Is DD-WRT safe?

As a security professional, “is DD-WRT safe?” is a question I hear a lot. While there are options that I think are safer, I’m perfectly fine with admitting I use DD-WRT myself. I know a lot of other people like me do as well.

One thing is almost certain: DD-WRT is safer than what shipped on your router from the factory.

Is DD-WRT safe?
I’m much more comfortable with DD-WRT than with most stock router firmware from a security point of view.

Router firmware tends to be really buggy and insecure. I’ve written about that before. And while your computer receives automatic updates, your router never does. DD-WRT doesn’t fix that problem, but at least people look at it from time to time and replace some of the buggy components.

DD-WRT’s maintainers backport fixes to the Linux kernel and other packages to keep its security up to date. That makes it better than most factory router firmware. But without an automatic updates mechanism, you do have to periodically download a new build and flash the router with the update. Still, at least updates are available. We just have to remember to apply them.

So let’s talk about what DD-WRT does well.

Routers would be far more secure if they would just reboot once a week. That’s the biggest advantage with DD-WRT: It has that feature built in.
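As an added illustration (not from the post itself): DD-WRT exposes the scheduled reboot through its web interface, but the same schedule can be written as a cron entry in the system-crontab format that DD-WRT's "Additional Cron Jobs" field accepts. The day, hour and the assumption that the field takes the five-field schedule plus a user column are mine, not the author's; check your build's cron page before relying on it.

```crontab
# Reboot every Sunday at 04:00 local time (constructed example).
# DD-WRT's cron field uses the system-crontab layout:
#   minute hour day-of-month month day-of-week user command
0 4 * * 0 root /sbin/reboot
```

Pick a time when nobody is using the connection, and make sure the router's clock is actually synchronised (NTP enabled) before trusting the schedule, otherwise "04:00" may drift to whenever the router thinks it is.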

And while this attitude towards security drives me nuts, the story of the bear and the tennis shoes does apply here. I have no idea who originally told this joke but I first heard it in Bo Jackson’s autobiography. Bo told the story of two men hunting in the woods who spied a bear. One hunter stopped to put his tennis shoes on. “What are you doing that for? You’ll never outrun that bear!”

“I don’t have to outrun the bear,” he said. “I just have to outrun you.”

The average consumer router, with its ancient factory-installed software, can’t outrun a sloth, let alone a bear. DD-WRT can certainly outrun the sloths.

In more technical terms, most attackers will look for vulnerabilities that exist in common routers. DD-WRT will have fewer of them. And there’s little point in looking for vulnerable DD-WRT routers when there are millions of worse routers out there.

I went over DD-WRT with a fine-toothed comb late last year and came up with my list of recommended DD-WRT settings. I would urge you to read them over and reconfigure your router. With those settings, you’re still not invincible. But that said, your router isn’t likely to be your biggest security problem anymore.

So, while I’ve had some colleagues raise questions about DD-WRT in the past, it’s not like the world is brimming with alternatives. Relatively speaking, I think DD-WRT is safe enough to use.

3 thoughts on “Is DD-WRT safe?”

  • December 30, 2016 at 9:45 pm

    The problem I’ve seen with DD-WRT, and it’s structural to the nature of only having 2 code maintainers at this time, is that updating to newer kernel versions is probably going to be too labor intensive. That in turn means that quite a few routers are tied in to much older kernels (though fortunately all of those are still being maintained long term).

  • August 25, 2017 at 4:36 am

    Not just 2 code maintainers. I’m at least one of them 🙂 but we have other non-visible people working for us, and for sure we are exchanging code with communities like openwrt etc. We do have routers using kernel 4.9 right now. Some others do not, for a good reason: the kernel bloats up in size slowly from version to version, so some newer kernels simply do not fit anymore. But we still also maintain the older kernels with patches and backports to keep them up to date.

    • August 25, 2017 at 8:09 am

      Thanks for the clarification! I’ve gone back and edited the post to reflect that.

