Chances Are Your Router’s Firmware Blows

Linksys WRT-54G RouterYou surely have a lock on your front door. Do you have such a lock on your network? Though you may think so, but it may well be wholly unlocked. Or at least, you may not be able to know for certain that it’s locked. If you use a commercial Wi-Fi router from your ISP, or one of the big names like Linksys, Belkin, DLink et al, your network may not be as secure as you think.

At the outset let me state that, as someone who reads hereabouts, you’re no dummy. You’ve taken steps to ensure that the router doesn’t still have  the default admin password. You’re using modern encryption on your Wi-Fi. You’re being responsible, but there are things beyond your grasp.

The simple fact is that the firmware the runs most retail, commercial routers is closed source. As such, you have no ready way to verify it’s behavior. Yet, the manufacturer, by virtue of necessity, uses various common software modules to create their firmware. They may even use some open source modules, but end up with an closed source binary in the end.

The upshot of this reality is that you have a very small team of developers responsible for maintaining the code. That means updates come along slowly, if at all for older devices. By extension, serious security issues get addressed slowly, if they ever get addressed at all.

In fact, the situation is so bad that someone recently released some malware called wifatch. This white-hat malware infects vulnerable routers not to exploit the devices, but to plug some of the obvious holes in insecure devices. It propagates like worm, spreading to, and infecting vulnerable routers automatically.

It doesn’t only lock down the device. According to Symantec, “Wifatch has a module that attempts to remediate other malware infections present on the compromised device. Some of the threats it tries to remove are well known families of malware targeting embedded devices.”

In truth, there’s little commercial incentive for the manufacturer of a $50-100 router that’s 2+ years old to update the firmware. It’s much better for them if you just buy a new router. Except that most people don’t. This is especially true when the device is rented from the ISP.

All of this is background with respect to VUC 563; The FCC vs Open Firmware. That session explores the FCC’s intention to order that the firmware in consumer Wi-Fi routers be locked down. Their concern is the fact that users can use third party firmware to gain control of the Wi-Fi radio, potentially dialing up operation beyond FCC-defined limits.

I am of the opinion that the FCC concern about Wi-Fi power level is trivial, even inconsequential, compared to the threat presented by forcing users to keep using what is unverified, potentially, hell…inevitably, flawed firmware. The ability to leverage third-party, open source firmware (OpenWRT, DD-WRT) allows the savvy user escape the manufacturers faulty firmware, taking greater control of their circumstance with just a little effort.

Some time ago a few manufacturers realized that the open source projects had reached a considerable level of sophistication and built a large following in the process. Asus, Buffalo and Netgear have released products built specifically for open source software. This makes perfect sense since it allows them to offer a better product while offloading a portion of their product development effort.

In my working life I’ve used Buffalo WZR Series Wi-Fi routers running DD-WRT for a project that involves fielding some small networks to demonstrate ZipDX Multilingual calling. These have proven to be robust, cost-effective and well-supported by the DD-WRT community.

Andy Abramson makes a good point, comparing a Wi-Fi router to to an all-in-one stereo from the old days. In the pre-iPod era Hi-Fi enthusiasts often found that “Receivers” offered the best value by combining the tuner, pre-amp and power amplifier in a single chassis, with a single power supply. As a kid I actually owned the Hitachi receiver pictured above left.

all-in-in-vs-components

Those who sought superior performance often purchased separate components. Setting budget aside, separates allowed the enthusiast to select the best-of-breed in each type of device. I lusted after the Pioneer Elite components shown above right. Sooooo shiny!

Network-all-in-in-vs-components

In the realm of modern day networking, and using my home office as an example, that means separates for; cable modem, wired router and wireless access point.

For over a decade we’ve used a single board computer running open source software (m0n0wall, Smallwall or pfsense) as our primary router/firewall. Our choice of AP, the Ubiquiti PowerAP N, is in fact a router, but we use it in bridged mode so that it serves as a simple access point. This trio definitely costs more than a single Wi-Fi router, but as with the stereo components, it delivers best-of-breed flexibility and control.

I’m not alone in this understanding. Ars Technica writer Lee Hutchinson recently wrote a review of the Ubiquiti UniFi Wi-Fi APs, noting “Ubiquiti UniFi made me realize how terrible consumer Wi-Fi gear is.” 

To be fair, third party software like DD-WRT on a common Wi-Fi router can deliver much of what is offered by separates. This is especially true for a residential setting. At least you can be certain that DD-WRT and the like are continually being updated, which bodes well for your ability to run a tight ship if you keep your router up-to-date.

I applaud Dave That for his effort to get the FCC back on track with respect to consumer routers.

P.S. – We don‘t actually use the ALIX SBC pictured anymore. It’s 500 MHz Geode CPU isn’t capable of handling our 50/10 Mbps Comcast service. The recycled device we presently use isn’t nearly as photogenic as the bright red ALIX.

P.P.S. – I’ll never understand why giant backlit VU meters are so appealing, but the appeal in undeniable.

  • After switching to an Ubiquiti EdgeRouter router and Xclaim APs I no longer need to fiddle with things to get it working. It all just works.

    • mjgraves

      XClaim looks interesting. Although, I’m wary of “cloud” managed solutions ever since I tried OpenMESH. I prefer something self-contained.