Posted by Taylor Armerding on July 1, 2018
Long ago and far away—in 2014, which is indeed long ago and far away in our cutting-edge world of information technology—security gurus like Dan Geer, Jim Gettys, and Bruce Schneier were issuing urgent warnings about the catastrophic insecurity of routers—those devices in our homes that give us access to the World Wide Web.
Geer, CISO at the venture capital firm In-Q-Tel, in a keynote at the Security of Things Forum in Cambridge, Massachusetts, said that even if users threw out their current routers and bought new ones, it wouldn’t help, because the new ones would be just as vulnerable.
To cure the problem, he said, would require “flushing the entire design space and pipeline inventory of every maker of home routers.”
Schneier, CTO at IBM Resilient, premier blogger, and author, warned at the time that if security vulnerabilities in routers were not fixed soon, “we’re in for a security disaster as hackers figure out that it’s easier to hack routers than computers. At a recent Def Con, a researcher looked at thirty home routers and broke into half of them—including some of the most popular and common brands.”
Gettys, system software architecture researcher at Alcatel-Lucent Bell Labs, said he examined a number of routers and found that the packages inside “are three to four years old on Day One. And without an update stream, you start with existing vulnerabilities, and it just gets worse from there.”
So you might think, given the explosive growth of technology, expertise, awareness, and participation in the cyber security industry (attendance at RSA Conference in San Francisco spiked from about 25,000 in 2014 to 45,000 this year), that router security would be much better now.
And you would mostly be wrong. As was the case then, your router today—your window to the online world—is most likely a broken window.
“The majority of hostile detections on the eSentire threat detection surface pertain to perimeter threats: Information Gathering, Intrusion Attempts, and Reputation Blocks,” the report said, adding, “eSentire Threat Intelligence assesses with medium confidence that these detections originate, largely, from automated scanning and exploitation attempts.”
None of those issuing the earlier warnings would be surprised. Gettys said in a more recent interview that little has changed in the commercial router market, although he did say one brand, EvenRoute, is taking security seriously. “Not only do they ship—and update automatically—a firmware that is up-to-date based on OpenWrt, but therefore also has all our bufferbloat work, including the recent Wi-Fi work that makes a tremendous improvement in latency when loaded,” he said. “Would that I could recommend other hardware/firmware.”
Indeed, the Telegraph reported in May that more than 400,000 U.K. customers of Hyperoptic, the country’s largest gigabit broadband provider, were vulnerable to hackers because of a flaw in routers made by China-based ZTE.
Hyperoptic told the newspaper that the flaw had been fixed and “all routers are secured.”
But that was five months after the company had been alerted to the flaw. And Christopher Littlejohns, manager, sales engineer, in Synopsys Software Integrity Group, said what had not been reported was that “the vulnerability detected is one of the most common and easily exploited issues in many internet devices: hard-coded credentials for privileged accounts.”
“In this case, it allowed root access—hence the ability to take over the device and use it for many nefarious purposes.”
Which sounds an awful lot like what Geer, Gettys, Schneier, and others were saying four years ago.
Today, given the number of smart devices in modern homes, a vulnerable router can allow attackers to spy on the residents, steal their financial information and identity, and perhaps even enter their houses without having to break in since they can remotely unlock the door—or simply conscript routers to become part of a botnet to be used for anything from cryptocurrency mining to launching DDoS attacks on others.
According to a survey of 2,205 people in the U.K. by Broadband Genie, some of the blame belongs to careless or clueless users. The survey asked whether users had performed “simple tasks like changing their Wi-Fi password, changing their router admin password or updating the router’s firmware.”
You will not be shocked to hear that 82% had never changed the admin password. Overall, 51% said they hadn’t done a single one of those “simple tasks,” 48% said they didn’t know why they needed to do them, and 34% said they didn’t know how.
Fortunately, Broadband Genie did not conclude from this that users are entirely to blame, but that “broadband ISPs should also be ensuring they offer help pitched at complete beginners, including explanations of why it is important to secure Wi-Fi routers.”
Uh, yeah. In what industry are consumers expected to be experts, or even savvy, about the hidden dangers of a product? The United States has an entire division of government devoted to consumer product safety, which pulls toys, appliances, and other things off the market if they endanger users. It requires prominent warning labels for the simplest risks—risks that are much easier to understand than how to change an admin password, and that are much less threatening than vulnerable routers.
Look at modern cars—besides the airbags, multiple warning sensors, and backup cameras, a gentle but insistent voice will harass you until you’ve buckled your seat belt. Yet you get no warnings from your router that it is an invitation to hackers.
Yes, there are plenty of websites out there with instructions on how to make the security of your router at least somewhat more rigorous.
But a big part of the reason for the continued rampant insecurity is that developers and manufacturers are still stuck in the mentality that features and speed are more important than security. And why not? They don’t suffer any consequences for thinking otherwise.
“Today, due to clickthrough/box licenses, manufacturers disclaim all responsibility, even for minimal ‘best practices’ and/or updates for the expected life of these devices—for a home router, that is seven years or so,” Gettys said.
“I see no solution short of legal liability at some significant level.”
Or as Littlejohns puts it, “These types of issues arise out of poor or absent requirements, secure software development policies, development practices, and verification approaches.”
More troubling is that there are well-established ways to improve security—it’s just that few people are using them. “It is usually quite simple to detect and fix this type of vulnerability during the development stage of the software, typically using human code reviews and automated solutions such as static analysis,” Littlejohns said.
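As an added illustration of the static-analysis step Littlejohns describes (this is example code written for this article, not a Synopsys tool or any vendor's firmware), the script below runs a few pattern-based checks over a constructed, hypothetical C source snippet of the kind found in router firmware and reports lines where a credential-like name is bound or compared to a string literal. The sample source, the rule names and the list of credential-like words are all assumptions chosen for the demo; a real static analyser would work on the parsed program rather than on lines of text, but the logic of what to look for is the same.

```python
import re
from typing import Dict, List

# Constructed sample of firmware-style C source for the demo; it is NOT code
# from any real router vendor. Lines 3, 5 and 7 contain the defects to flag;
# line 11 shows the shape of the fix (compare against a stored hash instead).
SAMPLE_C_SOURCE = """\
#include <string.h>
#define ADMIN_USER "admin"
#define ROOT_PASSWORD "s3cretr00t"
static const char *banner = "Welcome";
static char svc_pw[] = "backdoor!";
int check_login(const char *user, const char *pw) {
    if (strcmp(user, "root") == 0 && strcmp(pw, "letmein") == 0)
        return 1;
    if (strcmp(user, ADMIN_USER) == 0 && strcmp(pw, ROOT_PASSWORD) == 0)
        return 1;
    return verify_against_store(user, pw);   /* salted hash lookup */
}
"""

# Identifier fragments that suggest a credential (assumed word list for the demo).
CRED_NAME = re.compile(r"(?i)(pass|pwd|pw|secret|token|apikey|api_key|cred)")

# Rule 1: #define NAME "literal"
DEFINE_LITERAL = re.compile(r'^\s*#\s*define\s+(\w+)\s+"([^"]*)"')
# Rule 2: name = "literal" or name[] = "literal" (single '=', not '==')
ASSIGN_LITERAL = re.compile(
    r'\b(\w+)\s*(?:\[[^\]]*\])?\s*(?<![=!<>])=(?!=)\s*"([^"]*)"'
)
# Rule 3: strcmp-family call comparing a variable against a literal
COMPARE_LITERAL = re.compile(
    r'\b(?:strcmp|strncmp|strcasecmp|memcmp)\s*\(\s*(\w+)\s*,\s*"([^"]*)"'
)


def find_hardcoded_credentials(source: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious line: line number, rule, identifier.

    The literal itself is deliberately not copied into the report; only its
    length is recorded, so scan output does not become a second place where
    the secret is written down.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = DEFINE_LITERAL.search(line)
        if m and CRED_NAME.search(m.group(1)):
            findings.append({"line": lineno, "rule": "define-literal",
                             "name": m.group(1), "literal_len": len(m.group(2))})
            continue
        for m in ASSIGN_LITERAL.finditer(line):
            if CRED_NAME.search(m.group(1)):
                findings.append({"line": lineno, "rule": "assign-literal",
                                 "name": m.group(1), "literal_len": len(m.group(2))})
        for m in COMPARE_LITERAL.finditer(line):
            if CRED_NAME.search(m.group(1)):
                findings.append({"line": lineno, "rule": "compare-literal",
                                 "name": m.group(1), "literal_len": len(m.group(2))})
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_C_SOURCE):
        print(f"line {f['line']}: {f['rule']} on '{f['name']}' "
              f"(literal of {f['literal_len']} chars)")
```

On the sample it reports lines 3, 5 and 7 and stays quiet on the non-credential literals (`ADMIN_USER`, `banner`, the `"root"` user name) and on line 9, which compares against a macro rather than a literal and is already covered by the finding on line 3. The fix the flagged lines point toward is the one on line 11: no credential value in the image at all, a per-device credential set at provisioning time, and verification against a salted hash in a writable store.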
In other words, we can fix this problem. It’s past time for the industry to set about doing it.