Router Security: Self-Updating Firmware
The general thinking is that a router that can update its own firmware is better than one that requires manual updating. This is true, but overly simplistic. There are many things that can go wrong with a router that self-updates its firmware. Borrowing from the Security Checklist page, below is my list of things to look for in determining if a self-updating router is doing a good job or not.
As for answering these questions, my experience with self-updating routers has been limited to eero and Google Wi-Fi. Someone from Linksys provided answers to these questions for their "Smart-Wifi" branded routers (model numbers starting with EA or WRT). The Linksys Velop mesh router system is something else, although it, too, can self-update. Google Wifi responses below came from Google. I slightly revised the "What to look for" questions in Feb. 2017. Both Linksys and Google answered the questions as they were in Jan. 2017.
A list of self-updating routers is on the Resources page.
What to look for: Google Wifi
Q: Is there an audit log of each firmware update issued by the router vendor? Something along the lines of what Microsoft provides for Windows 10.
A: Google pushes all firmware updates from the cloud. We have dashboards so we can monitor progress of the firmware releases, which is done in carefully controlled phases.
My Translation: No. As of mid-April 2017 Google does not seem to have a single web page with a history of firmware releases. Each firmware update seems to get a new web page. I asked Google about this in mid-April 2017. They said that this page, Release Notes, should have the full firmware history. Time will tell if this is true.
May 8, 2017. I was right. Google updated the firmware on my Gwifi router May 3, 2017. There is no single web page with a release history. And the description of this update is shameful. The full description is "General stability & performance improvements". See a screen shot.
Q: Is there an audit log of each firmware update installed on your router? Only by comparing these two logs can you verify that the auto-update system is working correctly.
A: Cloud pushes notifications to the mobile app. Release notes accessed via the app state dates on which firmware was updated. Firmware revision can be noted per mesh node via the app.
Q: How often does the router check for updates? Can you control this?
A: Google pushes updates via the cloud roughly every six weeks.
Q: Can you be notified of firmware updates beforehand? Afterwards? If so, what type of notification?
A: Since the user does not need to manually intervene, no. Updates are done carefully in a phased rollout to ensure no regressions.
Q: If you are notified beforehand, can you schedule the firmware installation and the necessary reboots it entails?
Q: Even if you are not notified of available updates, can you set a schedule for when installation/reboots are allowed? That is, reboot at 3am but not at 3pm.
A: Reboots are auto-scheduled within 24 hours and when the systems are idle.
Q: Can you force the router to check for new firmware?
A: No. Firmware is pushed directly via the cloud.
Q: Can you force the router to update to newly available firmware, or do you have to wait for its regular check-in?
A: N/A. Firmware pushed from the cloud.
Q: If you do nothing, how quickly will newly released firmware be installed? Eero promises to install new firmware "within a few weeks".
A: We release new firmware every six weeks. It is phased in a rollout over a few days.
Q: When the router phones home looking for updates does it do so securely with TLS?
A: N/A, but yes, all communication with the cloud is secure TLS
Q: When the router downloads new firmware does it do so securely with TLS? Is newly downloaded firmware validated in any way, such as being digitally signed?
A: Yes, all code is signed by Google. A Trusted Platform Module (HW TPM) verifies signatures of the code.
Q: Does the router support multiple installed firmwares? (so you can fall back in case an update causes a problem) If not, then can you install old firmware if a new version caused a problem?
A: Yes. Multiple partitions with fallback in case of a failed software update.
Q: Is there a manual over-ride mechanism for installing new firmware in case the auto-updating system fails?
A: N/A generally, but yes, firmware can be downloaded and flashed via USB key in recovery mode.
Q: Does the vendor document the changes in each firmware update? If so, do they do it well?
Q: Can you tell what version of the firmware is now running? If it's a multi-device mesh router/system, then the question applies to each device.
A: Yes. Via mobile app.
Q: How smart is the auto-updating system? Specifically, can it self-update within the same firmware version, but update when there is a major new firmware release? Synology offers this on their NAS boxes. You can configure the NAS to self-update from version 5.1 to 5.2 to 5.3, but not to automatically update to version 6.
A: Users can turn off updates by opting out of cloud services
Q: Can you backup the router settings to a file? Pretty much any router can do this, but with auto-updating I wonder if that feature still exists.
Q: In a mesh system involving multiple devices, do all the devices update their firmware at the same time? If not, how is it handled?
Q: In a mesh, what happens if one device gets new firmware but another device does not? Can the system run if the three devices are not on the exact same firmware release?
A: It is a managed rollout where all nodes are updated during the same session.
Separately, Google Wifi security features says "All software updates are signed by Google. Google Wifi can't download or run any software that isn't signed and verified" and "All communication between Google Wifi and Google is secured by Transport Layer Security (TLS)".
As of early May 2017, I was able to answer some of these questions myself. I own a Google WiFi router and it self-updated. My observations are here: 7 mistakes Google made updating my Google Wifi router.
In June 2017, a Google Wifi router had been powered off for a couple weeks. During that time, the firmware had been updated from version 9334.41.3 to 9460.40.5. Within a couple hours, the router self-updated to the new firmware. This is a huge contrast to the much slower rollout used by eero.
See more about Google Wifi routers.
NOTE: The information below was provided by someone who works for Linksys in February 2017. See also How to automatically update the firmware of the Linksys Smart Wi-Fi Routers.
According to Linksys, all of their "Smart-Wifi" branded routers can self-update. These devices usually have model numbers starting with EA or WRT. The information below applies to these routers and not to their Velop mesh router system, which can also self-update.
An "audit log" of sorts can be found on the manual firmware download page for each SKU under "release notes". The release notes contain a timestamp of the release, the firmware version, and some patch notes. See sample.
The router checks for updates by querying the Linksys Smart WiFi cloud. During setup, there's a checkbox that you can uncheck to prevent the router from automatically checking for and installing updates. This option is also togglable under the connectivity settings.
All cloud operations between the router and the cloud are over a TLS connection. This includes checking for and downloading firmware updates.
A change log is provided on the manual firmware download page under "release notes".
Current firmware version can be found under the connectivity settings.
There is currently no mechanism implemented for notification that an automatic firmware update has happened or is going to happen.
By default, the device checks for automatic updates during a 240 minute window starting at midnight local time. There is an API for setting the time and duration of that window, but I do not believe there is any UI supporting it.
There is a button under the connectivity settings that you can use to force a firmware update check. Otherwise, the device checks for new firmware daily.
Router can be forced to update to the latest firmware at any time. If a new firmware update is found after clicking the "check for updates" button, a new button is added to start download/installation.
On the connectivity settings page there's a section for uploading your own firmware images, or firmware images downloaded from the Linksys support site.
The automatic updating system only supports a single "update channel" that installs the newest possible firmware.
Router configuration can be backed up and restored under the Troubleshooting -> Diagnostics page.
The Linksys EA and WRT series routers are single devices and this section applies to them. Linksys just released a Velop mesh system, but the person I corresponded with was not familiar with how the Velop deals with updating three devices.
Firmware updates are downloaded over TLS. The majority of the EA series devices use signed firmware images that require signature verification before installation. None of the WRT devices have firmware signature restrictions. Technically this shouldn't matter - the TLS connection provides verification that the firmware image is coming from Linksys - firmware signing is just an added protection.
As far as I know, all EA and WRT series devices have two firmware partitions - the active partition and a fallback partition. The fallback partition is whatever firmware was previously installed on the router. That way if the main partition ever becomes unbootable, the bootloader can automatically switch to the backup partition to effectively unbrick the device. You can manually trigger a switch to the fallback partition by clicking "Restore previous firmware" under the Troubleshooting -> Diagnostics page.
According to this June 2017 review, Linksys Velop: Powerful But Erratic Mesh Router, "The firmware updates are encrypted during delivery, but the firmware doesn't self-authenticate during startup."
A history of eero firmware releases is here: eero Software Release Notes. Judge for yourself how well they document the changes in each firmware release.
If you do nothing, how quickly does eero install new firmware after it has been released? According to the above firmware history page: "eero software updates are released on a rolling basis, so your eero may not be updated immediately after a new version is released. New versions will be pushed to all customers' networks within a few weeks of public release." A few weeks seems a bit slow, but this is a matter of opinion.
The one Eero system that I can access was running firmware version 2.1.0, which was released Dec. 15, 2016. The next version, 2.2.0-2478, was released Feb. 7, 2017. The system auto-updated itself to the new version sometime between Feb 21st and the 24th. In other words, it took from 14 to 17 days. While waiting, the eero app did mention that an update was available.
Version eeroOS-v2.3.0-91 was released March 28, 2017. I first noticed that it had self-updated on April 21, 2017. It may well have updated a few days earlier; I was checking roughly every other day. Certainly by April 16th, it had not updated.
I asked Eero about the rollout of new firmware in April 2017 and the response was:
"We send out automatic updates every night in small numbers. Usually within approx 4 weeks of a new firmware release all eero networks should have gotten the automatic update push."
Eero does a miserable job at auditing. The app did not indicate when the automatic firmware update occurred. It would be nice to have an audit trail of every time the firmware was updated. It also does not log the speed tests. It seems to make a speed test every day but only reports the last one. In contrast, the AmpliFi from Ubiquiti did keep a log of previous speed tests, which makes it very easy to see any trends.
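When the vendor offers no install-side audit trail, the two-log comparison from the checklist can be kept by hand. The following is an added example, not code from this page or from any vendor: it reconciles the eero release dates quoted above against the dates on which the running version was checked, and bounds how long each update took to arrive. The `reconcile` function, its status labels and the 28-day threshold (taken from eero's "approx 4 weeks") are assumptions made for illustration.

```python
from datetime import date

# Vendor-side log: eero release dates quoted on this page.
VENDOR_RELEASES = {
    "2.1.0": date(2016, 12, 15),
    "2.2.0-2478": date(2017, 2, 7),
    "eeroOS-v2.3.0-91": date(2017, 3, 28),
}
# Router-side log: (day checked, version running), from the dates in the text.
OBSERVATIONS = [
    (date(2017, 2, 21), "2.1.0"),
    (date(2017, 2, 24), "2.2.0-2478"),
    (date(2017, 4, 16), "2.2.0-2478"),
    (date(2017, 4, 21), "eeroOS-v2.3.0-91"),
]

def reconcile(releases, observations, max_lag_days=28):
    """Compare the two logs; return {version: (status, min_lag, max_lag)}."""
    obs = sorted(observations)
    report = {}
    # Firmware seen running that the vendor never announced is a red flag.
    for _, version in obs:
        if version not in releases:
            report[version] = ("unlisted", None, None)
    newest_seen = max((releases[v] for _, v in obs if v in releases), default=None)
    for version, released in releases.items():
        seen = [day for day, v in obs if v == version]
        if not seen:
            # Never seen running: installed between checks, skipped, or still waiting.
            if newest_seen and newest_seen > released:
                report[version] = ("skipped", None, None)
            else:
                waited = max((obs[-1][0] - released).days, 0) if obs else 0
                status = "overdue" if waited > max_lag_days else "pending"
                report[version] = (status, waited, None)
            continue
        first = seen[0]
        # The last check before `first` proves the update had not arrived yet.
        earlier = [day for day, v in obs if day < first and v != version]
        low = max((earlier[-1] - released).days, 0) if earlier else 0
        high = (first - released).days
        report[version] = ("late" if low > max_lag_days else "ok", low, high)
    return report

if __name__ == "__main__":
    for version, result in reconcile(VENDOR_RELEASES, OBSERVATIONS).items():
        print(version, result)
```

The lag is a range because the router was only checked every few days; checking more often narrows it.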
Like Google WiFi, the eero app has no provision for saving the current settings. If something goes wrong, it will probably have to be re-configured from scratch.
After Linksys provided answers to these questions, I contacted some other router vendors asking them to explain the details of their firmware auto-updating system. Not one company did. Each company was contacted on Feb. 5, 2017 (13 days ago when I last reviewed this). The cowards are