Skip to main content

Decrypt This: Why is router security so full of holes?

whats the problem with router security djhkblq
Image Credit: Shutterstock/Piotr Adamowicz
With every fresh wave of new routers and networking equipment that hits the shelves comes the promise of a new age of functionality, usability, and security. Whether it’s the newest Nighthawk from Netgear or just another in a long line from Linskys, I’m always surprised at the bells-and-whistles companies can come up with.

But, despite continued innovation in the market, it’s becoming apparent that a change in how we protect home networks should be at the top of everyone’s to-do list. Router makers need to step up their game if the wireless hardware of today is to protect us from whatever threats might show up tomorrow.

According to a report released earlier this year, upwards of 75% of all routers provided by ISPs contain software or firmware that can be easily exploited by hackers. Even amateurs are discovering how easy it can be to plow straight past a router’s internal defenses without issue.

Papers, please

Why do router flaws matter? To start, let’s get to know the basics of what makes a modern router tick. For almost all of their history, routers made for the consumer market have relied on three key safeguards: certificates, signatures, and firmware.

Every piece in the puzzle is an essential building block of what makes your router secure, and no one part can function on its own without the support of the others. When working in tandem, they can each help to protect a different part of your connected experience, whether it’s checking emails, downloading/installing software, or visiting websites you might not recognize before clicking in.

And even with all their apparent vulnerabilities and shortcomings, these systems are (and probably always will be) a necessary pillar in the ecosystem of Internet security. It’s only recently that analysts and industry experts have started to realized that the foundation which makes their use possible is starting to show signs of weakness, and is close to failing entirely if the stream of modern malware offensives continues to pile on.

It’s all about the Benjamins

The idea that most standard home internet routers are incapable of protecting users from a truly determined hacker shouldn’t be a secret to anyone by this point. While most broadly-cast campaigns like those designed to distribute spam or common malware programs are usually swatted away by a router’s internal firewall, if someone targets you specifically for an attack and wants to slip their way past the perimeter, a $39 dollar D-Link from Walmart isn’t going to stand in their way.

But why?

Why, even after 30 years in business and thousands of revisions to their hardware, are the biggest manufacturers in home networking equipment still struggling to create a device that can effectively protect home Internet users?

To put it in (very) simple terms; it all comes down to cost.

Since close to the inception of the web itself, the data security industry has struggled to retain talented engineers and programmers who know the mathematics of what it takes to break any given encryption protocol in two.

Rooting out holes in router security products is big business for global criminal networks.

Even though a top data scientist working to build firewalls for Netgear might be able to pull $80,000 a year before taxes, another top data scientist halfway across the world could make twice that salary in a less than a day by figuring out how to tunnel under a router’s protect fence unnoticed.

The two sides of this coin are known as “whitehats” and “blackhats.”

These are people who, despite pursuing a passion for the same subjects in school, each decided to take a slightly different path with the skills they’d picked up along the way. One works to help strengthen the Internet for a living, creating new protection methods to better preserve privacy online, while the other maneuvers around these safeguards, ducking and weaving between the whitehat’s defenses in hot pursuit of profits.

Rooting out holes in router security products is big business for the global criminal networks that make it their main source of income. They buy and sell what’s known as “zero-days”, or previously undiscovered cracks in the code of software, hardware, and operating systems. Each newly unearthed exploit can yield the hacker responsible anywhere from a few hundred dollars to tens of thousands at a time, a value that’s calculated on how widespread the effect of the crack will be against how long it’s predicted to stay functional before being patched out.

Even corporations have budgets

Details of the zero-day market can be tricky however, and the answer isn’t always simply to throw more money at the good guys and hope they stick to the righteous path after the check is already cashed. In her report “The Vulns of Wall Street” published on Tuesday, CPO of HackerOne Katie Moussouris explains why the problem runs deeper than just the dollar amount that’s being passed around between hackers on the underground circuit.

“Defenders throwing more bodies or money towards trying to find more vulnerabilities than the offense side can help, but not as efficiently as other measures,” Moussouris says in the report. “Sell a couple bugs per year, and talented developers who can write fuzzers and determine which bugs are exploitable won’t need to work much harder to earn much higher paydays than any software maker could sustainably afford to pay them.”

The assumption that companies have limitless R&D budgets is incorrect.

The (incorrect) assumption many people make here is that because companies like Cisco and Linksys are massive corporations with swollen R&D budgets, they should be able to afford to win the bidding war. Unfortunately, there’s still not a company on earth able to match the salary that a blackhat hacker could make by stealing 70 million credit cards from Target at a time.

Yes, Target had a hired staff of security engineers who were paid well enough to watch out for exactly this type of nightmare scenario. But as long as we continue to swipe, type, and tap our precious financial data into these types of systems, the opportunity for lucrative zero-day payouts will simply be too much for members of the blackhat community to resist.

That’s the problem. What’s the solution?

Which brings us back to the original point: the hacking, cracking and attacking of our routers (and by extension, our financial data), isn’t going to stop as long as there’s money to be made.

We’re just now starting realize that the defensive strategies of yesteryear are holding back the progression of what we could achieve tomorrow, and that a fundamental shift in mentality and industry practice could be necessary if we expect to keep our personal data out of criminal hands.

Next week, we’re going to dive into greater detail about the infections, viruses, and firmware exploits that continue to plague the threat landscape today. Now that we know the “why” of how hackers break through routers, it’s time to dig into the “how.”

Editors' Recommendations

Chris Stobing
Former Digital Trends Contributor
Self-proclaimed geek and nerd extraordinaire, Chris Stobing is a writer and blogger from the heart of Silicon Valley. Raised…
Zoom just fixed a major security flaw on Mac. Here’s why you should update now
The Logitech Brio 4K Pro attached to a Macbook.

If you have Zoom installed on your MacBook, you'll want to update the app right now. Zoom spent the weekend patching a major security flaw in its Mac app, and the update is available right now.

According to The Verge, it all began at Def Con, a computer security and hacker conference in Las Vegas. The founder of the security non-profit Objective-See and an ex-NSA security analyst, Patrick Wardle, took to the stage on Friday and presented a stunning find: a massive security vulnerability in the Zoom installer for MacBooks.

Read more
Why I refuse to buy another full-sized gaming keyboard
SteelSeries Apex Pro Mini and Pro Mini Wireless together.

I switch keyboards constantly, but after years of buying something new every few months to give it a try, I have a new rule: I'm never buying another full-sized gaming keyboard. I'm a changed man, free of the shackles of a number pad and media buttons, and I'm finally ready to go all-in on small form factors.

The best gaming keyboards have been dominated by full-sized options for years, but that's starting to change. More mainstream keyboard builders are releasing TKL, 65%, and sometimes even 60% keyboards, so now is the time to jump on the small form factor train and give it a try.
Hello, desk space

Read more
The M1 has a major security loophole that Apple can’t patch
Apple M1 processor on a mainboard.

Researchers at MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) have discovered a new security vulnerability that targets Apple's popular M1 processor. The attack, dubbed PACMAN, is capable of bypassing the last line of defense against software bugs on the M1 and potentially other ARM-based processors.

PACMAN attacks pointer authentication, which is the final stop for most software vulnerabilities. Pointer authentication confirms that a program hasn't been changed in any malicious way, serving as a "safety net ... in the worst case scenario," as MIT PhD student Joseph Ravichandran put it. MIT's researchers developed PACMAN as a way to guess the pointer authentication signature, bypassing this critical security mechanism. Researchers say PACMAN exploits a hardware mechanism, so a software patch won't be able to fix it.

Read more