Decrypt This: How a cookie ruined routers for the rest of us

Last week, I gave you your first taste of the wild world of home router security.

In the report, I delved into a few of the reasons why, even after three decades in business, router manufacturers continue to struggle to maintain pace with hackers in keeping the personal, professional, and financial information of their customers safe from harm.

Now as promised, I’m back this week with act two. I’ll dive headfirst into why even after so much time on the market, our home networking equipment still lags woefully behind the bell curve when it comes to protecting the data you hold most dear.

This is your primer on where router security is weakest now, and where it can stand to improve the most on the path forward.

Acronyms abound

First, I’ll start by dishing out a few terms that the average reader might be able to recognize without having to break out a dictionary first.


If you can pick out the one I made up, congratulations, you’re already halfway through your education on the many different styles of defense that routers can deploy to secure a locally broadcast wireless signal.

The inherent problem with our dependence on these encryption standards is that as strong as they may be on their own, for the time being they only address threats that attack your wireless network, and not much else.

Wi-Fi encryption protects your data on the airwaves, but does nothing for security flaws in router firmware.

Sure, if one of your neighbors is trying to poach your Wi-Fi signal from next door, WPA2 is a great way to keep your network under lock and key. Thanks to 256-bit AES encryption, it would take years before a standard computer could come within a mile of cracking the wireless access password.

But even still, the AES protocol doesn’t account for hackers who might try to duck in over the wires, usually through holes left open in Universal Plug and Play (UPnP) services, WPS authentication (the one-press wireless login button on top of your router), or the Home Network Administration Protocol (HNAP). The first two are so riddled with vulnerabilities it would take an article dedicated to each to list the problems in full, but the last is where things really start to go off the rails.

The HNAP protocol is designed to give you or your ISP the ability to access a router’s web-based configuration tool, usually through a browser or your computer’s file system directly. You’d likely recognize it best as the prompt that asks for your username and password whenever you type “” (or some variation of those numbers therein) into the address bar.


According to a study released in 2014 by Tripwire, roughly 80 percent of users don’t change these credentials from the default combination they originally shipped with. This makes it exceedingly simple for hackers to break into the core of a router’s inner workings using remote administration privileges, usually without having to do anything more than type in “admin” and “password” in the awaiting empty fields.

From here your router — and everything it’s supposed to protect — is open season for criminal organizations and their financially-motivated whims. And while this may not be the fault of the router makers themselves (there’s only so much a company can do to protect a customer from themselves), you’ll find out in the next section where they’ve dropped the ball just as hard as the rest of us.
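The exposures named in this section (UPnP, WPS, a factory-default admin login, remote administration) can be checked against a router's settings export. This is an added example, not part of the original article; the key names and the sample export are hypothetical and constructed, since real exports differ by vendor.

```python
# Added example: audit a router settings export for the exposures the article names.
# Key names (admin_user, upnp_enabled, ...) are hypothetical; real exports differ by vendor.
DEFAULT_LOGINS = {("admin", "password"), ("admin", "admin")}  # common factory pairs

SAMPLE_EXPORT = """\
# constructed sample, not taken from a real device
admin_user=admin
admin_password=password
remote_admin_enabled=1
upnp_enabled=1
wps_enabled=0
"""

def parse_export(text):
    """Parse key=value lines, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def flag(settings, key):
    """True/False for an on/off setting, or None when the export omits it."""
    value = settings.get(key)
    return None if value is None else value.lower() in ("1", "true", "on", "yes")

def audit(settings):
    findings = []
    login = (settings.get("admin_user", ""), settings.get("admin_password", ""))
    default_login = login in DEFAULT_LOGINS
    remote = flag(settings, "remote_admin_enabled")
    # A default login is worst when the admin page is also reachable from outside.
    if default_login and remote:
        findings.append(("critical", "default admin login reachable through remote administration"))
    elif default_login:
        findings.append(("high", "admin login still set to a factory default"))
    elif remote:
        findings.append(("medium", "remote administration enabled"))
    for key, label in (("upnp_enabled", "UPnP"), ("wps_enabled", "WPS"),
                       ("remote_admin_enabled", "remote administration")):
        state = flag(settings, key)
        if state is None:  # absent from the export: report it, do not assume it is off
            findings.append(("unknown", f"{label} state missing from export; check manually"))
        elif state and key != "remote_admin_enabled":
            findings.append(("medium", f"{label} enabled"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(parse_export(SAMPLE_EXPORT)):
        print(f"[{severity}] {message}")
```

A setting that is missing from the export is reported as unknown rather than treated as disabled, so an incomplete export cannot produce a clean result.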

“Firm” is a strong word

As the name implies, firmware is similar to software, except it applies to the tools responsible for operating the inner workings of a piece of hardware, rather than supporting any programs or applications installed on top of the system itself.

Every router you’ve owned has a version of firmware running the show behind the scenes, and it is most easily recognized in a visual format as the web application that opens anytime you access the HNAP login.

Image Credit: Amazon

It’s here that everything from individual port forwarding permissions to parental controls can be tweaked and configured to a user’s individual preferences, including the option of enabling (or disabling) remote administration altogether.

Theoretically the inclusion of firmware is fine on its own, necessary even. A problem arises however, when manufacturers of these devices decide to spread out the risk for infection by cramming together amalgamations of dozens of different modules into one piece of Frankensteinian-firmware, instead of designing individual loadouts customized to each new make and model on their own.

The flaws of this approach finally appeared at the end of 2014 when the world was introduced to the Misfortune Cookie. The bug put over 200 separate router models at risk from the same exploit, due to the practice of firmware cross-pollination between many of the most popular models in the business. All told, 12 million households were subjected to the whims of bulletin CVE-2014-9222, which to date has only been patched in an estimated 300,000 actively deployed routers.

And the worst part? Researchers, programmers, and manufacturers knew about the problem since as early as 2002. Even then, it took three years before a working fix could be applied on a global scale.

Something that could have been taken care of with a couple lines of code was instead left for the rest of us to figure out on our own, and Misfortune Cookie represents only one of hundreds of new vulnerabilities that are posted to threat boards around the world every year.

Worse yet, that’s just what happens when one bug affects hundreds of different router models at once. What are we going to do when the lion’s share of users are all hooked up to the exact same router/modem combo, simply because their ISP told them the potential savings are too good to pass up?

One of the crowd

Problems like what happened with Misfortune Cookie are further exacerbated by the fact that these days more than ever before, consumers are opting out of buying their own routers, and choosing instead to use whatever generically-branded box their ISP provides them on a lease-by-the-month basis.

With increased homogeneity in the marketplace comes increased risk, because now instead of hackers having to constantly update and re-tool their firmware cracks for the newest models that release each month, they can simply employ broad attacks that automatically affect millions of hubs at once.

By combining the router and the modem into one (what’s referred to as an “Internet gateway”), ISPs are making their customers more vulnerable. These gateways are made by smaller, contracted companies who have only recently started creating networking equipment on an industrial scale, yet consumers are plugging in their devices by the handful without so much as a second glance at the brand name on the bottom of the box.

Simplicity squared

And it’s here the core of the problem at hand becomes apparent: consumer awareness. The reason brands like Apple do so well is because even the least technologically-educated person in the world can figure out how to use an iPad with a few minutes of spare time…but routers aren’t iPads.

Routers are complex, deeply intricate pieces of hardware by the very nature of their design. They are devices that require at least a rudimentary understanding of networking just to get into in the first place, let alone to change any of the settings that leave users open to the biggest threats the Internet suffers.

Router manufacturers need to make configuring their hardware as easy as posting on Instagram.

Unless manufacturers can step up to the plate and find out how to make the process of properly configuring a router for optimal safety as easy as posting a photo on Instagram, these problems will remain as a constant on the modern network security battleground.

In next week’s finale, I’m going to address the potential solutions that might be out there for the problems presented in the first two acts, and even go as far as to make a few predictions about whether we’ll still need these hunks of plastic in our home in the future as the standard for security continues to change and evolve on the road ahead.
