The security of Internet-connected devices relies, at least at this point, on the dedicated vigilance of their manufacturers. This proves especially true when it comes to routers managing web connectivity within most households and businesses—routers that include firmware that must be updated regularly to address newly discovered vulnerabilities and disallow exploits from attackers. An ongoing cat and mouse game exists with hackers for the vendors selling these devices.
A 2018 study from Insignary finds that most WiFi router vendors aren’t holding up their end when it comes to ensuring that the firmware they provide effectively protects their devices from well-known security threats. In many cases, the risks to these routers involve solved issues. Where OEM router firmware utilizes open-source code supported by communities that actively maintain and address such issues, fixes to known problems were made available years ago. And yet the current firmware still leaves devices inexcusably vulnerable.
Vendors have a responsibility to continue protecting the devices they sell to keep customers and the Internet itself safe. Sensitive personal or business data that travels through a compromised router can and does end up falling into the wrong hands. Compromised devices are also progressively enlisted in massive botnets, where they have their bandwidth exploited as fodder in distributed denial of services (DDoS) attacks. These attacks, which target sites or Internet infrastructure to interrupt their functionality, are becoming more powerful and dangerous threats as device security concerns go unaddressed. At the same time, vulnerable routers can lead consumers or businesses to have their IP addresses added to lists of known botnet traffic.
In reality, the path to securing routers is multi-staged, and requires active participation and knowhow from all parties involved. First, the manufacturer must address firmware vulnerabilities. Then, it’s up to end users to download and install that firmware onto their devices. Unfortunately, though, this process is challenging and unlikely; it requires users to know about the importance of updates, where to find them, and how to upload them. Realistically, that isn’t going to happen in most cases. It also becomes impossible where vendors are no longer supporting their devices with new firmware releases, which is often the case.
Standardized security measures would go a long way toward alleviating these issues. With a standardized security framework, manufacturers gain the advantage of mutual community support for technological advancements and best practices. However, there are currently no commonly adopted standards for the security provided by WiFi router firmware.
In the meantime, end users ready to take on firmware security issues on their router devices do have some methods for addressing these needs themselves. Free, open-source firmware, such as DDWRT and OpenWRT, can be entered into a router’s flash memory to add security and simplify updates. While these options won’t be perfectly issue-free, they do come with the power of a dedicated community behind them, providing enhanced security where OEMs can’t or don’t.
As the ranks of malicious botnets continue to swell with compromised routers, and as the consequences of ineffective firmware security become more dire, the moment when the industry will be forced to address its practices draws near. Expect consumers and businesses troubled by unsecure products to take matters into their own hands, either by implementing security by another means, or by making security features a critical component to their purchasing decisions.
Louis Creager is IoT Security Analyst at zvelo, a provider of cybersecurity solutions for web content, traffic and devices.