Decrypt This: Why is router security so full of holes?

whats the problem with router security djhkblq
Image Credit: Shutterstock/Piotr Adamowicz
With every fresh wave of new routers and networking equipment that hits the shelves comes the promise of a new age of functionality, usability, and security. Whether it’s the newest Nighthawk from Netgear or just another in a long line from Linskys, I’m always surprised at the bells-and-whistles companies can come up with.

But, despite continued innovation in the market, it’s becoming apparent that a change in how we protect home networks should be at the top of everyone’s to-do list. Router makers need to step up their game if the wireless hardware of today is to protect us from whatever threats might show up tomorrow.

According to a report released earlier this year, upwards of 75% of all routers provided by ISPs contain software or firmware that can be easily exploited by hackers. Even amateurs are discovering how easy it can be to plow straight past a router’s internal defenses without issue.

Papers, please

Why do router flaws matter? To start, let’s get to know the basics of what makes a modern router tick. For almost all of their history, routers made for the consumer market have relied on three key safeguards: certificates, signatures, and firmware.

Every piece in the puzzle is an essential building block of what makes your router secure, and no one part can function on its own without the support of the others. When working in tandem, they can each help to protect a different part of your connected experience, whether it’s checking emails, downloading/installing software, or visiting websites you might not recognize before clicking in.

And even with all their apparent vulnerabilities and shortcomings, these systems are (and probably always will be) a necessary pillar in the ecosystem of Internet security. It’s only recently that analysts and industry experts have started to realized that the foundation which makes their use possible is starting to show signs of weakness, and is close to failing entirely if the stream of modern malware offensives continues to pile on.

It’s all about the Benjamins

The idea that most standard home internet routers are incapable of protecting users from a truly determined hacker shouldn’t be a secret to anyone by this point. While most broadly-cast campaigns like those designed to distribute spam or common malware programs are usually swatted away by a router’s internal firewall, if someone targets you specifically for an attack and wants to slip their way past the perimeter, a $39 dollar D-Link from Walmart isn’t going to stand in their way.

But why?

Why, even after 30 years in business and thousands of revisions to their hardware, are the biggest manufacturers in home networking equipment still struggling to create a device that can effectively protect home Internet users?

To put it in (very) simple terms; it all comes down to cost.

Since close to the inception of the web itself, the data security industry has struggled to retain talented engineers and programmers who know the mathematics of what it takes to break any given encryption protocol in two.

Rooting out holes in router security products is big business for global criminal networks.

Even though a top data scientist working to build firewalls for Netgear might be able to pull $80,000 a year before taxes, another top data scientist halfway across the world could make twice that salary in a less than a day by figuring out how to tunnel under a router’s protect fence unnoticed.

The two sides of this coin are known as “whitehats” and “blackhats.”

These are people who, despite pursuing a passion for the same subjects in school, each decided to take a slightly different path with the skills they’d picked up along the way. One works to help strengthen the Internet for a living, creating new protection methods to better preserve privacy online, while the other maneuvers around these safeguards, ducking and weaving between the whitehat’s defenses in hot pursuit of profits.

Rooting out holes in router security products is big business for the global criminal networks that make it their main source of income. They buy and sell what’s known as “zero-days”, or previously undiscovered cracks in the code of software, hardware, and operating systems. Each newly unearthed exploit can yield the hacker responsible anywhere from a few hundred dollars to tens of thousands at a time, a value that’s calculated on how widespread the effect of the crack will be against how long it’s predicted to stay functional before being patched out.

Even corporations have budgets

Details of the zero-day market can be tricky however, and the answer isn’t always simply to throw more money at the good guys and hope they stick to the righteous path after the check is already cashed. In her report “The Vulns of Wall Street” published on Tuesday, CPO of HackerOne Katie Moussouris explains why the problem runs deeper than just the dollar amount that’s being passed around between hackers on the underground circuit.

“Defenders throwing more bodies or money towards trying to find more vulnerabilities than the offense side can help, but not as efficiently as other measures,” Moussouris says in the report. “Sell a couple bugs per year, and talented developers who can write fuzzers and determine which bugs are exploitable won’t need to work much harder to earn much higher paydays than any software maker could sustainably afford to pay them.”

The assumption that companies have limitless R&D budgets is incorrect.

The (incorrect) assumption many people make here is that because companies like Cisco and Linksys are massive corporations with swollen R&D budgets, they should be able to afford to win the bidding war. Unfortunately, there’s still not a company on earth able to match the salary that a blackhat hacker could make by stealing 70 million credit cards from Target at a time.

Yes, Target had a hired staff of security engineers who were paid well enough to watch out for exactly this type of nightmare scenario. But as long as we continue to swipe, type, and tap our precious financial data into these types of systems, the opportunity for lucrative zero-day payouts will simply be too much for members of the blackhat community to resist.

That’s the problem. What’s the solution?

Which brings us back to the original point: the hacking, cracking and attacking of our routers (and by extension, our financial data), isn’t going to stop as long as there’s money to be made.

We’re just now starting realize that the defensive strategies of yesteryear are holding back the progression of what we could achieve tomorrow, and that a fundamental shift in mentality and industry practice could be necessary if we expect to keep our personal data out of criminal hands.

Next week, we’re going to dive into greater detail about the infections, viruses, and firmware exploits that continue to plague the threat landscape today. Now that we know the “why” of how hackers break through routers, it’s time to dig into the “how.”


Think iPhones can’t get viruses? Our expert explains why it could happen

If your iPhone has been acting strangely, then you may be concerned about the possibility it is infected with a virus or some malware. We take a look at just how likely that is and explain why iOS is considered relatively safe.
Product Review

With the S10e and S10 Plus, do we really need the Samsung Galaxy S10?

The Galaxy S10 is the middle child in this year’s Galaxy S10 range, between the Galaxy S10e, and the Galaxy S10 Plus. There’s no striking reason to buy it, but it’s still an excellent phone you’ll be happy with.

Rooting your Android device is risky. Do it right with our handy guide

Wondering whether to root your Android smartphone or stick with stock Android? Perhaps you’ve decided to do it and you just need to know how? Here, you'll find an explanation and a quick guide on how to root Android devices.
Product Review

Gate’s Smart Lock is locked and loaded but ultimately lacks important basics

In a world of video cameras and doorbells comes the Gate Smart Lock, a lock with a video camera embedded. It’s a great idea, but lacks some crucial functionality to make it a top-notch product.

If you have $5,200, Apple has 256GB of RAM for your iMac Pro

Professionals looking to run intensive applications will be able to push their work a bit further with Apple's latest iMac Pro, which holds 256GB of DD4 ECC RAM for $5,200. Here's why it costs so much to upgrade your iMac Pro to the top.

Don’t be fooled! Study exposes most popular phishing email subject lines

Phishing emails are on the rise and a new study out by the cybersecurity company Barracuda has exposed some of the most common phishing email subject lines used to exploit businesses. 
Product Review

The Lenovo Legion Y740 brings RTX 2080 graphics power for under $2,500

Coming with the Intel Core i7-8750H processor, Nvidia GeForce RTX 2080 Max-Q graphics, 16GB of RAM, and a 256GB PCIe NVMe SSD, the Legion Y740 one big beast. But priced at under $2,500 how does Lenovo’s Legion stand up against the crowd?

From Air to Pro, here are the best MacBook deals for March 2019

If you’re in the market for a new Apple laptop, let us make your work a little easier: We hunted down the best up-to-date MacBook deals available online right now from various retailers.

Oculus shows off the Rift S, plans to phase out its original VR headset

Oculus plans to phase out its flagship Rift VR headset for its newly created Rift S. The Rift S made its debut this week at the 2019 Game Developers Conference and is expected to be released in spring 2019.

Secure your Excel documents with a password by following these quick steps

Excel documents are used by people and businesses all over the world. Given how often they contain sensitive information, it makes sense to keep them from the wrong eyes. Thankfully, it's easy to secure them with a password.

Get the best of both worlds by sharing your data on MacOS and Windows

Compatibility issues between Microsoft Windows and Apple MacOS may have diminished sharply over the years, but that doesn't mean they've completely disappeared. Here's how to make an external drive work between both operating systems.

Give your MacBook Air some added style with one of these great cases or sleeves

Whether you’re looking for added protection or a stylish flourish, you’re in the right place for the best MacBook Air cases. We have form-hugging cases, luxurious covers, and padded sleeves priced from $10 to $130. Happy shopping!

Intel teases mobile 9th-generation Core i9 mobile processors at GDC 2019

Intel teased its new 9th-generation Intel Core i9 processors at GDC 2019. The company offered few specifics about the hardware, but a leak from late February provides insight into what the new processors might offer.

Intel Command Center lays foundation for next year’s ‘Arctic Sound’ GPU

Intel revealed its new Command Center driver software at GDC 2019. The updated interface will control current Intel integrated graphics and also lays the groundwork for next year's Intel video card.