
Decrypt This: How a cookie ruined routers for the rest of us

Last week, I gave you your first taste of the wild world of home router security.

In the report, I delved into a few of the reasons why, even after three decades in business, router manufacturers continue to struggle to maintain pace with hackers in keeping the personal, professional, and financial information of their customers safe from harm.

Now as promised, I’m back this week with act two. I’ll dive headfirst into why even after so much time on the market, our home networking equipment still lags woefully behind the bell curve when it comes to protecting the data you hold most dear.

This is your primer on where router security is weakest now, and where it can stand to improve the most on the path forward.

Acronyms abound

First, I’ll start by dishing out a few terms that the average reader might be able to recognize without having to break out a dictionary first.


If you can pick out the one I made up, congratulations, you’re already halfway through your education on the many different styles of defense that routers can deploy to secure a locally broadcast wireless signal.

The inherent problem with our dependence on these encryption standards is that as strong as they may be on their own, for the time being they only address threats that attack your wireless network, and not much else.

Wi-Fi encryption protects your data on the airwaves, but does nothing for security flaws in router firmware.

Sure, if one of your neighbors is trying to poach your Wi-Fi signal from next door, WPA2 is a great way to keep your network under lock and key. Thanks to 256-bit AES encryption, it would take years before a standard computer could come within a mile of cracking the wireless access password.

But even still, the AES protocol doesn’t account for hackers who might try to duck in over the wires, usually through holes left open in Universal Plug and Play (UPnP) services, WPS authentication (the one-press wireless login button on top of your router), or the Home Network Administration Protocol (HNAP). The first two are so riddled with vulnerabilities it would take an article dedicated to each to list the problems in full, but the last is where things really start to go off the rails.

The HNAP protocol is designed to give you or your ISP the ability to access a router’s web-based configuration tool, usually through a browser or your computer’s file system directly. You’d likely recognize it best as the prompt that asks for your username and password whenever you type “” (or some variation of those numbers therein) into the address bar.


According to a study released in 2014 by Tripwire, roughly 80 percent of users don’t change these credentials from the default combination they originally shipped with. This makes it exceedingly simple for hackers to break into the core of a router’s inner workings using remote administration privileges, usually without having to do anything more than type in “admin” and “password” in the awaiting empty fields.

From here your router — and everything it’s supposed to protect — is open season for criminal organizations and their financially-motivated whims. And while this may not be the fault of the router makers themselves (there’s only so much a company can do to protect a customer from themselves), you’ll find out in the next section where they’ve dropped the ball just as hard as the rest of us.

“Firm” is a strong word

As the name implies, firmware is similar to software, except it applies to the tools responsible for operating the inner workings of a piece of hardware, rather than supporting any programs or applications installed on top of the system itself.

Every router you’ve owned has a version of firmware running the show behind the scenes, and it is most easily recognized in visual form as the web application that opens anytime you access the HNAP login.


It’s here that everything from individual port forwarding permissions to parental controls can be tweaked and configured to a user’s individual preferences, including the option of enabling (or disabling) remote administration altogether.

Theoretically the inclusion of firmware is fine on its own, necessary even. A problem arises, however, when manufacturers of these devices decide to spread out the risk for infection by cramming together amalgamations of dozens of different modules into one piece of Frankensteinian-firmware, instead of designing individual loadouts customized to each new make and model on their own.

The flaws of this approach finally appeared at the end of 2014 when the world was introduced to the Misfortune Cookie. The bug put over 200 separate router models at risk from the same exploit, due to the practice of firmware cross-pollination between many of the most popular models in the business. All told, 12 million households were subjected to the whims of bulletin CVE-2014-9222, which to date has only been patched in an estimated 300,000 actively deployed routers.

And the worst part? Researchers, programmers, and manufacturers knew about the problem since as early as 2002. Even then, it took three years before a working fix could be applied on a global scale.

Something that could have been taken care of with a couple lines of code was instead left for the rest of us to figure out on our own, and Misfortune Cookie represents only one of hundreds of new vulnerabilities that are posted to threat boards around the world every year.

Worse yet, that’s just what happens when one bug affects hundreds of different router models at once. What are we going to do when the lion’s share of users are all hooked up to the exact same router/modem combo, simply because their ISP told them the potential savings are too good to pass up?

One of the crowd

Problems like what happened with Misfortune Cookie are further exacerbated by the fact that these days more than ever before, consumers are opting out of buying their own routers, and choosing instead to use whatever generically-branded box their ISP provides them on a lease-by-the-month basis.

With increased homogeneity in the marketplace comes increased risk, because now, instead of having to constantly update and re-tool their firmware cracks for the newest models that release each month, hackers can simply employ broad attacks that automatically affect millions of hubs at once.

By combining the router and the modem into one (what’s referred to as an “Internet gateway”), ISPs are making their customers more vulnerable. These gateways are made by smaller, contracted companies who have only recently started creating networking equipment on an industrial scale, yet consumers are plugging in their devices by the handful without so much as a second glance at the brand name on the bottom of the box.

Simplicity squared

And it’s here the core of the problem at hand becomes apparent: consumer awareness. The reason brands like Apple do so well is because even the least technologically-educated person in the world can figure out how to use an iPad with a few minutes of spare time…but routers aren’t iPads.

Routers are complex, deeply intricate pieces of hardware by the very nature of their design. They are devices that require at least a rudimentary understanding of networking just to get into in the first place, let alone to change any of the settings that leave users open to the biggest threats the Internet suffers.

Router manufacturers need to make configuring their hardware as easy as posting on Instagram.

Unless manufacturers can step up to the plate and find out how to make the process of properly configuring a router for optimal safety as easy as posting a photo on Instagram, these problems will remain as a constant on the modern network security battleground.

In next week’s finale, I’m going to address the potential solutions that might be out there for the problems presented in the first two acts, and even go so far as to make a few predictions about whether we’ll still need these hunks of plastic in our homes in the future as the standard for security continues to change and evolve on the road ahead.

Chris Stobing
Former Digital Trends Contributor