
Decrypt This: How a cookie ruined routers for the rest of us

Last week, I gave you your first taste of the wild world of home router security.

In the report, I delved into a few of the reasons why, even after three decades in business, router manufacturers continue to struggle to maintain pace with hackers in keeping the personal, professional, and financial information of their customers safe from harm.

Now as promised, I’m back this week with act two. I’ll dive headfirst into why even after so much time on the market, our home networking equipment still lags woefully behind the bell curve when it comes to protecting the data you hold most dear.

This is your primer on where router security is weakest now, and where it can stand to improve the most on the path forward.

Acronyms abound

First, I’ll start by dishing out a few terms that the average reader might be able to recognize without having to break out a dictionary first.

WEP, WPA, WPA2, WPA-KLMNOP.

If you can pick out the one I made up, congratulations, you’re already halfway through your education on the many different styles of defense that routers can deploy to secure a locally broadcast wireless signal.

The inherent problem with our dependence on these encryption standards is that as strong as they may be on their own, for the time being they only address threats that attack your wireless network, and not much else.

Wi-Fi encryption protects your data on the airwaves, but does nothing for security flaws in router firmware.

Sure, if one of your neighbors is trying to poach your Wi-Fi signal from next door, WPA2 is a great way to keep your network under lock and key. Thanks to 256-bit AES encryption, it would take years before a standard computer could come within a mile of cracking the wireless access password.

But even so, AES encryption does nothing about hackers who might try to duck in over the wires, usually through holes left open in Universal Plug and Play (UPnP) services, WPS authentication (the one-press wireless login button on top of your router), or the Home Network Administration Protocol (HNAP). The first two are so riddled with vulnerabilities it would take an article dedicated to each to list the problems in full, but the last is where things really start to go off the rails.

The HNAP protocol is designed to give you or your ISP the ability to access a router’s web-based configuration tool, usually through a browser or your computer’s file system directly. You’d likely recognize it best as the prompt that asks for your username and password whenever you type “192.0.168.1” (or some variation of those numbers) into the address bar.


According to a study released in 2014 by Tripwire, roughly 80 percent of users don’t change these credentials from the default combination they originally shipped with. This makes it exceedingly simple for hackers to break into the core of a router’s inner workings using remote administration privileges, usually without having to do anything more than type in “admin” and “password” in the awaiting empty fields.

From here your router — and everything it’s supposed to protect — is open season for criminal organizations and their financially-motivated whims. And while this may not be the fault of the router makers themselves (there’s only so much a company can do to protect a customer from themselves), you’ll find out in the next section where they’ve dropped the ball just as hard as the rest of us.

“Firm” is a strong word

As the name implies, firmware is similar to software, except it applies to the tools responsible for operating the inner workings of a piece of hardware, rather than supporting any programs or applications installed on top of the system itself.

Every router you’ve owned has a version of firmware running the show behind the scenes, and it is most easily recognized in visual form as the web application that opens anytime you access the HNAP login.


It’s here that everything from individual port forwarding permissions to parental controls can be tweaked and configured to a user’s individual preferences, including the option of enabling (or disabling) remote administration altogether.

Theoretically the inclusion of firmware is fine on its own, necessary even. A problem arises however, when manufacturers of these devices decide to spread out the risk for infection by cramming together amalgamations of dozens of different modules into one piece of Frankensteinian-firmware, instead of designing individual loadouts customized to each new make and model on their own.

The flaws of this approach finally appeared at the end of 2014 when the world was introduced to the Misfortune Cookie. The bug put over 200 separate router models at risk from the same exploit, due to the practice of firmware cross-pollination between many of the most popular models in the business. All told, 12 million households were subjected to the whims of bulletin CVE-2014-9222, which to date has only been patched in an estimated 300,000 actively deployed routers.

And the worst part? Researchers, programmers, and manufacturers had known about the problem since as early as 2002. Even then, it took three years before a working fix could be applied on a global scale.

Something that could have been taken care of with a couple lines of code was instead left for the rest of us to figure out on our own, and Misfortune Cookie represents only one of hundreds of new vulnerabilities that are posted to threat boards around the world every year.

Worse yet, that’s just what happens when one bug affects hundreds of different router models at once. What are we going to do when the lion’s share of users are all hooked up to the exact same router/modem combo, simply because their ISP told them the potential savings are too good to pass up?

One of the crowd

Problems like what happened with Misfortune Cookie are further exacerbated by the fact that these days more than ever before, consumers are opting out of buying their own routers, and choosing instead to use whatever generically-branded box their ISP provides them on a lease-by-the-month basis.

With increased homogeneity in the marketplace comes increased risk, because instead of hackers having to constantly update and re-tool their firmware cracks for the newest models that release each month, they can simply employ broad attacks that automatically affect millions of hubs at once.


By combining the router and the modem into one (what’s referred to as an “Internet gateway”), ISPs are making their customers more vulnerable. These gateways are made by smaller, contracted companies who have only recently started creating networking equipment on an industrial scale, yet consumers are plugging in their devices by the handful without so much as a second glance at the brand name on the bottom of the box.

Simplicity squared

And it’s here the core of the problem at hand becomes apparent: consumer awareness. The reason brands like Apple do so well is because even the least technologically-educated person in the world can figure out how to use an iPad with a few minutes of spare time…but routers aren’t iPads.

Routers are complex, deeply intricate pieces of hardware by the very nature of their design. They are devices that require at least a rudimentary understanding of networking just to get into in the first place, let alone to change any of the settings that leave users open to the biggest threats on the Internet.

Router manufacturers need to make configuring their hardware as easy as posting on Instagram.

Unless manufacturers can step up to the plate and figure out how to make the process of properly configuring a router for optimal safety as easy as posting a photo on Instagram, these problems will remain a constant on the modern network security battleground.

In next week’s finale, I’m going to address the potential solutions that might be out there for the problems presented in the first two acts, and even go as far as to make a few predictions about whether we’ll still need these hunks of plastic in our homes in the future as the standard for security continues to change and evolve on the road ahead.

Chris Stobing
Former Digital Trends Contributor