Router Security | Apple Routers |
Website by Michael Horowitz |
October 23, 2017: In response to the KRACK flaws in WPA2, Apple said nothing. They really hate their customers.
November 21, 2016: No more Apple routers. This has yet to be confirmed by Apple.
Apple
Abandons Development of Wireless Routers by Mark Gurman. November 21, 2016.
NOTE: all the text below was written in 2015.
I have no first hand experience with Apple routers. However, in May 2015, Glenn Fleishman, while discussing the state of consumer routers, had this to say about them: "Apple has a much better track record at patching Wi-Fi routers dating way, way back. Apple's chain of firmware updates (including a few stinkers later fixed) for its 802.11n routers allow every Extreme and Time Capsule model it made between 2007 and 2013 to be upgraded. The introduction of 802.11ac in mid-2013 started a new chain, but I still expect firmware updates if security flaws are discovered in the older devices ... By default, AirPort Utility on every computer on which it's installed will alert you to new firmware and other potential security issues on Apple base stations..."
There is a flip-side to this however.
For one, Apple routers do not have a web interface, forcing you to use the AirPort utility for configuration and
management. According to Fleishman, the AirPort utility for Windows has not been updated for several years (as of May 2015) which makes an Apple
router only appropriate for a location with iOS or OS X devices. According to Apple, AirPort Utility 5.6.1 for Windows is only supported on Windows 7.
Does it work on Windows 8? Windows 10? Who knows?
October 24, 2015: I have read that the fifth generation Airport Extreme router works fine with the Windows based AirPort utility. However, the sixth generation
devices only partially work with it.
Also, be aware that the low end AirPort Express has only a single LAN side Ethernet port, while the more expensive AirPort Extreme has only three. Most routers have 4 LAN side Ethernet ports. Note too, that there are many one-star reviews of the AirPort Express at apple.com. And, the AirPort routers do not support OpenVPN type VPNs.
Then too, there is issue of trust. Apple never says anything about the security flaws in their products. And, they often delay fixing security problems. In my opinion, this corporate behavior makes Apple untrustworthy.
Many companies learn about bugs in their software from outsiders. Well run companies, pay for bug reports. Apple does not offer a bug bounty. Thus, they don't get bug reports they could otherwise be informed of.
There is an inadvertent upside to using an Apple router - they are relatively unpopular. Thus, bad buys may pay less attention to them because few people use them. On the other hand, there are few poor people with iPads and MacBooks, so compromising a location with Apple hardware may well yield upper income victims.
Can you lock down access to an Apple router? I don't know, so I went in search of the manuals.
It turns out Apple does not publish detailed User Guides for their AirPort routers, just short Setup Guides. Strike one.
Strike two was that the manuals had not been updated in years. A check in June 2015 for AirPort manuals turned up no manuals from 2014 or 2015. The AirPort Extreme manual was from June 2013, the AirPort Express was from June 2012.
Strike three is that Apple fails to put a date or a version number in their Setup Guides. As an example, see the AirPort Extreme Setup Guide. Thus, the firmware may well have been updated with changes or new features that are not reflected in the manual.
The Setup Guides say nothing about securing access to an Apple router. Just some passing references to a password. I take this as a bad sign.
You can find the latest router firmware at support.apple.com/en_US/downloads/airport. As of late January 3, 2016 the latest AirPort Express firmware (7.6.4) was released in August of 2013, 2.5 years ago. The latest AirPort Extreme firmware (7.7.3) was released in April 2014, 20 months ago. This is especially troubling because Apple uses OpenSSL in their routers and OpenSSL has fixed a ton of bugs since Apple's last firmware release. See all the bugs in OpenSSL from 2015 and from 2014. Is the long time between software updates because the router firmware has no bugs and includes every feature anyone could want? Or, is it because Apple doesn't really care about their routers?
Apple provides very little information about the changes in their firmware updates.
As for WPS, Apple routers support it, but only partially.
For one thing, they seem to only support it for adding WPS enabled printers to the LAN. The AirPort Extreme Setup Gide says nothing about using WPS to connect anything other than a printer to the network. How the router can tell a printer from another type of wireless device is unclear to me. Since WPS is a standard published protocol, any type of device should be able to communicate using the protocol. In fact, I have read that in older versions of the AirPort utility, the feature was called 'Add Wireless Clients'.
In addition, Apple does not seem to support all the various WPS modes of operation. According to the AirPort Extreme setup guide, it supports a mode where you enter a number from the assumed printer into the router. This mode was never a security risk. It also supports another mode that Apple calls "First attempt" for, again, connecting a WPS printer to the network. The Setup Guide does not explain this mode at all. But, while Apple does not seem to update the Setup Guide, the do update their website. The document, Connect an AirPrint printer to a Wi-Fi network (last updated June 1, 2015) says "If you selected 'First attempt,' push the WPS button on the printer. When the printer's MAC Address appears in AirPort Utility, click Done." Outside of Apple, this is called the WPS push button method. It too, has never been a security issue.
November 10, 2015: Feature Request: A Magic AirPort Extreme with smart downloads, better debugging + prioritized devices by Jeremy Horwitz. A devoted Apple person wishes their Apple router had some more features. To me, the most interesting point in this article is that Apple has not refreshed the firmware in the AirPort Extreme for nearly a year. One feature he wants, is for Apple routers to be smarter about streaming video and audio. Horwitz says "Adults don't have an easy way to determine, for instance, whether their kids video streams or downloads are clogging the network". If he was using my favorite router, the Pepwave Surf SOHO, he could tell this easily. He also gripes that Apple router owners can't "set streaming priority for certain devices or applications (say, Mom's Office Mac or Apple TV wins out over Junior's iPod touch)". He also wants better diagnostic tools in iOS and OS X to identify problem devices and streams. He concludes: "now that the Apple TV has launched as an independent platform, helping users control the media streaming in their homes is going to become more important than ever before".
December 22, 2015: An excellent article by Glenn Fleishman, Alternatives to Apples Wi-Fi Base Stations, covers the pros and cons of Apple routers. As for cons, he writes that Apple routers are long-in-the-tooth and overpriced for what they deliver. He suggests that if you don't need specific AirPort-only features there are good alternatives that cost substantially less and offer capabilities that Apple does not. As for the AirPort Express, he writes that it was last updated in 2012, does not support AC WiFi, uses slow 10/100 Mbps Ethernet and has only one Ethernet LAN port. On the other hand, it has an audio output that enables AirPlay streaming. As for pros, he offers six reasons to use an apple router. Fleishman also describes his experience adding a TP-LINK router to an all-Apple network.
December 25, 2015: Two more articles were published today by Glenn Fleishman: Is blocking device necessary on Wi-Fi with a password set? discusses MAC address filtering on Apple routers. The title of the other is self-explanatory: Use Timed Access Control to restrict when devices can connect to your Apple base station Wi-Fi.