I think it is a mistake to use a consumer router. The big reason is that their security is not acceptable.
I say this fully aware that my opinion runs counter to every article you will ever read about buying a router. Consumer routers are marketed, and reviewed in the tech press, based on speed, features, speed, price, speed, appearance and speed. Security never factors into the equation. These are, to me, the wrong priorities.
The Small Net Builder website offers a recent example. The article, How To Buy A Wireless Router - 2018 Edition (by Tim Higgins Jan. 25, 2018) focuses on MIMO streams vs. Class, Single point vs. Multipoint routers, Device roaming, Tri-band extenders, 8 stream 11ac and 802.11ax. To me, the most important decision when buying a router is to get one with professionally written software.
Here, in detail, are my reasons for not using a consumer router. As for routers given to you by an ISP, they are even worse. Some business class vendors are listed on the Resources page. First a note on terminology: the software that is the operating system for a router is referred to as firmware.
- I have followed router software/firmware for a while now and the number of mistakes/bugs is stunning. The people who create router firmware are not very good at their job. Not only are there lots of bugs/flaws, but many are big glaring bugs. The types of bugs that happen when developers don't care. Or, are incompetent. Evidence of the plethora of bugs is on the bugs in routers page. The list is incomplete. If a router is sold at Best Buy, you don't want it (no offense to Best Buy).
- When you buy a consumer router you are buying the hardware. The software is provided as cheaply as possible. When you buy a business class router you are buying the software.
- Consumer router vendors do as little firmware maintenance as possible. Consider this example. In August 2014, at the DefCon conference, there was a contest to find bugs in routers. Contestants found 15 flaws in popular routers. Reporting on the results for PC World, Lucian Constantin wrote:
"One interesting aspect is that only four of the reported vulnerabilities were completely new. The other ones had been discovered and patched in the past in other router models from the same manufacturers, but the vendors did not fix them in the routers selected for this competition. This type of patching inconsistency happens frequently in the router world ... Vendors often fix vulnerabilities only in the models for which those flaws were reported by researchers and fail to test if their other products are also vulnerable. In some cases vendors never fix the reported vulnerabilities at all ..."
- The Misfortune Cookie flaw from December 2014 offers a very important lesson. The flaw was introduced to the RomPager server from AllegroSoft in 2002. The company fixed the flaw in 2005. Yet, NINE YEARS LATER, Check Point Software found 12 million routers that were still using buggy RomPager software. Adding insult to injury, there is no defense against the flaw and no way for you to tell if your router is vulnerable. You have to ask the company that made the router. Good luck with that.
- Old software, with known flaws, is the rule rather than the exception with consumer routers. Even the latest firmware often contains disgracefully old versions of software.
- In January 2016, the Wall Street Journal did a big expose on this: Rarely Patched Software Bugs in Home Routers Cripple Security. For a more detailed analysis, see Firmware component versions which looks at the software used by the Asus RT-AC88U, D-Link DIR890L, Netgear R8500, Linksys E9200 and the TP-Link Archer C3200. It's all old.
- I ran across an example of this in my Nov. 2015 evaluation of the security of the D-Link DIR860L router. NMAP reported that dnsmasq was at version 2.45, which was released in July 2008. When I tested, the latest firmware was from March 2014. Had D-Link bothered to include an updated dnsmasq in that firmware it would have been version 2.68. By not updating dnsmasq in March 2014 they missed out on roughly 21 updates to the software. By Nov. 2015 when I looked into this, the DIR860L router was using a version of dnsmasq that was 30 releases behind and contained known bugs.
- In December 2017, Insignary scanned the firmware of 32 Wi-Fi routers from ASUS, Belkin, Buffalo, Cisco, D-Link, EFM, Huawei, Linksys, Netis and TP-Link. Every router had a known security vulnerability. No zero days needed. A majority of the examined firmware contained components with more than 10 "Severity High" vulnerabilities. Half of the firmware had "Severity Critical" vulnerabilities. See their Feb. 2018 Press Release.
- In June 2020, the Fraunhofer Institute released a Home router security report, the results of a study of 127 consumer routers from Asus, AVM, D-Link, Linksys, Netgear, TP-Link and Zyxel. They looked at the latest available firmware as of March 27, 2020. Not one router was bug-free. Some had hundreds of known vulnerabilities. The average number of critical vulnerabilities per router was 53. The best routers had 21 vulnerabilities. A third of the routers use the 2.6.36 Linux kernel which was last updated nine years ago. When routers are updated many known vulnerabilities are not fixed. 50 routers had hard-coded credentials (userid/password) and 16 had well known or easily crackable credentials. Linux provides a number of exploit mitigation features and the routers rarely used them. As for rating the vendors on security, AVM was the best but they are not available in the US.
In September 2020 Daniel Aleksandersen blogged a follow-up to the above Fraunhofer study: Network routers are just computers. The study found one third of routers using a version of Linux from October 2010 with 233 known security vulnerabilities. The study did not look into whether software services on the router run in sandboxed and constrained environments, or whether they have full privileged access to the system. His experience with various router vendors has been that services have full access to the system (bad security). He writes that it is neither difficult nor time-consuming to set up this type of protection, yet no one does. He also replicated a small part of the study at a local electronics shop where he made note of every router that was for sale. He then checked and found that none of them had received a software update in the last 14 months. Yoda might say: Abandoned, they are. Manufacturers of consumer routers are not incentivized to provide ongoing support and security updates for devices that provide no new revenue. He concludes that there is not one secure consumer router. For better software support, he says you need to make the switch to more involved, complicated, and expensive enterprise-grade network equipment. I agree and that is why I recommend Peplink routers.
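The dnsmasq finding from the DIR860L evaluation above can be turned into a repeatable check. The following is an added example, not code from the original article: it parses constructed `nmap -sV`-style output and reports how many months old each identified component was when the firmware was built and when it was audited. The sample scan, the `RELEASED` and `CURRENT_AT_BUILD` tables and all function names are assumptions of this example; only the dnsmasq versions and the dates come from the article.

```python
import re

# Constructed sample shaped like `nmap -sV` output. Only the dnsmasq version
# comes from the article; the versionless http line is made up.
SAMPLE_SCAN = """\
PORT   STATE SERVICE VERSION
53/tcp open  domain  dnsmasq 2.45
80/tcp open  http
"""

# Hand-maintained baseline (an assumption of this example), filled with the
# values the article gives.
RELEASED = {("dnsmasq", "2.45"): (2008, 7)}   # (year, month) of release
CURRENT_AT_BUILD = {"dnsmasq": "2.68"}        # current when firmware was built

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
PRODUCT_VERSION = re.compile(r"^([A-Za-z][\w.-]*)\s+(\d+(?:\.\d+)*)")

def months_between(start, end):
    """Whole months from one (year, month) pair to another."""
    return (end[0] - start[0]) * 12 + (end[1] - start[1])

def version_key(version):
    """Turn '2.45' into (2, 45) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def audit(scan_text, firmware_built, audited):
    """Return one finding per open port listed in the scan output."""
    findings = []
    for line in scan_text.splitlines():
        port_match = PORT_LINE.match(line.strip())
        if not port_match:
            continue  # header line or anything that is not an open port
        port, proto, service, banner = port_match.groups()
        finding = {"port": f"{port}/{proto}", "service": service}
        banner_match = PRODUCT_VERSION.match(banner)
        if not banner_match:
            # Service answered but no product/version was fingerprinted.
            finding["status"] = "no-version"
            findings.append(finding)
            continue
        product, version = banner_match.groups()
        finding.update(product=product, version=version, status="unknown-release")
        released = RELEASED.get((product, version))
        if released:
            finding["months_old_at_build"] = months_between(released, firmware_built)
            finding["months_old_at_audit"] = months_between(released, audited)
            current = CURRENT_AT_BUILD.get(product)
            behind = current and version_key(version) < version_key(current)
            finding["status"] = "stale-at-build" if behind else "current-at-build"
        findings.append(finding)
    return findings

if __name__ == "__main__":
    # Firmware from March 2014, evaluated in Nov. 2015 (dates from the article).
    for item in audit(SAMPLE_SCAN, (2014, 3), (2015, 11)):
        print(item)
```

To audit a router you own, replace `SAMPLE_SCAN` with the version-scan output for that device and extend the two baseline tables from each component's release notes.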
- When new firmware is released, customers may not know about it.
- The process of learning about available updates varies with each router.
- Asus was dinged by the US Government, in part, because their routers often failed to notify owners about newly released firmware.
- In November 2017, Daniel Aleksandersen blogged about TP-Link firmware updates rolling out slowly to Europe. Firmware available in Europe typically lagged that available to US customers. And, when firmware is released, TP-Link does not contact their customers to tell them of the available update. But, the point in the article that should most warn you away from consumer routers, came in an email message from a TP-Link support technician that advised he not update the firmware if the device is working fine. Yikes.
- Even my favorite router, the PepWave Surf SOHO has fallen down here. It has a button in the web interface to check for new firmware that has failed to report on available updates. Fortunately, the Peplink website makes it very easy to manually find updated firmware.
- Even when firmware is updated, it is often not installed.
- Router owners have to know this is a necessary thing, not all do.
- The firmware update process varies with each router and is never well documented.
- Upgrading firmware is risky. If anything goes wrong, your Internet connection can be ruined. This is NOT true with Peplink routers as they maintain two copies of the firmware and can always fall back to the prior version.
- If it ain't broke don't fix it.
- Self-updating routers are no panacea. Up until the appearance of Eero routers in early 2016, hardly any router was able to self-update. While it is easy to say that non-techies should seek out a router that does self-update (there is a list on the Resources page) most routers do a bad job of it. So far, the only routers that do a good job of self-updating are from Synology.
- New routers are released with firmware that is not ready for prime time.
Tim Higgins, Managing Editor of SmallNetBuilder.com, is an expert on routers. In July 2017, he had this to say about consumer routers:
"Linksys is by no means alone in using its customers as beta testers ... Chip vendors race to get to market first, then push their customers (the router manufacturers) to get new technology (11ac, MU-MIMO, etc.) into their products ASAP. Router makers, in turn, push not-fully-baked products to market, bowing to pressure on one end from the chip makers and retailers (BestBuy, Amazon, etc.) on the other end, to get new stuff on the shelves with higher numbers on the boxes because that's what sells. Behavior will not change unless buyers break the cycle and leave stuff on the shelves. Unfortunately, with social media and YouTube 'stars' pumping the hype machine, and people still being sucked in by inflated speed numbers, things won't change anytime soon."
- Consumer router vendors have shown, time and again, that they do not care about security. Often, they ignore reports of problems. There are many examples of this on the bugs page, here are just a few.
- In July 2020, Martin Rakhmanov of Trustwave wrote about two bugs he found in the Asus RT-AC1900P router. The bugs themselves are not important but much about the process was (one bug was lazy programming, they were not checking the certificate of downloaded firmware when updating). For one thing, neither Asus nor Rakhmanov addressed the issue of other routers. Was this the only buggy Asus router or did other models share the same flaw? It is none of your business. Asus did not issue a security advisory, preferring to sweep the bugs under the rug. It took Asus three months to fix the bugs and they never bothered to tell Rakhmanov. When he happened to notice the new firmware, he asked them if they fixed one or both bugs. They didn't know.
- In July 2020, ISE released a report on assorted bugs in a Tenda router. They had contacted Tenda in January 2020 and never heard anything back. In this article about the report, Sam Levin of ISE was not surprised by the lack of response from Tenda. He said "This isn't the first router that has the same sort of problems and it isn't going to be the last. And this isn't the first manufacturer that has stood us up for six months."
- In May 2019, Troy Mursch reported a bug to Linksys that affected 33 Linksys Smart Wi-Fi routers. The company decided not to fix the problem. Shortly thereafter, Ars Technica contacted Belkin (which owns Linksys) about the bug and got the cold shoulder; Belkin never responded.
- In 2013 a company called Independent Security Evaluators tested a group of consumer routers and found 55 bugs and reported them to the companies before going public. ISE later reported that TP-Link fixed all the vulnerabilities. D-Link, however, never responded and Linksys chose not to repair many of the bugs.
- In early September 2015, security company KoreLogic found a bug in a Linksys router and reported it to the company. When they didn't hear back, they reported the bug again in October. Eventually, in early December 2015, they published the details of the bug publicly. They never heard anything back from Linksys.
- Even contacting the hardware manufacturers is hard. Many router companies have no formal way for people to report vulnerabilities. The bugs page is full of examples of people who found bugs in router firmware but were unable to get anyone to listen.
- There have been times where bad guys have been able to corrupt the firmware update procedure and trick a router into using malicious firmware. That implies that the firmware was not digitally signed and/or was not delivered over a secure TLS connection. The only way this happens is if the router manufacturer does not care about security.
- The tech press always recommends that firmware be updated. But, this ignores a bigger issue - firmware abandonment. Many times, after a bug in router firmware has been identified, the company whose name is on the router does not fix the problem because the router is too old. End of Life is the soft sounding term companies use. In Feb. 2018, Brian Knopf, of Neustar said "Vendors rarely support and update routers after the first two years at most." In the same article he noted that router manufacturers spend very little money on security because it cuts into profits. The price you pay with a consumer router is having to replace it every few years, if for no other reason, than the vendor has stopped issuing bug fixes for the firmware.
- And, it's not just the software that gets abandoned, so too does the documentation. Typically a User Guide will be released alongside a new router model and that's it. Mistakes in the manual are never corrected. As the router firmware changes over time, the manual is never updated. Plus, the manual probably stinks from the get-go. It is not unheard of for features offered by a router to go totally undocumented.
Here is an example. In July 2019, I heard about a couple new features in the AmpliFi mesh routers: a new type of Guest network just for Friends and the ability to back out a firmware update from the web interface. Interested in learning more, I found both a PDF and an HTML version of the User Guide. Since these features are fairly new, I went to see when the User Guide was last updated. It didn't say. It also didn't say what level of firmware it applied to which is important because AmpliFi releases new firmware frequently. And, it said nothing about either feature. In fact, it didn't even mention that the router has a web interface. At the time I was in the market for a mesh router system and this convinced me to avoid AmpliFi.
- General suckiness.
- On January 2, 2021, I blogged about The Misery of a Linksys router which details the general suckiness of a Linksys EA8300. The blog was the result of my trying to configure the router starting from a factory fresh state.
- The one TP-LINK router that I have used, wiped out all the configuration settings when the firmware was upgraded. That pretty much knocks them off my list right there. I have never seen a review of a TP-LINK router that mentioned this.
- In February 2017, Ars Technica had an article about dealing with a hacked Netgear 6400 router: Router assimilated into the Borg, sends 3TB in 24 hours. The article goes into the symptoms of the problem and the debugging steps that the author took. A factory reset did not fix the problem. Installing DD-WRT did not go well. In the end, the router was a paperweight.
- A Lifehacker article from July 2018, tells of an Acer Aspire laptop that crashes a TP-Link Archer C7 router when it connects via WiFi. The laptop does not crash other routers, just the Archer C7. Turns out, others have experienced similar issues with the TP-Link router.
- HNAP, the Home Network Administration Protocol, is found on some consumer routers. Assorted HNAP bugs have exposed routers to attacks. In April 2015 it was found to make some D-Link routers vulnerable and the first time D-Link tried to fix the bug, they screwed it up. Other flaws in HNAP were exposed in 2014 and 2010. The real kicker here, is that, unlike other vulnerable protocols, such as WPS and UPnP, you can't disable HNAP. Plus, you have to know the secret handshake to even test if a router supports HNAP, it is never visible in the administrative interface.
- Technical support: A few years ago, I ran into a bug in a low end Netgear router. I was using DDNS to enable remote administration of a router whose IP address could change at any time. DDNS is supposed to phone home to the company offering the service whenever the IP address changes. This should be a low-volume thing, once a month perhaps. But the activity log from my DDNS provider showed that the router was phoning home every 10 minutes to say that the IP address had not changed. Eventually the DDNS provider would kick me off the service as a spammer. So, I tried to contact Netgear tech support - and got nowhere. Not even a response that showed an understanding of the problem. In contrast, the support forums at Peplink are populated by people that understand and intelligently respond to every question. Night and day.
In February 2019, I wrote about a problem with a Netgear router and another problem trying to report it to Netgear: Reporting a UPnP quirk in a Netgear router. The reporting process seemed like it was designed to prevent the reporting of bugs. It blocked me. The problem had to do with UPnP being somewhat functional after being turned off in the web interface of the router. In September 2020 someone emailed me that they had the same UPnP problem in two other routers, one from Huawei, the other from ZTE. He too had problems reporting it.
- Even if you don't care about security, there is also the issue of reliability. That there is a product, such as the MultiNet ResetPlug that automatically reboots your router, shows just how unreliable consumer routers can be. This article Maine wireless internet firm sues, saying bad routers are hampering service (May 11, 2017) starts off "Redzone Wireless CEO James McKenna has about 4,000 internet routers stored in a warehouse, just gathering dust. The company claims the discount Netgear routers are defective and wants to send them back ... Soon after launching, Redzone said it received 'numerous complaints' that the routers would frequently and randomly disconnect from the internet every day, requiring them to restart the routers." Redzone purchased the routers because of "attractive pricing." No doubt this is what motivates other ISPs too.
- Consumer routers may spy on you.
- In May 2017, I blogged about Asus router warnings on privacy and security. The research into Asus was done by Daniel Aleksandersen who found that some Asus routers include software from Trend Micro that comes into play when using a number of router features that, at first glance, seem like good things. But, they may well send data passing through the router to Trend Micro. For example, the router may send URLs and email messages to Trend Micro. To me, this makes the cure worse than the disease.
- Starting in April 2017 Netgear decided to spy on their routers by adding something they refer to as "router analytics" to the firmware of the Nighthawk R7000 and three Orbi routers (RBK40, RBR40, RBS40). Data collection is on by default, but a router owner can login to the router, follow a long click trail and disable it. For their side of the story, see What router analytics data is collected and how is the data being used by NETGEAR? More links about this are on the bugs page, see July 2017. To me, this is reason enough to avoid Netgear altogether. There is no reason to assume they will stop with just these four routers. If you own a Netgear router consider installing DD-WRT on it.
- Much of this website is about configuring a router to be as secure as possible. That said, any router can only be as secure as its software allows. The Security Features Checklist page is one way to judge how secure any particular router can get.
On the hardware side, I have only one suggestion: look at the Ethernet ports. Avoid any router that does not have two small LED lights as part of the Ethernet port. On the one hand, it's a signal that the router was produced as cheaply as possible. On the other hand, the lights are useful. They can indicate the speed of the Ethernet connection, the flowing of data and, at the physical level, they indicate that the connection is working. If, for example, an Ethernet cable was bad, that would be immediately obvious from both the LED lights being off.