Decrypt This: Why is router security so full of holes?

whats the problem with router security djhkblq
Image Credit: Shutterstock/Piotr Adamowicz
With every fresh wave of new routers and networking equipment that hits the shelves comes the promise of a new age of functionality, usability, and security. Whether it’s the newest Nighthawk from Netgear or just another in a long line from Linskys, I’m always surprised at the bells-and-whistles companies can come up with.

But, despite continued innovation in the market, it’s becoming apparent that a change in how we protect home networks should be at the top of everyone’s to-do list. Router makers need to step up their game if the wireless hardware of today is to protect us from whatever threats might show up tomorrow.

According to a report released earlier this year, upwards of 75% of all routers provided by ISPs contain software or firmware that can be easily exploited by hackers. Even amateurs are discovering how easy it can be to plow straight past a router’s internal defenses without issue.

Papers, please

Why do router flaws matter? To start, let’s get to know the basics of what makes a modern router tick. For almost all of their history, routers made for the consumer market have relied on three key safeguards: certificates, signatures, and firmware.

Every piece in the puzzle is an essential building block of what makes your router secure, and no one part can function on its own without the support of the others. When working in tandem, they can each help to protect a different part of your connected experience, whether it’s checking emails, downloading/installing software, or visiting websites you might not recognize before clicking in.

And even with all their apparent vulnerabilities and shortcomings, these systems are (and probably always will be) a necessary pillar in the ecosystem of Internet security. It’s only recently that analysts and industry experts have started to realized that the foundation which makes their use possible is starting to show signs of weakness, and is close to failing entirely if the stream of modern malware offensives continues to pile on.

It’s all about the Benjamins

The idea that most standard home internet routers are incapable of protecting users from a truly determined hacker shouldn’t be a secret to anyone by this point. While most broadly-cast campaigns like those designed to distribute spam or common malware programs are usually swatted away by a router’s internal firewall, if someone targets you specifically for an attack and wants to slip their way past the perimeter, a $39 dollar D-Link from Walmart isn’t going to stand in their way.

But why?

Why, even after 30 years in business and thousands of revisions to their hardware, are the biggest manufacturers in home networking equipment still struggling to create a device that can effectively protect home Internet users?

To put it in (very) simple terms; it all comes down to cost.

Since close to the inception of the web itself, the data security industry has struggled to retain talented engineers and programmers who know the mathematics of what it takes to break any given encryption protocol in two.

Rooting out holes in router security products is big business for global criminal networks.

Even though a top data scientist working to build firewalls for Netgear might be able to pull $80,000 a year before taxes, another top data scientist halfway across the world could make twice that salary in a less than a day by figuring out how to tunnel under a router’s protect fence unnoticed.

The two sides of this coin are known as “whitehats” and “blackhats.”

These are people who, despite pursuing a passion for the same subjects in school, each decided to take a slightly different path with the skills they’d picked up along the way. One works to help strengthen the Internet for a living, creating new protection methods to better preserve privacy online, while the other maneuvers around these safeguards, ducking and weaving between the whitehat’s defenses in hot pursuit of profits.

Rooting out holes in router security products is big business for the global criminal networks that make it their main source of income. They buy and sell what’s known as “zero-days”, or previously undiscovered cracks in the code of software, hardware, and operating systems. Each newly unearthed exploit can yield the hacker responsible anywhere from a few hundred dollars to tens of thousands at a time, a value that’s calculated on how widespread the effect of the crack will be against how long it’s predicted to stay functional before being patched out.

Even corporations have budgets

Details of the zero-day market can be tricky however, and the answer isn’t always simply to throw more money at the good guys and hope they stick to the righteous path after the check is already cashed. In her report “The Vulns of Wall Street” published on Tuesday, CPO of HackerOne Katie Moussouris explains why the problem runs deeper than just the dollar amount that’s being passed around between hackers on the underground circuit.

“Defenders throwing more bodies or money towards trying to find more vulnerabilities than the offense side can help, but not as efficiently as other measures,” Moussouris says in the report. “Sell a couple bugs per year, and talented developers who can write fuzzers and determine which bugs are exploitable won’t need to work much harder to earn much higher paydays than any software maker could sustainably afford to pay them.”

The assumption that companies have limitless R&D budgets is incorrect.

The (incorrect) assumption many people make here is that because companies like Cisco and Linksys are massive corporations with swollen R&D budgets, they should be able to afford to win the bidding war. Unfortunately, there’s still not a company on earth able to match the salary that a blackhat hacker could make by stealing 70 million credit cards from Target at a time.

Yes, Target had a hired staff of security engineers who were paid well enough to watch out for exactly this type of nightmare scenario. But as long as we continue to swipe, type, and tap our precious financial data into these types of systems, the opportunity for lucrative zero-day payouts will simply be too much for members of the blackhat community to resist.

That’s the problem. What’s the solution?

Which brings us back to the original point: the hacking, cracking and attacking of our routers (and by extension, our financial data), isn’t going to stop as long as there’s money to be made.

We’re just now starting realize that the defensive strategies of yesteryear are holding back the progression of what we could achieve tomorrow, and that a fundamental shift in mentality and industry practice could be necessary if we expect to keep our personal data out of criminal hands.

Next week, we’re going to dive into greater detail about the infections, viruses, and firmware exploits that continue to plague the threat landscape today. Now that we know the “why” of how hackers break through routers, it’s time to dig into the “how.”

Product Review

Gate’s Smart Lock is locked and loaded but ultimately lacks important basics

In a world of video cameras and doorbells comes the Gate Smart Lock, a lock with a video camera embedded. It’s a great idea, but lacks some crucial functionality to make it a top-notch product.

What is fixed wireless 5G? Here’s everything you need to know

Here's fixed wireless 5G explained! Learn what you need to know about this effective new wireless technology, when it's available, how much it costs, and more. If you're thinking about 5G, this guide can help!

Lost your router? Here's how to find its IP address to help track it down

Changing the login information for your router isn't always easy, that's why so many have that little card on the back. But in order to use it, you need to know where to go. Here's how to find the IP address of your router.
Home Theater

Here’s why you’re not getting Netflix in HD or 4K, and how to fix it

Are you having trouble watching your favorite movies or TV shows on Netflix in HD or 4K? We explain why loading takes so long, why the picture quality fluctuates, and what you can do about it.

Watch out for these top-10 mistakes people make when buying a laptop

Buying a new laptop is exciting, but you need to watch your footing. There are a number of pitfalls you need to avoid and we're here to help. Check out these top-10 laptop buying mistakes and how to avoid them.

Don't spend a fortune on a PC. These are the best laptops under $300

Buying a laptop needn't mean spending a fortune. If you're just looking to browse the internet, answer emails, and watch Netflix, you can pick up a great laptop at a great price. These are the best laptops under $300.
Product Review

LG Gram 14 proves 2-in-1 laptops don’t need to sacrifice battery for light weight

The LG Gram 14 2-in-1 aims to be very light for a laptop that converts to a tablet. And it is. But it doesn’t skimp on the battery, and so it lasts a very long time on a charge.

Dell XPS 13 vs. Asus Zenbook 13: In battle of champions, who will be the victor?

The ZenBook 13 UX333 continues Asus's tradition of offering great budget-oriented 13-inch laptop offerings. Does this affordable machine offer enough value to compete with the excellent Dell XPS 13?

Take a trip to a new virtual world with one of these awesome HTC Vive games

So you’re considering an HTC Vive, but don't know which games to get? Our list of 25 of the best HTC Vive games will help you out, whether you're into rhythm-based gaming, interstellar dogfights, or something else entirely.

The Asus ZenBook 13 offers more value and performance than Apple's MacBook Air

The Asus ZenBook 13 UX333 is the latest in that company's excellent "budget" laptop line, and it looks and feels better than ever. How does it compare to Apple's latest MacBook Air?

AMD Radeon VII will support DLSS-like upscaling developed by Microsoft

AMD's Radeon VII has shown promise with early tests of an open DLSS-like technology developed by Microsoft called DirectML. It would provide similar upscale features, but none of the locks on hardware choice.

You could be gaming on AMD’s Navi graphics card before the end of the summer

If you're waiting for a new graphics card from AMD that doesn't cost $700, you may have to wait for Navi. But that card may not be far away, with new rumors suggesting we could see a July launch.

Is AMD's Navi back on track for 2019? Here's everything you need to know

With a reported launch in 2019, AMD is focusing on the mid-range market with its next-generation Navi GPU. Billed as a successor to Polaris, Navi promises to deliver better performance to consoles, like Sony's PlayStation 5.

Cortana wants to be friends with Alexa and Google Assistant

Microsoft no longer wants to compete against Amazon's Alexa and Google's Assistant in the digital assistant space. Instead, it wants to transform Cortana into a skill that can be integrated into other digital assistants.