torstein
Senior Member
UPDATE: Most of the statements linked below are false or have been fixed. I should have done a more thorough search before posting. My apologies to the community.
TL;DR: All popular consumer routers have outdated software, kernels and services. They have hundreds of known security flaws that the manufacturers don't fix. The only safe option is enterprise grade routers. Of all the consumer routers, Asus with @RMerlin is the best option if you don't want enterprise routers.
I stumbled upon this blog post from routersecurity.org warning against consumer grade routers. Even @thiggins is quoted in the article. It got me worried, and I wanted to hear my community fellows' opinion on it, if it's still relevant or if it's overblown scare tactics. Some quotes:
- In 2017, up to 32 Wi-Fi routers from ASUS, Belkin, Buffalo, Cisco, D-Link, EFM, Huawei, Linksys, Netis and TP-Link had a known security vulnerability. No zero days needed. A majority had more than 10 "Severity High" vulnerabilities. Half of the firmware had "Severity Critical" vulnerabilities.
- In 2016 Asus had to settle with the FTC due to many critical security flaws in their Home Network Routers and cloud services that caused 12,900 customers' private files to be available on the internet unsecured. The punishment was to be audited for the next 20 years for security improvements.
- Fraunhofer's Home Router Security report 2020 is really depressing reading. They looked at the latest available firmware as of March 27, 2020. Some routers had hundreds of known vulnerabilities. The average number of critical vulnerabilities per router was 53. A third of routers used a version of Linux 2.6.36 from October 2010 with 233 known security vulnerabilities.
- Our @thiggins is quoted warning: "Linksys is by no means alone in using its customers as beta testers ... Chip vendors race to get to market first, then push their customers (the router manufacturers) to get new technology (11ac, MU-MIMO, etc.) into their products ASAP. Router makers, in turn, push not-fully-baked products to market, bowing to pressure on one end from the chip makers and retailers (BestBuy, Amazon, etc.) on the other end, to get new stuff on the shelves with higher numbers on the boxes because that's what sells. Behavior will not change unless buyers break the cycle and leave stuff on the shelves. Unfortunately, with social media and YouTube 'stars' pumping the hype machine, and people still being sucked in by inflated speed numbers, things won't change anytime soon."
- In September 2020, Daniel Aleksandersen blogged that Network Routers are just computers. Manufacturers of consumer routers are not incentivized to provide ongoing support and security updates for devices that provide no new revenue. He concludes that there is not one secure consumer router. For better software support, he says you need to make the switch to more involved, complicated, and expensive enterprise-grade network equipment.
- In February 2021, Bruce Schneier wrote: "Most routers are designed offshore, by third parties, and then private labeled and sold by the vendors you’ve heard of. Engineering teams come together, design and build the router, and then disperse. There’s often no one around to write patches, and most of the time router firmware isn’t even patchable."
- In July 2020, Martin Rakhmanov of Trustwave wrote about two bugs he found in the Asus RT-AC1900P router. One bug was lazy programming, Asus was not checking the certificate of downloaded firmware when updating. Asus did not issue a security advisory preferring to sweep the bugs under the rug. It took Asus three months to fix the bugs and they never bothered to tell Rakhmanov. When he happened to notice the new firmware, he asked them if they fixed one or both bugs. They didn't know.
- In May 2019, Troy Mursch reported a bug to Linksys that affected 33 Linksys Smart Wi-Fi routers. The company decided not to fix the problem. Shortly thereafter, Ars Technica contacted Belkin (which owns Linksys) about the bug and got the cold shoulder, Belkin never responded.
He does end on a somewhat more positive note saying:
My distaste for consumer routers means avoiding TP-Link, Netgear, D-Link, Belkin, Buffalo, Linksys and the like. That said, the best of the lot is probably Asus running Merlin firmware.
- What do you think? Is the state of consumer home networking routers this bad?
- Are the engineers really as "lazy" and incompetent as stated?
- Why don't the manufacturers upgrade to a newer Linux kernel and software etc?
- Is my home network not safe, and should I be worried even on latest firmware?
- What are your thoughts on the above snippets?