There has been a lot of talk in the news lately about the inadequacy of SOHO routers, and I couldn't agree more. For more than ten years, I have been advocating the use of real, XTM (extensible threat management) security appliances for even home use because anything less is just grossly inadequate.
I decided to write this article to try to help readers understand why those SOHO routers are only slightly more effective than having nothing. I'll start by giving you some links to some excellent security research so you can see the opinions of other security experts.
Security Evaluators published an excellent report that condensed SOHO router exploits into an easily understandable format. I highly recommend you read their report. Essentially, they describe many ways in which the devices can be completely taken over and compromised. They also describe how UPnP is a massive security vulnerability and how WPS should not be used or enabled. I have been saying all of this for 10 years, so I'm always glad to hear when other security experts are publishing informative documentation that comes to the same conclusion.
I don't agree with all of the recommendations made by Security Evaluators though. They suggest that router manufacturers publish firmware upgrades that address the security vulnerabilities in their products. Sure, that's nice to say, but I have yet to see the makers of residential-class equipment effectively do that. They might publish one or two firmware updates for a few years, but then they stop entirely. They don't do it more often because they think that the devices are throwaway, and I also believe that they aren't really selling these SOHO routers as security appliances. They are selling them as "routers". A better recommendation is to tell people to just stop buying this garbage equipment because it doesn't meet the basic security needs and the vendors are not committed to supplying security/firmware updates for the devices in a timely fashion or for a reasonable service life.
I do love that SE suggests using a non-default, non-standard IP subnet configuration. This is another thing I've been advocating for at least the last 15 years. I'm still disgusted when I see people who claim to be knowledgeable in IT security or networking using default subnet configurations. There is something to be said for not using configurations that are easily guessable. Hey why not use 192.168.0.x/24 everywhere all the time?! (sarcasm)
Another article you need to see is the research study on wireless routers. Remember that these are being sold as wireless routers, not security appliances. So if you buy them thinking that they offer any security, then you are not understanding the situation correctly.
Some of these devices, such as all of the newer Cisco wireless routers, don't let you have a non-broadcasting SSID for wireless. No kidding. That's like giving away 50% of the equation required to get into your systems. It's the same as if everyone knew your username and all they had to do was to guess or brute force your password in order to get into your system. This is why account lockouts on bad password attempts were invented. But there is no such functionality on the vast majority of these SOHO routers.
Can you name one SOHO router that will lock out password attempt access for a period of time after bad password attempts? I'm only aware of biz-class security appliances that do that. So with SOHO routers, the attacker can sit there all day and attempt to brute force your router password.
I'm glad Security Evaluators are publishing these reports as I think they intend them to be helpful to increase the awareness of the average home computer user. For those of us in the security industry, the topic is a combination of the "well-duh" moment and just outright head shaking. I mean, please, let's remember that THESE SOHO ROUTERS ARE NOT SECURITY APPLIANCES.
Any device that comes with UPnP or WPS as an option is NOT a security appliance. These are CONVENIENCE appliances for the uninformed.
I really enjoyed the fact that the Security Evaluators' study on insecure router services exposes the widespread issue of router backdoors, vulnerability to buffer overflows, and other completely stupid default configurations.
One way to think about a device is to think about whether or not the manufacturer designed it to be secure by default, or was it designed to be convenient by default. Security and convenience are not mutually exclusive, but they have a negatively correlated relationship. The more security you have, the less convenience you have. The job of a good security engineer, like myself, is to find that balance for clients. What is the prudent level of security that is appropriate for the client?
In November 2012, I fired a non-profit client because the director of the organization demanded that I violate security 101 common sense and FTC law. Despite me explaining in writing at least 8 times to her that what she wanted me to do would be a violation of the law, she still demanded that I do it. Needless to say, I have no intention of doing things that I find to be unethical, illegal, or just plain stupid.
What was this all about? She wanted to have no password changing and no password complexity on an account authentication system that was accessible from anywhere on the internet. No kidding. And what data was vulnerable to being breached? If her one account was compromised, any hacker in the world could authenticate to the system and gain access to all the org payroll records, the entire donor list, and a bunch of other information that doesn't belong in the hands of the hackers.
You may wonder why the system was even exposed like that. That was a product of me trying to put proper security in place to have a two-factor authentication system, but being constantly road-blocked by an org's director who cared more about convenience than the personally identifiable information of thousands of people. You see now why I fired that org. For those of you in IT, I suggest you think long and hard about where your ethical line is with regards to security. People will challenge it. I suggest that you need to be prepared to diplomatically and authoritatively articulate to management and users why it is that security is not only legally necessary for compliance, but why it's just plain good sense.
So on that note, PLEASE get rid of your SOHO routers and get a real security appliance like a WatchGuard XTM device with a security suite subscription. But remember that your security is only as good as the intelligence of the person who programmed your system. Therefore, you need to get some seriously competent help also. As always, anyone in need of these services can contact me at QPC using the contact page on this website. I wish you good security.
Hacker News has an article describing the Moon malware spreading from Cisco router to Cisco router. The article incorrectly states "Linksys". The routers are Cisco devices. Cisco engineered, Cisco branded, and Cisco supported. The attack vulnerability comes from the Home Network Administration Protocol. It's just another example of a feature designed for convenience and not security. As a result, it creates a more insecure environment than just simply not having that protocol at all.
What I find particularly funny in this article is that the author suggests that device admins should monitor the logs of port 80 and 8080 usage on those devices. Really? With what? These SOHO devices do not have the ability to send their logs anywhere for collection and reporting. Only security appliances have those features. This is one of the many reasons why WatchGuard devices are phenomenal when programmed properly (see my point above about getting competent help). They can send all their log data to a Dimension server. Dimension is supplied as a free virtual server with the purchase of a WatchGuard firebox. All you have to do is supply the VM host (Hyper-V, vSphere, ESXi, VMware Workstation).
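To make concrete the two capabilities the article says SOHO routers lack (a lockout after repeated bad admin-password attempts, and centrally collected logs you can actually inspect), here is an added example that is not from the article or from any vendor's firmware: a small lockout policy for an admin login, replayed over a few constructed syslog-style lines in an invented format, so you can see both the lockout triggering and what the collected log reveals.

```python
"""Admin-login lockout policy replayed over constructed log lines (illustrative, not vendor code)."""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # failures tolerated inside the sliding window
WINDOW = timedelta(minutes=5)     # window over which failures are counted
LOCKOUT = timedelta(minutes=15)   # how long a source stays locked once it trips

class LoginGate:
    """Tracks failed admin logins per source IP and enforces a temporary lockout."""
    def __init__(self):
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> datetime at which the lockout ends

    def attempt(self, ip, ts, password_ok):
        """Record one login attempt; return 'allowed', 'rejected' or 'locked'."""
        until = self.locked_until.get(ip)
        if until is not None and ts < until:
            return "locked"                 # locked: the password is not even evaluated
        recent = [t for t in self.failures[ip] if ts - t <= WINDOW]
        if password_ok:
            self.failures[ip] = []          # a real login clears the failure history
            return "allowed"
        recent.append(ts)
        self.failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = ts + LOCKOUT
            self.failures[ip] = []          # counting restarts when the lockout expires
        return "rejected"

# Constructed sample log (hypothetical format, documentation IP ranges): one source
# hammers the admin login, a legitimate admin logs in from elsewhere, then the
# first source comes back after its lockout has expired.
SAMPLE_LOG = """\
2014-02-17T10:00:01 admin-login src=203.0.113.7 result=fail
2014-02-17T10:00:02 admin-login src=203.0.113.7 result=fail
2014-02-17T10:00:03 admin-login src=203.0.113.7 result=fail
2014-02-17T10:00:04 admin-login src=203.0.113.7 result=fail
2014-02-17T10:00:05 admin-login src=203.0.113.7 result=fail
2014-02-17T10:00:06 admin-login src=203.0.113.7 result=fail
2014-02-17T10:00:07 admin-login src=203.0.113.7 result=ok
2014-02-17T10:00:08 admin-login src=198.51.100.9 result=ok
2014-02-17T10:16:00 admin-login src=203.0.113.7 result=fail
"""

def replay(log_text, gate=None):
    """Feed each log line through the gate; return [(ip, outcome), ...] in order."""
    gate = gate or LoginGate()
    outcomes = []
    for line in log_text.splitlines():
        ts_text, _event, src, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        ip = src.split("=", 1)[1]
        outcomes.append((ip, gate.attempt(ip, ts, result == "result=ok")))
    return outcomes
```

Note that the seventh line, a correct password from the attacking source, is still refused while the lockout is active, which is exactly the property a lockout buys you against an attacker who can guess all day.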
For at least a decade, WatchGuard has had logging and reporting server capabilities. They were always very helpful and usable. But the new Dimension product is a gigantic leap forward. I think it totally smokes the competition in the UTM security appliance market. Cisco has nothing that can even remotely compete. And yet I see companies still investing in that trailing Cisco technology that is exorbitantly expensive.