In 2003, Dan Geer called the combination of Microsoft’s market dominance and the flimsy security of its products a threat to national security.
Today, he’s calling the security holes in consumer routers a threat to critical infrastructure.
These two things are related in more ways than being utterances from the same person. These routers were designed to protect flimsy PCs from the horrors lurking on the Internet. In 2003, they were arguably adequate. But since 2003, Microsoft operating systems have improved dramatically from a security standpoint while routers have stood still. Many of them are still running on the same outdated Linux kernels and userspaces, just on newer, faster hardware. These routers are now less secure than the computers they are supposed to protect. This isn’t a knock on Linux; Linux has improved in the last 11 years too, but router makers generally haven’t incorporated those improvements. So these routers are easy to attack, easy to use to build botnets, and the user will never be the wiser since they keep the devices until they break. The only good news here is that many of them break after a year or two, and that’s supposed to be bad news.
Sadly, these problems are all solvable.
Quit rolling your own firmware. Besides the 2001-era Linux kernel and userspace, these devices generally have poorly thought-out user interfaces that have security flaws. The solution is easy: Standardize. There are several software builds out there that do a good job of staying reasonably up to date, such as DD-WRT. A vendor who wanted to set the world on fire could adopt pfSense. Sadly, I’m seeing less and less off-the-shelf hardware that works with DD-WRT lately, so we’re really going backwards here.
By cooperating, everyone could save on R&D costs and ship better products, faster. AsusWRT-Merlin is an example of what would be possible.
Auto-update. PCs download and apply updates every month. Macs do it as needed, but several times a year, generally. Router bugs live forever. Routers are computers too, so they need updates. Do the update intelligently by tracking when they’re not in use, then updating during that window. Keep it simple to minimize problems, just deploying well-tested security updates.
Include a recovery mode. Many PCs have backup firmware to use if an update to the main firmware fails. Routers could do the same thing in case an auto-update fails.
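The auto-update and recovery-mode ideas above fit together as a two-slot update scheme, sketched here as an added example that is not from any vendor's firmware. The slot names, idle thresholds, health check, and the SHA-256 comparison against a hash from a trusted vendor manifest are all assumptions made for illustration.

```python
import hashlib

# Assumed thresholds for "not in use"; a real device would tune these.
IDLE_BYTES_PER_MIN = 10_000
IDLE_MINUTES_NEEDED = 15

def is_idle(traffic_samples):
    """traffic_samples: bytes forwarded per minute, most recent last."""
    recent = traffic_samples[-IDLE_MINUTES_NEEDED:]
    return len(recent) == IDLE_MINUTES_NEEDED and max(recent) < IDLE_BYTES_PER_MIN

class Router:
    """Model of two firmware slots: one boots by default, the other is the backup."""
    def __init__(self, image):
        self.slots = {"A": image, "B": image}
        self.active = "A"
        self.trial = None  # slot to try on the next reboot, if any

    def inactive(self):
        return "B" if self.active == "A" else "A"

    def stage_update(self, image, expected_sha256, traffic_samples):
        # Only touch flash during a quiet window.
        if not is_idle(traffic_samples):
            return "deferred: router in use"
        # Refuse images that do not match the hash from the (assumed) manifest.
        if hashlib.sha256(image).hexdigest() != expected_sha256:
            return "rejected: hash mismatch"
        # Write to the backup slot only; the running firmware stays untouched.
        slot = self.inactive()
        self.slots[slot] = image
        self.trial = slot
        return "staged in slot " + slot

    def reboot(self, health_check):
        """Boot the trial slot once; keep it only if the health check passes."""
        if self.trial is None:
            return self.active
        slot, self.trial = self.trial, None
        if health_check(self.slots[slot]):
            self.active = slot  # update confirmed, old slot becomes the backup
        return self.active      # on failure this is still the old, working slot
```

Because the new image is only ever written to the inactive slot, a failed or interrupted update leaves the previously working firmware bootable.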
I wouldn’t call any of these problems trivial, but none are impossible.