Router Security Consumer Routers Website by     
Michael Horowitz 
Home | Site Index | Router Bugs | Security Checklist | Tests | Resources | Stats | About | Search |
I will be speaking about Router Security at the O'Reilly Security Conference in New York City at the midtown Hilton Hotel (Sixth Ave and 53rd Street). The conference runs from Oct. 30 to Nov. 1, 2017. I am slated for Nov 1st at 3:50pm in the Sutton South room on the second floor.

 

Consumer routers

When you buy a consumer router you are buying the hardware. The software is provided as cheaply as possible. When you buy a business class router you are buying the software.

That said, do not use a consumer router.

I say this fully aware that my opinion runs counter to every article you will ever read about buying a router. That's because my focus is on Defensive Computing. Consumer routers are marketed, and reviewed in the tech press, based on speed, features, speed, price and speed. Security never factors into the equation. These are the wrong priorities.

If you have to have the fastest router on your block for bragging purposes, stop reading this website now. I am not interested, here, in WiFi N vs. AC. Nor am I concerned with Gigabit Ethernet vs. the older fast Ethernet. Hardware has nothing to do with security, it's a software and configuration thing.

Much of this website is about configuring a router to be as secure as possible. That said, any router can only be as secure as its software allows. By the way, when it comes to routers, techies don't use the term software. The operating system that runs a router is referred to as firmware. But, its software.

The Security Features Checklist page is one way to judge how secure any particular router can get. Although the list is long, the included features do not tell the full story.

I have followed router software/firmware for a while now and the number of mistakes is stunning. The people who create router firmware are not very good at their job. They make lots of mistakes. As evidence of this, see my list of bugs in routers. It is incomplete, but illustrates my point: avoid all consumer routers. D-Link, Netgear, Asus, Belkin, Linksys, TP-LINK, etc. etc. etc. If a router is sold at Best Buy, you don't want it (no offense to Best Buy). The most important decision when buying a router is to get one with more professionally done software/firmware.

Consider this example. In August 2014, at the DefCon conference, there was a contest to find bugs in routers. Contestants found 15 flaws in popular routers. Reporting on the results for PC World, Lucian Constantin wrote:

"One interesting aspect is that only four of the reported vulnerabilities were completely new. The other ones had been discovered and patched in the past in other router models from the same manufacturers, but the vendors did not fix them in the routers selected for this competition. This type of patching inconsistency happens frequently in the router world ... Vendors often fix vulnerabilities only in the models for which those flaws were reported by researchers and fail to test if their other products are also vulnerable. In some cases vendors never fix the reported vulnerabilities at all ..."

The Misfortune Cookie flaw from December 2014 offers another lesson. The flaw was introduced to the RomPager server from AllegroSoft in 2002. The company fixed it n 2005. Yet, nine years later, Check Point Software found 12 million routers that were still using buggy RomPager software. Adding insult to injury, there is no defense for the problem and no way for you tell if your router is vulnerable. You have to ask the company that made the router. Good luck there.

The Misfortune Cookie flaw points up an industry wide problem with consumer routers: old software. That firmware is often not updated by router owners, is only a small part of the problem. The bigger issue is that even the latest firmware contains disgracefully old versions of software. In January 2016, the Wall Street Journal did a big expose on this Rarely Patched Software Bugs in Home Routers Cripple Security. For a more detailed analysis, see Firmware component versions which looks at the software used by the Asus RT-AC88U, D-Link DIR890L, Netgear R8500, Linksys E9200 and the TP-Link Archer C3200. Its all old. I ran across an example of this in my Nov. 2015 evaluation of the security of the D-Link DIR860L router. NMAP reported that dnsmasq was at version 2.45, which was released in July 2008. When I tested, the latest firmware was from March 2014. Had D-Link bothered to include an updated dnsmasq in that firmware it would have been version 2.68. By not updating dnsmasq in March 2014 they missed out on roughly 21 updates to the software. by Nov. 2015 when I looked into this, the DIR860L router was using a version of dsnsmasq that was 30 releases behind and contained known bugs.

In early September 2015, security company KoreLogic found a bug in a Linksys router and reported it to the company. When they didn't hear back, they reported the bug again in October. Eventually, in early December 2015, they published the details of the bug publicly. They never heard anything back from Linksys which tells us, very clearly, how much Linksys cares about the security of their routers.

Then too, there is HNAP, the Home Network Administration Protocol, that is found on some consumer routers. Assorted HNAP bugs have exposed routers to attacks. In April 2015 it was found to make some D-Link routers vulnerable and the first time D-Link tried to fix the bug, they screwed it up. Other flaws in HNAP were exposed in 2014 and 2010. The real kicker here, is that, unlike other vulnerable protocols, such as WPS and UPnP, you can't disable HNAP. Plus, you have to know the secret handshake to even test if a router supports HNAP, it is never visible in the administrative interface.

Another issue with consumer routers is abandonment. All software needs ongoing maintenance. Many times, after a bug in router firmware has been identified, the company whose name is on the router does not fix the problem because the router is too old. End of Life is the soft sounding term companies use. The price you pay with a consumer router is having to replace it every few years, if for no other reason than the vendor has stopped issuing bug fixes for the firmware.

And, its not just the software that gets abandoned, so too does the documentation. Typically a User Guide will be released alongside a new router model and that's it. Mistakes in the manual are never corrected. As the router firmware changes over time, the manual is never updated. Plus, the manual probably stinks from the get-go. It is not unheard of for features offered by a router to go totally undocumented.

Then too, some companies making routers just don't care. In 2013 a company called Independent Security Evaluators tested a group of consumer routers and found 55 bugs and reported them to the companies before going public. ISE later reported that TP-Link fixed all the vulnerabilities. D-Link, however, never responded and Linksys chose not to repair many of the bugs.

Even contacting the hardware manufacturers is hard. Many times people who found bugs in router firmware were unable to break through the bureaucracy to get anyone to listen. Many router companies have no formal way for people to report vulnerabilities.

Also, the process of updating the firmware in routers stinks. For one thing, it varies with each router and is never well explained. Then too, the owner of the router has to manually seek out and find new firmware updates. In the best case, after logging in to the router, something will indicate the availability of an update (again, no standard). Just as likely, the router owner has to search the vendor website manually. There is nothing akin to the automatic updating found on Windows, OS X and Android. Plus, many router owners don't even know that the firmware needs to be updated.

There have been times where bad guys have been able to corrupt the firmware update procedure and trick a router into using malicious firmware. That implies that the firmware was not digitally signed and/or was not delivered over a secure TLS connection. The only way this happens is if the company does not care.

If your router gets infected with malware, or re-configured in a malicious way, most people would never know. There is no Norton AntiVirus for routers.

A PC World review of the TP-Link Archer C8 AC1750 router from Feb 2, 2015 illustrates how mis-guided the technical press is when it comes to routers. The article discusses price, antennas, printer sharing, the CPU, WiFi performance and even points out that the case is susceptible to scratches but doesn't collect fingerprints. Nothing about security. It even discusses WPS without a mention to security. To me, this is malpractice.

The one TP-LINK router that I tested, wiped out all the configuration settings when the firmware was upgraded. That pretty much knocks them off my list right there. But, its good to know the Archer C8 doesn't show fingerprints.

In February 2017, Ars Technica had an article about dealing with a hacked Netgear 6400 router: Router assimilated into the Borg, sends 3TB in 24 hours. The article goes into the symptoms of the problem and the debugging steps that the author took. A factory reset did not fix the problem. Installing DD-WRT did not go well. In the end, the router was a paperweight.

"Securing home routers is not an easy task and may require some technical knowledge. A good start is properly selecting a home router - this means avoiding free routers included in internet plans... " from Securing Your Home Routers by Trend Micro sometime in 2017.

And, if the bugs don't convince you, perhaps technical support will.

A few years ago, I ran into a bug in a low end Netgear router. I was using DDNS to enable remote administration of a router whose IP address could change at any time. DDNS is supposed to phone home to a company offering the service whenever the IP address changes. This should be a low-volume thing, once a month perhaps. But the activity log from my DDNS provider showed that the router was phoning home every 10 minutes to say that the IP address had not changed. Eventually the DDNS provider would kick me off the service as a spammer. So, I tried to contact Netgear tech support - and got nowhere. Not even a response that showed an understanding of the problem. In contrast, the support forums at Peplink are populated by people that understand and intelligently respond to every question. Night and day.

Consumer routers are a software cesspool. Again, see my list of router bugs for confirmation.

On June 3, 2015 PC Magazine published their Business Choice Awards 2015: Routers where magazine readers rated the vendors who make their routers. Asus came in first place. But, Asus is not a business class router. Neither is Apple, which came in second place. Some business class vendors listed on the Resources page.

And, even if you don't care about security, there is also the issue of reliability. That there is a product, such as the MutiNet ResetPlug that automatically reboots your router, shows just how unreliable consumer routers can be.

In Australia in October 2016 an ISP gave out routers with default userid/passwords and "remarkably similar SSIDs." The article argues that: "It isn't terribly difficult to load up factory firmware that generates a random password, assigns it to a device, then prints a label with that information to go into the box with the gadget. It's more work than just slapping a default username and password into the software - but not much. And the cost, amortised against tens of thousands of units, can't be more than a penny or two."

This article Maine wireless internet firm sues, saying bad routers are hampering service (May 11, 2017) starts off "Redzone Wireless CEO James McKenna has about 4,000 internet routers stored in a warehouse, just gathering dust. The company claims the discount Netgear routers are defective and wants to send them back ... Soon after launching, Redzone said it received 'numerous complaints' that the routers would frequently and randomly disconnect from the internet every day, requiring them to restart the routers." Redzone purchased the routers because of "attractive pricing" No doubt this is what motivates other ISPs too.

In May 2017, I blogged about Asus router warnings on privacy and security. The research into Asus was done by Daniel Aleksandersen who found that some Asus routers include software from Trend Micro that comes into play when using a number of router features that, at first glance, seem like good things. But, they may well send data passing through the router Trend Micro. For example, the router may send URLs and email messages to Trend Micro. To me, this makes the cure worse than the disease.

Starting in April 2017 Netgear decided to spy on their routers by adding something they refer to as "router analytics" to the firmware of the Nighthawk R7000 and three Orbi routers (RBK40, RBR40, RBS40). Data collection is on by default, but a router owner can login to the router, follow a long click trail and disable it. For their side of the story, see What router analytics data is collected and how is the data being used by NETGEAR? More links about this are on the bugs page, see July 2017. To me, this is reason enough to avoid Netgear altogether. There is no reason to assume they will stop with just these four routers. If you own a Netgear router consider installing DD-WRT on it.

Tim Higgins, Managing Editor of SmallNetBuilder.com, is an expert on routers. In July 2017, he had this to say about consumer routers:
"Linksys is by no means alone in using its customers as beta testers ... Chip vendors race to get to market first, then push their customers (the router manufacturers) to get new technology (11ac, MU-MIMO, etc.) into their products ASAP. Router makers, in turn, push not-fully-baked products to market, bowing to pressure on one end from the chip makers and retailers (BestBuy, Amazon, etc.) on the other end, to get new stuff on the shelves with higher numbers on the boxes because that's what sells. Behavior will not change unless buyers break the cycle and leave stuff on the shelves. Unfortunately, with social media and YouTube 'stars' pumping the hype machine, and people still being sucked in by inflated speed numbers, things won't change anytime soon."

- - - - - - -

On the hardware side, I have only one suggestion: look at the Ethernet ports. Avoid any router that does not have two small LED lights as part of the Ethernet port. On the one hand, its a signal that the router was produced as cheaply as possible. On the other hand, these lights can come in handy when things go wrong.



Top 
This page was last updated: August 10, 2017 11AM CT     
Created: June 4, 2015
Viewed 20,293 times since June 4, 2015
(23/day over 872 days)     
Website by Michael Horowitz      
Feedback: routers __at__ michaelhorowitz dot com  
Changelog
Copyright 2015 - 2017