Router Security Suggested secure routers Website by     
Michael Horowitz 
Home Site Index Bugs News Security Checklist Tests DNS Resources Stats Search Popular Pages
See my new website: DefensiveComputingChecklist.com
 

What makes a router secure?

  1. The lack of software bugs or, more importantly, the lack of big huge security flaws
  2. The prompt fixing of bugs
  3. Securely configured (as seen on the home page of this site)
  4. Privacy

By "privacy" I am referring to a router not spying on you. In the old days, no routers spied on the network they governed. Now, this is getting harder and harder to find. It is now the rule, rather than the exception, that customers must have an account with the router manufacturer. If the router is in contact with a cloud service from the manufacturer, there is always the chance the someone from the manufacturer can get into the router.

Then too there is passive spying; many routers phone home with data about the activity on the LAN they control. The last router that I took a serious look at, the Synology RT2600ac was disgraceful in this respect. It phoned home to Synology all the time, there is no way to stop it and Synology can not be bothered documenting what data is being transferred or why. For details, in my Synology review see the section Spying On The Router.

Cisco is perhaps the poster boy for Point 1, it seems as if new critical security flaws are found in Cisco router software every month. So many that I have given up even including them in the News page. And these are huge flaws, the type that let remote attackers take full control over vulnerable devices.

- - - - - - - - - - -

Ubiquiti has many fans and, like Peplink, is a step up from consumer routers. However, sometime in October 2019 they started spying on their customers, did not tell anyone about it and offered no way to opt out. So, even if their software is secure (not saying it is) the company itself is not.

I first noticed this November 3, 2019, in this Twitter thread by Royce Williams. It links to a Reddit discussion: Ubiquiti adds phone-home to the access point firmware and an official response from the company. Quoting it: "We have started to gather crashes and other critical events strictly for the purpose of improving our products. Any data collected is completely anonymized, GDPR compliant, transmitted using end-to-end encryption and encrypted at rest. There is no on/off switch ... The memory leak that you reference above was a bug specific to release 4.0.60 which was fixed as of 4.0.61."

In other words, they screwed up the AP phoning home and created a memory leak that crashed their devices. Even if their intentions are not bad, their software quality seems poor. The Access Points phone home to trace.svc.ui.com which Ubiquiti says you can block in the router. However, it keep re-trying which is where the memory leak came from. That bug has been fixed.

More official response on Nov. 3, 2019: Update: UniFi Phone Home/Performance Data Collection. They gave in and will let customers opt out of this. This time.

Sure, we made your Wi-Fi routers phone home with telemetry, says Ubiquiti. What of it? by Shaun Nichols of The Register Nov 7, 2019. The article adds nothing but there are 107 comments as I write this.

As for other aspects of security, I am told that UniFi devices do not require vendor cloud services or cloud accounts. Both are available, but are optional.

- - - - - - - - - - -

Peplink does not offer a mesh Wi-Fi system (at least not as of Oct. 2019) so if you use a Peplink router that does not do Wi-Fi the question is what to pair it with. Although I have not used them, one excellent (and relatively expensive) option is Ruckus. Ruckus specializes in Wi-Fi and their Access Points are universally praised. They can also function in Mesh mode, where one AP talks to another wirelessly.

An issue with all Access Points is the software to control and manage them. The Ruckus"unleashed" line of Access Points have their controller software built into the APs. Ubiquiti will sell you a $70 gizmo to run the controller software for their APs. Peplink Balance routers include AP controller software so if you just need Access Points (no mesh) then buying Peplink APs means not having to deal with controller software from a different company. The cheapest Ruckus AP is the R310. Higher end models are the R510 and the R610. For home use the R310 is probably fine. The 9U1 models are "unleashed," other variations require separate controller software.

As a high end company, Ruckus does not sell directly to consumers, you have to buy through an authorized reseller. Do not buy their hardware on Amazon.com, they will not support it. I do not know the rules for tech support or for ongoing firmware updates to the Access Points. Ruckus APs are designed to be powered from the Ethernet cable. If you don't already have a switch that offers electricity via Ethernet, you will need to buy either a power-over-Ethernet adapter or an AC adapter to power each Ruckus AP.

- - - - - - - - - - -

It is hard to tell how much a router vendor really cares about security - until you submit a bug to them and see how the deal with it. On the October 19, 2019 episode of the Cyberwire podcast (Hoping for SOHO security) someone from ISE was interviewed about their recent report SOHOpelessly Broken 2.0 that found multiple flaws in routers and NAS devices. When it came to dealing with the problems that ISE reported, Asus and Netgear were drastically different. Simply put: Asus good, Netgear bad.

Quoting ISE: "Netgear exhibited severe communication issues, resulting in our finding being patched long before our reports were even confirmed. This was the longest and most arduous disclosure of this research project. Nearly 5 months were spent waiting for Netgear to respond to the BugCrowd reports, and an additional 3 months were spent attempting to get CVEs from Netgear, and then MITRE. After contacting MITRE, Netgear was removed from the official CVE numbering authority list." In contrast, they said "Asus promptly responded to our vulnerability submission. They worked closely with us to ensure they were mitigating the reported vulnerabilities appropriately.".

Below are the bugs that ISE found. Both companies have been making routers for a very long time. This seems like quite a lot of bugs for software that should be mature at this point.

ASUS RT-AC3200
CVE-2018-14710 – Reflected Cross-Site Scripting via appGet.cgi
CVE-2018-14711 – Missing Cross-Site Request Forgery Protection on appGet.cgi
CVE-2018-14714 – Command Injection via load_script Hook in appGet.cgi
CVE-2018-14713 – Uncontrolled Format String via nvram_match Family in appGet.cgi
CVE-2018-14712 – Stack Buffer Overflow via delete_sharedfolder() in appGet.cgi

Netgear Nighthawk X10-R9000
CVE-2019-12510 – Authentication bypass via X-Forwarded-For header
CVE-2019-12511 – System command injection via SOAP API
CVE-2019-12512 – Cross-site scripting via X-Forwarded-For header
CVE-2019-12513 – Cross-site scripting in logs via malicious DHCP request

- - - - - - - -

An experience of mine points out how much tech support cares. If they don't care, then it is impossible to consider the router secure. Peplink cares, AmpliFi does not.

In October 2019 I had a problem that I don't understand: TCP port 53 appeared to be open on the WAN side of an AmpliFi router and on three Peplink routers. The problem itself is not relevant here, just how each company dealt with it.

AmpliFi ignored my first email for a week. A second email was responded to and they said it was needed and pointed me to an irrelevant article about a Linux system needing port 53 open on the LAN side. A couple back/forths made it obvious that the person I was in contact with either didn't know or care. I had given them the public IP address of the AmpliFi router and the nmap output. They did not try to replicate the nmap result. In contrast, Peplink did try to replicate the nmap scan. The first and obvious step from a company that cares.

In addition, AmpliFi has a poor record with WPS. You can appear to disable WPS in the mobile app, but it is not fully disabled. Network scanning software shows that WPS is still enabled. Their tech support told me not to worry about it. But, I do. And, it is not clear to me at all how remote control of an AmpliFi works. So, I can't tell if it's secure. Their remote control system is unlike others I have seen, it requires you to use a Google account.

- - - - - - - -

When it comes to Router Security and/or Privacy, Consumer Reports is as wrong as wrong gets. I am referring to this August 2019 article: Many Wireless Routers Lack Basic Security Protections, Consumer Reports' Testing Finds which says:

CR's router testing includes the companies' privacy policies, because so much sensitive data flows through the devices. Our privacy experts analyzed every router manufacturer’s documentation. We gave better scores to routers—including some models from Eero, Google, and Netgear—that spell out what information their manufacturers might collect from users, such as network speeds, the name of the internet service provider, and how much data you're transmitting to the web.

This is as wrong as wrong gets. For one thing, it assumes all router vendors spy on you, which is NOT true. There are routers that can be used without the router company knowing a damn thing about your network. And, without having to create an account with the router manufacturer. My favorite router company, Peplink/Pepwave is one such company. So too is Ubiquiti which makes the AmpliFi. Each can be used with total privacy.

That said, to use AmpliFi privately means giving up remote access to the system. AmpliFi only allows remote control using a Gmail or Facebook account. Peplink offers two systems for remote access to their routers, one system goes through them (InControl2), the other does not. Specifically, thet still offer remote access via an open port. The port can be anything, access can be limited to HTTPS and you get to change the userid too, so it is as secure as this type of system can be.

In contrast, there is no opting out of Eero/Amazon or Google with their routers. Each requires you to have an account. But worse, they are the last two router companies anyone concerned with privacy should use. Yet, Consumer Reports gives them high marks for privacy. Lunacy. Both companies want to spy on you and a router is a perfect place for this spying.

Another indication that Consumer Reports is clueless, comes from the last few words in the quote above. A router offers access to much more than just "the web".

My final indication of their incompetence comes from their approach - reading privacy policies. If a router is phoning home, this can be detected. But, that requires technical competence.

- - - - - - - -

This page is still being worked on ....

Top 
This page was last updated: November 9, 2019 8PM CT     
Created: January 20, 2019
Viewed 2,793 times since February 27, 2019
(11/day over 258 days)     
Website by Michael Horowitz      
Feedback: routers __at__ michaelhorowitz dot com  
Changelog
Copyright 2015 - 2019