivered router they should carry the responsibility
I would assume that liability is avoided when someone has done a reasonable effort to secure the device. The user needs to make sure they've secured their router from unauthorized access by using proper passwords. The ISP needs to make sure the router is delivered with the latest firmware and is pre-configured to be secure.
The last few routers I've had from an ISP are totally turnkey. There's no configuration, no passwords set (maybe the local Wifi password), any config is done with an app that talks to the ISP, who then updates the router settings remotely. There isn't even an admin interface you can access from the local network side.
I would not assume that.
Because British government has just made leaseholders of apartments liable for costs of fixing forged and fraudulently obtained fire safety certification of apartment blocks.
The manufacturers of cladding materials have forged the fire safety certificate, the construction company has not followed the law when it comes to fire breaks and other fire safety system, the government building control has examined the building and signed it off as correct, possibly corruptly.
But after a skyscraper burned down with all the residents inside, now the residents are liable.
An allegory here would be someone stealing an easily stealable car (e.g. doing the Kia Challenge) and causing damage or injury. The thief would be liable, not the owner
Generally any damage done by a car is the responsibility of its owner. The owner will likely be sued anyway, because they have insurance and assets, and the thief (even if known) does not.
> The majority common law rule among the 50 states is that the owner of a stolen vehicle will not be held liable for damages when the vehicle is stolen and then involved in an accident that causes injury or property damage. This is because the vehicle was taken without the consent of the owner, who did not cause the accident.
https://www.mwl-law.com/wp-content/uploads/2018/02/OWNER-LIA...
It would depend on the laws of the jurisdiction. I would imagine if you can show you kept the firmware up to date and had a secure as possible config (eg not having admin interfaces exposed to the internet), you could argue that there's no negligence - outside of maybe using a known insecure vendor; sometimes I think that would be a good idea (cough cough Fortinet).
Germany has some sensible laws about personal responsibility, like it being an offence to run out of gas on the autobahn and seriously treating driving in general as a privilege. But it requires a certain cultural mindset.
>42 hosts with remote management
>vender doesn’t want to fix it
Sometimes I wonder if the white hat hackers who find such a thing should just take it a step further and patch those hosts. Take the firmware, fix those bugs and update those 42 routers.
Probably simpler to brick them, forcing the owners to upgrade to a modern and supported device.
https://en.wikipedia.org/wiki/BrickerBot
Or upgrade them to modern OpenWrt, which has supported the near identical (minus USB port) D-Link DIR-882 since 2021: https://openwrt.org/toh/d-link/dir-882_a1 , as User 6SixTy has hinted at.
I actually have put that firmware on a MR2600, and it boots, not so sure about working well though. Screwing with OpenWRT and a vague sense it has a twin were my only memories of it. I had to retrace my own research from 4 years ago to come up with something worthy of a comment.
Isn't just as illegal as exploiting them for nefarious purposes? That's a pretty big risk to take to help a few dozen strangers on the Internet. What happens if your fix has an unforeseen interaction with some configuration on a remote system and your actions cause outage or worse?
That would be “gray hat”. It would be illegal, though it has happened in the past and to my knowledge no one has yet been prosecuted for illegally fixing vulnerabilities.
But it’s definitely not white hat.
Just flash OpenWRT to them? :) (a script could prepare a matching default config)
The MR2600 is a rebranded (or same ODM) D Link DIR-882 with a different plastic case, but the MR doesn't come with a rear USB 2.0 port. The FCC photos for each are identical otherwise, right down to the silkscreened board revision.
There's already an OpenWRT image for the DLink model, so coming up with an entry for the Motorola version shouldn't be hard.
Someone did, a Russian dude (or at least Russian speaking) updated over a 100.000 Mikrotik routers. While he did get a few "Thank you" notes, some users was also pretty angry with him.
https://www.zdnet.com/article/a-mysterious-grey-hat-is-patch...
Vendor wise, these were never really made by a “Motorola” -this is a Zoom router (thus the domain) that used the Motorola name under license.
The “old” Motorola router division Motorola Home got sold to Arris _without_ the brand name in 2013, and then the brand name went to Zoom in 2016. Zoom merged with another vendor called Minim, went bankrupt in 2023, and the assets were bought by a company called e2Companies in 2024.
So e2Companies is who the author should email, but good luck. I’m shocked these were even “maintained” until 2024.
Really curious the use of the "zoom.com" domain. However, since the endpoint uses insecure HTTP, maybe this should be a simple endpoint/hostname redirection.
A search of "router/firmware/query.aspx" leads me to D-Link endpoints who also uses the "wrpd" subdomain.
Zoom were a very longstanding modem company who expanded into cable and routers and licensed the Motorola brand in 2016.
... Because it is a D-Link DIR-882 in a different box: https://openwrt.org/toh/d-link/dir-882_a1