|Router Security||Router Firmware Updates||
Website by |
Updating the firmware on a router is a major pain the neck. While every article about routers says to regularly update the firmware, none talk about the problems. Here is my list of "issues" with firmware updates:
For an example of an Asus router update process that confused me (no documentation on what to expect) see A router firmware update goes bad. Not to pick on Asus, but in an August 2014 review of the Asus RT-AC68U router in PC Magazine Samara Lynn wrote "I was able to manually upgrade the newer router without a hitch ... This is an improvement over the quirky behavior I experienced when trying to upgrade the RT-AC66U's software." Quirky?
OK, maybe I will pick on Asus. This page How to update the firmware on an ASUS networking product says "After updating the firmware, we recommend that you restore the factory default settings by pressing the reset button of the device for 5 seconds." This is horrible, it means that you lose all the customizations you made to the router. Last verified May 8, 2017.
Still worse, was this observation of the Luma mesh networking system by Tim Higgins in September 2016: "Luma provides neither a way to see [the current] firmware version nor a way to check for updates."
It's always nice to know where you stand. For that, you need a a history of firmware updates. Some router vendors offer a single web page with the history, others do not. Google Wifi does not. Below are the good vendors, that I am aware of, and links to their firmware histories.
There are a number of ways that the owner of a router can learn about the availability of new firmware.
In November 2017, Daniel Aleksandersen blogged about TP-Link firmware updates rolling out slowly to Europe. He noted that none the 9 TP-Link devices he investigated self-updated. Worse, TP-Link does not contact their customers to tell them of newly released firmware; no emailing lists, no syndication feeds, nothing. While investigating, he was told by a support technician not to update the firmware if the device is working fine. Yikes.
I have seen two different approaches for manually updating router firmware.
The worst approach requires you to download a file to your computer, and then upload it to the router. I call this is the worst approach because it requires the most work. I have also seen instances where the downloaded file was compressed and needed to be uncompressed, a fact not explained by the vendor. I have also seen the download include multiple files, only one of which was supposed to be uploaded to the router. Needless to say, this wasn't explained either.
A far better approach is where the router completely handles the update. The router owner says to upgrade from version x to version y and the router does so without the need for files to be manually downloaded to your computing device and then uploaded. Click a button and let it go.
As routers are evolving, more and more can self-update. The owner of the router can remain blissfully ignorant of the need to update the firmware or even that firmware exists. But, self-updating can be done well or poorly. For one, the router may not backup the current settings before upgrading the firmware. Then too, you have scheduling issues. It can be quite inconvenient for the router to reboot itself whenever it feels like it. And, if something all of a sudden goes wrong, you may not realize that the router just recently upgraded the firmware which may explain the new problem.
There is a list of self-updating routers on the Resources page. The Security Checklist page has details on what separates the men from the boys when it comes to self-updating firmware. Finally, the Firmware Self-Updating page has details on how some vendors respond to this checklist.
The VPNFilter malware/botnet, which we first became aware of in May 2018, raised a new question. The first solution for removing the malware was to reset the router to factory state. But, how or why this works was never explained. Certainly the best way to remove hacked firmware is to install new firmware. If a router is running old firmware, fine. But what if a router is running the latest release of the firmware? Does it allow you to re-install the same firmware on top of itself? Until May 2018, there was no reason to ask this question.
Looking ahead, malicious firmware may eventually prevent the detection of newer firmware, so we may have to download the new firmware using a different router. Thus, it is safer to use a router that can accept new firmware from a file on your computer. At least until the bad guys prevent that too.
On a new router, I would do the firmware upgrade pretty much first thing to minimize the danger. See the New Router page for more.
For an existing router:
When it comes to firmware updates, Peplink is the Rolls Royce of routers. You get the first taste of this, when you update the firmware. Before it does anything it reminds you that its a good idea to save the current configuration. I have seen this on their Balance line and the Surf SOHO. Their travel router however, does not have this automated reminder.
What really separates the men from the boys however, is that Peplink/Pepwave routers maintain two copies of the firmware. The screen shot above illustrates that my preferred router, the Pepwave Surf SOHO can be rebooted to run either firmware version 6.2.1 or 6.2.0. I have also seen that their Balance line (high end) and their travel router (bottom of the line) also keep two copies of the firmware.
This eliminates almost all the risk involved in firmware upgrades. It's great Defensive Computing. If new firmware causes a problem, just re-boot to fall back to the prior release. The only downside is that when you download new firmware, the router reboots into it immediately. If you don't want to use the new firmware, however, just reboot back to the tried and true older version.
I have seen a Linksys Smart WiFi router (the EA6200) that also offered to reboot into the prior firmware. It didn't say what the prior version was, but still, it's a nice option to have. I have also been told that the Linksys WRT1900ACS supports two installed copies of the firmware, but that it is not documented. The secret handshake for the WRT1900ACS to switch firmwares is to turn it on and off three times. Or, if you can get into terminal, the fw_setenv command can switch the boot firmware. I can't confirm this.
In April 2017 John Hagensieker wrote about the Linksys WRT3200ACM and its two onboard firmwares: " ... router comes with Linksys firmware and if you upgrade to DD-WRT Firmware that in reality BOTH FIRMWARES RESIDE ON YOUR SYSTEM. So let's say you muck up DDWRT real good or even you think you might have bricked the router you can turn it off on the switch on back, then turn it on three times until the lights come on, then turn off again. I think on the 4th boot it will revert to the other boot partition ... One thing you don't want to do is update DDWRT from DDWRT because then it resides on both partitions. ONLY INSTALL OR UPDATE DDWRT FROM THE LINKSYS FIRMWARE." He also discussed switching boot partitions with some Telnet commands.
If you know of other routers that maintain two copies of the firmware, please let me know.
The process of updating firmware is often poorly documented. So, here is what to expect when updating the Surf SOHO.
The process starts from System -> Firmware -> Check for Firmware button. There are two sections below documenting the process when it finds new firmware and when it does not. In the former case, the process is pretty simple. In the latter case, you have to first download the firmware from the Peplink website to your computer, then, during the process that firmware file is uploaded to the router. Sadly, Peplink's automatic detection of new firmware has been poor for years.
A great Peplink feature is that before firmware is installed it always reminds you to backup the current state of the router, as shown below. When you click the OK button, it downloads a .conf file to your computer.
ROUTER DETECTS NEW FIRMWAREIf it finds newly available firmware, it asks if you want to install it. After saying yes, the system asks if you want to backup all the current settings (shown above).
These screen shots are from June 2017, when a Surf SOHO was updated from firmware 6.3.3 to 7.0.1.
Next, shown below, it tells you it is upgrading to 7.0.1. Note that it also provides a link to the Release Notes; nice touch. This lets you determine if you really want or need to upgrade the firmware.
Then, a boring screen warning that this might take up to 6 minutes.
Then, in red, it says that the router is rebooting.
And, eventually, you are back at the logon screen.
MANUAL FIRMWARE UPDATES
As noted above, when manually updating the firmware, you have to first download the firmware from the Peplink website. Current firmware is available at Peplink.com from Support -> Firmware and Manual Downloads. Or just bookmark https://www.peplink.com/support/downloads/. As you can see below, the firmware, release notes and full user manual are all available. The firmware downloads as a .bin file. This does require you to know the hardware version of your router. The first version of the Surf SOHO is HW1, the second is HW2 and the third is MK3. In the router web interface, these stupid abbreviations are not used, it simply uses 1, 2 and 3. Older firmware releases, are available in the Firmware Archive.
A manual update is required when the check for new firmware button says "No update available" (see below). Next, click the Choose File button and navigate to the downloaded firmware.
Then, click the Manual Upgrade button and the firmware uploads from your computer to the router as shown below.
Then, it validates the uploaded firmware.
It then shows the same boring Firmware Upgrade screen with the orange progress bar, as shown above in the ROUTER DETECTS NEW FIRMWARE section, that this might take up to 6 minutes. Eventually, it reboots to the logon page.