Once I scanned barcodes from a competing store rewards program into a point-of-sale terminal of a grocery store. The machine promptly shut down. Sometimes I wonder if that was a failure mode to prevent attacks or a lack of sanitizing inputs.
In the early days of our local RFID-powered public transport payment system, I tried scanning a random misc RFID card from my wallet instead of the correct payment card.
The gate locked up and started screeching its "I scanned a card" chime on loop.
It was hilarious... and I guess a matter of poorly sanitized inputs.
[1] is what (I believe) they were talking about. Rather than configuring these in a sane way you just scan configuration barcodes. I didn't see anything on the list that was too dangerous but you could change the maximum input length or allow full ASCII encoding which could be dangerous if the programmers assumed that the barcode reader returns a fixed length string of numbers.
Bingo. The better ones will only accept scantags if you scan the "enter config mode" within 30 seconds after power-on, for instance. Or yes, a hidden button on the underside of the checklane.
That's rare though, and sometimes the installer disables it for convenience while they're debugging the system and never re-enables it. So the vast majority of scanners in the wild will happily accept an enter-config-mode at any time.
A lot of them are configured by literally scanning settings. These "settings" barcodes are often left out in the open, or easy to recreate. I used to have a "cheat sheet" when I managed scanners in a warehouse.
Keyboard-wedge is only one of a dozen ways a barcode scanner can send data. Most also have legacy serial interfaces for use with old POS systems, so you have scantags that enable and disable those, and configure the baud rate, start bits, stop bits, parity bits, flow control (like a dozen different types), minimum idle time between subsequent codes, etc. And some of the old stuff isn't exactly ASCII, like there are systems that operate in MSI/Plessey mode which is all sorts of martian. It has its own whole config tree. I don't even remember how Nixdorf mode works, I never had to deal with it.
And even within USB, sometimes you emulate a HID keyboard and send scancodes, sometimes you enumerate as an actual USB HID barcode scanner (that's a dedicated device class), sometimes you emulate a USB CDC serial device and inherit all the serial config from above minus the baud rate. Oh, and sometimes you can configure the USB polling interval for performance.
Do you start with a special key/character to signal that a barcode is coming, or just begin vomiting digits into wherever the cursor happens to be? Pad shorter codes with leading zeroes? Do you send CR or LF at the end, perhaps both? Or some other key/character like tab?
Oh and keep in mind that some barcodes can do alpha characters too. Which keyboard layout are you emulating, because the whole world isn't US-English? Convert to upper or lower case? Filter characters? Send a different start-character to indicate that an alpha code is coming?
And then you've got the symbology selection. There are hundreds of different types of barcodes, and they're used for different things. Have you ever scanned a box and the scanner picked up a barcode from the shipping label rather than the UPC? That's because whoever set up the POS didn't disable the other symbologies. They should have. So there are config variables for all that. Even just the UPC/EAN/JAN family has a dozen subvariants, and some POS systems want a prefix to indicate which variant is coming down the wire.
Then there's scan tuning. How many times does the laser/imager need to read the code before it considers it good? Crank this up to increase confidence, crank it down to favor speed. How much "dead time" should the reader take after scanning one code before it can scan another code? How much should it have before it can scan the SAME code again? Picture the way a clerk whips products across the scan window and try to tune it so you can easily scan multiples of an identical product, without scanning the very same item twice if it remains within the window too long.
Newer scanners also have tunables for recognizing barcodes displayed on LCDs since customers now sometimes present coupons on their phone screens. That's its own whole can of worms and largely newer than my time in the industry so I don't know the specifics, but again it's a performance tradeoff depending on the situation.
There's also minimum and maximum distance and apparent line width, which can help in certain handheld situations (think of the handheld style used at convenience store counters) where it otherwise might pick up distant products on the counter by mistake. But sometimes you might want to be able to scan things from a few feet away, so that's configurable.
Then you've got UX variables. Beep after a good read? Configure pitch, duration, and volume. Different beep/tone for error? All of the above again. Turn the feedback LED(s) green/red for those statuses? Or does green mean "ready for scan", like at self-checkouts? Scanner always active, or only when activated by button push (handheld) or proximity sensor (pedestal) or scale (checklane)? Or active only when DTR line high (serial)? Timeout after activation if no valid read? There's so much more, this only scratches the surface.
Finally, all these config variables can be stored, recalled, defaulted, protected, and unprotected.
I have a credit card that bluescreens (some) PoS terminals. I theorize the upstream server is returning a rare error code when it's used in contactless mode, because that account's never been approved for contactless. In that case I'm going with lack of sanitizing inputs.
Terminals that only supported the first version of tap to pay in the USA often have this bug when activated by a card from this first version of tap to pay.
Similar to airplane phones in the late 90's using a calling card. While they asked for a calling card number, the system didn't actually confirm that there was any money on the card itself and just connected to the person you were calling.
That actually makes sense, the logic there would be that the on-plane system just captured the card number and an on-the-ground system was responsible for checking and billing.
Given that 747s (IIRC) are still using floppy disks (https://google.com/search?q=747+floppy+disks) the chances are the billing was probably done by some equally byzantine process.
Yes, I'm saying that, despite the fact that
"capture calling card number for later using on-plane PBX, establish satellite call directly to dialed number"
and
"establish satellite call directly to on-ground PBX, which asks for calling card number and forwards call"
both ultimately return TRUE for "but users can trigger our satellite uplink to initiate connections just by picking up the phone!!1"... but the latter approach actually blocks illegitimate use and is thus measurably better, and skips the need for an on-plane PBX too.
I can't help but wonder if there was some sort of "capture the number first before initiating the call" initiative early on (which totally makes sense), only for the calling-card billing integration to fall through at some point rendering the whole approach moot.
Naturally I'm making a lot of assumptions here, the biggest being that the plane isn't just making a direct-to-ground connection the moment you pick up the phone, with an on-ground system accepting then forgetting the calling card number. That would be even more stupefying but I do doubt that's what was happening.
Most of the stores where I live allow you to scan other stores rewards cards. You don't get points on your account but you still get whatever sale prices that are reserved for reward card holders. Wonder if in your case the store supported this function but there was a null or something similar in the record for that card type.
Most retailers use the same ranges for their rewards cards, UPC-A barcodes starting with 4. So even if not intentional, if their system is configured to allow an unregistered card to receive discounts, doesn't validate registration at all, or the number collides with a legitimate rewards card, you'll receive the sale pricing. Similarly, if you simply use a common phone number like xxx-867-5309, 800-555-1212, the store's phone number, etc., you'll probably get discounts too.
At the store I worked at 15 years ago, any 4xxxxxxxxxx code would give you the loyalty program. No reason to authenticate, they'll give you the "discount" (hint its not really a discount) even if you just ask.
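As an added illustration (not code from anyone in this thread) of the fixed-length-digits assumption from the scanner configuration comments above and the number-system-4 rewards-card point in the comment just before this, here is a Python keyboard-wedge input handler for a POS that does not trust what the scanner sends: it splits on whichever CR/LF/tab suffix the scanner is configured for, caps the length, rejects non-digit input, pads a dropped leading zero, verifies the UPC-A check digit, and requires store cards to be registered. The AIM-style prefix pattern, the registered-card set and the sample keystroke stream are constructed assumptions.

```python
"""Defensive handling of keyboard-wedge barcode input on a POS lane."""
import re
from dataclasses import dataclass

MAX_LEN = 32                       # hard cap: a config barcode can raise the scanner's own limit
UPC_A_LEN = 12
LOYALTY_NUMBER_SYSTEM = "4"        # UPC-A number system used for local/store cards
AIM_PREFIX = re.compile(r"^\][A-Za-z][0-9]")   # assumed optional symbology-identifier prefix
TERMINATOR = re.compile(r"\r\n|\r|\n|\t")      # CR+LF, CR, LF or tab suffix

# Constructed set of registered store cards; in practice a database lookup.
REGISTERED_LOYALTY = {"412345678903"}


@dataclass
class ScanResult:
    kind: str            # "upc", "loyalty" or "rejected"
    value: str
    reason: str = ""


def upc_a_check_digit(first11: str) -> int:
    """Standard UPC-A check digit: 3x the odd positions plus the even positions, mod 10."""
    odd = sum(int(c) for c in first11[0::2])     # positions 1, 3, ..., 11
    even = sum(int(c) for c in first11[1::2])    # positions 2, 4, ..., 10
    return (10 - (odd * 3 + even) % 10) % 10


def split_wedge_stream(stream: str):
    """Split a keystroke stream into complete codes plus the trailing partial (no terminator yet)."""
    parts = TERMINATOR.split(stream)
    return parts[:-1], parts[-1]


def classify_code(raw: str) -> ScanResult:
    code = AIM_PREFIX.sub("", raw, count=1)
    if len(code) > MAX_LEN:
        return ScanResult("rejected", code[:MAX_LEN], "exceeds maximum length")
    # isascii() matters: str.isdigit() alone also accepts non-ASCII Unicode digits.
    if not (code.isascii() and code.isdigit()):
        return ScanResult("rejected", code, "non-numeric input")
    if len(code) == UPC_A_LEN - 1:
        code = "0" + code            # policy: scanner configured to drop the leading zero
    if len(code) != UPC_A_LEN:
        return ScanResult("rejected", code, "unexpected length")
    if upc_a_check_digit(code[:-1]) != int(code[-1]):
        return ScanResult("rejected", code, "check digit mismatch")
    if code[0] == LOYALTY_NUMBER_SYSTEM:
        if code not in REGISTERED_LOYALTY:
            return ScanResult("rejected", code, "unregistered loyalty number")
        return ScanResult("loyalty", code)
    return ScanResult("upc", code)


def process_stream(stream: str) -> list:
    """Classify every complete code in the stream; empty codes and the partial tail are dropped."""
    complete, _partial = split_wedge_stream(stream)
    return [classify_code(c) for c in complete if c != ""]


# Constructed sample of what a wedge scanner might type into the POS.
SAMPLE_STREAM = "".join([
    "036000291452\r\n",     # valid UPC-A, CR+LF suffix
    "412345678903\r\n",     # registered store card (number system 4)
    "400000000008\n",       # well-formed but unregistered store card
    "036000291453\t",       # wrong check digit, tab suffix
    "ABC123\r",             # alpha input: scanner reconfigured for full ASCII
    "9" * 40 + "\r",        # oversized input: max length raised by a config barcode
    "36000291452\r",        # leading zero dropped by the scanner
    "123",                  # incomplete code, no terminator yet
])

if __name__ == "__main__":
    for result in process_stream(SAMPLE_STREAM):
        print(f"{result.kind:8s} {result.value:32s} {result.reason}")
```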
Sounds like a pretty easy way to do a denial-of-service attack against a grocery store if you can just shut down a bunch of terminals with a barcode. I guess you'll stand out a fair bit if you move from PoS to PoS, scanning a barcode.
and this video https://www.youtube.com/watch?v=cIcbAMO6sxo where all the gates at a parking garage are rendered inoperable because someone scanned a QR code that encoded EICAR
The barcode register attack was explored in an episode of The X-Files titled Duane Barry (2x05; 14 Oct 1994), when Special Agent Dana Scully scans a chip (that had been found implanted in her neck and subsequently removed) at a grocery store checkout scanner, and IIRC all the registers went berserk. So this is definitely a thing.
CNX does have a lot of good embedded news, and this fits the bill perfectly.
It's interesting how we can make this easier to secure; as an embedded developer, perhaps there should be security by default, making it harder to circumvent that and to make installs like this.
"Embedded news" is an interesting term for blogspam. If they find interesting news they should post a blurb and link to it instead of copying its content without adding anything new.
Press the buttons along the right hand side from top to bottom in sequence. It usually works. Only failed me once at a station that was clearly intent on wild amenities and overkill experience.
I’ve done it, sometimes I buy coffee, use the bathroom, check email, and then I’m on the road again.
But that’s actually kind of a fun idea, watch a show or movie in bursts. Thanks! Maybe you look forward to the next charging stop, to find out what happens after the cliffhanger!
Yes, sometimes a really annoying ad will play on the video screen once you start pumping. Other times, they will show you a funny clip from a talk show -- it's still an ad but at least it's entertaining.
Most of the pumps I've interacted with have blank buttons near the display. In my region, the mute button is second down from the top right. Mash the unlabeled buttons though, and you'll probably find mute.
Would be funny if someone figured out a way to remotely set all gas pumps in the country to "release mode" simultaneously: I'm sure this would make for a memorable experience.
I'm guessing most gas station attendants would either hit the emergency stop button (which is big and red and physically cuts power), or put up signs asking people to record start and stop gallons and pay inside.
It would be entertaining. But it wouldn't hurt the O&G companies.
The gas is already paid for by the gas stations at X price. Arbitrarily lowering it to $0.01/gal does not do anything but hurt the local gas station owner or piss off minimum wage worker(s) dealing with the fallout.
Short term, for the consumer that sounds entertaining. Long term, I can think of no good outcomes. Stations go bankrupt, government bailouts with money from where? Etc
Going bankrupt is a bit extreme in my opinion. A gas line company was infiltrated and held for ransom last year (Colonial Pipeline), yet they are still up and running. In the end, gas went up a couple of cents nationwide if I recall correctly (might have been limited to the east coast?). Company is still in business. The only people that were really hurt were the Main Street.
Exactly. You have to drive up with plates that identify where the car is from. You ain’t stealing shit, unless you already stole the car in which case steal the guy's wallet too.
Yeah; card skimmers are more appealing because stealing gas requires physical presence of a heavy and hazardous substance. CC skimmers require a 10-second installation then they just send CCs via cell networks for a week or until they're discovered. Do it right and they're basically untraceable, and the stolen CCs can be charged for thousands per skimmer.
I'd imagine the scammers would just pay some homeless guy or illegal immigrant to actually steal the gas rather than doing it themselves. Same as money mules.
Gas stations are probably considered 'Critical Infrastructure' by the US government as they are part of 'Transportation Systems' infrastructure. Tampering with their computer systems (even just out of curiosity) is probably a bad idea.
The way the legal system works, the safe option is to not do anything with systems that you don't own or have authorization to use.
Like public facing websites that advertise they are meant to have users are pretty safe, but after that, explicit authorization is a good idea vs deciding for yourself whether it might be critical infrastructure.
The point is, if they want someone poking around these systems, they'll contract with them to do that. You should not tamper with them just out of curiosity. Convicted felons have a hard time finding jobs.
Which is nonsense, what was the purpose of punitive action (jail) when a person will be punished for the rest of their life via stigma and ineligibility for jobs. How is that “correcting” a person's behavior?
The punishment isn’t only a punishment for the individual. It’s a deterrent to keep the next person from doing whatever it was that was illegal. You can argue if that’s right or wrong, but that’s one of the points of many sentences — to send a “message” to others who might commit a crime.
“Don’t do crime, but if you do, I guess keep doing crimes forever because we’re going to make it hard for you to get a real job” isn’t really a compelling strategy.
Let’s be clear where the blame sits. The “prison industrial complex” isn’t creating this. Private enterprise is set up to profit from incarceration rates and thus recidivism, but the reason that people can’t get jobs after they finish their sentence is the fault of all of us. Every company that refuses to hire somebody with a record is contributing to the problem, as is every person who looks down on somebody for having been incarcerated.
This is pretty intensely reductive of the actual state of the world. It only works if all people are competing for all jobs, which they are not.
To pick a boring example, see the multitude of companies complaining about labor shortages and also the number of felons who are struggling to find jobs.
We could also argue whether it is effective or ineffective. I understand the incentive being introduced, to tip the scales in a rational decision-making process against a criminal act. However, that assumes that criminal acts are the result of a rational decision-making process, and that the possibility of punishment is high enough to enter into that process. Given the recidivism rate of the US, I don't think it is effective.
You can argue whether a punitive system that effectively provides a deterrent is right or wrong, but a punitive system that isn't effective as a deterrent cannot make the same argument.
Once a customer of the penal system, always a customer. They've worked hard to get their retention / repeat business numbers up this high. Why take that away from them?
Okay, I call bullshit. That which can be claimed without evidence can also be refuted without evidence.
That said, if you’re feeling like finding out do heed caution because I’m sure the Man will love to make an example of the first person who figures out how to pump their gas at $0.01 per gallon.
> Okay, I call bullshit. That which can be claimed without evidence can also be refuted without evidence.
Aside from the extreme rudeness, what evidence are you looking for? Do you want GP to attach sensitive or classified pen test results here in a public forum?
Pen tests are a requirement for any vendor doing business with the gov. Check out NIST 800-53 and the FedRAMP security process. It's much more intensive than SOC2 which is the standard in the commercial world. I think your information is about 10 to 20 years out of date.
Yikes, I don’t want to live in a world where calling bullshit is “obviously rude” but I’ll bite.
> Pen tests are a requirement for any vendor doing business with the gov.
What does this prove? Solar Winds, Colonial Pipeline (maybe more relevant here), etc.
Your search link doesn’t include anything about extensive penetration tests ensuring the security of these devices. That’s the claim. Where is the evidence?
Also calling someone’s knowledge “out of date” is a, dare I say, rude assumption. But judging by your assurance in the security of government contractors I’d say your opinions are quite naive :)
> Yikes, I don’t want to live in a world where calling bullshit is “obviously rude” but I’ll bite.
Sadly, this is an is/ought problem. I don't want to live in a world with poverty and war either, but that doesn't make it fact.
> What does this prove? Solar Winds, Colonial Pipeline (maybe more relevant here), etc.
The point of pen tests is not to guarantee perfection. There are also ways to sweep things under the rug if those in charge are so inclined. But the existence of those things doesn't mean pen tests aren't done, or that nobody cares about security.
> Your search link doesn’t include anything about extensive penetration tests ensuring the security of these devices. That’s the claim. Where is the evidence?
Did you look at either of the first two hits? The first four indeed are evidence that the government does pen tests. The first hit is a government department that solely exists to do penetration tests[1]. The second one called "PENETRATION TEST GUIDANCE" is all the rules regarding how penetration tests must be done[2].
Ok your turn for evidence. What evidence do you have that all of those things are fake? Or that none of the compliance officers actually check it?
> Also calling someone’s knowledge “out of date” is a, dare I say rude assumption.
You're right, I apologize for doing that. I actually thought that was more charitable than the other possibilities, but it doesn't add anything to the discussion so should have been left out.
I don’t need to do research because I’m not the one who made the original assertion. You can’t throw around unsubstantiated claims but require proof from those who try to refute them; that’s not how it works.
“You can’t throw around unsubstantiated claims but require proof from those who try to refute them”
I am claiming relevant experience as my insider knowledge. What experience or proof do you have to back your refutation?
That’s how this works. When somebody gives you a peek behind the curtain while chatting, you don’t go and demand proof. You can ask for it nicely of course. That is the socially acceptable thing to do.
Your behavior is out of line given the casual and pleasant discourse before you showed up.
"When somebody gives you a peek behind the curtain while chatting, you don’t go and demand proof."
It is up to you as a communicator to establish your credibility so that people can trust your words and take you seriously. It's not a favour to the audience.
As far as I can tell, this gentleman has categorised you as a random dude at the bar making things up.
Let’s apply that here.
Guy at the bar is telling war stories, you aren’t sure he is telling the truth, sounds like a tall tale…
You never served in the army so you’re not sure… But your gut is telling you he is a liar.
What do you do?
Nothing. Because you are not in a position to know better. It’s your unsubstantiated guess against a possible lie.
If you are coming to the conversation in good faith, you don’t start with an accusation of lying. You share your doubts and ask politely for more information.
We’ll have to agree to disagree. Personally I think the key is to not use the word “bullshit” unless you’re already on good terms with someone. But you can call BS without using that word, if you’re certain your audience is easily offended.
Not caring if you offend someone? That’s also quite rude!
> I think the key is to not use the word “bullshit” unless you’re already on good terms with someone.
Yes, agree 100%. When you're busting balls with your friends it's perfectly fine, but when it's a stranger online who doesn't know you at all and is likely from a very different culture, it's not a good idea to respond that way, unless you want to offend.
'The point is, if they want someone poking around these systems, they'll contract with them to do that'
'You plebs have no business poking around and finding out what people in power are doing or finding out if they've done their job properly. If they wanted someone holding them to account, they'd contract them to do that.'
I don’t think the Russians are going to care about a felony conviction. The major security holes in embedded devices that are part of our critical infrastructure are national security threats.
Despite Putin’s bluster about nuclear weapons, cyberattacks are the easiest way for Russia to inflict pain on the US and Western Europe in response to economic sanctions and our support for Ukraine militarily. And those could do a lot of damage, both in terms of our economies and even civilian American/European lives.
> Tampering with their computer systems (even just out of curiosity) is probably a bad idea.
I don't think the kind of people who are robbing gas really care about whether this is a bad idea. That's why sometimes the right answer is to focus on preventing the crime because...
> You could end up with a felony conviction.
The crooks really don't care. It's all about not getting caught.
The crooks often already have a felony conviction, and are already living with the permanent consequences of that. The only remaining disincentive to crime for them is additional jail time, which can start to be seen as just a cost of doing business - X years for Y dollars.
I'm not sure the trade is that simple. Everyone I've known that has served time did the crime for one of two reasons:
Most of the people who did financial crimes: Got away with it multiple times and just assumed they wouldn't get caught.
The rest: totally irrational and fueled by mental health problems. Addictions, depression, relationship problems...
I wish we were as good at helping people as we are at isolating and punishing. If punishment was a good deterrent, we wouldn't have roughly .7% of the adult population in jail.
They mostly have their own network available, and easily enough crackable. If you're really determined you can pay some kids to break the cameras and wait for the tech to arrive to fix it over the next days and then capture all her network traffic.
Then find out you can control the cost/litre at the pumps via some awful SOAP API. That's talking over the internet anyway.
I think this is actually done at least on ATMs. I have read it's a good way to get the PIN for a card, as you might be able to see someone typing it in. Some of the skimmers I want to say even had a camera aimed at the keypad?
Unfortunately EV stations make a point to know their customer, extensively. Is it even possible to pay cash and not have your car identified by the charger in a significant number of stations?
> Is it even possible to pay cash and not have your car identified by the charger in a significant number of stations?
The majority of the charging you do will be at your home, where you already pay for electricity. Unlike gas stations, which you go to every few weeks, you'll "fill up" away from home only infrequently, only when traveling multiple hundreds of miles away.
When you are away from home, it's sometimes possible to charge anonymously like you describe. RV campgrounds/RV parking often has a dumb electric outlet (which you'll need an adapter for) that can charge you quicker than a regular household outlet. Any place that has regular electric outlets can "trickle charge" you.
That said, you're right that EV charging when you're on a trip is more tech heavy and less anonymous than filling up at a gas station.
If your threat model doesn't allow for certain private companies to know your rough whereabouts when you're on road trips, then yeah, don't get an EV, don't use credit cards, don't use a phone, etc etc.
Most people's threat models are perfectly fine with this though.
> The majority of the charging you do will be at your home
I'm worried someone will stumble upon the 50 meters of charging cable I have to hang from the third floor, along the pedestrian way, towards the car - in case I'm lucky to get a parking space just in front of the condo.
I don't think they meant stumble upon as in discover it for their own use. I read it more as physically tripping over the cable hanging from their 3rd story condo. A bit of a tongue-in-cheek story noting the difficulty of charging at home if you don't live in a single-family structure.
Depending on your POV, the main "gas" station in your garage for an EV has either extensive knowledge of you, or ~zero knowledge of you. Outside gas stations are for use only for road trips.
I spent more time in 2021 waiting on gas pumping in my ICE than I did on my EV charging. Easily more than an hour of time going out of my way to go to fuel stations, potentially waiting for a pump, pumping gas, then getting back on my way versus 0 minutes on my EV just plugging in immediately when I pull into my garage.
I'm already at >30min on waiting for gas pumping on my ICE for 2022. I'm still at 0 minutes on my EV.
If I go on a road trip and spend an hour waiting to charge, I will still have spent less time waiting on refueling on my EV than my ICE.
Oh yeah, it's also almost 1/10th the energy cost driving the EV than the ICE.
There should be an open source gas station firmware framework written in Rust.
The information security industry must expand to secure this piece of national security infrastructure.
I’d prefer go. Rust just has a bad name for infrastructure. Who wants rusty infrastructure? Can you imagine the news articles about rusted gas stations? Go on the other hand has a great name for vehicle infrastructure. Swift could work too.
Meanwhile, I'll sit here with the elixir of life (which, isn't hydrocarbon based, but works on the kinda logic where one cucumber and tuna sandwich enables you to cycle about 80km ;)
Gas pump UX is some of the worst of any computer system I have to deal with on a regular basis (ATMs are about as bad). From awful keypads that miss numbers and obscure non-secret things like your ZIP code, to tap card readers that only work with debit cards (but the magstrip works with CCs?!?), to slow ass multi-step questions, misplaced buttons, "decline car wash", "no I don't want to play the lotto today", pumps that shut down at certain times of the day, and general slowness of every single step of the process...
And the cherry on top: loud video ads that you must stand there and watch while enduring all of this. THOSE have good screens and seem capable of playing back video well enough. If only they could dedicate a fraction of that compute power to making the purchase process less awful.
100% not surprised that these were programmed probably by a junior right out of college back in the 80s then never updated.
The TVs are mildly annoying but the worst part is the stupid questions many now ask before you can pump any gas.
When it's freezing cold outside, 1) no, I don't want a fucking car wash and 2) I really resent having to spend the couple extra seconds out in the cold to answer that question.
They're assuming your complaint about spending a few extra seconds activating the pump implies you're then climbing back into the vehicle after starting the pump, as a few seconds on a several minute encounter with the pump really isn't that much time.
Also, FWIW it's not that crazy to ask about a car wash when it's freezing outside, especially if you're in an area where they salt the roads a lot. From what I understand a lot of people will do a lot of undercarriage washes when things get salty. I don't live in those areas so I'm not the best to offer advice on that, but I do know briny water and metal aren't good for things you want to not have rust to nothing in a few years.
A few seconds is plenty of time when it's being rudely wasted and I'm freezing my ass off.
I agree, it's important to wash the undercarriage when there's salt on the road. However, I would never get a car wash at any old gas station, the risk of swirling or scratching my paint is too high. On top of that, who knows if these bottom-barrel gas station washes even clean the undercarriage effectively, or even at all.
Oh and of course there's the risk of accidentally pressing the wrong button, being charged for the car wash, and having to waste more time getting refunded.
Yup. I'll leave it as a 1-star Google review (not that many people read reviews before choosing a gas station), and then going elsewhere. My second-closest station has these TVs. I forgot once or twice and returned by accident, but now I never forget.
Gas is a commodity, so boycotts don't work; also that puts the onus on the consumer for being annoyed and not the corporations for literally pumping ads into a mandatory part of our society (where I live, I can't function without a car).
Also who tf reviews gas stations. It's a minor annoyance, that's why they do it, I'd just rather have a state level solution that banned having ads shoved in my face all the time
https://evadoption.com/are-evs-charged-mostly-by-coal-power-... while it looks like now, the majority of energy for EVs comes from renewables or natural gas (not that natural gas is actually "green"), a lot still does come from coal, so while maybe not purchasing gasoline directly, driving an EV still uses fossil fuel somewhere.
I do believe the 'typical' home router is insecure, but mine is rather typical and has had great security updates for 4 years now.[0] It's definitely nothing special, just a $100USD unit. Asus also has an autoupdate feature so their owners don't even have to do anything. I haven't used another brand in years, I had a Buffalo router before this, but I've been following the release notes on this one and security seems top notch for a low-end home router. I do run a 3rd party firmware on this, but it's downstream from Asus's.
I have first hand knowledge of this, it's been a while but I remember logging into a Ruby/Sapphire backdoor with default credentials and unmasking the credit card data if there was an issue and a credit transaction wasn't processed. This was for a large regional chain.
It's really an industry problem, everyone who works in the c-store side of things is old as dirt and doesn't understand or care about security.
"Researchers also found that many of the systems had “default credentials,” which means they might have similar access codes unless an employee took the time to change them."
That should be considered gross negligence. Criminal negligence for anything shipped with default credentials since ransomware became a thing.
I used to work for a company that made VPN routers for one of the largest pump producers. I wasn't aware of any vulnerabilities in our part of the solution. Which doesn't mean there weren't any of course.
Still there is a lot more there than a VPN router. Lots of software and likely plenty of bugs.
Hard-coded passwords are a very relevant problem in real-world security. Most of those apartment building entry systems are left with the factory password, so you can let yourself right in.
If that doesn't work, you should be able to find a factory reset button. Look for a hole you can stick a paper clip in, and power cycle with the button depressed.
Once you do that, call your ISP and ask for the default password.
Luckily, every other hop you traverse across the internet is untrustworthy too, so having a bad router shouldn’t worry you. Treat your home wifi like you treat Starbucks wifi.
There's some terminology confusion about internet routers. The devices that sit in a telco rack and have lots of fibers running in and out of them and decide what pipe to send your IP packets down to are the more routery kinds of routers. The wifi ap + nat box + cable modem thing you have in your house is doing mostly other things than routing and is called your CPE or Customer Premises Equipment. (Also NAT is not routing, the router requirements RFC forbids touching the address fields).
The term "transparent routing" is used throughout the document to identify the routing functionality that a NAT device provides. This is different from the routing functionality provided by a traditional router device in that a traditional router routes packets within a single address realm.
Transparent routing refers to routing a datagram between disparate address realms, by modifying address contents in the IP header to be valid in the address realm into which the datagram is routed.
Section 3.2 has a detailed description of transparent routing.
That's an "informational" rfc by an individual that doesn't represent the IETF position. Whereas the router requirements is a standards track document.
(And the reason it's an informational RFC is that IETF didn't want to encourage NAT)
Router is a device that routes packets between two or more networks. CPE routes packets between the customer's LAN and the ISP's network, and as such is a router.
Sure, it is technically a trivial one along with other functions. But it doesn't feel sensible to call it a router because that's not its defining characteristic. And the business of nontrivial routing that goes on in the devices whose full-time job is to be routers is different, involving routing protocols and stuff.
I understand it's a little bit dumb that many people think of a router as a device that does Wi-Fi and maybe has a modem built-in, just because that's the only kind of router most people ever encounter. But for all that it's annoying and technically not quite precise, that is the colloquial use of the term.
> The term "CPE" seems to be more about device ownership than technical function.
Not ownership, location. CPE can be owned by the network provider or by the customer.
But it indeed doesn't have a clearly defined technical function. CPE can be just a modem, a consumer all-in-one device, or a "proper" enterprise-y router from Cisco/Juniper/...
[0] https://apma4u.org/wp-content/uploads/2012/06/Crompco-Update...