Mofi still shipping Barrier Breaker (14.07)

Philip Prindeville philipp_subx at redfish-solutions.com
Sun Sep 3 09:47:22 PDT 2023


Hi all,

As we work on the 23.05 release, I was stunned to receive a Mofi MOFI4500-4GXeLTE-V3 router with 14.07 installed on it as part of my Unlimitedville enrollment.

I thought, "wow, this must have been sitting in a warehouse a while!  I'd better update it."  So I went to the company's support site, grabbed the latest image, flashed it, rebooted and... still running 14.07.

For those of you too young to remember, Barrier Breaker was released 10/2014 and included the 3.10.14 kernel (released 6/2013).

How is this not cyber security malpractice?  A firewall is your first line of defense against cyber attacks.  If your firewall has long known, well documented vulnerabilities and exploits, you might as well not have a firewall at all.

I wrote them asking why there wasn't a more recent, more secure release of the firewall firmware and this was their response:


> Dear Philip,
> You didn't seem to know what you are talking about and should leave software to Professionals like us and relax


I hope that most of the companies that use our software are more diligent, and don't incur reputational damage to our efforts by continuing to ship EOL firmware.

I get that not every company has kernel developers in-house, and frankly, providing an updated kernel release for their SoC is the manufacturer's responsibility, and MediaTek has not been responsive in this respect (for the longest time they were shipping a 2.6.36 SDK!).  Some of the larger vendors (TPLink, ActionTec, Linksys, DLink, Netgear, et al.) or their ODM partners have the option to hold their feet to the fire and make orders contingent on updated SDKs...  I doubt that Mofi does the sort of volume that gives them any leverage.

But I digress.

Class action suits are becoming more prevalent with computer and networking equipment manufacturers, as the public becomes aware of the increasing cyber security threats as well as manufacturers' implied responsibility to address vulnerabilities in a timely fashion as they become aware of them.

I'm calling this out because I honestly hope it's the far outlier in our ecosystem, and not the rule.

Sadly,

-Philip
