5

Recently, I started looking for a wireless router. Before considering specific products, I looked up some general information about different brands offering such routers. To my dismay, I learned that the vast majority of router manufacturers has a history of backdoors being discovered in their products.

Based on this newfound knowledge, it seems to me that avoiding routers with backdoors may not really be feasible and instead of (or rather, in addition to) choosing a router carefully, I must face the possibility that I end up having a product with backdoors. The question then becomes, how can one mitigate the risks associated with potential backdoors hiding in router equipment?

It's not government agencies I am worried about, but hackers exploiting security vulnerabilities found in networking equipment, like in this recent question. And a backdoor is basically an intentional security vulnerability begging to be found and exploited by someone, and due to its intentional nature, one that router manufacturers would be reluctant to fix.

Zoltan
  • For anyone interested in this topic, I found a great website about router security: https://routersecurity.org/ – Zoltan Mar 13 '18 at 20:38

3 Answers

7

Most of the router backdoors I am aware of have been fixed quite quickly. Believe it or not, the router manufacturers don't usually put the "backdoor" there on purpose -- at least not at the organizational level. Almost certainly, they are either placed there as a debugging tool and meant to be removed before production, or placed there by a rogue employee. (What benefit is there to a manufacturer to have a backdoor? If they want to do something, they can do it via firmware updates. Also, your network is just not that interesting to them.)

I don't know if "vast majority" is an accurate description either, but I won't quibble semantics. You asked how to protect yourself, and here are some options:

  1. Have your perimeter-most device (i.e., first hop from the internet to your LAN) be reputable. Consider a Unifi Security Gateway, or a Netgate SG-1000 at the perimeter. Both of those companies sell to enterprises, but also price products that can be reasonable for the power user at home. They have a reputation to maintain, and that reputation is currently quite good.
  2. Consider a router that lets you run OpenWRT or DD-WRT. These codebases, while not immune to vulnerabilities, are at least open and reduce the risk of backdoors being placed in them.
  3. Don't expose the web interface to the internet. Backdoor or not, this is where a huge proportion of the bugs are. Use an nmap scan from the internet to see what exposure you have.
  4. Use a non-default subnet and change the port for the web interface. I know, I know, security by obscurity, but it actually does help for exploits using DNS rebinding or similar techniques. (This is only useful against automated exploitation, don't expect it to be useful against a manual attacker.)
  5. Never trust the network. Even if you have strong security controls, practice defense in depth. Use TLS and don't click through certificate errors. This way, even if your router is popped, it becomes only a denial of service instead of a more significant compromise.
David
  • Unfortunately, even without having an intentional backdoor, the vast majority of routers _are_ rather insecure and, even when they are kept up to date, often have nasty vulnerabilities. +1 for solid advice and mentioning OpenWRT. – forest Mar 13 '18 at 02:55
  • Great answer, thanks. Regarding the Unifi Security Gateway specifically, a quick search on Ubiquiti (manufacturer of USG) revealed the following page: https://web.archive.org/web/20170317174847/http://libertybsd.net/ubiquiti/ – Zoltan Mar 13 '18 at 09:42
  • @Zoltan was not aware of that, hopefully they're not so bad now. That being said, they do make rock-solid hardware, so if they're not violating the GPL, quite worth the look. – David Mar 13 '18 at 16:38
  • Concerning "vast majority". Some router manufacturers with multiple backdoor CVEs: Cisco, Juniper, Fortinet, Linksys, Netgear, Belkin. That's about 99% of the market right there. What's your definition of "vast majority"? – Tyler Durden Aug 11 '18 at 13:08
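Items 3 and 4 above turn on DNS rebinding: a page on an attacker-controlled domain is made to resolve to the router's LAN address so the browser will talk to the admin interface. As an added illustration (not code from the answer or from any router vendor), the two checks below show the standard defences: a resolver that refuses to hand a public name a private address (the idea behind dnsmasq's `--stop-dns-rebind`), and a router-side Host-header check so the admin UI only answers when asked for by its own name or address. All hostnames and addresses are constructed.

```python
import ipaddress
from typing import Iterable, List, Set

# Address ranges that a name outside the local zone should never resolve to.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(addr: str) -> bool:
    """True if addr is private, loopback, link-local or unspecified."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _INTERNAL_NETS)


def filter_rebind(qname: str, answers: Iterable[str],
                  local_domains: Iterable[str] = ("lan", "home.arpa")) -> List[str]:
    """Resolver-side rebind protection: drop A/AAAA records that point at
    internal addresses unless the queried name belongs to a local zone."""
    name = qname.rstrip(".").lower()
    if any(name == d or name.endswith("." + d) for d in local_domains):
        return list(answers)                       # local names may be internal
    return [a for a in answers if not is_internal(a)]


def _strip_port(host: str) -> str:
    """Remove an optional :port from a Host header value ([v6]:port or v4:port)."""
    if host.startswith("[") and "]" in host:       # [fd00::1]:443
        return host[1:host.index("]")]
    if host.count(":") == 1:                       # 192.168.1.1:8080
        return host.split(":", 1)[0]
    return host                                    # bare name, or bare IPv6


def host_header_ok(host_header: str, router_addrs: Set[str],
                   router_names: Set[str]) -> bool:
    """Router-side check: serve the admin UI only when the browser asked for
    the router itself. A rebound attacker.example request fails this test."""
    host = _strip_port(host_header.strip().lower())
    if host in {n.lower() for n in router_names}:
        return True
    try:
        return str(ipaddress.ip_address(host)) in router_addrs
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a public name rebinding to the router's LAN address.
    print(filter_rebind("attacker.example", ["203.0.113.5", "192.168.1.1"]))
    print(host_header_ok("attacker.example", {"192.168.1.1"}, {"router.lan"}))
```

Changing the LAN subnet (item 4) only makes the attacker guess the address to rebind to; the Host-header check is what actually stops the request from being served.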
3

The first decision is not to use a router provided by an ISP, as they are likely to build in a back door for themselves.

As for consumer routers, all cloud services for router admin are back doors, in my opinion. Some routers require a cloud service, some have an optional service, a rare few do not support any cloud service. AmpliFi mesh routers have no cloud service. Peplink has an optional cloud service. Almost all mesh routers require a cloud service.

As for remote access directly into the router, I think all routers disable this by default.

For a secure router, I personally like the Pepwave Surf SOHO. In the US it's about $200. Here is why: https://www.routersecurity.org/pepwavesurfsofo.php

Michael
1

You generally have to choose: either trust a vendor or build something from parts you can verify. This also means that unless you have the skill, knowledge and time to do this, you will have to trust third parties up to some point.

If you want to find trustable brands/vendors, you could check for timely updates, updates over the lifespan of the device, and the way the vendor communicated defects, bugs, security issues and how it was resolved. Most general consumer brands utterly fail at all of the above, mostly due to the ‘sell-and-forget’ nature of their business, and their dependencies on the actual whitelabel manufacturers that often supply both hardware and software, and can be the only party capable of engineering updates.

If trusting a vendor to make safe software isn’t an option, projects like openwrt, ddwrt and lede are things to check out for wireless access points (and built-in routers if you require one - but I’d suggest splitting that up since no single location is optimal for both tasks). Routing can be done with something like pfSense.

John Keates