

Ask HN: Home Router (In)Security - d43594

My new router has just arrived. As is the case for most now, it was supplied FOC by my ISP. When configuring the router, I couldn't help but notice that in the re-configuration maintenance page it said this:

"We'll periodically update your router software automatically. There may be times when you will be advised to do this manually. Our Technical Support Team will assist you if this is the case."

Immediately I started to look for the option to disable this. However I could not find one. I then contacted their technical support in an attempt to turn it off. Their advisor informed me that they would not turn it off. I proceeded to state that would not, did not mean could not and probed for information which would enable me to turn it off. At this point the advisor informed me that it was a secure line and that the upgrade process was infallible in terms of security; yet was unable to inform me of the security processes/practices applied. The advisor (getting infuriated at this point as I was clearly off-script) stated that they would try to find out from a higher technical body (internally). After being put on hold for a further 20 minutes I gave up and hung up the phone.

Next I resorted to a (quick) Google search in the hope that an answer would reveal itself. I couldn't find an easy answer. Most answers I found focussed on some means of hacking the firmware on the device (based on the fact that the router was a re-brand of some other common make/model e.g. Netgear).

Given that my logs tell me I receive unsolicited connection attempts out of some countries in the East every 5 minutes or so, I feel I should be worried that I have little or no control over the firmware running my router. Have other people experienced this too? It strikes me as a red flag in terms of security.
======
clsec
You might want to take a look at these pages and see if your router supports
OpenWrt or Tomato firmware.

[http://wiki.openwrt.org/toh/start](http://wiki.openwrt.org/toh/start)

[https://en.wikibooks.org/wiki/Tomato_Firmware/Supported_Devi...](https://en.wikibooks.org/wiki/Tomato_Firmware/Supported_Devices)

------
andymurd
Hopefully, your ISP is using TR-069[1] to update your router. It's not perfect
but it's not as bad as you might imagine. The router polls for updates and
initiates a connection to the ISP's configuration server.

The servers are usually part of your ISP's infrastructure, not a third-party
service on the public Internet.

I've seen TR-069 used very effectively to manage VOIP hardware (a lucrative
target for hackers); however, I was told that routers are more difficult.

The bottom line is, if you don't trust your ISP to update your router
firmware, buy a different router. As others have said, OpenWRT is awesome.

[1]
[http://en.wikipedia.org/wiki/TR-069#Security_and_authenticat...](http://en.wikipedia.org/wiki/TR-069#Security_and_authentication)

------
shawnreilly
Is the router your hardware? If the router was provided by (aka is owned by)
your ISP, then I don't understand why you would expect to be able to control
the firmware (it's not your hardware). From your provider's perspective, this
would imply that they've lost configuration management control of their
hardware (not good for them). In this scenario, the simple solution is to
install something downstream, for example a security appliance (firewall/vpn)
or your own router with similar capabilities (use your own router as the
ingress). If this is not correct, and you provided the router (ISP provides
only the fiber), then you do have a valid issue. (but it could still be solved
with the above solution).

------
PeekPoke
So your ISP has the capability to automatically provide you with updates to
fix security issues on your router (thus helping keep out the 'countries in
the East') and you want them to turn this off?

Smart.

If you're really that paranoid, I suggest you open your wallet and buy a
firewall to put between the LAN port on your router and the rest of your
internal devices.

~~~
d43594
Yes. How can I be assured that their mechanism has not, and cannot be
compromised? I can obtain updates through their website. I should be able to
register for notification when updates are available. Why would I want to
allow remote access (even to my ISP) which I cannot monitor? Moreover, why
would I want to (potentially) allow (whoever has access) to install whatever
they want on my router?

~~~
mooism2
If you don't trust their update mechanism to remain uncompromised, why do you
trust their website to remain uncompromised?

------
DanBC
> Given that my logs tell me I receive unsolicited connection attempts out of
> some countries in the East every 5 minutes or so,

Do you have a cut and paste of those logs? Often those connections are either
noise and not worth bothering about, or they're your ISP and not worth
bothering about.
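
Added example, not part of the thread: a triage of WAN-side firewall log lines along the split DanBC describes (ISP traffic versus background noise), with everything else held for review. The log format, the sample lines, the ISP range (a documentation prefix used as a placeholder) and the set of commonly scanned ports are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the ISP's management range. 192.0.2.0/24 is a documentation
# prefix used as a placeholder; substitute the range your ISP confirms.
ISP_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Assumption: ports that internet-wide scanners probe constantly.
SCANNED_PORTS = {22, 23, 80, 443, 445, 3389, 8080}
CWMP_PORT = 7547  # IANA-registered port for CWMP (TR-069)

# Constructed sample in the style of netfilter LOG lines; not from the thread.
SAMPLE_LOG = """\
Jan 12 03:10:01 router kernel: DROP IN=wan0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=23
Jan 12 03:15:02 router kernel: DROP IN=wan0 SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51240 DPT=23
Jan 12 03:17:40 router kernel: DROP IN=wan0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=40022 DPT=22
Jan 12 03:20:11 router kernel: DROP IN=wan0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=33000 DPT=7547
Jan 12 03:21:30 router kernel: DROP IN=wan0 SRC=203.0.113.77 DST=198.51.100.7 PROTO=TCP SPT=45000 DPT=7547
Jan 12 03:22:05 router kernel: DROP IN=wan0 SRC=203.0.113.80 DST=198.51.100.7 PROTO=ICMP TYPE=8
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=\S+ .*?DPT=(?P<dpt>\d+)")

def parse(line):
    """Return (source address, destination port), or None if the line lacks them."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m["src"]), int(m["dpt"])
    except ValueError:  # SRC field is not a valid IP address
        return None

def classify(src, dpt):
    if any(src in net for net in ISP_NETS):
        return "isp"      # from the range the ISP manages devices from
    if dpt == CWMP_PORT:
        return "review"   # management port probed from outside the ISP range
    if dpt in SCANNED_PORTS:
        return "noise"    # commodity scanning of common service ports
    return "review"       # anything else deserves a look

def triage(log_text):
    """Count log lines per category; lines without SRC/DPT count as 'unparsed'."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse(line)
        counts[classify(*parsed) if parsed else "unparsed"] += 1
    return counts

if __name__ == "__main__":
    print(dict(triage(SAMPLE_LOG)))
```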

------
atmosx
If your router can run a decent version of OpenWRT then go for it. Otherwise
buy a decent router; unfortunately they are not easy to find. I would say go
for a carambola2, it's cheap, runs OpenWRT out of the box and has FreeBSD
support too, if you are good with CLI.

