
Stupid question. How safe is third party firmware for routers?


Not a stupid question. But I have no idea. Merlin and others are in a better position to comment.
 
You should consider the risk/reward for each third-party firmware you're considering using.

You should trust the author and understand what benefits you would get from using the third-party firmware.

I choose to use FreshTomato for my routers because the manufacturer has abandoned them and FreshTomato incorporates the latest security and bug fixes. It is open source so I can worry a bit less about there being malicious code hidden inside. In my case, I believe that continuing to use the stock firmware with known vulnerabilities is less safe than using a third-party firmware.

Some people refuse to use third-party firmware which does not have source code openly shared.
 
There's no simple answer to that question. First of all, which third party firmware? A third party firmware that hasn't been maintained for years or comes from a shady source can be a major security risk. Which firmware are you replacing? Some manufacturers are absolutely abysmal in their security handling, some of them being well known for frequently including backdoors, years-old components with multiple known security issues, etc... Going with a third party firmware with more up-to-date components would be a major improvement for these.

This is a case-by-case scenario, really. You need to know which firmware you are replacing, and which third party firmware you are going to use to be able to answer that question. The answer will vary depending on these variables.
 
ngrever, These days, what you asked is far from a 'stupid' question, and not that easy to answer. This is written as one example and not the end-all, of what many think is a good, secure third-party FW for one brand only, Asus. RMerlin said it best.

In all the many years we've owned/installed Asus routers and systems, we've had the best success with Asus factory routers that are upgraded to Merlin's FW (not to leave out John's fork) and we've never had a security breach, at least never one we've been able to detect. Routing can but shouldn't be taken as a plug and pray solution, it's a serious and ongoing battle against all known/unknown bugs and bad actors, that are always after the end-game, getting inside your system. Merlin, short for Asuswrt-Merlin, meets and/or exceeds our requirements and expectations for security, performance and usability, and has always been superior to Asus's official factory FW. Otherwise, we wouldn't recommend it nor use it. Many like the added flexibility in using only the router's GUI, without learning complex protocols. If Asus FW goes entirely to proprietary/closed source, then any third-party FW for Asus is in jeopardy. As only one example; how many 'official' Microsoft branded computers have you bought/owned recently where you could actually alter the parameters of the machine/OS to suit you? MS branded/manufactured hardware and systems aren't like most other brands of 'PC compatible' hardware, and MS doesn't care to cede control to 'unauthorized' users; you're encouraged to buy and use it, but don't try altering the product. Like other manufacturers, in the fine print no matter what you paid, somewhere it says you only have a license to 'use' the product, meaning if the manufacturer decided to hit the kill switch or give you an update you can't stand, you're out of luck. That OS in one form or another runs on hundreds of millions of x86-64 PCs and many of those owners/users have always chosen to change that OS (code) to suit them. In effect, changing that machine or code immediately makes it 'official' and unsupported third-party product. Other vendors license that OS for their third-party branded machines.
Whether it's FW or OS code, it's only as secure as the owner-operator makes it. No corporation can make any user safe, and many of their mistakes cost users the loss of their systems. Yet we still use their products in some way, and manage to do a good job of securing our own systems in spite of all their mistakes.

No code is meant to take the place of secure practices, so the reputation of the coders means everything. If you allow a manufacturer to control every aspect and feature on the machine, they'll snoop to their heart's desire through all your stuff, for their reasons. W7 Pro or Ultimate was the last of the line which users/owners could reasonably secure/control/tweak and enjoy. When it goes the way of XP in a few years, Linux will be the only secure OS average geeks can choose to secure and operate, without corporate domination. That's IMO-only, and an over-simplification; not intended to inflame passions. Much third party secure code exists, so enjoy researching.

You can use scripts to customize Merlin, which isn't possible with the official FW. Asus is saying now, "you spoke, we listened," about time, that they'll endeavor to make Asus routers compatible with DDWRT. Who would've thunk it? Asus factory firmware was terribly insecure; it took the Feds slapping Asus with a huge fine to force them to begin securing their code FW, with an added 20-year audit. Hundreds of thousands of routers were compromised world-wide; that's what all manufacturers should do anyway. If the owners don't apply FW security updates or if they neglect their settings, then bad things will happen. When coders do their jobs well, code is relatively secure and then it's up to the user to administer their gear, if not the whole world will be inside in milliseconds. Merlin, Tomato, Advanced Tomato, DDWRT, OpenWRT etc all have their enthusiasts. Learn all you can and take care of your router. Enjoy and cheers:)
 
OpenWRT tends to be fairly safe, and they keep it up to date - not just with the kernel, but the tool chain and packages - challenge for any third party firmware is the closed source components that are board specific.
 
