🅭

Network routers are just computers

I want to clear up a common misconception about the network router in your home. It’s neither an appliance nor magic. It’s a small computer running software that handles local network management and routing between your devices and the internet. More specifically, it’s most often a miniature Linux server. But wait, aren’t servers hugely complicated devices that require ongoing maintenance and security patching? Who’s responsible for that for the server in your home?

Consumers don’t think of network routers as servers or even as computers. They’re sold as maintenance-free appliances that you set up and forget. A consumer-grade network router promises that it auto-configures itself, manages the household’s network, and stays out of sight. We’ve all learned to accept that we occasionally may need to turn it off and back on again when the network stops working. That is also the extent of the “maintenance” most routers receive.

Consumers aren’t expected to know how to manage and maintain a Linux server, however. Tech-savvy consumers who realize they’ve brought a server into their homes assume the manufacturer will maintain it.

Researchers are constantly finding security vulnerabilities in routers. The issues vary from bugs in the underlying operating system and software to misconfiguration and outright negligence from the manufacturer.

A recent study of 127 new home routers had some very worrying findings. One-third ship with Linux kernel version 2.6.36 was released in . You can walk into a store today and buy a brand new router powered by software that’s almost 10 years out of date! This outdated version of the Linux kernel has 233 known security vulnerabilities registered in the Common Vulnerability and Exposures (CVE) database. The average router contains 26 critically-rated security vulnerabilities, according to the study.

The same study also evaluated the use of more proactive security measures to help limit the impact of security exploits. Nearly all vendors deployed one exploit mitigation technique. The study didn’t look into whether different software services on the router run in sandboxed and constrained environments, or whether they have full privileged access to the system.

In my own experiences with router firmware from various vendors, I’ve only encountered the latter. It’s not difficult or time-consuming to set up these types of protections, but network equipment manufacturers tend not to bother with it. The ancient and outdated versions of the Linux kernel and other software are partly to blame. However, shipping outdated software also falls squarely on the manufacturers’ shoulders.

I replicated a small part of this study in September at a local electronics shop. I noted every router they had for sale, and looked up when each one had last received a security update on the manufacturer’s website. Not a single model had received a software update in the last 14 months.

Like all computer operating systems, the one in your router requires constant updates to address security vulnerabilities as they’re discovered. Manufacturers are not incentivized to provide ongoing support and security updates for their devices. It’s expensive to employ staff that supports old products and don’t generate new revenue for the company.

However, you don’t purchase a support contract when you’re buying a consumer-grade router. You don’t get any guarantees about the ongoing availability of security updates. Starting in 2021, computer displays and smart TVs sold in the EEA are required to be transparent about how long they’ll receive firmware updates. For computers, networking equipment, and other internet-connected devices, there’s no best-before date on the packaging. There is no way for consumers to know how long a router will last before it needs replacing.

The only time network equipment vendors seem to modestly care is in response to specific vulnerabilities that get a lot of media attention. Such as the much-publicized Key Reinstallation Attacks (KRACK) from that managed to bypass Wi-Fi authentication. It took most manufacturers months to issue updates, and many are unpatched to this day. Michael Horowitz maintains a list of some of the other interesting/worrying router bugs, flaws, hacks, and vulnerabilities from the last decade.

To make matters even more confusing for consumers, it is no guarantee that security issues have been fixed even if your router does receive regular updates.

To be clear, no one can guarantee perfect security. If consumers are even aware of the problems, they expect manufacturers to be on the ball and patch things as new issues are discovered. Network equipment manufacturers haven’t lived up to those expectations.

It’s time that consumers stop assuming the manufacturers will step up to the challenge. Instead, all we can do is to vote with our wallets and stop buying their products. The only problem is that it’s difficult for consumers to know what network equipment to buy. As discussed, there’s no labeling on the product or other easy way for consumers to compare the firmware update policies from different manufacturers.

If you’ve read this far into the article, I’m sure you’re hoping for a router recommendation. I’d love to be able to point at good options in the market. However, there simply aren’t any good options in the consumer market. You need to make the switch to more involved, complicated, and expensive enterprise-grade network equipment before you see any improvements.

Maybe you could recycle an old laptop and set it up to act as your home’s next router? IPFire (Linux) and OPNsense (FreeBSD) are free firewall software suites you can explore. I wouldn’t recommend that anyone go down this route, though. Setting them up and managing them are complicated processes and they do require ongoing learning and maintenance. However, you may still want to give this a try before committing to expensive network equipment from an enterprise-grade provider. It’s not like you’d do a worse job managing it than the big consumer-grade router manufacturers.