Router Security Consumer Routers Website by     
Michael Horowitz 
Home Site Index Bugs News Security Checklist Tests DNS Resources Stats Search Popular Pages
Also see my Defensive Computing Checklist website
 

I think it is a mistake to use a consumer router. The big reason is that their security is not acceptable.

I say this fully aware that my opinion runs counter to every article you will ever read about buying a router. Consumer routers are marketed, and reviewed in the tech press, based on speed, features, speed, price, speed, appearance and speed. Security never factors into the equation. These are, to me, the wrong priorities.

The Small Net Builder website offers a recent example. The article, How To Buy A Wireless Router - 2018 Edition (by Tim Higgins Jan. 25, 2018) focuses on MIMO streams vs. Class, Single point vs. Multipoint routers, Device roaming, Tri-band extenders, 8 stream 11ac and 802.11ax. To me, the most important decision when buying a router is to get one with professionally written software.

Here, in detail, are my reasons for not using a consumer router. As for routers given to you by an ISP, they are even worse. Some business class vendors are listed on the Resources page. First a note on terminology: the software that is the operating system for a router is referred to as firmware.

  1. I have followed router software/firmware for a while now and the number of mistakes/bugs is stunning. The people who create router firmware are not very good at their job. Not only are there lots of bugs/flaws, but many are big glaring bugs. The types of bugs that happen when developers don't care. Or, are incompetent. Evidence of the plethora of bugs is on the bugs in routers page. The list is incomplete. If a router is sold at Best Buy, you don't want it (no offense to Best Buy).

  2. When you buy a consumer router you are buying the hardware. The software is provided as cheaply as possible. When you buy a business class router you are buying the software.

  3. Consumer router vendors do as little firmware maintenance as possible.

    • In August 2014, at the DefCon conference, there was a contest to find bugs in routers. Contestants found 15 flaws in popular routers. Reporting on the results for PC World, Lucian Constantin wrote:
      "One interesting aspect is that only four of the reported vulnerabilities were completely new. The other ones had been discovered and patched in the past in other router models from the same manufacturers, but the vendors did not fix them in the routers selected for this competition. This type of patching inconsistency happens frequently in the router world ... Vendors often fix vulnerabilities only in the models for which those flaws were reported by researchers and fail to test if their other products are also vulnerable. In some cases vendors never fix the reported vulnerabilities at all ..."

    • In May 2021, Chris Bellows of Atredis Partners found three bugs in the Asus GT-AC2900 router that allow someone access to the router without knowing the password. Asus fixed the flaws, as if that was the end of the story. It is not. For one thing, Asus never issued a Security Advisory even though one of the flaws was clearly a back door. Most importantly, Asus never said anything about their other routers (of which there are many). It is very likely other Asus routers share the same password flaws. But, its none of our business.

  4. The Misfortune Cookie flaw from December 2014 offers a very important lesson. The flaw was introduced to the RomPager server from AllegroSoft in 2002. The company fixed the flaw in 2005. Yet, NINE YEARS LATER, Check Point Software found 12 million routers that were still using buggy RomPager software. Adding insult to injury, there is no defense against the flaw and no way for you tell if your router is vulnerable. You have to ask the company that made the router. Good luck with that.

  5. Old software, with know flaws, is the rule rather than the exception with consumer routers. Even the latest firmware often contains disgracefully old versions of software.
    • In January 2016, the Wall Street Journal did a big expose on this Rarely Patched Software Bugs in Home Routers Cripple Security. For a more detailed analysis, see Firmware component versions which looks at the software used by the Asus RT-AC88U, D-Link DIR890L, Netgear R8500, Linksys E9200 and the TP-Link Archer C3200. Its all old.

    • I ran across an example of this in my Nov. 2015 evaluation of the security of the D-Link DIR860L router. NMAP reported that dnsmasq was at version 2.45, which was released in July 2008. When I tested, the latest firmware was from March 2014. Had D-Link bothered to include an updated dnsmasq in that firmware it would have been version 2.68. By not updating dnsmasq in March 2014 they missed out on roughly 21 updates to the software. by Nov. 2015 when I looked into this, the DIR860L router was using a version of dsnsmasq that was 30 releases behind and contained known bugs.

    • In December 2017, Insignary scanned the firmware of 32 Wi-Fi routers from ASUS, Belkin, Buffalo, Cisco, D-Link, EFM, Huawei, Linksys, Netis and TP-Link. Every router had a known security vulnerability. No zero days needed. A majority of the examined firmware contained components with more than 10 "Severity High" vulnerabilities. Half of the firmware had "Severity Critical" vulnerabilities. See their Feb. 2018 Press Release.

    • In June 2020, the Fraunhofer Institute released a Home router security report the results of a study of 127 consumer routers from Asus, AVM, D-Link, Linksys, Netgear, TP-Link and Zyxel. They looked at the latest available firmware as of March 27, 2020. Not one router was bug-free. Some had hundreds of known vulnerabilities. The average number of critical vulnerabilities per router was 53. The best routers had 21 vulnerabilities. A third of the routers use the 2.6.36 Linux kernel which was last updated nine years ago. When routers are updated many known vulnerabilities are not fixed. 50 routers had hard-coded credentials (userid/password) and 16 had well known or easy crackable credentials. Linux provides a number of exploit mitigation features and the routers rarely used them. As for rating the vendors on security, AVM was the best but they are not available in the US.

    • In September 2020, Daniel Aleksandersen blogged a follow-up to the above Fraunhofer study: Network routers are just computers. The study found one third of routers using a version of Linux from October 2010 with 233 known security vulnerabilities. The study did not look into whether software services on the router run in sandboxed and constrained environments, or whether they have full privileged access to the system. His experience with various router vendors has been that services have full access to the system (bad security). He writes that it is neither difficult nor time-consuming to set up this type of protection, yet no one does. He also replicated a small part of the study at a local electronics shop where he made note of every router that was for sale. He then checked and found that none them had received a software update in the last 14 months. Yoda might say: Abandoned, they are. Manufacturers of consumer routers are not incentivized to provide ongoing support and security updates for devices that provide no new revenue. He concludes that there is not one secure consumer router. For better software support, he says you need to make the switch to more involved, complicated, and expensive enterprise-grade network equipment. I agree and that is why I recommend Peplink routers.

    • In February 2021, Bruce Schneier also blogged about this report. His comment: "We know the reasons for this. Most routers are designed offshore, by third parties, and then private labeled and sold by the vendors you’ve heard of. Engineering teams come together, design and build the router, and then disperse. There’s often no one around to write patches, and most of the time router firmware isn’t even patchable. The way to update your home router is to throw it away and buy a new one."

  6. When new firmware is released, customers may not know about it.
    • The process of learning about available updates varies with each router.
    • Asus was dinged by the US Government, in part, because their routers often failed to notify owners about newly released firmware.
    • In November 2017, Daniel Aleksandersen blogged about TP-Link firmware updates rolling out slowly to Europe. Firmware available in Europe typically lagged that available to US customers. And, when firmware is released, TP-Link does not contact their customers to tell them of the available update. But, the point in the article that should most warn you away from consumer routers, came in an email message from a TP-Link support technician that advised he not update the firmware if the device is working fine. Yikes.
    • Even my favorite router, the PepWave Surf SOHO has fallen down here. It has a button in the web interface to check for new firmware that has failed to report on available updates. Fortunately, the Peplink website makes it very easy to manually find updated firmware.

  7. Even when firmware is updated, it is often not installed.
    • Router owners have to know this is a necessary thing, not all do.
    • The firmware update process varies with each router and is never well documented.
    • Upgrading firmware is risky. If anything goes wrong, your Internet connection can be ruined. This is NOT true with Peplink routers as they maintain two copies of the firmware and can always fall back to the prior version.
    • If it ain't broke don't fix it.

  8. Self-updating routers are no panacea. Up until the appearance of Eero routers in early 2016, hardly any router was able to self-update. While it is easy to say that non-techies should seek out a router than does self-update (there is a list on the Resources page) most routers do a bad job of it. So far, they only routers that do a good job of self-updating are from Synology.

  9. New routers are released with firmware that is not ready for prime time.
    Tim Higgins, Managing Editor of SmallNetBuilder.com, is an expert on routers. In July 2017, he had this to say about consumer routers:
    "Linksys is by no means alone in using its customers as beta testers ... Chip vendors race to get to market first, then push their customers (the router manufacturers) to get new technology (11ac, MU-MIMO, etc.) into their products ASAP. Router makers, in turn, push not-fully-baked products to market, bowing to pressure on one end from the chip makers and retailers (BestBuy, Amazon, etc.) on the other end, to get new stuff on the shelves with higher numbers on the boxes because that's what sells. Behavior will not change unless buyers break the cycle and leave stuff on the shelves. Unfortunately, with social media and YouTube 'stars' pumping the hype machine, and people still being sucked in by inflated speed numbers, things won't change anytime soon."

  10. Consumer router vendors have shown, time and again, that they do not care about security. Often, they ignore reports of problems. There are many examples of this on the bugs page, here are just a few.

    • In May 2021, a British consumer organization warned about millions of old routers not getting updates. The worst offender was the TalkTalk HG533 made by Huawei and released in 2013. Huawei was warned in 2013 of a vulnerability involving UPnP. They claimed it was fixed in 2014, but they never actually fixed it. The same vulnerability was re-discovered in 2017 by a different group of researchers. The latest evaluation found that the HG533 has weak passwords and is not being updated at all. Then too, there was the reaction of British ISP, Virgin Media to the report. They "seemingly told Which? to stuff off when its researchers came wagging their fingers disapprovingly...." Stuff off? Virgin Media decided not to "recognise or accept" the research findings. Head in the sand.

    • In July 2020, Martin Rakhmanov of Trustwave wrote about two bugs he found in the Asus RT-AC1900P router. The bugs themselves are not important but much about the process was (one bug was lazy programming, they were not checking the certificate of downloaded firmware when updating). For one thing, neither Asus nor Rakhmanov addressed the issue of other routers. Was this the only buggy Asus router or did other models share the same flaw? It is none of your business. Asus did not issue a security advisory preferring to sweep the bugs under the rug. It took Asus three months to fix the bugs and they never bothered to tell Rakhmanov. When he happened to notice the new firmware, he asked them if they fixed one or both bugs. They didn't know.

    • In July 2020, ISE released a report on assorted bugs in a Tenda router. They had contacted Tenda in January 2020 and never heard anything back. In this article about the report, Sam Levin of ISE was not surprised by the lack of response from Tenda. He said "This isn't the first router that has the same sort of problems and it isn't going to be the last. And this isn't the first manufacturer that has stood us up for six months."

    • In May 2019, Troy Mursch reported a bug to Linksys that affected 33 Linksys Smart Wi-Fi routers. The company decided not to fix the problem. Shortly thereafter, Ars Technica contacted Belkin (which owns Linksys) about the bug and got the cold shoulder, Belkin never responded.

    • In 2013 a company called Independent Security Evaluators tested a group of consumer routers and found 55 bugs and reported them to the companies before going public. ISE later reported that TP-Link fixed all the vulnerabilities. D-Link, however, never responded and Linksys chose not to repair many of the bugs.

    • In early September 2015, security company KoreLogic found a bug in a Linksys router and reported it to the company. When they didn't hear back, they reported the bug again in October. Eventually, in early December 2015, they published the details of the bug publicly. They never heard anything back from Linksys.

    • Even contacting the hardware manufacturers is harder than it should be. Many router companies have no formal way for people to report vulnerabilities. The bugs page is full of examples of people who found bugs in router firmware but were unable to get anyone to listen.

    • There have been times where bad guys have been able to corrupt the firmware update procedure and trick a router into using malicious firmware. That implies that the firmware was not digitally signed and/or was not delivered over a secure TLS connection. The only way this happens is if the router manufacturer does not care about security.


  11. The tech press always recommends that firmware be updated. But, this ignores a bigger issue - firmware abandonment. Many times, after a bug in router firmware has been identified, the company whose name is on the router does not fix the problem because the router is too old. End of Life is the soft sounding term companies use. In Feb. 2018, Brian Knopf, of Neustar said "Vendors rarely support and update routers after the first two years at most." In the same article he noted that router manufacturers spend very little money on security because it cuts into profits. The price you pay with a consumer router is having to replace it every few years, if for no other reason, than the vendor has stopped issuing bug fixes for the firmware.

  12. And, its not just the software that gets abandoned, so too does the documentation. Typically a User Guide will be released alongside a new router model and that's it. Mistakes in the manual are never corrected. As the router firmware changes over time, the manual is never updated. Plus, the manual probably stinks from the get-go. It is not unheard of for features offered by a router to go totally undocumented.

    Here is an example. In July 2019, I heard about a couple new features in the AmpliFi mesh routers: a new type of Guest network just for Friends and the ability to back out a firmware update from the web interface. Interesting in learning more I found both a PDF and an HTML version of the User Guide. Since these features are fairly new, I went to see when the User Guide was last updated. It didn't say. It also didn't say what level of firmware it applied to which is important because Amplifi releases new firmware frequently. And, it said nothing about either feature. In fact, it didn't even mention that the router has a web interface. At the time I was in the market for a mesh router system and this convinced me to avoid AmpliFi.

  13. General suckiness.

    • May 2023: I stumble on a review of the Asus ROG Rapture GT6 mesh router that includes a screen shot of some security options. Of course, the review does not discuss security, but I wanted to see what Asus had to say about this, so, I go to find the manual for the router. It should be here but it is not. There is no User Guide, just a 2 page Quick Start Guide. No manual at all.

    • September 2022: TP-Link band-steers 2.4 to 5 GHz Wi-Fi even when the radio is off by Daniel Aleksandersen. The article is about an access point rather than a router, but it does illustrate poor programming by TP-Link. His TP-Link EAP653 access point is configured to power down the 5 GHz radio at night to reduce power consumption. Clients should, obviously, fall back to the 2.4 GHz network and remain connected throughout the night. But, no. TP-Link has a proprietary band steering feature that is not aware of the radio scheduling feature. The result: frustrated client devices that do not understand why they can not connect to the 2.4 GHz network. Quoting: "It’s incredibly lazy programming to blindly trigger the band steering logic on the 2.4 GHz band without first verifying that a suitable 5 GHz band is there to receive the client."

    • In August 2022, Brett Glass, who owns a wireless ISP, tweeted "As an ISP, I'm amazed and disappointed by consumers' choice of buggy, insecure, poorly supported Internet routers. They believe every claim on the box without knowing what's bogus… especially speed claims".

    • In December 2021, Dong Ngo griped at Netgear: Quietly, Netgear Kills Web-based Remote Management, Pushing Mobile Apps. He noted that Netgear has been quietly killing off useful features. Features such as QoS, Parental Controls and VPN have been moved to a subscription service. Recent firmware updates have removed the web-based Remote Management feature. Worse, Netgear was not honest about the feature removal in their description of the firmware update. You can use their web interface without having a Netgear account, this is not true of the mobile app where they are moving things. Quoting: "Most disappointingly, Netgear seems to have started embarking on a new path, in which it values the bottom line more than the experience of its loyal users. This type of 'bait and switch' practice, and the lack of transparency in going about it, make it hard for me to trust Netgear, once one of my favorite home networking brands, going forward. It’s sad."

    • A November 2021 posting on Reddit pointed out that Netgear only offers 90 days of technical support on their routers. That was my experience with one of their modems too. The posting was a gripe about a year-old Nighthawk MR60 router that reboots itself. The comments are filled with other Netgear horror stories. No one had anything nice to say about the company.

    • From this review of a Netgear router: Tom's Hardware: RAXE500 Tri-Band WiFi Router Review: Fast but Flawed (Oct 2021). "Setup of this router could certainly have gone smoother ... the router informed us on initial setup of a firmware update and began downloading it. We were then informed that the upgrade was complete after waiting a few minutes on the setup screen. However, when we went back into the router software, the firmware was in fact on the same version number as when we started. We had to trigger it manually and wait all over again for the upgrade process. This would be really easy to miss if you were a novice, or just not paying close attention."

    • Netgear, Stop trying to upsell me from Reddit (June 2021). A miserable out of the box experience with a Netgear router. Mobile app is required. Having a Netgear account is required. Initial auto config took over 20 minutes. No simple option to get to web interface. Mobile app tries to sell customer a warranty and paid technical support. Then, when trying to configure the DNS servers, there is an alert about security scans on all devices from a 30 day free trial of a security service. Close that, re-launch the app and then get nagged to subscribe to a parental control service.

    • On April 9, 2021, Rick Broida reviewed T-Mobile's new $60 Home Internet service for CNET. The service includes a wireless gateway (router+modem) made by Nokia. Quoting: "After the initial setup, everything seemed to be working ... my next stop was my Asus laptop. Curiously, the T-Mobile gateway didn't appear in the list of available networks ... In the Home Internet app, there's a Support tab with a link to a T-Mobile FAQ page - but that just took me to T-Mobile's home page, which added to my frustration. A link to the T-Mobile Community Forum stonewalled me as well, because I didn't have a working T-Mobile sign-in ... Then I tried restarting the gateway, which proved a huge mistake: It seemed to lose all my previous setup settings, as though I'd done a hard reset ... The app forced me to repeat the entire setup process, including choosing passwords. When I tried using the same ones as the first time, it wouldn't accept them. When I tweaked them slightly, I got a cryptic "installation failed" message."

    • On January 2, 2021, I blogged about The Misery of a Linksys router which details the general suckiness of a Linksys EA8300. The blog was the result of my trying to configure the router starting from a factory fresh state.

    • The one TP-LINK router that I have used, wiped out all the configuration settings when the firmware was upgraded. That pretty much knocks them off my list right there. I have never seen a review of a TP-LINK router that mentioned this.

    • In February 2017, Ars Technica had an article about dealing with a hacked Netgear 6400 router: Router assimilated into the Borg, sends 3TB in 24 hours. The article goes into the symptoms of the problem and the debugging steps that the author took. A factory reset did not fix the problem. Installing DD-WRT did not go well. In the end, the router was a paperweight.

    • A Lifehacker article from July 2018, tells of an Acer Aspire laptop that crashes a TP-Link Archer C7 router when it connects via WiFi. The laptop does not crash other routers, just the Archer C7. Turns out, others have experienced similar issues with the TP-Link router.

  14. Technical support: Needless to say, there is no useful assistance from consumer router companies.
    • In August 2023, I purchased an Asus mesh Wi-Fi system and sent a few questions to their tech support via email. The responses were little more than randomly generated words. The responses did not relate to the question in any way. So much so, that I could not tell which question the word salad was supposed to answer. And, of course, they do not repeat the question in their response. Asus tech support is a total scam.
    • A few years ago, I ran into a bug in a low end Netgear router. I was using DDNS to enable remote administration of a router whose IP address could change at any time. DDNS is supposed to phone home to the company offering the service whenever the IP address changes. This should be a low-volume thing, once a month perhaps. But the activity log from my DDNS provider showed that the router was phoning home every 10 minutes to say that the IP address had not changed. Eventually the DDNS provider would kick me off the service as a spammer. So, I tried to contact Netgear tech support - and got nowhere. Not even a response that showed an understanding of the problem. In contrast, the support forums at Peplink are populated by people that understand and intelligently respond to every question. Night and day.
    • In February 2019, I wrote about a problem with a Netgear router and another problem trying to report it to Netgear: Reporting a UPnP quirk in a Netgear router. The reporting process seemed like it was designed to prevent the reporting of bugs. It blocked me. The problem had to do with UPnP being somewhat functional after being turned off in the web interface of the router. In September 2020 someone emailed me that they had the same UPnP problem in two other routers, one from Huawei, the other from ZTE. He too had problems reporting it.


  15. Reliability: Even if you don't care about security, there is also the issue of reliability. That there is a product, such as the MutiNet ResetPlug that automatically reboots your router, shows just how unreliable consumer routers can be. This article Maine wireless internet firm sues, saying bad routers are hampering service (May 11, 2017) starts off "Redzone Wireless CEO James McKenna has about 4,000 internet routers stored in a warehouse, just gathering dust. The company claims the discount Netgear routers are defective and wants to send them back ... Soon after launching, Redzone said it received 'numerous complaints' that the routers would frequently and randomly disconnect from the internet every day, requiring them to restart the routers." Redzone purchased the routers because of "attractive pricing" No doubt this is what motivates other ISPs too.

  16. HNAP, the Home Network Administration Protocol, is found on some consumer routers. Assorted HNAP bugs have exposed routers to attacks. In April 2015 it was found to make some D-Link routers vulnerable and the first time D-Link tried to fix the bug, they screwed it up. Other flaws in HNAP were exposed in 2014 and 2010. The real kicker here, is that, unlike other vulnerable protocols, such as WPS and UPnP, you can't disable HNAP. Plus, you have to know the secret handshake to even test if a router supports HNAP, it is never visible in the administrative interface.

  17. Consumer routers (Asus, Linksys, D-Link, TP-Link) have Guest Wi-Fi networks that use the same DNS servers as the main LAN/network. Higher end business/professional routers (Peplink, Ubiquti UniFi, Cisco, Draytek) do not have dedicated Guest Wi-Fi networks. Instead, each SSID can be assigned to a VLAN and thus each SSID can use different DNS servers.

  18. Consumer routers may spy on you.

    • Your Router Is Collecting Your Data. Here's What to Know, and What You Can Do About It by Ry Crist of CNET (Feb. 2022). Crist reviewed the privacy policies for D-Link, Netgear, Asus, TP-Link, Eero, Google Nest and Arris (really CommScope). He found that every company collected personal data for the purpose of marketing. All the companies also acknowledged that they share user data with third parties for marketing purposes. D-Link refused to answer questions about privacy. D-Link and TP-Link do not offer any direct means of opting out. Eero said that the only way to stop their router from gathering data is to not use them. This article was re-published in October 2022: Your Router Is Collecting Data. Here's What to Know, and How to Protect Your Privacy. They do not say if anything changed in the second version of the article.

    • In May 2017, I blogged about Asus router warnings on privacy and security. The research into Asus was done by Daniel Aleksandersen who found that some Asus routers include software from Trend Micro that comes into play when using a number of router features that, at first glance, seem like good things. But, they may well send data passing through the router to Trend Micro. For example, the router may send URLs and email messages to Trend Micro. To me, this makes the cure worse than the disease.

    • Starting in April 2017 Netgear decided to spy on their routers by adding something they refer to as "router analytics" to the firmware of the Nighthawk R7000 and three Orbi routers (RBK40, RBR40, RBS40). Data collection is on by default, but a router owner can login to the router, follow a long click trail and disable it. For their side of the story, see What router analytics data is collected and how is the data being used by NETGEAR? More links about this are on the bugs page, see July 2017. To me, this is reason enough to avoid Netgear altogether. There is no reason to assume they will stop with just these four routers. If you own a Netgear router consider installing DD-WRT on it.

  19. Much of this website is about configuring a router to be as secure as possible. That said, any router can only be as secure as its software allows. The Security Features Checklist page is one way to judge how secure any particular router can get.

On the hardware side, I have only one suggestion: look at the Ethernet ports. Avoid any router that does not have two small LED lights as part of the Ethernet port. On the one hand, its a signal that the router was produced as cheaply as possible. On the other hand, the lights are useful. They can indicate the speed of the Ethernet connection, the flowing of data and, at the physical level, they indicate that connection is working. If, for example, an Ethernet cable was bad, that would be immediately obvious from both the LED lights being off.

March 17, 2021: This page was mentioned on Hacker News (Avoid Consumer Routers) and there were 190 comments made. Lots of comments on OpenWRT. I recommend reading the comment by Chris_Newton. There was also a vote for Fritzbox routers because they are stable, easy to use and offer updates for a long time My favorite comment was from "yetihehe" who said: "I have a rule of thumb, which didn't fail me yet - don't buy fancy looking networking gear. Buy the ones which look like ugly military tech (not fancy military tech) or something you could see in a factory. I have two failed fancy wifi routers, two failed good-looking switches, but one wrt54-gl still working... " Kind of makes sense. The Surf SOHO qualifies as ugly. One comment I got was that this page is all negative and makes no positive suggestions about purchasing a router. My opinions on buying a router are on the Secure Routers page.



Top 
Page Created: June 4, 2015      
 Last Updated: August 25, 2023 5PM CT
Viewed 140,468 times
 (43/day over 3,242 days)     
Website by Michael Horowitz      
Feedback: routers __at__ michaelhorowitz dot com  
Changelog
Copyright 2015 - 2024