
Fixing Weak Wi-Fi Router Security - uptown
https://www.nytimes.com/2018/06/13/technology/personaltech/wi-fi-router-security.html
======
nisa
there is a linux distribution for wifi-routers:

[https://openwrt.org](https://openwrt.org)

table of hardware:
[https://openwrt.org/toh/start](https://openwrt.org/toh/start)

- current master runs kernel 4.14 / 4.9 for most targets, flow offloading,
performance fixes, wireguard in base, lua-based ui called uci.

- security fixes land after a few hours/days in master, a few days/weeks for
a new stable release

- pretty much only non-commercial and volunteer effort, so be kind and
friendly and help - check the wiki and the forum first.

~~~
ac29
> security fixes land after a few hours/days in master, a few days/weeks for a
> new stable release

The latest stable release seems to be ~8 months old, though, unless I'm
looking in the wrong place:
[https://downloads.openwrt.org/releases/](https://downloads.openwrt.org/releases/)

~~~
IntelMiner
Releases are a fixed point in which packages are updated over top, as I
understand it

Similar to installing say, Debian 6.1 and then running apt-get to update
packages

~~~
nisa
unfortunately not really - due to the small flash on most devices the rootfs is
compressed into a squashfs - but you can checkout the latest stable branch
from git and build images with up2date kernel.

------
_emacsomancer_
> Replace your router every few years

How about instead of this, use open source software on your router? It will
keep being updated, and with the manufacturer's proprietary software on the
device you can't really trust it anyway.

~~~
rhinoceraptor
That's a good solution for geeks, not so much for everyone else. Regular
people don't even update their routers, much less flash 3rd party software on
them. I don't think most people even know updating your router is even a
possibility.

I use Google Wifi and it updates itself. In the future I might put in a
PFSense, but wifi solutions like Google Wifi/Eero/etc are the way to go if
you're not a computer person.

~~~
albertop
That may be behind the Eero move to go subscription only. Could be good if
implemented properly but much more expensive than just buying a high end
router.

~~~
lozaning
Plume just announced that you'll need to buy an annual cloud license for their
new stuff as well. I just don't see this taking off as a business model. How
large is the intersection of people who give a high enough importance to
router security with the people who couldn't roll their own solution?

------
excalibur
Great resource: [https://routersecurity.org/](https://routersecurity.org/)

~~~
clairity
thanks for this. i'm contemplating an upgrade of my venerable linksys wrt54g
running tomato to something more modern. i'll have to check out their
recommended peplink surf router:

[https://routersecurity.org/pepwavesurfsofo.php](https://routersecurity.org/pepwavesurfsofo.php)

------
amiga-workbench
Grab a decent MikroTik router and a few Ubiquiti Unifi APs, set up automatic
updates, and never touch them again.

~~~
unluckier
So... two of the routers affected by the recent VPNFilter malware? Interesting
choice.

~~~
kinsomo
> So... two of the routers affected by the recent VPNFilter malware?
> Interesting choice.

If you're looking for a router that's never had a documented security flaw,
you're probably going to buy a no-name brand that's full of them (because no
one's looked yet, so it has a "clean" record).

The factors that you really need to look for are 1) good engineering practices
for security, and 2) prompt and effective response to flaws. 1) can be hard to
verify completely, but you can get a sense of 2) based on patch cycles.

I have a Mikrotik router at home, and I chose it because their products are
inexpensive and aimed at professionals, which means the software support is
_much better_ than consumer routers. Mine is quite old, but it _still_ gets
patches.

~~~
inferiorhuman
I wasn't aware that the Unifi stuff was vulnerable to the latest VPN stuff. I
own a few ER-Xs and a Unifi AP. They're reasonable kit, but I wouldn't
recommend them at all as a set it and forget it system.

- Ubiquiti has a track record of GPL violations (e.g. u-boot which dovetails
nicely with a security vuln)

- The Unifi AP is tolerable for a simple home env but not much else.

- Ubiquiti support is non-existent. They basically slapped a slick GUI on
Vyatta and resold it. It's nice, but they don't have much in the way of
developers. So, for instance, they still haven't fixed the hardware
acceleration bugs in the ER-X or the WPA2 enterprise issues in the Unifi AP.

- Ubiquiti hardware itself is hit and miss. The ER-L, for instance, is known
to overheat and cook itself to death. There was a mixup with some of the PoE
stuff (UBNT historically used non-standard PoE) meaning you're not entirely
sure what's in the box.

UBNT hardware is cheap and you can hack on it, so that's nice. But, being aimed
at professionals and actually suitable for professionals are two separate
issues.

~~~
IOT_Apprentice
I'm looking for something to update to. If not Unifi, then what brand would
you recommend that would be suitable for home use by a professional, that can
be updated and has good support?

~~~
jlgaddis
Get an apu2 [0] from pcengines and slap OpenBSD on it (or Linux, if you
prefer).

------
chatmasta
The article concludes that you should spend $200 on Eero or Google WiFi. Is
this an advertisement?

Also note that $200 in “value” is mostly covering the massive marketing budget
of Eero and Google. You do not need to pay $200 for a secure WiFi solution.

~~~
mtgx
Possibly. The NYT bought The Wirecutter, which did (pretty good) reviews of
"best in class" products and then made money from the Amazon affiliate
commissions.

[https://www.recode.net/2016/10/24/13381002/new-york-times-wirecutter-purchase-30-million-briam-lam-consumer-guide](https://www.recode.net/2016/10/24/13381002/new-york-times-wirecutter-purchase-30-million-briam-lam-consumer-guide)

I'd still say the point stands that 99% of the routers out there have awful
security and it's just a matter of time (often months) before your router is
overtaken by a botnet, especially if you don't update to the latest firmware
(whenever/if that may arrive).

Open source software helps, but if the firmware for your particular router is
updated less often than every 12 months, I think you'll also become just as
exposed.

~~~
eli
Is there any reason to believe Wirecutter or NYT has compromised the integrity
of their reviews? That seems an unfair allegation to throw around absent any
evidence beyond it _possibly_ being in their financial interest.

~~~
woolvalley
Here is one example allegation:

[http://www.evodesk.com/wirecutter-standing-desk-review-pay-to-play-model](http://www.evodesk.com/wirecutter-standing-desk-review-pay-to-play-model)

With most conflicts you won't know the whole truth, but it's a data point.

The Wirecutter also doesn't give the 'best' in everything. They do have
implicit budgets.

For example, they won't recommend $5000 stereo speaker pairs, even though they
would be better than the KEF Q150s they recommend currently. They don't
recommend full frame / medium format cameras either, since they are probably
too high end and expensive for their target markets.

I don't really fault them for having some cost limits, though. They
would probably make the valid argument that if you're buying the full frame
cameras and $2500 loudspeakers that you probably know what you're doing and
don't need the wirecutter. I do wish they pointed it out a bit more in some of
their guides, though.

~~~
eli
Fair enough, but you should do the courtesy of posting their response
[https://thewirecutter.com/our-response-to-nextdesk/](https://thewirecutter.com/our-response-to-nextdesk/)

------
Rjevski
This should be renamed to "Fixing _router_ security". Nothing in the article
is actually specific to Wi-Fi. They don't even mention disabling WPS which is
the #1 vulnerability in consumer-grade Wi-Fi networks.
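The WPS point above is easy to check on a router you control. The script below is an added example, not code from the thread or from the OpenWrt project: it audits an OpenWrt-style UCI wireless config for access-point sections that have WPS switched on and prints the `uci` commands that would turn it off. It assumes OpenWrt's `/etc/config/wireless` layout and the hostapd option names `wps_pushbutton`, `wps_label` and `wps_pin`; the sample config it writes is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): audit a UCI wireless
# config for wifi-iface sections that enable WPS and emit the uci commands
# that disable it. Assumes OpenWrt's config layout and the hostapd option
# names wps_pushbutton / wps_label / wps_pin. Sample config is constructed.

write_sample_config() {
    # Constructed sample: three APs on one radio, two of them with WPS on.
    cat > "$1" <<'EOF'
config wifi-device 'radio0'
    option type 'mac80211'
    option channel '36'

config wifi-iface 'default_radio0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'home'
    option encryption 'psk2'
    option key 'example-passphrase'
    option wps_pushbutton '1'

config wifi-iface 'guest_radio0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'guest'
    option encryption 'psk2'
    option key 'example-passphrase'
    option wps_pin '12345670'

config wifi-iface 'iot_radio0'
    option device 'radio0'
    option mode 'ap'
    option ssid 'iot'
    option encryption 'psk2'
    option key 'example-passphrase'
    option wps_pushbutton '0'
EOF
}

wps_audit() {
    # $1: path to a UCI wireless config.
    # Prints "<section> <option>[,<option>]" per wifi-iface with WPS enabled;
    # prints nothing when the config is clean.
    awk -v q="'" '
        BEGIN { n = 0 }
        function flush() {
            if (sect != "" && wps != "") print sect " " wps
            sect = ""; wps = ""
        }
        function add(name) { wps = wps (wps == "" ? "" : ",") name }
        $1 == "config" {
            flush()
            if ($2 == "wifi-iface") {
                sect = $3; gsub(q, "", sect)
                # anonymous sections are addressed by index in uci
                if (sect == "") sect = "@wifi-iface[" n "]"
                n++
            }
        }
        $1 == "option" && sect != "" {
            val = $3; gsub(q, "", val)
            if ($2 == "wps_pushbutton" && val == "1") add($2)
            if ($2 == "wps_label" && val == "1") add($2)
            if ($2 == "wps_pin" && val != "") add($2)
        }
        END { flush() }
    ' "$1"
}

wps_fix_commands() {
    # Print the uci commands that would remove every flagged WPS option.
    flagged=$(wps_audit "$1")
    [ -n "$flagged" ] || { echo '# no WPS settings found'; return 0; }
    printf '%s\n' "$flagged" | while read -r sect opts; do
        for o in $(printf '%s' "$opts" | tr ',' ' '); do
            printf 'uci -q delete wireless.%s.%s\n' "$sect" "$o"
        done
    done
    echo 'uci commit wireless && wifi reload'
}

# Demo run against the constructed sample.
cfg=$(mktemp)
write_sample_config "$cfg"
echo '== sections with WPS enabled =='
wps_audit "$cfg"
echo '== commands to disable it =='
wps_fix_commands "$cfg"
rm -f "$cfg"
```

Run it on a real device with `wps_audit /etc/config/wireless` and review the printed commands before applying them. Two caveats: OpenWrt only honours these options when the full `wpad`/`hostapd` build is installed (the basic build has no WPS code, so the options are inert), and on vendor firmware WPS is toggled in the vendor UI rather than in a config file like this.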

~~~
sctb
Thanks, we've added a “Router”.

