Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Home routers: Broken windows to the world

Taylor Armerding | May 20, 2014
Top security experts say the software in most home routers – even brand new ones – is so obsolete that it is an inviting attack surface for hackers. And changing your password will help a little, but not all that much

For most people, a home router is their window to the world -- the World Wide Web.

But it is a broken window, according to some top security experts, who say there is little that average consumers can do to protect themselves from skilled cyber attackers, even if they use rigorous passwords and encryption, because the software running the devices is obsolete and riddled with known vulnerabilities.

"The big issue is that the software being shipped on these devices is obsolete the day you buy it, and there is no update stream," said Jim Gettys, system software architecture researcher at Alcatel-Lucent Bell Labs.

"I did an inventory of the age of the packages inside a number of these devices and they are three to four years old on Day One," he said. "And without an update stream, you start with existing vulnerabilities, and it just gets worse from there."

Gettys pointed to a 2010 research paper titled "Familiarity Breeds Contempt," by several University of Pennsylvania professors, who found that the longer a piece or system of software is in use, the more likely it is for attackers to find vulnerabilities, because they become familiar with the code.

Michael Brown, writing recently in PCWorld, said vulnerable routers and other connected devices are leaving home networks, "wide open to attack," meaning hackers from anywhere in the world can, "access your files, slip malware into your network, or use your own security cameras to spy on you -- all without ever laying a finger on your hardware."

Security guru and author Bruce Schneier, CTO of Co3 Systems, wrote recently that, "the computers in our routers and modems are much more powerful than the PCs of the mid-1990s," and warned that if security vulnerabilities in them are not fixed soon, "we're in for a security disaster, as hackers figure out that it's easier to hack routers than computers. At a recent Def Con, a researcher looked at 30 home routers and broke into half of them -- including some of the most popular and common brands."

To cure the problem, he said, would require, "flushing the entire design space and pipeline inventory of every maker of home routers."

Not everyone is quite so pessimistic. There are any number of blog posts that offer advice on securing home routers -- at least to a better level than the default settings in place when the device is first taken out of the box. And those experts argue that a little security can matter a lot. Some of them say it is like the common story of two men with a bear chasing them. One says to the other, "I don't have to outrun the bear. I just have to outrun you."

 

1  2  3  4  Next Page 

Sign up for Computerworld eNewsletters.