Imagine a world where routers with vulnerabilities are protected by the software running on them, which doesn't need to be upgraded via firmware images that often arrive late or never at all. It’s a feature that would benefit everyone – consumers, IoT manufacturers, and ISPs - and the scenario is not far-fetched.
One of the biggest problems with today's routers is security, which is actually ironic given that routers are often guardians of customers' networks. Vulnerabilities are constantly found in commercial routers, but manufacturers rarely deploy the necessary patches. In some cases, it might take years for a patch to arrive.
The use of IoT devices and particularly routers in DDoS attacks is a constant problem. In fact, the current climate in which DDoS services use widespread botnets available for hire for pennies ensures that IoT remains a part of the problem.
A study telling us things we don't want to hear
A recent study from the Fraunhofer Institute for Communication looked at many popular commercial routers and investigated their firmware images for security. Collectively, we presumed that the security situation on commercial routers is terrible, but it was only a guess.
The researchers looked at 127 routers, and the results were more than troubling. Linux kernel powers 116 of 127 of the routers, which might be a good thing, but a third of them are based on Linux kernel 2.6.32, which was officially retired nine years ago! More than 50% of the inspected routers are running a Linux kernel that's no longer maintained. One of the routers in the study used a Linux kernel that received its last update in 2002.
As if this wasn't bad enough, many router manufacturers don't care about supporting their devices after launch. The same study showed that 46 out of 127 hadn't received an update in the past year, and many routers have hundreds of vulnerabilities that were never addressed and will likely never be fixed.
This means many people have vulnerable routers in their homes and risk falling prey to a Botnet. That, in turn, affects ISPs. You can imagine that each ISP has its "own" network of customers who all route their Internet traffic through the ISP's server. And that network is filled with buggy routers that haven't been updated in years, many of which are acting as zombies in large bot networks that are involved daily in DDoS attacks. It's not a good selling point for any company.
What if we could fix it?
While it's safe to say the situation is bleak, there's reason also to be hopeful. On the one hand, there's no silver bullet that can fix all the vulnerable commercial routers overnight, or even a small part, and there's no indication that companies making routers will change their ways. On the other hand, there are already some excellent solutions out there, such as the Bitdefender IoT Security Platform.
One of the things that our IoT platform does is alleviate much of the ISP's pain of needing to deal with DDoS attacks coming from inside their networks. If the ISP chooses to implement the security platform in the routers they offer their customers, they can mitigate many inherent vulnerabilities in any home network.
Moreover, the Bitdefender IoT Security Platform is flexible and has a light footprint, which means that ISPs don't need to sell or install new hardware, but rather can use the existing devices. Offering out-of-the-box security to customers is a business proposition that people will have a hard time refusing, especially in this climate.
Which leaves the question of securing vulnerable routers without input from manufacturers. It turns out that it's not impossible, and new features on the horizon show that it's going to be possible, within the existing framework and without input from the user.
Some of the features that users should look for are brute force protection, web protection, IP filtering, and local assessments of vulnerabilities. And this is only scratching the surface of what a router can do with the right security platform running in the background.
In the end, fixing hundreds of built-in vulnerabilities is extremely difficult, but an ISP that can offer their customers better security today than they had yesterday, is one step closer to increasing the value proposition of its services.