Gettys agrees with that much -- he described changing passwords as "basic hygiene," and said it offers some protection since many of today's attacks are "simple-minded. Since so many routers have their passwords left at known defaults, the default passwords are often used as a way in to be able to install malware," he said.
Still, there is general agreement that routers could, and should, be more secure. Dan Crowley, senior security consultant at Trustwave, said the use of threat intelligence and other research can "help users and manufacturers incorporate best security practices moving forward. These include performing automated scanning and penetration testing on home routers during the development, production and active phases so manufacturers are continuously identifying and remediating vulnerabilities in their products."
He added that security should not be left to the user. "Security needs to be transparent to the user. We can't expect anyone except computer security experts to be computer security experts. Make the default option choices be the secure ones."
Stanislav said government pressure on router manufacturers might be required, since consumers tend to focus only on what will give them the fastest WiFi. "I think attention from the FTC could go a long way when vendors fail to handle basic information security best practices," he said.
Schneier believes the current situation is a disaster in the making. In his essay, he noted that the embedded systems manufacturing system is fragmented -- it includes the manufacturers of chips, system manufacturers and then brand-name companies that may add a user interface. None of them, he said, do much engineering.
So security patches are rarely applied. "No one has that job. Some of the components are so old that they're no longer being patched," he wrote.
Beyond that, he said, many times the source code is not available, and some drivers and other components are "binary blobs," with no source code at all.
"No one can possibly patch code that's just binary," he wrote, adding that the result of all this is "hundreds of millions of devices that have been sitting on the Internet, unpatched and insecure, for the last five to ten years. Hackers are starting to notice."
The problem with routers and modems is particularly severe, he said, because they are the interface between the user and the Internet, so turning them off is rarely feasible, and they are generally on all the time.
"We have an incipient disaster in front of us," he wrote. "It's just a matter of when. We simply have to fix this."
Gettys said security of home routers could be improved significantly, within two to three years, but it would take a different mindset in the industry. "This is not a technology problem: this is primarily a cultural and business problem," he said.