Avoid Consumer Routers


torstein

Regular Contributor
UPDATE: Most of the statements linked below are false or have been fixed. I should have done a more thorough search before posting. My apologies to the community.


TL;DR: All popular consumer routers have outdated software, kernels and services. They have hundreds of known security flaws that the manufacturers don't fix. The only safe option is enterprise grade routers. Of all the consumer routers, Asus with @RMerlin is the best option if you don't want enterprise routers.

I stumbled upon this blog post from routersecurity.org warning against consumer grade routers. Even @thiggins is quoted in the article. It got me worried, and I wanted to hear my community fellows' opinion on it, whether it's still relevant or if it's overblown scare tactics. Some quotes:

  1. In 2017, up to 32 Wi-Fi routers from ASUS, Belkin, Buffalo, Cisco, D-Link, EFM, Huawei, Linksys, Netis and TP-Link had a known security vulnerability. No zero days needed. A majority had more than 10 "Severity High" vulnerabilities. Half of the firmware had "Severity Critical" vulnerabilities.

  2. In 2016 Asus had to settle with the FTC due to many critical security flaws in their Home Network Routers and cloud services that caused 12,900 customers' private files being available on the internet unsecured. The punishment was to be audited for the next 20 years for security improvements.

  3. Fraunhofer's Home Router Security report 2020 is really depressing reading. They looked at the latest available firmware as of March 27, 2020. Some routers had hundreds of known vulnerabilities. The average number of critical vulnerabilities per router was 53. A third of routers used a version of Linux 2.6.36 from October 2010 with 233 known security vulnerabilities.

  4. Our @thiggins is quoted warning: "Linksys is by no means alone in using its customers as beta testers ... Chip vendors race to get to market first, then push their customers (the router manufacturers) to get new technology (11ac, MU-MIMO, etc.) into their products ASAP. Router makers, in turn, push not-fully-baked products to market, bowing to pressure on one end from the chip makers and retailers (BestBuy, Amazon, etc.) on the other end, to get new stuff on the shelves with higher numbers on the boxes because that's what sells. Behavior will not change unless buyers break the cycle and leave stuff on the shelves. Unfortunately, with social media and YouTube 'stars' pumping the hype machine, and people still being sucked in by inflated speed numbers, things won't change anytime soon."

  5. In September 2020, Daniel Aleksandersen blogged that Network Routers are just computers. Manufacturers of consumer routers are not incentivized to provide ongoing support and security updates for devices that provide no new revenue. He concludes that there is not one secure consumer router. For better software support, he says you need to make the switch to more involved, complicated, and expensive enterprise-grade network equipment.

  6. In February 2021, Bruce Schneier wrote: "Most routers are designed offshore, by third parties, and then private labeled and sold by the vendors you’ve heard of. Engineering teams come together, design and build the router, and then disperse. There’s often no one around to write patches, and most of the time router firmware isn’t even patchable."

  7. In July 2020, Martin Rakhmanov of Trustwave wrote about two bugs he found in the Asus RT-AC1900P router. One bug was lazy programming: Asus was not checking the certificate of downloaded firmware when updating. Asus did not issue a security advisory, preferring to sweep the bugs under the rug. It took Asus three months to fix the bugs and they never bothered to tell Rakhmanov. When he happened to notice the new firmware, he asked them if they fixed one or both bugs. They didn't know.

  8. In May 2019, Troy Mursch reported a bug to Linksys that affected 33 Linksys Smart Wi-Fi routers. The company decided not to fix the problem. Shortly thereafter, Ars Technica contacted Belkin (which owns Linksys) about the bug and got the cold shoulder; Belkin never responded.

He does end on a somewhat more positive note saying:

My distaste for consumer routers means avoiding TP-Link, Netgear, D-Link, Belkin, Buffalo, Linksys and the like. That said, the best of the lot is probably Asus running Merlin firmware.

  • What do you think? Is the state of consumer home networking routers this bad?
  • Are the engineers really as "lazy" and incompetent as stated?
  • Why don't the manufacturers upgrade to a newer Linux kernel and software etc.?
  • Is my home network not safe, and should I be worried even on latest firmware?
  • What are your thoughts on the above snippets?
 

ColinTaylor

Part of the Furniture
This is all old news. Some of it very old, obsolete or factually incorrect (although that's not to say the rest isn't correct). Why are you bringing it up now? I think all of the points above have already been discussed at length in these forums.
 

torstein

Regular Contributor
I tried searching for them, and couldn't find anything relevant. I was worried, and wanted to know if it's old news and not anything to worry about, or if it still holds true. Arstechnica apparently linked to his article.

If it is just incorrect and scare tactics, then I can rest assured. I'll try to find more posts in the forum, but maybe you have something on hand you can link to for me to educate myself on?

EDIT:
I did a more thorough search, and found what you wrote @ColinTaylor. My apologies, I should have done my homework better before asking the forum. I updated my original post.
 

BreakingDad

Senior Member
> I tried searching for them, and couldn't find anything relevant. I was worried, and wanted to know if it's old news and not anything to worry about, or if it still holds true. Arstechnica apparently linked to his article.
>
> If it is just incorrect and scare tactics, then I can rest assured. I'll try to find more posts in the forum, but maybe you have something on hand you can link to for me to educate myself on?
You're safe with your AX86U and Merlin, fear not. There are bigger fish in the pond than us mortals.
 

torstein

Regular Contributor
Thanks @BreakingDad, that gives comfort reading hehe :) I also made a more thorough search and found out most of the things I read over at routersecurity.com are false or have already been fixed. I should have done my homework better before posting and asking. My apologies for this rookie mistake.
 

BreakingDad

Senior Member
> Thanks @BreakingDad, that gives comfort reading hehe :) I also made a more thorough search and found out most of the things I read over at routersecurity.com are false or have already been fixed. I should have done my homework better before posting and asking. My apologies for this rookie mistake.
Nothing to apologise for. Cyber security is a serious issue, better to check than be sorry. We all get these concerns when getting new equipment. Merlin has patched most holes out; even on the latest update he killed the FragAttacks issue. Just make sure your devices are all up to date with Windows Defender at minimum (and Malwarebytes) and you should have no issues. Trend Micro protection is another layer you could use, and the Skynet firewall is available on your router also; you can even block whole countries with it. There is also a full advert blocker tool you can use called Diversion. Enjoy your new router, I've had mine 6 months and its performance is sublime.
 

coxhaus

Part of the Furniture
My guess is the Cisco small business routers are patched faster and more completely than any consumer router. It does not mean problems don't crop up. I mean it overall.

This is for actively supported routers not old versions which have reached end of life. Cisco publishes life cycles for their hardware.
 

Tech9

Very Senior Member
> Thanks @BreakingDad, that gives comfort reading hehe :)

If this is going to make you even more comfortable: home routers are secure enough for home use. I'm assuming you don't run a law office, stock trading or patent registration company at home. If you don't help the bad guys with configuration or usage mistakes, no one will bother you (too much). If home routers were so bad, we would read horror stories every day. If you need maximum security and the stakes are very high, prepare thousands of dollars for enterprise gear and support/subscription services. For $290 you've got a router, switch and good access point. A used, so-called kernel proxy firewall running on a Solaris server may cost you $50K. You understand the difference. If you need one, it's available.
 

coxhaus

Part of the Furniture
I would expect better security for multi-thousands of dollars for enterprise gear. The difference is some of these consumer routers cost as much as small business equipment.
 

Tech9

Very Senior Member
> The difference is some of these consumer routers cost as much as small business equipment.

The difference is in looks. Business equipment is boxy and ugly. More antennas, bigger antennas, red/gold accents, RGB lights, "gaming" in the name - this is what most home users pay for. You're too old-school tech to understand (and me too). This is much better than any enterprise gear:

[image: ASUS_spider.jpg]


Do you feel the POWER now? :)
 

torstein

Regular Contributor
@Tech9 Oh yes, the more antennas the more secure the router, right? Thank God for all those antennas, I can't imagine malware dares coming close to my network once it sees those red accents! Should even scare away a trojan too, I reckon :D Silly enterprise gear hasn't figured this out yet.
 

BreakingDad

Senior Member
> @Tech9 Oh yes, the more antennas the more secure the router, right? Thank God for all those antennas, I can't imagine malware dares coming close to my network once it sees those red accents! Should even scare away a trojan too, I reckon :D Silly enterprise gear hasn't figured this out yet.
Three antennas provide the best security, everyone knows that. Anything over that is just receiving bad stuff you don't want in your network. Also a red accent indicates it is ultra secure. I think you know which router I am referring to.
 

RMerlin

Asuswrt-Merlin dev
For a while, a frequent advice was "If you want security, avoid home routers, and go with prosumer products". Then these products like Mikrotik also started showing serious security flaws, so the same helpful people said: "Well, if you REALLY want security, go with business class products". In addition to these being generally over budget for home users, we started seeing products from companies like Juniper also revealed to contain major security flaws and/or hardcoded credentials...

The bottom line is: modern software has grown too complex. Meanwhile, the human brain that is still responsible for writing 99% of that software hasn't increased in capacity or quality. So, expect security issues to increasingly become prevalent in software as they keep increasing in complexity, adding tons of new features which result in more lines of code. More code = more chances of bugs being introduced. It also means more different engineers working on the product, which also increases the chances of introducing exploitable flaws.

Yes, that may sound cynical. But reality is, writing perfect code is getting increasingly difficult. While best practices have improved a lot over the years, software is still written by flawed human beings. And the attack methods are becoming increasingly advanced themselves. The past year has shown that the latest trend in terms of security issues is now related to supply chains.

Regardless of whether you go with a 50$ home router or a 1000$ business class product, you won't be risk-free. You can greatly reduce the chances of getting compromised by locking down your device to only expose secure services to the Internet. That means using a VPN for any kind of remote access.

And also all brands aren't equal. Research their past track record, but also their timeliness in providing security updates in case of security flaws being reported. You can't just lump them into one large pile simply based on the fact that they are classified "home router" versus "prosumer router" versus "business-class router".

Ultimately, you have to decide what is "good enough" for your specific usage scenario. Your home network will need to get protected against large-scale mass attacks. Your multi-billion-dollar company will need to get protected against more sophisticated, targeted attacks. Can't expect everyone to pay 10X more for a business-class router, plus the annual cost of a maintenance contract required to receive future security updates.

In security, there is never any guarantee that you will be safe. Security flaws can be discovered in any piece of software. Look at iOS for example. Every time a new jailbreak is found, what it means is someone found a security flaw that they can exploit, that even a multi-billion-dollar company like Apple that takes security very seriously hasn't been able to find ahead of release.
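RMerlin's practical advice above is to expose only secure services to the Internet and to use a VPN for any remote access. The script below turns that into a repeatable check, as an added example that is not part of the thread or of Asuswrt-Merlin itself: it parses `netstat -tuln` output taken from the router, keeps the listeners bound to the WAN address or to a wildcard address, and flags every one that is not on an explicit allow-list. The sample netstat text, the WAN address (a documentation-range IP) and the allow-list of VPN ports are all constructed assumptions for the example; on a real device you would paste in your own netstat output and list the VPN port you actually run.

```python
"""Audit which listening services on a router would be reachable from the WAN.

Added example, not code from the thread or from Asuswrt-Merlin. Feed it the
output of `netstat -tuln` (busybox/net-tools format) from the router and the
router's WAN address. It reports every listener bound to the WAN address or
to a wildcard address that is not on the allow-list. The allow-list follows
the post's advice: the only inbound service worth exposing is the VPN.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample of `netstat -tuln` output; not captured from a real router.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.50.1:22         0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:8443       0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9999          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:51820           0.0.0.0:*
udp        0      0 192.168.50.1:53         0.0.0.0:*
udp        0      0 0.0.0.0:1900            0.0.0.0:*
"""

# Constructed WAN address (RFC 5737 documentation range), an assumption for the example.
WAN_ADDR = "203.0.113.10"

# Services we are willing to accept inbound: the VPN only. Assumed ports for
# this example (WireGuard 51820/udp, OpenVPN 1194/udp); adjust to your setup.
ALLOWED = {("udp", 51820), ("udp", 1194)}

# Addresses that mean "every interface", so a bind there includes the WAN side.
WILDCARDS = {"0.0.0.0", "::"}

# Matches "tcp/udp <recv-q> <send-q> <local addr>:<port>"; tolerates tcp6/udp6.
LINE_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


def parse_netstat(text):
    """Return one Listener per socket line; header and unparseable lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), m.group(2), int(m.group(3))))
    return listeners


def wan_reachable(listeners, wan_addr):
    """Listeners bound to the WAN address or to a wildcard address.

    A wildcard bind only becomes reachable if the firewall's INPUT chain lets
    the traffic through, so this is the pessimistic view: what the router
    would answer on the WAN side if the firewall did not stop it. That is the
    list you want when reviewing exposure, because firewall rules change.
    """
    return [l for l in listeners if l.addr == wan_addr or l.addr in WILDCARDS]


def audit(text, wan_addr, allowed=ALLOWED):
    """Return sorted (proto, port) pairs that are WAN-reachable and not allowed."""
    exposed = wan_reachable(parse_netstat(text), wan_addr)
    return sorted({(l.proto, l.port) for l in exposed if (l.proto, l.port) not in allowed})


if __name__ == "__main__":
    # Usage on a router with SSH enabled (LAN side only):
    #   ssh admin@192.168.50.1 netstat -tuln | python3 audit.py 203.0.113.10
    # With no piped input the constructed sample is used instead.
    wan = sys.argv[1] if len(sys.argv) > 1 else WAN_ADDR
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    findings = audit(text, wan)
    if not findings:
        print("OK: only allow-listed services are WAN-reachable")
    for proto, port in findings:
        print(f"REVIEW: {proto}/{port} is WAN-reachable and not on the allow-list")
```

On the constructed sample the check flags the web UI on 80/tcp, a service on 8443/tcp bound directly to the WAN address, and SSDP on 1900/udp, while the WireGuard listener passes and the LAN-only SSH and DNS binds are ignored. A finding is a prompt to confirm the firewall blocks it or to turn the service off, not proof of exposure by itself.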
 

torstein

Regular Contributor
Thanks for chiming in @RMerlin. I agree, you shouldn't judge all routers the same. Asus seems to be the more serious consumer-product contender with frequent updates, and of course with your Merlin firmware I think, consumer-wise, Asus routers are as safe as one can get when on a normal consumer budget, and not a business class budget.

I feel a lot safer now, and content with my choice in home router :) Thanks to all who responded to this thread, especially @Centrifuge, I'll make sure to get one or two AC86U to heat my home in the winter ;)
 

Centrifuge

Regular Contributor
> Thanks for chiming in @RMerlin. I agree, you shouldn't judge all routers the same. Asus seems to be the more serious consumer-product contender with frequent updates, and of course with your Merlin firmware I think, consumer-wise, Asus routers are as safe as one can get when on a normal consumer budget, and not a business class budget.
>
> I feel a lot safer now, and content with my choice in home router :) Thanks to all who responded to this thread, especially @Centrifuge, I'll make sure to get one or two AC86U to heat my home in the winter ;)
Thanks Torstein, I see you're a Hario man, I am a Kalita Wave fan. ;)

I think Merlin has a great point: if you are connected you are probably vulnerable and must assume so. I feel comfortable with the philosophy I'm following. For a bit more (ok, I splurged) than an AX86U I have a dedicated open-source firewall appliance and consumer router access points behind it, but I don't assume that I'm totally secure. It's been boringly reliable. I do miss getting in the weeds with all the scripts and add-ons, but I can find learning opportunities this way too.
 
