As a security professional, “is DD-WRT safe?” is a question I hear a lot. While there are options that I think are safer, I’m perfectly fine with admitting I use DD-WRT myself. I know a lot of other people like me do as well.

One thing is almost certain: DD-WRT is safer than what shipped on your router from the factory.

Is DD-WRT safe?

I’m much more comfortable with DD-WRT than with most stock router firmware from a security point of view.

Router firmware tends to be really buggy and insecure. I’ve written about that before. And while your computer receives automatic updates, your router never does. DD-WRT doesn’t fix that problem, but at least people look at it from time to time and replace some of the buggy components.

DD-WRT’s maintainers backport fixes to the Linux kernel and other packages to keep its security up to date. That makes it better than most factory router firmware. But without an automatic update mechanism, you do have to periodically download a new build and flash the router with the update. Still, at least updates are available. We just have to remember to apply them.

So let’s talk about what DD-WRT does well.

Routers would be far more secure if they would just reboot once a week. That’s the biggest advantage with DD-WRT: It has that feature built in.

And while this attitude towards security drives me nuts, the story of the bear and the tennis shoes does apply here. I have no idea who originally told this joke, but I first heard it in Bo Jackson’s autobiography. Bo told the story of two men hunting in the woods who spied a bear. One hunter stopped to put his tennis shoes on. “What are you doing that for? You’ll never outrun that bear!”

“I don’t have to outrun the bear,” he said. “I just have to outrun you.”

The average consumer router, with its ancient factory-installed software, can’t outrun a sloth, let alone a bear. DD-WRT can certainly outrun the sloths.

In more technical terms, most attackers will look for vulnerabilities that exist in common routers. DD-WRT will have fewer of them. And there’s little point in looking for vulnerable DD-WRT routers when there are millions of worse routers out there.

I went over DD-WRT with a fine-toothed comb late last year and came up with my list of recommended DD-WRT settings. I would urge you to read them over and reconfigure your router. With those settings, you’re still not invincible. But that said, your router isn’t likely to be your biggest security problem anymore.

So, while I’ve had some colleagues raise questions about DD-WRT in the past, it’s not like the world is brimming with alternatives. Relatively speaking, I think DD-WRT is safe enough to use.