Fixing Weak Wi-Fi Router Security (nytimes.com)
45 points by uptown 6 months ago | 66 comments

there is a linux distribution for wifi-routers:


table of hardware: https://openwrt.org/toh/start

- current master runs kernel 4.14 / 4.9 for most targets, flow offloading, performance fixes, WireGuard in base, Lua-based UI called uci.

- security fixes land after a few hours/days in master, a few days/weeks for a new stable release

- pretty much only non-commercial and volunteer effort, so be kind and friendly and help - check the wiki and the forum first.

> security fixes land after a few hours/days in master, a few days/weeks for a new stable release

The latest stable release seems to be ~8 months old, though, unless I'm looking in the wrong place: https://downloads.openwrt.org/releases/

Yes. 17.01.4 is the last stable; there is a 17.01.5 planned and this month there will be 18.06. There were a lot of hiccups due to the split between active devs (the ones that forked LEDE and the others); they reunited and things should go more smoothly now. You can use snapshot builds for the latest updates: https://downloads.openwrt.org/snapshots/targets/

Releases are a fixed point in which packages are updated over top, as I understand it

Similar to installing say, Debian 6.1 and then running apt-get to update packages

Unfortunately not really: due to the small flash on most devices the rootfs is compressed into a squashfs. But you can check out the latest stable branch from git and build images with an up-to-date kernel.

> Replace your router every few years

How about instead of this, use open source software on your router? It will keep being updated, and with the manufacturer's proprietary software on the device you can't really trust it anyway.

That's a good solution for geeks, not so much for everyone else. Regular people don't even update their routers, much less flash 3rd party software on them. I don't think most people even know updating your router is even a possibility.

I use Google Wifi and it updates itself. In the future I might put in a PFSense, but wifi solutions like Google Wifi/Eero/etc are the way to go if you're not a computer person.

That may be behind the Eero move to go subscription only. Could be good if implemented properly but much more expensive than just buying a high end router.

Plume just announced that you'll need to buy an annual cloud license for their new stuff as well. I just don't see this taking off as a business model. How large is the intersection of people who give a high enough importance to router security with the people who couldn't roll their own solution?

Plume is the one that switched to subscription only. Eero Plus is only extras; the Eeros themselves are still up front and subscription free.


> Regular people don't even update their routers

I work on a product that gets connected to people's home wifi. In the last year we've had several with routers running WEP security.

WEP was superseded in 2003 by WPA, and deprecated in 2004!

This does sound like a good general model. Assuming it has a 2nd partition or whatever to guarantee you'll never end up with a non-working router.

google wifi might give you some security and ease of use but you also give up privacy. not a good tradeoff considering the alternatives.

Your odds might be better, but there's no guarantee that the software will keep being updated. DD-WRT for many models is simply defunct, for example.

That is the reason I run a pfsense router/firewall. You never worry they are going to stop supporting your device cause your device is x86 with FreeBSD base.

Actually, that is not strictly so [1]. Starting in 2.5, they are requiring AES-NI instructions. I am a bit irritated with that as I bought one of their "official" routers to support them (The one based on the PC Engine APU2) and I use it as a home router, so I really don't need that support.


You can always swap to OPNSense.

I'm annoyed they discontinued support for x86-32. My Soekris could run with a VPN board and saturate its 100 mbit ports.

Good news there as well is that OPNSense supports x86-32 just fine though.

Said it below, but the APU2 does support AES-NI.

I wanted to make sure you saw this.

Thank you for that, I made a mistake. I was thinking of the APU1.

And how much money are you bleeding running that machine 24/7?

Not OP but I run a PC Engines APU2[1] as my pfsense box. It's 6-10 watts.

Updates are easy to manage, I use Pfblocker which is similar functionality to PiHole, and have cloudflares DNS ( set up.

As for wireless I attach a Ubiquiti AP through a switch.

I've done this at a couple different sites for relatives and it's comforting to know there's some semblance of security and privacy for them.

[1] http://www.pcengines.ch/apu2.htm

I have one of those as well. As a word of caution, they are dropping support for that in 2.5 [1]. Starting in 2.5, they are requiring AES-NI instructions (like I said in my other post, I am a bit irritated they did that, especially when that is a requirement for something I do not need).


The APU2 does have AES-NI so no need to worry.

Mine is active and working (I use it with OpenVPN right now).

You're right, my mistake, I had the APU1.

For a 100 Mbit/s firewall all you need is a Raspberry Pi. Most people’s WAN connection is probably less than that. And if you need gigabit then there’s still plenty of options, anything from ODROID-C to 10W Goldmont, the latter a little expensive but it can double as HTPC etc. I don't know how any of those work with BSDs, but they work fine on Linux.

Also the nic.cz people have a neat new product[1]. It’s really cool, but I think still too pricey.

[1] https://www.indiegogo.com/projects/turris-mox-modular-open-s...

RPi systems die too frequently unless you get the right kind of sd cards and power adapters.

Last I checked pfsense wasn't running on ARM. And there were worries that it wouldn't even be able to keep up unless you were very careful with your filters, although that might be less of a problem with the more recent hardware.

I suppose at gigabit the pi might have some issues. Unfortunately, I don’t have this problem. I doubt Goldmont would break any sweat though. If you don’t want to jump all the way to Intel there’s always this: http://espressobin.net/

the SG-1000 that pfsense sells is listed as ARM: https://www.netgate.com/solutions/pfsense/sg-1000.html

Not much. Have not noticed a real increase in my electric bill. However, it is a mini desktop and designed to be low power. Probably far less than my Plex server, easily.

There are options for much lower power hardware. I may do an experiment to see. Be kinda interesting but also hard to duplicate traffic effect and CPU loads.

However the reliable updates, advanced firewall, physical multi LAN, and durable VPN can't be understated for my use.

Shouldn't be too much. You can buy one [SG-1000] linked from pfsense that is only 2.5W (idle) draw.

Sure. But at least you're likely to get rather longer support than from the manufacturer. (And, length of support aside, not having concealed code running on the thing that handles both my internal and external networking is somewhat valuable to me.)

Great resource: https://routersecurity.org/

Thanks for this. I'm contemplating an upgrade of my venerable Linksys WRT54G running Tomato to something more modern. I'll have to check out their recommended Peplink Surf router:


Grab a decent MikroTik router and a few Ubiquiti UniFi APs, set up automatic updates, and never touch them again.

So... two of the routers affected by the recent VPNFilter malware? Interesting choice.

> So... two of the routers affected by the recent VPNFilter malware? Interesting choice.

If you're looking for a router that's never had a documented security flaw, you're probably going to buy a no-name brand that's full of them (because no one's looked yet, so it has a "clean" record).

The factors that you really need to look for are 1) good engineering practices for security, and 2) prompt and effective response to flaws. 1) can hard to verify completely, but you can get a sense of 2) based on patch cycles.

I have a Mikrotik router at home, and I chose it because their products are inexpensive and aimed at professionals, which means the software support is much better than consumer routers. Mine is quite old, but it still gets patches.

I wasn't aware that the Unifi stuff was vulnerable to the latest VPN stuff. I own a few ER-Xs and a Unifi AP. They're reasonable kit, but I wouldn't recommend them at all as a set it and forget it system.

- Ubiquiti has a track record of GPL violations (e.g. u-boot which dovetails nicely with a security vuln)

- The Unifi AP is tolerable for a simple home env but not much else.

- Ubiquiti support is non-existent. They basically slapped a slick GUI on Vyatta and resold it. It's nice, but they don't have much in the way of developers. So, for instance, they still haven't fixed the hardware acceleration bugs in the ER-X or the WPA2 enterprise issues in the Unifi AP.

- Ubiquiti hardware itself is hit and miss. The ER-L, for instance, is known to overheat and cook itself to death. There was a mixup with some of the PoE stuff (UBNT historically used non-standard PoE) meaning you're not entirely sure what's in the box.

UBNT hardware is cheap and you can hack on it, so that's nice. But being aimed at professionals and actually suitable for professionals are two separate issues.

I'm looking for something to update to. If not Unifi, then what brand would you recommend that would be suitable for home use by a professional, that can be updated and has good support?

Get an apu2 [0] from pcengines and slap OpenBSD on it (or Linux, if you prefer).

Same with UBNT, though I really like the functionality MikroTik offers. Their UI takes a bit of getting used to. My favorite thing was when you made a setting change and its validation was to say “Not invalid”. :) My experience with UBNT in the field is pretty solid: no overheating and cooking issues that I’ve seen yet. I’ve RMA’d one device in about 50 deployed, over the course of a few years.

This is pure FUD. If you don't patch your Cisco machine running IOS, your Juniper machine running JunOS, your Netgate machine running pfSense, your Deciso machine running OPNsense, your PC running OpenBSD or Windows or Linux or FreeBSD or NetBSD or whatever software, you may be vulnerable and someone might write malware for that vulnerability.

The vulnerability exploited by VPNFilter was apparently patched by Mikrotik in March 2017.

While not necessarily exploitable Ubiquiti ships known vulnerable packages. Let's not forget their u-boot fiasco and GPL violations.

What do you recommend router-wise? I'm currently using an EdgeRouter PoE and have been happy with it, but I'm setting up a home network at a condo and am researching options.

I'm actually just running a hAP lite for home use. One of my friends works for a WISP and they're using EdgeRouters on their towers; he seems pretty damn happy with them.

I don't have much going on with my router, a few open ports, blocked domains and its running a L2TP over IPsec VPN for when I want to access my home IP cams.

I bought the older RB2011UiAS-RM years ago for work to replace their two crappy BT business hubs and set up dual DSL failover with a 3G dongle as a backup. I've never had to reboot any of them due to a malfunction or crash; they just keep going and the performance is top notch for the medium size business they're servicing.

It's hard to beat a $50 craigslist dual+ core box, a second nic and pfSense.

I have a dell optiplex 780. I paid $15 for a second nic. It's great.

> It's hard to beat a $50 craigslist dual+ core box, a second nic and pfSense

unless you pay for your own power. An edge router lite uses <10w.

How much does it cost to run the pfsense box over the course of 2 years?

Those dells pull about 30W at near-idle. Let's assume 40W given an extra NIC and the workload running. US domestic power averages about 12.3 cents per kWh.

So 36 bucks a year versus 8 bucks per year for the ERL.

Don't forget that the ERL will cook itself to death unless you improve the cooling. The case itself will reach temps of about 40C under normal operating conditions.


> Don't forget that the ERL will cook itself to death unless you improve the cooling.

It will? No, that implies it is inevitably going to happen with every device which is not the case. A better wording is it might, depending on (unclear) circumstances.

> It will? No, that implies it is inevitably going to happen with every device which is not the case. A better wording is it might, depending on (unclear) circumstances.

At those temperatures (40C exterior temp at idle) cooking to death is pretty certain. Look at the complaints of glitchy ERLs as a proxy for impending death. Meanwhile it's pretty clear that the Octeon runs hot and UBNT didn't provide sufficient cooling.

Again, I am not denying there are people who have issues; what I am saying is we don't have enough data to figure out what the signal/noise ratio is regarding dying devices.

Why not Ubiquiti EdgeRouter? I use the ER-X, so I'm curious what makes MikroTik better.

I just haven't used them before; judging from the quality of my APs they should work just fine.

I don't know how flexible they are though, RouterOS might be a bit of a pig to use but it can do pretty much anything you want, the Ubiquiti gear is very user friendly and that usually means less flexible.

Yes, the GUI apps are user-friendly (though UNMS requires a VM and Unifi Controller requires Java; they should merge these 2 which they are doing I think, ditching the latter).

If you want to, you can SSH into the machines. The disabled bash completion will bring you back to the 80s and reevaluate how "user friendly" it is (it does work as root, but then you gotta be root all the time...). I call this part of user-friendliness, and not in a positive way.

Regardless, I'm happy with the Ubiquiti gear I got. The entry level hardware is cheap yet good quality. If you want the more advanced stuff, that's expensive though. A 16 port managed switch with PoE costs nearly 300 EUR while the 8 port costs 100 EUR.

The article concludes that you should spend $200 on Eero or Google WiFi. Is this an advertisement?

Also note that $200 in “value” is mostly covering the massive marketing budget of Eero and Google. You do not need to pay $200 for a secure WiFi solution.

Honest question: What I'm paying for isn't secure WiFi per se, but a working, out-of-the-box solution, right?

My time is valuable and I've been known to make mistakes. So rather than set up and maintain my own router, I bought a Google Wifi unit, and now I'm reasonably certain that my wifi is not the weakest link in my home electronics security profile.

Isn't that a real value proposition for anyone who can afford one and is unable to continuously update their DIY router?

Possibly. The NYT bought The Wirecutter, which did (pretty good) reviews of "best in class" products and then made money from the Amazon affiliate commissions.


I'd still say the point stands that 99% of the routers out there have awful security and it's just a matter of time (often months) before your router is overtaken by a botnet, especially if you don't update to the latest firmware (whenever/if that may arrive).

Open source software helps, but if the firmware for your particular router is updated less often than every 12 months, I think you'll also become just as exposed.

Is there any reason to believe Wirecutter or NYT has compromised the integrity of their reviews? That seems an unfair allegation to throw around absent any evidence beyond it possibly being in their financial interest.

Here is one example allegation:


With most conflicts you won't know the whole truth, but it's a data point.

The Wirecutter also doesn't give the 'best' in everything. They do have implicit budgets.

For example, they won't recommend $5000 stereo speaker pairs, even though they would be better than the KEF Q150s they recommend currently. They don't recommend full frame / medium format cameras either, since they are probably too high end and expensive for their target markets.

I don't really fault them, though, for having some cost limits. They would probably make the valid argument that if you're buying full frame cameras and $2500 loudspeakers you probably know what you're doing and don't need the Wirecutter. I do wish they pointed it out a bit more in some of their guides, though.

Fair enough, but you should do the courtesy of posting their response https://thewirecutter.com/our-response-to-nextdesk/

Why aren't we seeing more MITM attacks if this is the case? I'd imagine it's trivial to MITM a PDF download and riddle it with malware. Why would the botnet not fully exploit the router?

It's an advertisement for Eero and (a competitor) Google Wifi? One that calls out their comparatively high price? One that does not disclose itself as an advertisement? Seems like that would go against their own advertising policy:


This should be renamed to "Fixing router security". Nothing in the article is actually specific to Wi-Fi. They don't even mention disabling WPS which is the #1 vulnerability in consumer-grade Wi-Fi networks.
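An added example, not from the article or any commenter: a small Python auditor for an OpenWrt /etc/config/wireless file, written in the UCI syntax the first comment mentions. It flags the two problems raised in this thread (interfaces still on WEP or left open, as the product engineer above keeps finding, and WPS left enabled, as this comment points out) plus WPA1/TKIP-capable modes and short pre-shared keys. The sample config, its SSIDs, keys and section names are constructed for the example; the option names (encryption, key, wps_pushbutton, wps_label, disabled, mode) are the ones OpenWrt's wireless config uses, and the 12-character PSK floor is an assumption of this example, not an OpenWrt rule.

```python
"""Audit an OpenWrt /etc/config/wireless (UCI syntax) for weak Wi-Fi settings."""

# Constructed sample config for this example (SSIDs, keys, names are made up).
SAMPLE_WIRELESS = """
config wifi-device 'radio0'
    option type 'mac80211'
    option channel '11'

config wifi-iface 'legacy'
    option device 'radio0'
    option mode 'ap'
    option ssid 'home-legacy'
    option encryption 'wep-open'
    option key '1'
    option key1 '1234567890'

config wifi-iface 'guest'
    option device 'radio0'
    option mode 'ap'
    option ssid 'home-guest'
    option encryption 'none'

config wifi-iface 'main'
    option device 'radio0'
    option mode 'ap'
    option ssid 'home'
    option encryption 'psk-mixed'
    option key 'password'
    option wps_pushbutton '1'

config wifi-iface 'fixed'
    option device 'radio0'
    option mode 'ap'
    option ssid 'home-5g'
    option encryption 'psk2+ccmp'
    option key 'correct horse battery staple 42'
    option wps_pushbutton '0'
"""

MIN_PSK_LEN = 12  # assumption for this example, not an OpenWrt requirement


def _unquote(value):
    """Strip one pair of matching single or double quotes from a UCI value."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_uci(text):
    """Parse UCI 'config' and 'option' lines into section dicts (list lines ignored)."""
    sections = []
    current = None
    for raw in text.splitlines():
        tokens = raw.strip().split(None, 2)
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "config" and len(tokens) >= 2:
            current = {"type": tokens[1],
                       "name": _unquote(tokens[2]) if len(tokens) > 2 else "",
                       "options": {}}
            sections.append(current)
        elif tokens[0] == "option" and current is not None and len(tokens) == 3:
            current["options"][tokens[1]] = _unquote(tokens[2])
    return sections


def audit_iface(opts):
    """Return a list of findings for one AP-mode wifi-iface option dict."""
    findings = []
    if opts.get("disabled") == "1" or opts.get("mode", "ap") != "ap":
        return findings  # disabled or client/mesh interfaces are out of scope
    enc = opts.get("encryption", "none")  # OpenWrt default is an open network
    if enc == "none":
        findings.append("open network: encryption 'none'")
    elif enc.startswith("wep"):
        findings.append("WEP ('%s') is broken; switch to psk2+ccmp or sae" % enc)
    elif enc == "psk" or enc.startswith("psk-mixed") or "tkip" in enc:
        findings.append("'%s' still allows WPA1/TKIP; prefer psk2+ccmp or sae" % enc)
    if opts.get("wps_pushbutton") == "1" or opts.get("wps_label") == "1":
        findings.append("WPS is enabled; set wps_pushbutton/wps_label to '0'")
    if enc.startswith(("psk", "sae")):
        key = opts.get("key", "")
        if len(key) < MIN_PSK_LEN:
            findings.append("PSK is only %d characters; use a long passphrase" % len(key))
    return findings


def audit(text):
    """Map each AP SSID in a wireless config to its list of findings."""
    report = {}
    for sec in parse_uci(text):
        if sec["type"] != "wifi-iface":
            continue
        ssid = sec["options"].get("ssid", sec["name"])
        report[ssid] = audit_iface(sec["options"])
    return report


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_WIRELESS).items():
        print("%-12s %s" % (ssid, "OK" if not findings else "WEAK"))
        for finding in findings:
            print("    - " + finding)
```

Run it against a copy of the router's file (`scp root@router:/etc/config/wireless .`) or paste the file into `SAMPLE_WIRELESS`. For a flagged interface the fix on the router is the matching `uci` change, e.g. `uci set wireless.main.encryption='psk2+ccmp'`, `uci set wireless.main.wps_pushbutton='0'`, then `uci commit wireless` and `wifi` to reload; `psk-mixed` is matched by prefix so that variants like `psk-mixed+ccmp` are caught too.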

Thanks, we've added a “Router”.
