|Router Security||Self-Updating Firmware||
Website by |
The general thinking is that a router that can update its own firmware is better than one that requires manual updating. This is true, but overly simplistic. There are many things that go wrong with a router that self-updates it firmware. The worst danger, of course, is that the update breaks something. In August 2017 this happened to the a smart lock, model LS-6i, made by Lockstate. The company sent the wrong firmware and bricked the $470 locks. See their apology note.
To plan for something like this, you would need to be able to schedule a pending update for a relatively safe time, and, be able to back out a bad update. For the most part, routers are not at that level of sophistication yet.Borrowing from the Security Checklist page, below is my list of things to look for in determining if a self-updating router is doing a good job of self-updating.
As for answering these questions, my experience with self-updating routers has been limited to eero and Google Wi-Fi. Someone from Linksys provided answers to these questions for their "Smart-Wifi" branded routers (model numbers starting with EA or WRT). The Linksys Velop mesh router system is something else, although, it too, can self-update. Google Wifi responses below came from Google. I slightly revised the "What to look for" questions in Feb. 2017. Both Linksys and Google answered the questions as they were in Jan. 2017.
A list of self-updating routers is on the Resources page.
|Table of Contents|
|What to look for||Google Wifi|
Q: Is there an audit log of each firmware update issued by the router vendor? Something along the lines of what Microsoft provides for Windows 10.
A: Google pushes all firmware updates from the cloud. We have dashboards so we can monitor progress of the firmware releases, which is done in carefully controlled phases.
My Translation: No. As of mid-April 2017 Google does not seem to have a single web page with a history of firmware releases. Each firmware update seems to get a new web page. I asked Google about this in mid-April 2017. They said that this page, Release Notes should have the full firmware history. I could not tell, immediately, if this was true or not. But, as of Aug. 15, 2017 it most definitely is not true.
May 8, 2017. I was right. Google updated the firmware on my Gwifi router May 3, 2017. There is no single web page with a release history. And the description of this update is shameful. The full description is "General stability & performance improvements". See a screen shot.
Q: Is there an audit log of each firmware update installed on your router? Only by comparing these two logs can you verify that the auto-update system is working correctly.
A: Cloud pushes notifications to the mobile app. Release notes accessed via the app state dates on which firmware was updated. Firmware revision can be noted per mesh node via the app.
Q: How often does the router check for updates? Can you control this?
A: Google pushes updates via the cloud roughly every six weeks.
Q: Can you be notified of firmware updates beforehand? Afterwards? If so, what type of notification?
A: Since the user does not need to manually intervene, no. Updates are done carefully in a phased rollout to ensure no regressions.
Q: If you are notified beforehand, can you schedule the firmware installation and the necessary reboots it entails?
Q: Even if you are not notified of available updates, can you set a schedule for when installation/reboots are allowed? That is, reboot at 3am but not at 3pm.
A: Reboots are auto-scheduled within 24 hours and when the systems are idle.
Q: Can you force the router to check for new firmware?
A: No. Firmware is pushed directly via the cloud.
Q: Can you force the router to update to newly available firmware, or do you have to wait for its regular check-in?
A: N/A. Firmware pushed from the cloud.
Q: If you do nothing, how quickly will newly released firmware be installed? Eero promises to install new firmware "within a few weeks"
A: We release new firmware every six weeks. It is phased in a rollout over a few days.
Q: When the router phones home looking for updates does it do so securely with TLS?
A: N/A, but yes, all communication with the cloud is secure TLS
Q: When the router downloads new firmware does it so securely with TLS? Is newly downloaded firmware validated in any way, such as being digitally signed?
A: Yes, all code is signed by Google. A Trusted Platform Module (HW TPM) verifies signatures of the code.
Q: Does the router support multiple installed firmwares? (so you can fall back in case an update causes a problem) If not, then can you install old firmware if a new version caused a problem?
A: Yes. Multiple partitions with fallback in case of a failed software update.
Q: Is there a manual over-ride mechanism for installing new firmware in case the auto-updating system fails?
A: N/A generally, but yes, firmware can be downloaded and flashed via USB key in recovery mode.
Q: Does the vendor document the changes in each firmware update? If so, do they do it well?
Q: Can you tell what version of the firmware is now running? If its a multi-device mesh router/system, then the question applies to each device.
A: Yes. Via mobile app.
Q: How smart is the auto-updating system? Specifically, can it self-update within the same firmware version, but update when there is a major new firmware release? Synology offers this on their NAS boxes. You can configure the NAS to self-update from version 5.1 to 5.2 to 5.3, but not to automatically update to version 6.
A: Users can turn off updates by opting out of cloud services
Q: Can you backup the router settings to a file? Pretty much any router can do this, but with auto-updating I wonder if that feature still exists.
Q: In a mesh system involving multiple devices, do all the devices update their firmware at same time? If not, how is it handled?
Q: In a mesh, what happens if one device gets new firmware but another device does not? Can the system run if the three devices are not on the exact same firmware release?
A: It is a managed rollout where all nodes are updated during the same session.
Separately, Google Wifi security features says "All software updates are signed by Google. Google Wifi cant download or run any software that isnt signed and verified" and "All communication between Google Wifi and Google is secured by Transport Layer Security (TLS)".
As of early May 2017, I was able to answer some of these questions myself. I own a Google WiFi router and it self-updated. My observations are here 7 mistakes Google made updating my Google Wifi router.
In June 2017, a Google Wifi router had been powered off for a couple weeks. During that time, the firmware had been updated from version 9334.41.3 to 9460.40.5. Within a couple hours, the router self-updated to the new firmware. This is a huge contrast to the much slower rollout used by eero.
In August 2017, I setup three new Google Wifi hockey pucks. Each one self-updated its firmware immediately after being put online.
This thread at a Google tech support forum illustrates how poorly Google does firmware self-updating. People can't schedule updates, are not warned beforehand, not told afterwards and can't fall back to a previous version if the new version is a problem.
See more about Google Wifi routers.
NOTE: The information below was provided by someone who works for Linksys in February 2017. See also How to automatically update the firmware of the Linksys Smart Wi-Fi Routers.
According to Linksys, all of their "Smart-Wifi" branded routers can self-update. These devices usually have model numbers starting with EA or WRT. The information below applies to these routers and not to their Velop mesh router system, which can also self-update.
An "audit log" of sorts can be found on the manual firmware download page for each SKU under "release notes". The release notes contain a timestamp of the release, the firmware version, and some patch notes. See sample.
The router checks for updates by querying the Linksys Smart WiFi cloud. During setup, there's a checkbox that you can uncheck to prevent the router from automatically checking for and installing updates. This option is also togglable under the connectivity settings.
All cloud operations between the router and the cloud are over a TLS connection. This includes checking for and downloading firmware updates.
A change log is provided on the manual firmware download page under "release notes".
Current firmware version can be found under the connectivity settings.
There is currently no mechanism implemented for notification that an automatic firmware update has happened or is going to happen.
By default, the device checks for automatic updates during a 240 minute window starting at midnight local time. There is an API for setting the time and duration of that window, but I do not believe there is any UI supporting it.
There is a button under the connectivity settings that you can use to force a firmware update check. Otherwise, the device checks for new firmware daily.
Router can be forced to update to the latest firmware at any time. If a new firmware update is found after clicking the "check for updates" button, a new button is added to start download/installation.
On the connectivity settings page there's a section for uploading your own firmware images, or firmware images downloaded from the linksys support site.
The automating updating system only supports a single "update channel" that installs the newest possible firmware.
Router configuration can be backed up and restored under the Troubleshooting -> Diagnostics page.
The Linksys EA and WRT series routers are single devices and this section applies to them. Linksys just released a Velop mesh system, but the person I corresponded with was not familiar with how the Velop deals with updating three devices.
Firmware updates are downloaded over TLS. The majority of the EA series devices use signed firmware images that require signature verification before installation. None of the WRT devices have firmware signature restrictions. Technically this shouldn't matter - the TLS connection provides verification that the firmware image is coming from Linksys - firmware signing is just an added protection.
As far as I know, all EA and WRT series devices have two firmware partitions - the active partition and a fallback partition. The fallback partition is whatever firmware was previously installed on the router. That way if the main partition ever becomes unbootable, the bootloader can automatically switch to the backup partition to effectively unbrick the device. You can manually trigger a switch to the fallback partition by clicking "Restore previous firmware" under the Troubleshooting -> Diagnostics page.
According to this June 2017 review, Linksys Velop: Powerful But Erratic Mesh Router, "The firmware updates are encrypted during delivery, but the firmware doesn't self-authenticate during startup."
A history of eero firmware releases is here: eero Software Release Notes. Judge for yourself how well they document the changes in each firmware release.
If you do nothing, how quickly does eero install new firmware after it has been released? According to the above firmware history page: "eero software updates are released on a rolling basis, so your eero may not be updated immediately after a new version is released. New versions will be pushed to all customers' networks within a few weeks of public release." A few weeks, seems a bit slow, but this is a matter of opinion.
I asked Eero about the rollout of new firmware in April 2017 and the response was:
"We send out automatic updates every night in small numbers. Usually within approx 4 weeks of a new firmware release all eero networks should have gotten the automatic update push."
AUDITING EERO FIRMWARE UPDATES
The eero app does not indicate that a software update is available, front and center. The notification is buried in network settings. Eero does a very poor job at auditing and logging. For example, the app does not indicate when an automatic firmware update occurred. Google Wi-Fi does. Better still, it would be nice to have an audit trail of every time the firmware was updated. Google Wifi can do this too. The eero app also fails to log the speed tests. It seems to make a speed test every day but only reports the last one. In contrast, AmpliFi does keep a log of previous speed tests which makes it very easy to spot any trends.
Like Google WiFi, the eero app has no provision for saving the current settings. If something goes wrong, it will probably have to be re-configured from scratch.
After Linksys provided answers to these questions, I contacted some other router vendors asking them to explain the details of their firmware auto-updating system. Not one company did. Each company was contacted on Feb. 5, 2017 (13 days ago when I last reviewed this). The cowards are
I have very little information on the F-Secure Sense router, but according to this tweet it got the ability to schedule firmware updates in September 2017. The tweet also shows they do not keep a complete history of firmware changes.