I am not alone in pointing out the sad state of consumer router software/firmware.
- In May 2018, when we first learned of the VPNFilter router malware, a few articles looked at the big picture.
- In Wired, Andy Greenberg wrote: "home routers are notoriously prone to vulnerabilities that can allow remote hackers to take them over, and rarely receive software updates".
- The same article quoted Michael Daniel, the head of the Cyber Threat Alliance, a security industry group, saying "This is a set of devices that's getting targeted more and more over the years ... They sit outside firewalls, they don't have native antivirus, they're hard to patch".
Another article quoted Brian Honan, of cybersecurity consulting firm BH Consulting in Dublin, saying: "The key issue here is that for many products aimed at consumers, the costs of building effective security features, such as the ability to patch and update, are currently too high for manufacturers to include ... Until we can compel vendors and manufacturers to bake security into their products, similar to safety standards for physical devices, the issue of vulnerable consumer type devices connected to the internet will not go away..."
- In May 2018, the US Government released a report by the Departments of Commerce and Homeland Security called Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats. It said "Market incentives do not currently appear to align with the goal of dramatically reducing threats perpetrated by automated and distributed attacks. Product developers, manufacturers, and vendors are motivated to minimize cost and time to market, rather than to build in security or offer efficient security updates."
- In April 2018, Tim Carrington of Fidus Information Security disclosed a bug in the TP-Link TLWR740n router that was identical to an earlier bug in another TP-Link router. His comments included this: "Code reuse is a huge problem within the IoT industry. In most cases, what we generally see is a company who sells devices with poor security to vendors who then brand them and sell them on. Tracking the original manufacturer can be quite difficult and, in our experience, getting such vulnerabilities patched is even harder. A good example of this kind of code reuse was discovered in 2017 by Pierre Kim, who found roughly 185,000 devices which all shared the same vulnerabilities."
- In writing about a router hacking incident in March 2018, Andy Greenberg of Wired wrote "Routers, both the big corporate kind and the small one gathering dust in the corner of your home, have long made an attractive target for hackers. They're always on and connected, often full of unpatched security vulnerabilities, and offer a convenient chokepoint for eavesdropping on all the data you pipe out to the internet. Now security researchers have found a ... hacking operation that goes a step further, using hacked routers as a foothold to drop highly sophisticated spyware even deeper inside a network, onto the computers that connect to those compromised internet access points."
- Writing aobut the same incident for Dark Reading, Kelly Jackson Higgins wrote "Router hacking is a relatively rare attack vector, but it's an effective one for hackers. Malicious code can sit on these perimeter devices unnoticed because few security tools can detect it. "We think the developers of the malware decided to infect the victims from routers because they wanted to stay undetected," said Alexey Shulmin, lead malware analyst, Kaspersky Lab, in an interview. "A compromised router can be very hard to detect … During the past years, we have seen several high-profile cases where router malware was involved." Shulmin said router security is typically a "blind spot" for organizations. "We are probably only seeing the tip of the iceberg" in router compromises, he said."
- In October 2017, Noam Rathaus, founder and CTO of Beyond Security said that router vendors have, for years, put little effort into security, testing and hardening of their products. His firm has reported 60 similar authentication bugs this year alone. Quoting
"Today using sites such as Shodan you can locate hundreds to hundreds-of-thousands of devices all vulnerable to serious bugs that allow compromising of the device without requiring any authentication or any information beside the IP address of the device ... Every once in a while something unique (a new type of vulnerability) shows up, but in numerous cases it’s the same type of vulnerabilities over and over again ... Vendors are not spending enough time tracking down these bugs before the product becomes public."
- In September 2017, Robert K. Knake of the Council on Foreign Relations blogged that After Kaspersky, Retailers Should Drop a Whole Lot of Other Products. This was just after Best Buy stopped selling Kaspersky products and he argued that retailers should, at the least, warn customers about insecure products, if not stop selling them altogether. His rant was sparked by a D-Link DIR-842 router that he purchased from Amazon. When he started to configure it, he ran into this: "By default, your new D-Link device does not have a password configured for administrator access to the web-based configuration utility" which got his attention. Then, he learned that the longest password the router could handle was only 15 characters. So, he researched the security of D-Link routers and wrote "D-Link products include so many security flaws that the general advice from security experts who have looked at them is not to buy them ... Reports I found on other D-Link models (newer, more up to date ones) are terrifying." He returned the router. Quoting again: "Critics will argue that Amazon is the 'Everything Store'; they sell thousands of models of routers ... But very few consumers need or want an insecure router. For those that do, Amazon should treat them the same way Google treats a suspect website advising most consumers against the purchase ('back to safety') but allowing the purchase to go through ('proceed with caution') ... the problem with insecure routers is that poor security isn't a choice consumers make for themselves, it is a choice that vendors make for all of us ... By selling devices that are not secure out of the box, Amazon is making us all less safe online."
- In June 2017, Kirill Shipulin of Positive Technologies wrote Practical ways to misuse a router that detailed a large number of router flaws. Here are bits of the article: " ... passwords for approximately 15 out of 100 devices have never been changed from their default values. And just the five most popular user name/password pairs are enough to get admin access to 1 out of every 10 devices ... The diversity and simplicity of vulnerabilities (not to mention number of bug reports) existing in router software is clear sign that device functionality is rarely subjected to rigorous testing, and that developers do not have the know-how to create secure software."
- The Security Problem with Most Home Wi-Fi Routers (July 18, 2017 ) is a self-serving article from F-Secure plugging their SENSE router. Still, it makes some valid points. Quoting:
"There are many reasons why most home routers are unsecure ... One key issue is one that plagues all the most popular routers, including models that top Amazon lists or ones that are issued by ISPs. Criminals put a lot of effort in researching for security vulnerabilities in them, as there will be a higher pool of possible victims. Routers like this are also often made cost-efficiently, at least when it comes to their security. The real Achilles heel of traditional routers, however, is the often antiquated firmware inside them ... The average consumer has probably never even considered updating their firmware, and even if they had, the user interfaces on many routers seem more like cruel jokes than anything else."
However, the article does not say how their user interface is better. They also note that the SENSE router self-updates, but this is a process that can be done well or poorly. See the Firmware Self-Updating page here for more on this. Finally, the article warns about routers that are abandoned by manufacturers such that they don't get bug fixes. A valid point, but F-Secure says nothing about how long they will issue bug fixes for the SENSE router.
- May 5, 2017: John Hagensieker tells it like it is: "You go to Walmart and buy the cheapest thing that says 'REALLY REALLY FAST' on the box ... look at the router box real close. See any discussion about security on it? Nope. You won't. Why? Because they aren't secure because the real goal is that the dumbest person who opens the box be able to connect to the internet without them paying a tech support person for an hour to help you on the phone."
- Oft-forgotten, why the humble router remains one of the most insecure devices in your home by Matthew Braga, CBC News March 9, 2017. Quoting " ... for intelligence agencies and criminals alike, routers - plentiful and often insecure - are ever-increasing targets for attack. Documents released by WikiLeaks this week ... detail the breadth of CIA hacking tools underscore just how valuable that access is ... The WikiLeaks archive ... [has] many pages devoted to finding and exploiting the numerous security holes in networking devices - common models of home and office routers ... The CIA's Network Devices Branch appears to have spent considerable time and effort cataloging exploits for a range of routers and network switches from popular manufacturers such as Apple, Cisco, Asus, HP and ZTE, which are used worldwide."
- Writing about a DDoS
attack on Brian Krebs (Ars Technica Sept. 23, 2016), Dan Goodin said "...the attacks against KrebsOnSecurity harness so-called Internet-of-things devices - think home routers, webcams, digital video recorders, and other everyday appliances that have Internet capabilities built into them. Manufacturers design these devices to be as inexpensive and easy-to-use as possible. Consumers often have little technical skill. As a result, the devices frequently come with bug-ridden firmware that never gets updated and easy-to-guess login credentials that never get changed. Their lax security and always-connected status makes the devices easy to remotely commandeer by people who turn them into digital cannons that spray the Internet with shrapnel."
- In September 2016, F-Secure disclosed a flaw in some Inteno router. Commenting on their experience with Inteno, Janne Kauhanen, cyber security expert at F-Secure said "It's ridiculous how insecure the devices we're sold are ... We and other security companies are finding vulnerabilities in these devices all the time. The firmware used in routers and Internet of Things devices is neglected by manufacturers and their customers - by everyone except hackers, who use the vulnerabilities to hijack Internet traffic, steal information, and spread malware."
- In June 2016, Peter Thornycroft, an engineer with the CTO group at Aruba, contrasted the new mesh networking offered by Eero and Luma with older routers. In describing the router industry he said: "The main selling features of a home router have for years been lower cost and higher headline speeds. This resulted in standard reference hardware implementations, packaged unimaginatively; the physical design and user-interface were contracted out to the lowest bidders, and we got what we paid for."
- In June 2016, Linux systems admin, Jim Salter, wrote Why I built my own homebrew Linux router where he said "Heightened security is actually the entire reason why I built my own personal bare linux router ... Proprietary router firmware often goes months or years between upgrades - and when it does upgrade, it's more frequently to add some shiny to the UI - more than likely introducing more bugs - than to fix security problems. Open source firmware isn't really in much better territory. DD-WRT is one of the most popular, and while it has a new (and incredibly bug-ridden) beta release every few weeks, the project hasn't had a stable release in eight years. Eight years!"
- The FTC went after ASUS for poor router security in February 2016. Lesley Fair writes that "In many recent cases, the FTC has noted that companies didn't address credible alerts about potential product vulnerabilities." As for ASUS in particular: "... security researchers had contacted ASUS to sound warnings, but it often took months - and sometimes over a year - for ASUS to respond ... it was only after a plea from a large European retailer that ASUS started to pay attention to that problem ... when ASUS developed security patches, it didn't notify consumers. The router's admin console had a tool that was supposed to let people check if their router was using the latest available firmware ... But as researchers warned ASUS, the upgrade tool wasn't working ... more than a year went by and consumers were still getting the message that their 'router's current firmware is the latest version' when newer firmware with critical security updates was available."
- In January 2016, Shahar Tal, formerly of Check Point Software, and someone involved in the Misfortune Cookie flaw said: "Router makers are cutting corners by
not checking the security of their products and failing to make efforts to keep customers informed of updates. They aren't paying the price for bad security. They're trying to
cut prices by a dollar and win that contract from service provider X. Security isn't on their mind."
- A January 2016 report on routers in the Wall Street Journal said: "Home routers are an easy target
because manufacturers compete largely on price, for devices that typically sell for less than $100 ... Once routers are sold, manufacturers have little incentive to update them
to improve security. Routers can remain in use for years after what manufacturers term their 'end of life,' meaning they no longer issue updates ... As security improves on
personal computers, hackers seek other ways into networks. Routers make an inviting target."
- In December 2015, Patryk Szewczyk and Nikolai Hampton of Edith Cowan University wrote Your broadband router is not as secure as you think it is. They
"extracted the firmware from 37 currently available broadband routers ... then reverse engineered the firmware to analyse components such as the operating system, system libraries and executable files ... We found that 90% of the components analysed were more than six years old. In every firmware we found obsolete software with known security issues, regardless of the manufacturer or release date ... critical security vulnerabilities identified a decade ago are still present.". They also griped that "the core components of most router firmware are built on open source software released up to a decade ago, and (on many occasions) maintained by part-time enthusiasts rather than professionals ... [and] ... manufacturers have little incentive to improve their firmware development practices ..."
- In December 2015, Jack Wallen, writing in
Tech Republic, said: The need for security is at an all time high. Businesses get that. Consumers, on the other hand, do not. The average consumer ... assume that low-end router their ISP handed them two years ago is up to the task of keeping their network and data safe. Chances are, it's not ... the idea that some generic router is up capable of handling modern-day network security is laughable.
- In November 2015, James Morris of PC Gamer reviewed gaming routers and suggested not
buying any new router. He said:
"While old PC motherboards and CPUs quickly leave the scene when new ones come along, the router market is different. Routers tend to have long lifespans, and most developers regard firmware as works in progress. This makes the break-in period for new routers unusually long for the world of high technology. Many products don't reach full maturation for up to a year post release, after they have been supplanted in the product line-up by the latest and greatest flagship.
Leisurely firmware development cycles also mean treading carefully when fresh models are released. If stability is what you're after, the best place to start is with a popular older router rather than a newly designed one packed with what amounts to beta code. Support boards are filled with lost souls consigned to new-router purgatory for months at a time, waiting for firmware updates to fix critical features. Seriously, this happens a lot."
- In October 2015, Lyon Yang of security company Vantage Point found a bunch of flaws in ZHONE routers used by a major telco in
Singapore. In a story about this he was quoted saying "When the ISP ships the router, it comes with a shitload of vulnerabilities". In addition, he added
that the state of SOHO security more broadly is lousy.
- In August 2015, Jeff Atwood wrote Welcome to The Internet of
Compromised Things where he said:
"Its becoming more and more common to see malware installed not at the server, desktop, laptop, or smartphone level, but at the router level ... I write about this because it recently happened to two people I know ... This is way more evil genius than infecting a mere computer. If you can manage to systematically infect common home and business routers, you can potentially compromise every computer connected to them ... this is scary stuff ... Router malware is the ultimate man-in-the-middle attack..."
One of the people using an infected router was victimized by extra ads being inserted into all unencrypted web traffic. A non-techie would never figure out where these ads are
coming from. Heck, Jeff writes, they may assume that's the way things are supposed to be.
- In August 2015, Taylor Armerding, writing for CSO Online wrote Your router: Gateway for hackers
which started off with:
"It is generally accepted in IT that the weakest link in the security chain is the fallible and frequently careless
human. But a close second, many experts say, is the router - the device that connects people to the Web, sometimes called "the backbone of the
Internet" - which is dangerously vulnerable to skilled hackers. Those experts have been issuing alarms for some time, but they say that, so far,
things have not changed much."
- In May 2015, the SEC Consult Vulnerability Lab discovered a bug
in NetUSB software written by a small Taiwanese company called KCodes. Their software is used throughout the router industry and KCodes was not
helpful when presented proof of the bug. In their commentary on the big picture, SEC Consult writes "
In the past, we've seen a few cases where vulnerabilities in code, which is shared by many embedded devices, have a huge security impact. Some of the vulnerabilities were based on protocol design issues ... however, the (consumer) embedded systems industry is always keen on keeping development costs
as low as possible and is therefore using vulnerability-ridden code provided by chipset manufacturers ... or outdated versions of included open-source
software ... in their products." You don't want to use software that was brought to market as cheaply as possible.
- After writing about the NetUSB flaw for
Macworld, Glenn Fleishman took a step back, observing that "The NetUSB case is all too common. Networked hardware, including set-top boxes, Wi-Fi routers and broadband modems provided by telephone, cable, and other television-service companies, is rarely updated to fix security flaws. If a company or its software module provider create updates, most hardware doesn't notify you of fixes. I've been writing stories for years about these risks ...
Most mainstream hardware churns so quickly through product options and technical specs that any model you buy is simply dropped from a support path
not long after it's made ... It's a sad problem for consumers who are the victims of these practices... "
- In May 2015, Gavin Millard, technical director at Tenable Network Security was quoted saying: "Blame too
many device manufacturers rushing products to market, skimping on secure development practices, failing to audit the third-party code they use, or
neglecting to take bug reports seriously."
- In June 2015, Richard Chirgwin of The Regsister said
"The Register is increasingly sceptical that home broadband router vendors know or care enough to ship secure devices. It's time for the
carriers to take responsibility for their customers, and wield their market muscle to give customers more secure connections".
- In March 2015, Darren Pauli of The Register warned that "Home and small
business router security is terrible. Exploits emerge with depressing regularity, exposing millions of users to criminal activities. Many of the holes are so
simple as to be embarrassing."
- Craig Young of Tripwire says:
"SOHO router security is a problem of enormous proportions with the potential to wreak havoc on the Internet as we know it ... Our research has
revealed that four out of five top-selling home routers are vulnerable to attack ... 25-30 percent of US households use routers vulnerable to known/published
exploits - far more households are using routers with easily discovered flaws. The cumulative bandwidth of all these vulnerable devices could be harnessed to create a devastating DDoS attack ..."
- On the March 3, 2015 episode of his Security Now podcast, Steve Gibson said, after discussing the router flaw with userid/password of super/super hard coded in to the firmware, "
...what we're seeing is that router firmware is too much on the frontline to leave it up to the manufacturers. I'm here to say now in 2015, given that there is well-documented, well-scrutinized, third-party, open source replacement firmware, that's what you should be using. The Tomato firmware and the DD-WRT firmware ... we're seeing too many examples of both deliberate and inadvertent exploitation of the trust that we put in the firmware. It's time to revoke that trust... ". He and host Leo Laporte feel that since routers are "commodity hardware" the manufacturers are not putting any effort into the software.
- Stephen Bono, president of Independent Security Evaluators, has said,
"In general SOHO routers are not designed with security in mind because manufacturers operate on small profit margins and rush to get products to market as fast as possible rather than invest in secure development lifecycles and security audits."
- A Computerworld article by Lucian Constantin in April of 2014 discussed this and led with "Home routers and other consumer embedded devices are plagued by basic vulnerabilities and can't be easily secured by non-technical users, which means they'll likely continue to be targeted in what has already become an increasing trend of mass attacks ... routers, modems, wireless access points and other plug-and-forget devices have lagged behind as their makers lacked strong incentives to secure them."
A year later, Constantin chimed in
again, this time after writing about a study that found dozens of new router flaws: "While some people could have
claimed in the past that routers are not a target for attackers, that's no longer the case. There have been numerous large-scale attacks over the past
several years that specifically targeted routers and other embedded devices: It's time for users to view their routers as more than magical boxes that
give them Internet access".
- In Decrypt This: Why is router security so full of holes?
(April 17, 2015) Chris Stobing writes: "... it's becoming apparent that a change in how we protect home networks should be at the top of everyone's
to-do list. Router makers need to step up their game if the wireless hardware of today is to protect us from whatever threats might show up tomorrow ...
upwards of 75% of all routers provided by ISPs contain software or firmware that can be easily exploited by hackers. Even amateurs are discovering how
easy it can be to plow straight past a router's internal defenses without issue ... The idea that most standard home internet routers are incapable of
protecting users from a truly determined hacker shouldn't be a secret to anyone by this point"
- Darren Kitchen, founder of the Hak5 show and a maker of Wi-Fi penetration-testing devices, said in April 2013 that he wasn't surprised by an ISE study that showed bugs in every tested
router. Routers are "low-powered devices ... rushed out the door. There's not a consumer demand for security; it is not a feature that will sell it."
Two years later, this again proved true. The opening show of The Screen Savers on May 2, 2015
featured a question about the speed of WiFi G routers. Upgrades to WiFi N and AC were debated but the subject of router security never came up.
Even techies on a tech show don't care about, or are not aware of, router security (on the audio, the question is 15 minutes in).
- A number of issues are raised by Sericon Technology in Why Are Routers So
Vulnerable? such as, your router's firmware is probably based on old software, firmware is complex to use, vendors don't always fix their problems,
there are backdoors in firmware and the inevitable password problems.
- An October 2013 article about Project Sonar from Rapid7 included this quote from Robert Graham,
CEO at Errata Security: "My message to
home users is this: That device you bought to connect you to the Internet? I give it a 70 percent chance I can hack it -- easily. Sure, some are secure,
it's just that most aren't. And more expensive or 'feature-rich' or 'secure' devices from more 'reputable' vendors are no different in this respect than
any other vendor/device."
- A November 2013 paper Owning Your Home Network: Router Security
Revisited (PDF) by Marcus Niemietz and Jorg Schwenk of the Horst Gortz Institute for IT-Security at Ruhr-University in Germany leads with:
"In this paper we investigate the Web interfaces of several DSL home routers that can be used to manage their settings via a Web browser. Our goal is to change
these settings by using primary XSS and UI redressing attacks. This study evaluates routers from 10 different manufacturers (TP-Link, Netgear, Huawei, D-Link, Linksys,
LogiLink, Belkin, Buffalo, Fritz!Box and Asus). We were able to circumvent the security of all of them..."
- In January 2014, Bruce Schneier discussed how we got to this point. Quoting from his essay The Internet of Things Is Wildly Insecure - And Often Unpatchable
"The computers in our routers and modems are much more powerful than the PCs of the mid-1990s, and the Internet of Things will put computers into all sorts of consumer devices. The industries producing these devices are even less capable of fixing the problem than the PC and software industries were. If we don't solve this soon, we're in for a security disaster as hackers figure out that it's easier to hack routers than computers. At a recent Def Con, a researcher looked at thirty home routers and broke into half of them - including some of the most popular and common brands. To understand the problem, you need to understand the embedded systems market.
Typically, these systems are powered by specialized computer chips made by companies such as Broadcom, Qualcomm, and Marvell. These chips are cheap, and the profit margins slim.... [Manufacturers] do as little engineering as possible before shipping, and there's little incentive to update their "board support package" until absolutely necessary.
The system manufacturers - usually original device manufacturers (ODMs) who often don't get their brand name on the finished product - choose a chip based on price and features, and then build a router, server, or whatever. They don't do a lot of engineering, either. The brand-name company on the box may add a user interface and maybe some new features, make sure everything works, and they're done, too.
The problem with this process is that no one entity has any incentive, expertise, or even ability to patch the software once it's shipped. The chip manufacturer is busy shipping the next version of the chip, and the ODM is busy upgrading its product to work with this next chip. Maintaining the older chips and products just isn't a priority.
And the software is old, even when the device is new. For example, one survey of common home routers found that the software components were four to five years older than the device."
- Then, in October 2016, Schneier wrote about a DDoS attack carried out by assorted IoT devices and argued that security will not improve without government regulation:
"Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers ... the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own ... Our computers and smartphones are as secure as they are because there are teams of security engineers working on the problem ... This isn't true of embedded systems like digital video recorders or home routers. Those systems are sold at a much lower margin, and are often built by offshore third parties. The companies involved simply don't have the expertise to make them secure ... The market can't fix this because neither the buyer nor the seller cares ... The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features ... When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers... They could impose liabilities on manufacturers ... these would raise the cost of insecurity and give companies incentives to spend money making their devices secure."
Finally, consider what Craig Young of Tripwire said in April 2015 regarding consumer routers.
"Many of the vendors in this space have a difficult time justifying additional engineering time to fix security flaws ... our research did not reveal any strong correlation between the selling price of a router and its relative security ... paying more for a router does not mean the vendor will be any more responsive to vulnerability reports ... If you want to pay for a more secure experience, ideally you want to skip the SOHO market entirely and jump right into enterprise gear. Vendors selling real enterprise products generally have well resourced security teams to evaluate and respond to threats. In the enterprise space there is far more concern placed on having a reputation for good security since the risks are typically much higher for business users. Ironically with the increase of feature sets on home routers, the price difference between enterprise and SOHO is eroding."
October 24, 2015: The German government, concerned about poorly secured routers, is considering a security rating system for routers. Using a checklist somewhat analogous to mine, routers will be given points for features that increase security. See German Govt mulls security standards for SOHOpeless routers. Sadly, the article says that "Routers that advise users of an available firmware update on login to the web admin interface are winners". So, having a router company email their customers when there is new firmware is something we can't even hope for?