Lucian Constantin’s Motherboard guide to protecting your home router is full of excellent, nearly impossible-to-follow advice that you should follow, but probably won’t.
Constantin sensibly points out that your ability to trust your router ultimately and absolutely depends on its security track record (“How did it handle vulnerabilities being discovered in its products in the past? How quickly did it release patches? Does it have a dedicated contact for handling security reports? Does it have a vulnerability disclosure policy or does it run a bug bounty program?”) but then goes on to obliquely point out that these are largely unanswerable questions.
You can google up past security researchers’ experiences with the company (but that won’t tell you whether the company has successfully silenced researchers with threats of legal reprisals). You can “email the company’s support department in your respective country” (which seems likely to be greeted with silence — I recently spent a month and ten followups just to get a single pre-purchase data-point out of LG about their flagship 40″ monitors); and “look at the firmware update history of the router you intend to buy or of a router from the manufacturer’s same line of products” — a data-point that is likely to be buried, or unavailable, and requires expertise to really parse out, for example, you’d need to know how quickly a firmware update followed on from a major bug disclosure.
But there are alternatives to trusting the vendor: you can buy a DD-WRT-compatible router and replace the manufacturer’s software with free, open code. Whereupon Constantin offers some really excellent advice for what defaults to change and so on.
The other elephant in the room here is that most ISPs won’t let you bring your own router, so even if you do all this stuff, you’ll be left putting your router in series with the one that comes from your ISP, which is almost certainly a total fucking dumpster fire, and, thanks to the FCC’s Neutrality-killing order last month, your ISP is almost certain never to face any competition and you’re stuck with whatever you get.
This kind of article — full of excellent and important information! — is both vital and frustrating. I sympathize with Constantin’s desire not to just give counsel of despair, but honestly, solving this kind of thing by configuring your home router is like trying to personally recycle your way out of climate change.
The problems of home routers are deep and structural and need to be fixed with collective — not individual — action. Companies that don’t patch their routers and expose their customers to risk should be named, shamed, and sued into oblivion. ISPs should face meaningful competition so that you can shop around for one that lets you swap in your own router, and should also be regulated to ban the practice of forcing you to use their router. The Computer Fraud and Abuse Act and Digital Millennium Copyright Act must be reformed to ensure that researchers can’t be threatened for warning you about defects in your router. And so on.
This kind of guide really belongs in the alternate timeline in which all that other stuff has already happened — in this timeline, it’s more of a wishlist than a plan.
Research the company’s security track record: How did it handle vulnerabilities being discovered in its products in the past? How quickly did it release patches? Does it have a dedicated contact for handling security reports? Does it have a vulnerability disclosure policy or does it run a bug bounty program? Use Google to search for terms like “[vendor name] router vulnerability” or “[vendor name] router exploit” and read past reports from security researchers about how they interacted with those companies. Look at the disclosure timelines in those reports to see how fast the companies developed and released patches after being notified of a vulnerability.It’s also important to determine, if possible, how long a device will continue to receive firmware updates after you buy it. With product lifecycles becoming shorter and shorter across the industry, you might end up buying a product released two years ago that will reach end-of-support in one year or in several months. And that’s not something you want with a router.
Unfortunately, router vendors rarely publish this information on their websites, so obtaining it might involve calling or emailing the company’s support department in your respective country, as there are region-specific device models or hardware revisions with different support periods. You can also look at the firmware update history of the router you intend to buy or of a router from the manufacturer’s same line of products, to get an idea of what update frequency you can expect from the company.
How to Protect Your Home Router from Attacks [Lucian Constantin/Motherboard]