Posted by Andrew Harrison 21 August 2014
Gateway to your kingdom: why everybody should check and update their broadband router
Update your router's firmware for faster speeds, and greater security.
In a recent test of wireless routers for the home, I followed usual best practices and updated all the devices with the latest available firmware from the manufacturer before putting each one through its paces. But whether you've just bought a new router, or are about to, or are using a model that's already a few years old, you should be doing the same right now. In fact, and as boring as it may sound, it's definitely in your interest to check and update any router you use. (See also: best routers of 2014.)
Update your router for faster speeds
For the sake of performance testing alone it can be essential to literally get up to speed with the latest firmware build. Many router manufacturers release their product half-baked, it seems, with listed features missing, incomplete or unreliable.
In the case of a Linksys router on test, the WRT1900AC, it's listed as an 802.11ac device but a visit to the admin interface might lead you to think otherwise – there are no settings to adjust core parameters of the new higher-speed 11ac protocol. Typical tweaks like width of radio channel, and which legacy protocols to support are strangely incomplete. All we saw there was a choice of 20 or 40 MHz channels (draft 11ac is founded on 80 MHz channels) and a choice of 11a or 11n protocols; but no 11ac. A Linksys spokesman assured us the router does work with 11ac providing you don't touch any of these settings.
But whether you surf at home at 500 Mb/s or just 50 seems academic when the bigger issue is about the fundamental security of your router. You can run all the antivirus software and firewalls you like, but if your home router leaves the back door wide open, anyone and everyone can walk in.
Cisco is one company known to make routers that have included such problems, as documented by its advisory warning in January this year (advisory code cisco-sa-20140110-sbd), which explained how the firmware designers created what's been euphemistically termed an Undocumented Test Interface – a backdoor hidden only by obscurity on port 32764 which allows an attacker to gain unauthenticated root access. In other words, they can own the router and play god over all that it routes. Which is to say, every PC, laptop, tablet and phone in your home.
For someone with the necessary intent, a fiddle with your DNS settings is all that's required to divert your visit from https://www.natwest.online.banking.co.uk to a facsimile site that instead will happily accept your login credentials, for surreptitious use later.
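A quick way to see whether a router you own answers on the port named in that advisory, as an added example that is not part of the original article. The default address 192.168.1.1 is an assumption; substitute your own gateway's LAN address.

```python
import errno
import socket
import sys

BACKDOOR_PORT = 32764  # port named in the advisory the article cites


def probe_tcp(host, port=BACKDOOR_PORT, timeout=2.0):
    """Classify a TCP port on a device you own as open, closed or filtered."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        code = sock.connect_ex((host, port))
    except OSError:
        # Name resolution failure, timeout or unreachable network.
        return "filtered"
    finally:
        sock.close()
    if code == 0:
        return "open"        # something accepted the connection
    if code == errno.ECONNREFUSED:
        return "closed"      # device replied, nothing is listening
    return "filtered"        # no usable reply before the timeout


def check_routers(hosts, port=BACKDOOR_PORT, timeout=2.0):
    """Probe each host and return {host: state}."""
    return {host: probe_tcp(host, port, timeout) for host in hosts}


def needs_attention(results):
    """Hosts where the port accepted a connection and firmware should be checked."""
    return sorted(host for host, state in results.items() if state == "open")


if __name__ == "__main__":
    # 192.168.1.1 is an assumed default gateway address, not taken from the article.
    targets = sys.argv[1:] or ["192.168.1.1"]
    results = check_routers(targets)
    for host, state in results.items():
        print(f"{host}:{BACKDOOR_PORT} is {state}")
    if needs_attention(results):
        print("Listener found: check the vendor's advisory and update the firmware.")
```

An "open" result only shows that something is listening on the port from where you ran the check; it is a prompt to look up your model in the vendor's advisory, not proof of the backdoor.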
Who makes your router?
Cisco is far from alone. In fact there's sometimes a theme of insecurity in numbers, especially when different router manufacturers rely on using the same kit or code from other vendors. It was January this year that enthusiast security researcher Eloi Vanderbeken published findings that Cisco, Linksys (then a sub-brand of Cisco), Netgear, TRENDnet, Belkin and other lesser known brands all suffered the same backdoor vulnerability.
Further research suggested the common thread was that all affected routers were in fact made by another company entirely, Sercomm of Taiwan/China, that builds these devices for the better-known companies. Even if you trust a big brand name, be aware that it is possible they don't know exactly what's being sold in their name since they are not required to test fully what they're reselling.
In July last year, Independent Security Evaluators (ISE) published a report which explored the issue of insecurity in SOHO (small office/home office) routers. In other words, just the kind of consumer- and enthusiast routers that we test and review over at PC Advisor. The researchers looked at 10 routers from familiar names such as Asus, Belkin, D-Link, Netgear, TP-Link and TRENDnet.
In what the researchers describe as a less-than-exhaustive study, they found 55 new, previously undisclosed vulnerabilities. Many of the routers shared the same vulnerabilities since they were based on the same common design again, despite sporting different company badges.
More recently – last week as I write this in mid-August 2014 – the results of a hacker competition at Defcon 22 were revealed. In a challenge entitled SOHOpelessly Broken presented by ISE and the EFF, the first stage revealed another 15 0-day vulnerabilities in popular modern routers from Asus, Belkin, D-Link, Linksys and Netgear.
Less frequently evaluated in penetration tests of domestic routers is the security of unofficial firmware – the open-source alternatives to the commercial software already installed on every router. There are now several projects to port special builds of Linux to popular home and office routers, under names such as OpenWRT, DD-WRT and Tomato. These are enthusiast-led collaborative projects from technically skilled router users who are fed up with closed-source and leaky software on the gateway to their kingdoms. As open-source software, its source code is available for any interested party (white hat or black) to scrutinise, so there's potentially more scope for finding bugs – as well as exploiting them.
These are typically ongoing projects, with rolling updates that would paralyse a 'normal' home user with their frequency. We wouldn't necessarily recommend an open-source-patched router in a group test of home routers, which is why they were tested only with the installed firmware, even if manufacturers such as Netgear and Linksys add 'open-source support' to their products' features lists.
The example of open-source firmware in that last challenge did in fact survive the hacking onslaught, the EFF's own Open Wireless Router firmware.
But good security advice remains to check your router's firmware and update as soon as patches become available. Who knows, maybe your router maker has closed some of the gaping holes revealed in the past few disclosures?