What can you do about it? Well, some of the suspect routers made by subcontractor Sercomm are compatible with DD-WRT. Upgrade, if you haven’t. I’ll be doing another step-by-step DD-WRT upgrade, on a TP-Link device, if that Federal Express truck ever shows up with my delivery from Newegg. If you’re technically savvy and looking for a way to make some extra cash, offering to upgrade people’s routers to DD-WRT for them is sounding like a better and better business plan with every passing week. If you have a vulnerable router and it’s not compatible with DD-WRT, Newegg has the D-Link DIR-601 on sale for $15 through January 8, which is compatible. (Just don’t deploy it onto your network straight out of the box, I’m begging you!)
The silver lining is that this stuff has existed for years, and finally there are people looking at it. I think it’s shameful that being a CISSP is almost a requirement of achieving an acceptable level of network security in a private residence–and it’s no guarantee that every CISSP’s personal network is safe–but exposing these backdoors is the way to get them fixed.
Shipping with DD-WRT from the factory is one option. There’s no product differentiation if they do that, but considering the product differentiation they have now is just different ways to subvert the router, DD-WRT looks a lot more attractive. And it would be much cheaper than developing nasty firmware in house. And, besides being more secure, DD-WRT tends to be much more stable than the factory firmware. When I look at the reviews for almost any given router, I frequently find complaints of dropping connections or poor range, then someone mentions that when they put DD-WRT on it, the connections stay rock solid and the range increases. And there’s something to that theory, because most common routers are based on the same SoC device. The manufacturers just put them in their own case and load their own firmware on them.