
Don't use Linksys routers - zachinglis
https://superevr.com/blog/2013/dont-use-linksys-routers/
======
NelsonMinar
The modern equivalent of a Linksys WRT54GL is the ASUS RT-N16. It runs
OpenWrt, DD-WRT, and Tomato variants really well, does 802.11n (only one
frequency) and has plenty of memory and flash storage for extra hacking. The
ASUS RT-N66U is frequently advised if you want 5GHz 802.11n as well.

The other router mentioned in this article, the Linksys EA2700, doesn't seem
compatible with third party firmware. And apparently the Cisco firmware is
buggy, no surprise there. It is an awfully cheap Dual-Band 802.11n router, but
if you can't put working software on it it's useless.

I don't understand why some major router manufacturer doesn't just sell
routers pre-installed with Tomato. It's easy to use, stable, and works way
better than any crap the router companies cobble together. Flashing new
firmware on a stock ASUS router is too complex for ordinary consumers.

~~~
jwr
Tomato works fine until you need QoS. Then it hangs sporadically. Verified
with two different router types.

~~~
driverdan
Interestingly I found the N16 stock firmware to have the best QoS of any
router I've used. It requires no configuration and always seemed to work
great. DD-WRT's QoS, on the other hand, can require significant effort to
configure correctly.

------
spindritf
Or just put OpenWRT[1] on it. It's a real Linux distribution with a package
manager and everything. You can even disable the webinterface, if you don't
trust it, and use SSH.

EDIT: WRT54GL is pretty old and it won't run the default build of OpenWRT
Attitude Adjustment (the newest release). It also probably won't have enough
memory to operate the package manager or the webinterface.

But I do have one running a custom build. The only downside is that you need
to decide which software to include upfront. Their build tool is rather
friendly[2].

EDIT2: You can have a VPN server and any routing you like on OpenWRT, same
with Samba, radvd, vnstat... There are even webUI pluings (luci-app-whatever)
so you can control those from the webinterface for ease of access. It is a
real Linux distro that just happens to run on routers.

[1] <https://openwrt.org/>

[2] <http://wiki.openwrt.org/doc/howto/build>

~~~
AnthonyMouse
The trouble with the WRT54G series (and most of these little routers) is that
they have ~200MHz CPUs and ~16MB of RAM. This is, incidentally, why they often
crash when you open a lot of simultaneous connections -- memory exhaustion.

I find that if you're interested in experimenting with a Linux router, old PCs
are a much better choice. You can get a PowerPC G3 or G4 or a late model
Pentium III for practically zero money (if not literally zero money out of a
trash heap) and PCI NICs for secondary interfaces are similarly inexpensive.
For only slightly more money the G4 Mac Mini is an excellent choice for a
wireless router. Then you have a processor that is several times faster and
can put arbitrarily much memory and storage in it to suit your needs and then
put your favorite Linux router distribution (or Debian) on it and have at it.

~~~
jodrellblank
What is it about these class of devices that makes them so expensive?

They tend to have 500Mhz CPUs, approximately no RAM, unresponsive very basic
web interfaces, and fall over at the touch of a light breeze.

An el-cheapo Android tablet with 1.6Ghz dual core ARM processor, 1Gb RAM,
WiFi, and a bunch of other technically hard stuff on top (IPS screen, battery)
costs less than one of these style of WAP/switch/routers.

Are they really so different?

~~~
pbreit
I was always wondering that too. Seems like they should be $25-50 max. Decent
hardware with Tomato seems like the way to go.

------
UnoriginalGuy
Linksys went from being the "iPhone of home networking" to being something I
won't recommend. In Cisco's care the company has gone from being a market
leader to a dud.

Now a lot of people might say "I doesn't matter who makes it, I'll just flash
OpenWRT or DD-WRT onto it!" But I say to that, "then why buy a Linksys?"

Asus for one example are cheaper, they often have external antenna giving you
more power and flexibility (both literally and figuratively) plus and most
importantly they can be flashed with OpenWRT or DD-WRT at your pleasure.

Even without the security issues there is no good reason to buy a Linksys.

Right now I am using my ISP supplied "router" in cable-modem "mode" (i.e. just
dumb pass-through to ethernet) and have a cheap MikroTik/RouterOS device
sitting behind it which was cheaper than most retail grade routers but with
the functionality of commercial grade equipment.

RouterOS might not be as easy to use as DD-WRT, but if you can use it then it
is far more powerful as a web-based environment. Just for one example, want a
VPN server? RouterOS supports IPSec/L2TP, PPtP/GRE, SSTP, and OpenVPN.
Basically everything. The list of its network functionality is almost
endless...

~~~
illuminate
"being the "iPhone of home networking""

Howso? All I remember from their heyday was that they were good enough, cheap
enough, and flashable. I don't remember them commanding a premium for any
particular reason.

~~~
mbreese
I think they meant it not in terms of a premium price, but rather as the
default product to buy. They were never that much more expensive (if at all),
but back in the day it was the one most people bought.

~~~
dasil003
Should have said iPod then as I don't think iPhone ever attained "default"
status outside of SF.

------
brooksbp
I highly recommend Mikrotik to anyone fed up with traditional consumer wifi
routers/APs. I dont know how they compare to other vendor hw eg Asus +
OpenWRT, but this little guy has been rock solid and a joy to use:
<http://routerboard.com/RB2011UAS-2HnD-IN>

~~~
UnoriginalGuy
I have a Mikrotik/RouterOS device.

Positives: Cheap. Powerful. Stable.

Negatives: Harder to use than OpenWRT/DD-WRT or similar. It is still a web-
interface, but doesn't "baby" the user. If you aren't comfortable manually
setting up interfaces and then setting up tunnels through those interfaces for
example then skip this.

I love it. But I won't kid myself, it isn't for everyone. The documentation
isn't comprehensive and the software is very powerful but not very intuitive
(or at least it isn't if you don't have a good background configuring network
equipment).

~~~
xmodem
Anyone who has ever set up a Cisco router to do anything even slightly complex
should be able to pick up Mikrotik in a snap. The windows based GUI
configuration tool (winbox) is simply incredible. (Runs fine in wine on OSX as
well)

~~~
Ziomislaw
they rewrote it into a browser based app, looks identically, just a bit more
shiny.

------
lazyjones
My Linksys router has had Tomato on it from the first day, it's the only sane
thing to do (OpenWRT or DD-WRT would work too) when closed-source software is
regularly exploited and not patched in a timely manner - and when noone knows
what kind of government-friendly backdoors exist in such products (made by
companies that earn significant revenue from government contracts).

Also, there's plenty of very cheap router hardware coming from China nowdays,
from TP-Link you can get OpenWRT-capable routers for less than $15, so there's
not much point in paying a lot more for Linksys products.

------
mikecane
Having looked at the post, doesn't he really mean don't buy "these models" of
Linksys? Or are all models open to certain vulnerabilities?

~~~
happycube
This indicates that they're not doing enough testing of _any_ of their
routers. Not conclusive, of course...

------
dz0ny
I use Linksys routers, but not with default software (which we know is
"limited"). I would recommend alternatives from here
<http://tomatousb.org/mods>

~~~
tjoff
Which makes it a bit odd that he mentions the "uber-popular Linksys WRT54GL
router" specifically. The "L" stands for linux, and it was brought back
because people specifically wanted to install third party software on it.

And the reason for it becoming popular in the first place was probably a
security issue that allowed third party software to be installed.

The "L" version was introduced because newer routers didn't have this
capability/vulnerability and people wanted something they could install third
party software on. So when the "L" version (which I use) came it was just an
older model, with even less memory than the original and a much heftier price.
Unless you wanted to run third party software on it it was really bad value
for your money.

Anyway, all of this truly sucks. But really, I don't expect more of any
consumer router.

EDIT: Oh wow, the WRT54GL was introduced in 2005, nothing too fancy at the
time and you can still buy it today - lots of stores have it in stock even.

~~~
reefab
That's inexact. The WRT54GL was brought in as the (at the time) retail version
of the WRT54G had much less RAM and flash because they switched from Linux to
VXWORKS.

It's not that they didn't have the "security vulnerability" but they just
weren't able to run Linux in a useful manner due to low hardware resources.

I also don't remember if the WRT54G became popular in the first place because
of a security issue, I think it just enabled you to upload any firmware to it
and that the original firmware eventually became open-source after they
received GPL violation complaints. But my memory might be fuzzy, it was a
while ago.

~~~
UnoriginalGuy
Your memory is how I remember it too.

Basically the WRT54G with base firmware was better than anything else on the
market at the time of release (within the same market segment - retail
routers).

Just to put that into some perspective before the WRT54G, some of the
functionality in the base firmware was being sold to small-medium businesses
by companies like Cisco for thousands of dollars.

Word spread quickly and instead of your local coffee shop paying Cisco $20,000
to install their WiFi, they could spend $100 on a Linksys router. This meant
companies could afford to give away WiFi for free because it cost them little
or nothing to install the WiFi initially.

But what happened next is what turned the Linksys WRT54G from a "great" to a
"legendary" product - people found out it ran on Linux. Now Linux is open
source but more specifically it is under the GPL license.

What that meant is that legally Linksys were required to share the source code
that made the WRT54G run. Which after some not-so-gentle prodding and legal
threats they did.

People then made distro's (in the Linux sense) which updated the Linksys
firmware to add new functionality, fix issues, and similar. This made the
thing even more powerful than perhaps even Linksys wanted, and ate into
Cisco's small-medium business space even more.

Word spread like wildfire and soon everyone and their brother owned a Linksys
WRT54G. Linksys improved the base firmware only mildly while the third party
firmware was steamrolling ahead.

Cisco eventually purchased Linksys and started cutting corners on all of their
retail products. Using less powerful CPUs, less RAM, and stripping out
functionality while not altering the cost. Linksys stagnated.

This was likely in no small part to try and get some of their small-medium
customers back onto Cisco's books, but by then it was too late. The market
that Linksys had created had spread to Linksys's competitors and soon everyone
was "letting" their routers get firmware updates that turned a cheap little
home router into something able to fend off medium-business level commercial
equipment.

~~~
yuhong
AFAIK Cisco bought Linksys back in March 2003.

------
cdjk
I'm a fan of pfsense [1] on an alix board [2]. The alix boards a little pricey
for a router, but has a real amount of memory (256MB). The only downside is
that pfsense, since it's based on FreeBSD, doesn't support any 802.11n cards,
so you're either stuck with 802.11g, or using a separate access point like I
do.

Add in a managed switched and you have the start of a real network at home.

[1] <http://pfsense.org/> [2] <http://pcengines.ch/alix.htm>

~~~
Freaky
FreeBSD supports some 802.11n cards, doesn't it?
<https://wiki.freebsd.org/WiFi80211n>

~~~
cdjk
There are no drivers for 802.11n cards in pfsense 2.0 (current stable
version), which is based on FreeBSD 8.1. Some b/g/n cards will work, but only
in b/g modes:

[http://doc.pfsense.org/index.php/Is_802.11n_wireless_support...](http://doc.pfsense.org/index.php/Is_802.11n_wireless_supported)

Drivers for 802.11n are in FreeBSD 9.0 and later, but that won't be the base
for pfsense until 2.2:

[http://doc.pfsense.org/index.php/PfSense_and_FreeBSD_Version...](http://doc.pfsense.org/index.php/PfSense_and_FreeBSD_Versions)

------
sctechie
Let me just get this in before the cries of JUST INSTALL OPENWRT come raining
down.

Your mother / father / grandmother / etc are not installing openWRT on their
routers. Installing one of these CISCO home routers is pretty much hacking
yourself. And, just update the firmware is not gonna work.

Try it one day, go up like 10 people and ask them what's a firmware. If the
user isn't technical, you're going to get a 0/10 correct responses.

~~~
jiggy2011
Maybe they should just ship with the alternative firmware installed if the
open source is doing a better job?

~~~
happycube
I've read (but haven't personally confirmed) that Netgear used skinned OpenWRT
on some of their routers (like the wndr3700v1)

~~~
justincormack
It is true <http://www.myopenrouter.com/> is their info page. They make it
really easy to flash, and provide specs as well so they are well supported so
you can use a different version, but it does ship with it too.

------
moonboots
It should be pretty easy to upgrade vulnerable WRT54GL routers. Any volunteers
to setup a page that POSTs a newer firmware like OpenWrt or Tomato?

~~~
StavrosK
What use is that? If people don't know enough to upload a file to their
router, they definitely won't know enough to configure it after it's been
done.

~~~
fnordfnordfnord
Embed the link in a joke/lolcat/puppy/political forward-email and spam it to
all of our relatives/acquaintances who regularly do the same.

------
jiggy2011
Is this a problem if I have DD-WRT?

~~~
joenathan
No.

------
jrabone
Just buy Draytek. Playtime is over. Pricy but mine lasted 7 years before I
replaced it with another Draytek (for dual WAN support). Bomb proof and great
VPN support out of the box. I bridge my parent's network to mine over VPN, and
the Linux servers at either end provide failover DNS, mail etc. So useful,
especially for remote support.

~~~
nnexx
> Just buy Draytek. Playtime is over.

I went to their website (draytek.us) and got this:

> Database connection error (2): Could not connect to MySQL.

~~~
__del__
I guess playtime really _is_ over.

------
FollowSteph3
What recommendations do people here have for an entry level commercial router
instead of a high consumer level router?

~~~
rdl
Juniper SRX100 ($500), with Ubiquiti APs (~$100).

~~~
MertsA
That's a bit overkill don't you think? Do you really think a home user would
have a need to run BGP?

~~~
rdl
Overkill for a random home, but maybe OK if you WFH and need to vpn/IT wants
manage a bunch of devices centrally/etc. $1k in equipment vs. $300 in
equipment isn't _that_ big a difference for a few important home users if
you're already using all the same equipment in your other offices.

(also a lot of startups have like 20 people working out of a home or condo,
and they bump up against memory/crapiness/etc. limits of consumer routers and
APs pretty hard.)

OP asked for "low end commercial router", though.

------
fsckin
Google Cache of the site since it's having issues. [0]

I enjoy my Asus RT-AC66U. [1] Best commercial router I've seen, and Asus
Merlin [2] firmware makes it better.

[0]
[http://webcache.googleusercontent.com/search?q=cache:JNu4Z9X...](http://webcache.googleusercontent.com/search?q=cache:JNu4Z9XbAz0J:https://superevr.com/blog/2013/dont-
use-linksys-routers/&hl=en&gl=us&strip=1)

[1]
[http://www.newegg.com/Product/Product.aspx?Item=N82E16833320...](http://www.newegg.com/Product/Product.aspx?Item=N82E16833320115)

[2] <https://github.com/RMerl/asuswrt-merlin>

~~~
MertsA
The only problem with Asus Merlin is that it uses the older "stable" wifi
drivers. I've been running the unreleased Russian build 3.0.0.4.321 for months
now and it's stable as a rock.

------
autotravis
My ISP makes me use a "gateway"[1][2] with a wireless router built into it. In
the name of reducing electricity usage, I forego running my own router and
surrender to using theirs. I would be willing to bet many others do the same.
I wonder how secure it is?

[1]<http://www.att.com/u-verse/explore/residential-gateway.jsp>
[2][http://verrytechnical.com/wp-
content/uploads/2011/10/ATTUver...](http://verrytechnical.com/wp-
content/uploads/2011/10/ATTUverse2WireRG.jpg)

~~~
cdjk
My router uses about 3 watts. That adds about $5 per year to my electric bill,
which I'm happy to pay to avoid the painful ISP-provided router.

------
mschuster91
Half-OT: does anyone know a DD-WRT/OpenWRT compatible WiFi router with support
for 2.4/5 GHz WiFi, as well as VLAN on the ports? Bonus points for individual
VLAN assignment to the individual ports.

------
underdown
What? Linksys routers are a great deal - you can find them at goodwill for $5,
flash the firmware & configure it in 15 minutes and they work great. My one
beef is why don't they put a cheap fan on them when they cost upwards of $100
now that they come with a cisco logo slapped on them.

------
Sami_Lehtinen
Shouldn't 'hardware' firewalls be secure? And everyone knows that software
firewalls are crap. Isn't this common knowledge with professionals. ;)

~~~
happycube
;) In the end, all routers are software. A properly set up Linux or BSD
router/firewall on a regular PC can be very, very good.

A higher end hardware router actually has tested and (mostly) secured
software, these don't...

------
danielweber
I mostly-bricked a Linksys doing a security analysis on it. It still works,
but the UI is completely locked up; I can change nothing on it.

~~~
ville
I also bricked my Linksys by opening /upgrade.cgi (mentioned in the article)
on a browser.

I was able to finally fix it by downloading a firmware from Linksys, doing a
30/30/30 reset (push reset button for 30 s, turn power off for 30 s and keep
on pushing reset for another 30 s after turning it on again) and flashing it
with tftp as explained in [http://community.linksys.com/t5/Wireless-
Routers/E4200-Firmw...](http://community.linksys.com/t5/Wireless-
Routers/E4200-Firmware-Upgrade-failed-Cannot-access-
Linksys/m-p/552862/highlight/true#M236523)

After that I was able to login using the web interface again.

For Mac OS X the command to flash is just tftp, and then in the console that
opens type:

    
    
        connect 192.168.1.1
        binary
        rexmt 1
        timeout 60
        put firmware_filename.bin

------
Arainach
So this researcher went from notifying Linksys to open disclosure to the
internet after only a month? That hardly seems responsible.

------
duncans
Mitigating factor, the attacker would need to have been granted access to your
network in the first place?

~~~
InclinedPlane
Not at all. That's what CSRF is all about. All the attacker needs to do is get
you to visit a page on the internet that they control. Then the code on the
page does its magic and runs on the browser and because _you_ and the browser
are on your network it can work.

As a simple example, imagine that you had a test server behind a firewall in
your own home network, totally inaccessible from the internet. Now let's say
you have it set up so that it will, oh, let's say turn on the oven if you hit
a specific URL without any authentication (like testserver/actions/oven/on, or
some such). If someone knows of this then they could contrive to have you
visit a web page with some embedded resource such as an inline image that
causes you to hit that url from your browser. Boom, now your oven is on and
you didn't even know it. Even if you switch to using logins and cookies on
your test server to ensure that only authorized users on your network can use
it then you'll still have the same problem, because when _your_ browser hits
that URL it will be in your name, and all of the right cookies will be there.
That's the nature of CSRF.

------
seqizz
I think this is just what topic meant:

Error 102 (net::ERR_CONNECTION_REFUSED): The server refused the connection.

LOL'd

------
drakaal
OpenSource is a vulnerability not an Asset according to #5.

For small projects which few contributors I would agree but, for projects as
large as OpenWRT and DDWRT and such, I don't agree.

~~~
btilly
In an ideal world, whether code is open source is neutral. The extra ease of
finding bugs is balanced by the fact that people can and do find then fix
them. Theory says that these two are, to first order, equivalent. So end user
security is the same. (But code quality tends to be higher with open source
software.)

However whenever code moves towards being more open, you've got all of the
vulnerabilities of closed source software, and all of the bug-finding ease of
open source software. This is the worst of all possible worlds.

Therefore #5 is true. The fact that you have easy access to known-to-be-crappy
code increases the vulnerability of that code.

~~~
LucasCollecchia
Just curious, but wouldn't this indicate that open source code which allow
iterators to close off their improvements would produce less vulnerable code
overall?

~~~
btilly
If a vulnerability is found in open source code, people will try it on yours.
So they won't be finding it directly in yours, but that is not protecting you.

The real consequence is that how secure a product is depends more on the
project than on whether it is open source. Apache and OpenBSD are two examples
of very good open source code. Java and Rails are two examples of not so good
open source code.

Google's website is an example of good closed source code. The software
shipped by Linksys is an example of bad closed source code.

~~~
LucasCollecchia
I get that there are different levels of quality regardless of the type of
code. I was more interested in the security effects of hiding code after the
open source community has had a chance to deal with vulnerabilities. None of
the examples you gave were specific to code which has transitioned between
open to closed.

What I've gotten from your answer so far is that it isn't an effect which is
general, and it'll depend on the project in question. Am I on the mark?

~~~
btilly
Yes. Opening closed code is always going to be problematic. But closing opened
code can go either way.

