If you’ve been following this website and blog you’ll know that it’s filled with information about vulnerabilities and other security problems in home routers. But how did we ever get ourselves into this position? It certainly doesn’t need to be this way. Why is home networking equipment so problematic?
Instead of answering the question, we’ll just leave a pointer here to a really great resource that talks about the reasons. Jim Gettys gave a talk at Harvard entitled “(In)Security in Home Embedded Devices”, in which he does a terrific job of explaining the origins of many of the troubles in home networking equipment. It’s easy to listen to, very informative, and worth a look.
There was one part that we found particularly interesting and worth discussing. At the end of the talk there’s a question and answer period. The first question was asked by the moderator, Bruce Schneier, a renowned expert in computer security. Schneier asked:
What can a third-party do in general for this problem? … I’m assuming that Symantec can sell a “$100 every home needs a security thing” that we’re going to install on your network and it will magically fix the problem. Is there something a third-party can do without anybody else’s help, approval…
Gettys’s response was not very satisfying. He pretty much said that we can’t do anything about this. In particular, he said:
… that’s your router, that’s your box to the rest of the world. … until you’ve replaced that man-in-the-middle you are vulnerable
We disagree with his answer because we believe that he answered the wrong question. The question that he answered is: How can we use a third-party tool to address this problem?
However, we believe that the question he should have answered is: How can we use a third-party tool to address this problem?
This is a much more important problem to solve. It not only includes the vulnerabilities that are found in the firmware, but also the problems caused by people who don’t properly configure their routers. Remember, the last few examples of Hacks of Mass Destruction that we’ve seen have not been caused by vulnerabilities buried deep within router hardware drivers. Instead, they’ve all been caused by people setting their administrator password to password.
Our data shows that vulnerabilities that are due to poor configuration also seem to occur at a higher rate than firmware vulnerabilities. Yes, they’re both important, but that’s the whole point. They’re both important. Gettys’s response was insufficient because it ignores a large part of the problem that affects the average user.
We would say to Bruce Schneier that yes, there can be third-party tools that help to address the whole problem and don’t require the help or approval of anyone or anything. This is the problem that RouterCheck was designed to address. RouterCheck can detect issues such as bad passwords or open ports and alert the user to the problem. We can also see that users who go on to retest their router after finding a problem often find fewer problems. This indicates that RouterCheck does help people fix simple problems.
But what about deeper problems that are built into the firmware? The ones that Gettys was referring to? Well, RouterCheck cannot magically fix them, but then nothing can. What RouterCheck can do is detect them and report them. This is important in an environment where the popular media is routinely reporting on vulnerabilities such as Misfortune Cookie and Wifatch. It’s bad when people hear about “a problem in your router that could allow a hacker to invade your privacy”. It’s worse when people are unable to determine whether they’re affected or not. RouterCheck is not a panacea, but it is an effective tool in helping people.
As we’ve been developing RouterCheck, we’ve learned a lot about the problem that we’re solving. It’s very clear now that the problem is multi-dimensional and needs to be addressed in that way. Simply looking at the problem through the lens of “bad firmware” will ignore the realities that are caused by usability problems and human error. If we’re ever going to improve the security of home routers, all of the issues must be addressed.