Oft-forgotten, why the humble router remains one of the most insecure devices in your home - Action News

With all the emphasis on security, ask yourself: When was the last time you updated the router in your home?

Rarely updated, routers are easy, high-value targets for intelligence agencies and criminals alike

Experts say there's no incentive for manufacturers to release updates for their routers after they've been sold. (Andrew Sorensen/Flickr)

For all the time that we spend thinking about the security of our phones and laptops (about encryption, strong passwords and two-factor authentication), comparatively little attention is paid to the humble internet router.

The tiny box is probably one of the most important pieces of technology you have in your home. It's the one device through which all of your other devices connect to the internet. But despite being responsible for such an important task, most routers remain hidden away, rarely monitored and even more rarely updated, if their software is updated at all.

It's why, for intelligence agencies and criminals alike, routers, plentiful and often insecure, are ever-increasing targets for attack.

"Once you target a router, you don't just get access to one computer," says Eva Blum-Dumontet, research officer for London, U.K.-based Privacy International. "You get access to any computer" or device that connects to the internet through that router, too.

Documents released by WikiLeaks this week that detail the breadth of CIA hacking tools underscore just how valuable that access is and, according to privacy and security experts, how easy it is to get.

"This is a very dramatic problem," said Blum-Dumontet. While our phones and laptops have gotten more secure, she explained, "We're connecting to the internet through routers which are just literally, absolutely, atrocious in terms of security."

'It's really child's play'

The WikiLeaks archive details numerous tools and techniques the CIA can use to spy on smartphones and computers. It even describes turning a Samsung Smart TV into a covert listening device.

But there are also many pages devoted to finding and exploiting the numerous security holes in networking devices: common models of home and office routers that connect phones, laptops and smart TVs to each other, and to the wider internet, too.

Katie Moussouris, CEO and founder of U.S.-based Luta Security, called routers "one of the biggest, most lush attack surfaces that we have."

Their software doesn't differ greatly from country to country. "And nobody really thinks about keeping those updated," Moussouris said, which leaves them especially vulnerable to attack.

With access to a router, an attacker could passively spy on the contents of unencrypted traffic as it passes to or from the internet, or even between devices in the home. A router could also be used to launch a cyberattack, as was the case last year when attackers hijacked thousands of home routers (among other devices) and used them to take large swaths of the internet offline.

An attacker could even redirect users to fake websites (say, a website that looks like Facebook) designed to steal passwords or credit card information, or install malicious software.

"It's really child's play for the CIA," said Blum-Dumontet. "It shouldn't surprise anyone that they're doing this, because this is literally the easiest way of targeting people."

The CIA's Network Devices Branch appears to have spent considerable time and effort cataloging exploits for a range of routers and network switches from popular manufacturers such as Apple, Cisco, Asus, HP and ZTE, which are used worldwide.

One of the documents even describes efforts to make the CIA's spy software have as little impact as possible on the performance of the router, so that more savvy targets wouldn't notice that the software was installed.

But the reality is, even if performance was affected, most users probably wouldn't notice anything was amiss.

What can you do?

Both Moussouris and Blum-Dumontet say there's "no incentive" for manufacturers to support their routers once they've been sold, not when they can sell a newer model the following year.

It's part of the reason routers get so few security updates, and have so many security holes. (Further complicating matters, some routers pull double duty as cable or DSL modems too.)

Security expert Katie Moussouris called routers "one of the biggest, most lush attack surfaces that we have." (Matt Rourke/Associated Press)

But the onus isn't so much on consumers to get smarter as it is on device manufacturers to do better, and for consumers to demand they do so, experts say. That means more frequent updates, but also routers that are easier to update than most currently are, and designed from the start to be more secure.

"You've got an entire uneducated consumer base that has enough trouble keeping their PCs and phones up to date, let alone the very device that connects them to the internet when they're at home," said Moussouris.

She even suggested there's "a potential role for regulators to play," pointing to the U.S. Food and Drug Administration's recent guidance on cybersecurity for manufacturers of medical devices and recent actions by the U.S. Federal Trade Commission (FTC).

In January, the FTC filed a complaint against router manufacturer D-Link, pointing to "inadequate security measures" that left users of the company's wireless routers at risk, part of efforts "to protect consumers' privacy and security in the Internet of Things."

On such issues, governments such as Canada's often follow the U.S. lead.

But there's still more that could be done.

"There are a lot of security concerns around routers, and the problem is, there is no liability," said Blum-Dumontet. "And no company is really addressing the security issues around this."