auto-update firmware or email notifications?

[nasville]

Hi,
I never used the official Asus firmwares.. do they offer an auto-update feature?
I probably feel more comfortable/secure with Merlin releases but I think such a feature would bring so much peace of mind. Or at least it would be nice if the router or a newsletter would give me an heads up when a new version of the firmware is released (rather than loggin into the UI all the time for checking).
What do you think?

Cheers

 

[skeal]

To update your router is a serious security consideration. The updates should never be automated as there are plenty of things to consider in a network update.

 

[thelonelycoder]

Or at least it would be nice if the router or a newsletter would give me an heads up when a new version of the firmware is released (rather than loggin into the UI all the time for checking).

Several scripts were posted for a firmware update notification email.
One is this here by @jtp10181 : https://www.snbforums.com/threads/contribution-update-notification-script.38361/
My ad-blocker AB-Solution also includes a setting to enable such a notification.

 

[Adamm]

Its also possible todo auto-updates if you have a linux server (VPS or something). I used to build the firmware daily and generate a sha512 hash. Then with a cronjon on the router I'd compare the sha512 hash of the most recent installed firmware to the "current" one on the VPS. If it didn't match I'd download the firmware file to the routers USB, then flash it & reboot via shell commands.

With that being said, a email based notification is probably more suitable for most users

 

[thelonelycoder]

With that being said, a email based notification is probably more suitable for most users

Probably true...
RMerlin mentioned somewhere that Asus is working on a built in email messaging system for 382.x based firmware.
This is also the reason why it's not built into Asuswrt-Merlin yet. Better wait for someone else to code it, then fix the bugs and make it even better

 

[o-l-a-v]

For Merlins firmwares, you can use https://github.com/RMerl/asuswrt-merlin/releases as a RSS source. I use it with Feedly and IFTTT. With IFTTT you could do emails when new firmwares, but I prefer a notification on my smartphone.

 

[RMerlin]

Sourceforge also features RSS feeds.

There's a countless numbers of ways already to be notified.

 

[Volfi]

To update your router is a serious security consideration. The updates should never be automated as there are plenty of things to consider in a network update.

For regular users it is much bigger threat not to update router firmware.
When there are security issues, there should be option to install them automatically.

I do update my firmware manually, but my parents? They don't. Have no idea how to do it.

And I'm not always there.. They don't care if connection would drop for 3 minutes once every two months. But they do care being hacked via obsolete router firmware, and their info stolen. There should be option to auto-update. Like Windows Update..

 

[Jack Yaz]

For regular users it is much bigger threat not to update router firmware.
When there are security issues, there should be option to install them automatically.

I do update my firmware manually, but my parents? They don't. Have no idea how to do it.

And I'm not always there.. They don't care if connection would drop for 3 minutes once every two months. But they do care being hacked via obsolete router firmware, and their info stolen. There should be option to auto-update. Like Windows Update..

And if the update goes wrong and their router is down for over a week until you can get there to solve it?

 

[umarmung]

And if the update goes wrong and their router is down for over a week until you can get there to solve it?

For ordinary consumers, a router being down but otherwise undamaged is part of security.

You could easily argue the least harmful preference is not just for an auto-update but having it enabled by default, and with the ability to make it manual or disabled.

Since consumer router and embedded security is so backwards and originated from industrial/business/enterprise offerings, the industry has yet to catch up to other common consumer practices, growing attack sophistication and attack surfaces. In this case, you're arguing against just the availability of an auto-update facility.

Imagine you had to manage updates for 30+ separate IoT devices individually - as we all may have to in the near future as IoT spreads to even the most basic home devices - in the same way you manage a single, typical, standalone consumer router right now ...

Downtime, or effects of downtime, can also be improved or even eliminated with good implementations.

This industry has a long way to go and likely will have to do it very quickly.

 

[skeal]

I'm with Jack, the fact that these are security based updates says to a person; flash update with considerations made for a secure way of doing so. The very idea of having a process update for you, reminds me of the screw ups that windows went through. By the way no one is as experienced at auto updates than Microsoft and it took them years and all the while with security being the upmost concern. So to think; that Asus is going to somehow manage to come up with some super reliable way of updating, is ridiculous at best. Security is best left up to you, and this goes for grandmas router too. Take control of your security. @RMerlin has always developed with security first, features next. Regards.

 

[Latzz]

The very idea of having a process update for you, reminds me of the screw ups that windows went through. By the way no one is as experienced at auto updates than Microsoft and it took them years and all the while with security being the upmost concern. So to think; that Asus is going to somehow manage to come up with some super reliable way of updating, is ridiculous at best. Security is best left up to you

Well spoken. The fact that routers run 24x7 just amplifies the risks. The possibility of pushing out a 'wrong' development version of a firmware onto the release server, or malicious firmware due to lapse in release server security, is not a risk that should even to considered over expediency.

 

[Volfi]

And if the update goes wrong and their router is down for over a week until you can get there to solve it?

Would you recommend NOT installing Windows Updates, because something can go wrong?
I wouldn't ..
Better down than not secure.

 

[FreshJR]

Would you recommend NOT installing Windows Updates, because something can go wrong?
I wouldn't ..
Better down than not secure.

I defer non-critical windows updates, since there has been multiple times an update is glitched, messes stuff up, a rollback update is performed, etc.

 

[Latzz]

Would you recommend NOT installing Windows Updates, because something can go wrong?
I wouldn't ..
Better down than not secure.

Critical updates only and that is usually a couple of days after its released. There is, as an example, a reason for Windows 10 Pro to be updated as part of the enterprise IT policy and not immediately following Microsoft releases.

Bad updates had happened before and its a lot less messy to roll back computer system patches than a router running 24x7 which will take the update immediately. For routers, if its not a critical update, no need to rush. Plus if you have a recent firmware, its pretty safe.

 

[RMerlin]

Would you recommend NOT installing Windows Updates, because something can go wrong?

On a server? Yes. Keep auto-updates off, and manually apply critical updates after about a week, once any bad update has been found out by the community. At least once a year Microsoft pushes an update that breaks things, and requires either being pulled, or replaced.

 

[Tim near Seattle]

Another option is to use a utility, browser extension or program that sends out emails when a web page changes.

I just set this up recently using a (so far) free extension called distill.io and it worked perfectly. I installed it then brought up the web page for the current firmware. I clicked the extension icon and identify the section of the page that lists the firmware version. This required I setup a userid and password so it can save my information.

I'm sure there are other ways to do this but this seemed to work since it sent me an email as soon as the firmware changed on the web page.

 

[AndreiV]

Simply use the Source Forge RSS feeds for Merlin's firmware.

 

[james2947]

I concur with the inquiry of this thread: Patch Management is a critical part of proper security modeling in a modern workforce. Systems should be designed with multiple administrative options in regards to System Software Updates, both regular and critical. System Admins should have a variety of patching options to elect, commonly in the following two forms:

1. Download and Install
   
2. Download only

I concede to the concerns of our denizens suggesting that auto-update installations can be a risk. The risk model however is predicated on the environment. "Best Practice" commonly involves intentional and comprehended patch installations, however to say that is always the case is limited. For this reason alone Installation Options are provided for the admin's advantage. There are times when Option 1 is desired, and times when Option 2 is desired.

As an Asus 'prosumer' I request Asus provide us the availability to make more comprehensive, educated and automated decisions on Patch Management for a device that is immutably becoming one of the most important components of SOHO network.