1. Show the vulnerability status (patched / open)
2. Show affected firmware versions
3. Display manufacturer's last patch release date
Though lots of the dataset is clean, still we do lots of parsing and regexing to extract insights out of a massive haystack. The intention of this tool is for everyone to realize and keep their firmware updated
And No, we don't sell any services. The security reminder emails are free
I am guessing that very few of these can be exploited on the side that faces the public internet. True?
What percentage require access to the router via administrative login on the private network?
How many would need nothing but a hostile .exe on the private network?
Will changing the private network away from 192.168.* to something on 10.* protect a vulnerable router from some of these exploits?
What else can be done to protect a vulnerable router?
Not all routers can run one of these firmwares but many can and I wouldn't choose a device that didn't in the future. Its relatively easy to setup a basic secure home router using a Raspberry pi 4 and USB Ethernet and then attach one to a hub and the other to the modem and you have a 1 gbit/s capable routing device that can do SQM and remove bufferbloat and not a lot of consumer routers can remotely achieve that level of performance.
It is more hassle than the manufacturers firmware, but its also a surprisingly good way to extend a routers usable life and functionality as well. VPNs, Virtual LAN, File and web servers or just better QoS you can do just about anything you might want.
Running open-source firmware is basically necessary to have any chance against all these attacks, because manufacturers simply won't do the work.
There really really needs to be some regulation on this, internet of things devices as well. Give a defined minimum software update lifespan on the box at time of purchase and require that it be at least 3 years from the date of sale, for example.
But "VintCerf, Co-Inventor of the Internet" really made me smile!
One of the reasons why I specifically when with Asus: they've got pretty good long-term support. There's also third-party firmware that uses the open source nature of most/all of the code (e.g., Asuswrt-Merlin).
Fortunately, it does work with Atheros, Qualcomm, MediaTek/Ralink and I think some other chips.
There's frankly a lot to be said about Comcast's current proprietary router model that's basically a completely managed box. You don't even log into the router directly, you manage it on xfinity.com.
That's absolutely the worst thing I can imagine.
My current ISP (Telia) tried to replace their at-home FTTH box with one which can only be managed through their company portal (https://telia.no/minside).
I threatened with immediate service-termination unless they returned the old box which could be managed locally.
I mean... There's lines I'm not willing to cross and a router which I'm not allowed to manage locally is simply not allowed in my house.
I’m not sure if simply jumping on the right VLAN is enough though.
So I’m pedantic and in true HN spirit I’ve bought a secondary Get box (second-hand, with original Get firmware).
It arrived today, and I’m in the process of completely tearing it apart and reverse-engineering the entire setup for usage with OpenWRT.
So far I’ve extracted the PCB, figured out the serial interface and pinout, found out there’s no “free” root from there and are now in the process of extracting the full firmware via the built in bootloader for further analysis.
If I find anything else interesting I’ll let you know :D
Lol, no thanks.
The very last thing I need is an ISP controlling my LAN.
Anyway, it so nice to have a router with 8GiB ram or 32GiB storage, instead of these ram/storage starved devices that are sold as wifi routers usually that can barely support openwrt. Being able to use Arch Linux or Debian, and the latest mainline kernel and have replaceable storage is just so much more flexible in what you can do.
I'll be trying Quartz64-A with some well supported 3x3 or 2x2 mimo PCIe wifi cards, soon. (Router use excludes Intel Wifi cards, sadly) I hope that will be an amazing wifi router for me. I already run one as a non-wifi router: https://megous.com/dl/tmp/599ba099a6893863.png (well there's a USB wifi card visible there, but that's just a secondary wifi network for untrusted devices, I'd like something much better for my primary wifi)
To be fair, my current OpenWRT devices are running more up to date kernels (5.4) than my Debian-based (4.x) devices at home.
And for a router I really don't need/want more code than strictly necessary. What use is 8GBs for the system, if it all it can do is load extra services, which will starve the RAM of the device and make runtime performance less predictable?
What can you do with your 8GB+ router compared to mine 32MB?
Minimal Arch Linux is quite small. But I have option to to install anything, and the board will support it, without me having to figure out workarounds.
The board has 4 cores, you can dedicate 1 to the routing, and use the rest for whatever without starving the core functions of the router of the resources.
I mean, it's just a lot more flexible, while being cheaper and easier to replace than dedicated routers, when the HW breaks. Just copy the root filesystem to other uSD card, and swap the kernel, and it will run the same on a different ARM SBC, which I have quite a lot laying around in my home.
There’s literally a sysupgrade-image you can use to update in place without losing your config.
Has it been a while since you used OpenWRT last time?
That won’t necessarily update the kernel-image though which is often stored directly on some MTD-partitions, so flashing the sysupgrade image is the recommended approach if you want to make sure everything is up to date.
And it’s literally just uploading one firmware file to one web-ui. It’s not like it’s hard to do it particularly involved or time-consuming.
If you’ve been using OpenWRT at all I’m kinda surprised you’ve actually been able to miss them.
They’re pretty much front and center in the firmware download pages and referenced in every single release note, more or less.
Why not use dedicated router/firewall software like pfsense, OPNSense, or Untangle (all BSD-based, Untangle is a paid product though)?
I bought a little NUC with an Intel CPU and NICs to run pfSense a few months ago and it's been fantastically stable.
+ now I run the same OS on the router I run on 12 other server machines at home. This is just easier to manage and backup, and replace with any other SBC that I have at home, regardless of the model as long as it has an ethernet port.
Why? Do you have any other manufacturer you could recommend for a reasonable price? What are you using for your Quartz?
Thank you for your patience in this matter.
After checking this further, we would like to inform you that the engineering team confirmed that Intel® wireless products follow regulatory compliance and it is expected that AP mode cannot be enabled in non-2.4 GHz channels. We hope this clarifies your concerns.
Intel Customer Support Technician"
I'll be trying realtek 8822ce and 8852ae based pcie cards, using mainline Linux rtw88/89 drivers.
Qualcomm based cards are also quite common in high end wifi routers. But they are pricey.
Sadly, that means a massive chunk of the world connected by ADSL/VDSL can't use this advice.
There are a bunch of other ways to do it but you can absolutely have your network defended by your own device running open source firmware and still use the device the ISP has provided mostly as a modem. I use a DHCP WAN on my router which outputs to the ISPs provided router which is just a modem at this point and not a lot else. It still runs DHCP and DNS and all that other junk but my home network doesn't use any of it. I use Virtual LANs internally for some development services I use so the default ISP routers are useless to me and after issues with various routers with VDSL modems I gave up and have used openWRT ever since. I also use separate access points for wifi since its another area openWRT is a little behind just due to how long drivers take to come out.
It's just a bad compromise.
I wrote this up the other day. Mine is still super flaky, but I am going to be trying closer servers. I think, ideally, you want your game console on the DMZ of the router with wireguard.
The entire problem is that most of these routers haven't received updates in years from the manufacturers, they are abandoned. The open source firmware's are not abandoned and are continuously getting updates for their underlying packages from Linux/NetBSD even if they aren't doing substantial development themselves. What vulnerabilities that do exist and are not getting fixed will be in the hardware binaries for wifi for the FreshTomato supported routers and those usually listed as poor or no wifi support in openWRT, that is about it.
Many router ROMS don't come out as often as is necessary to address exploits in a timely manner.
I don't know how UDP would work over that routing, and if QUIC would work (at all).
I imagine that this can be done with OpenWRT, but many plugins and custom configuration would be required to achieve equivalent functionality.
Unless it's been overhauled to incorporate the lessons of CoDel, fq_codel, CAKE and modern active queue management in general, the QoS portions of Gargoyle can be ignored as a time-wasting anachronism. You'll be better off with vanilla OpenWRT and its SQM package.
One has to remember that the majority of the development ends up being by the SoC vendor, usually a horribly out of date fork of OpenWrt with weird looking proprietary kernel modules to support wifi, accelerated nat, etc.
Quite a few of the older devices lack some pretty basic mitigations as well; ASLR, Position Independent Executables, Stack Canaries, etc. Either they get forgotten or they're off because of they can't be bothered getting the drivers up to scratch. (Assuming they haven't just been handed a binary)
Not that Mikrotik haven't had CVE https://www.cvedetails.com/product/23641/Mikrotik-Routeros.h...
It would also be helpful to see how many vulnerabilities are in the latest release of Gargoyle.
I have heard that the best countermeasure for router vendor abandonware is to avoid the 192.168 network entirely, so I configured mine on a random 10. subnet.
New version coming out next year with 10 gbs ethernet and wifi 6. Made by an established internet company: https://www.nic.cz/
Really pleasant experience. Great all in one home router. It took my one minute to setup up and nowadays I got bird on mine for BGP LB with a home k8s cluster. One of the very few open products that is nice to use.
They have a series of routers designed to support OpenWRT (which IMO is better then DD-WRT but preferences of course). If it supports OpenWRT then others shouldn't be difficult to load on it either.
I've had a decent experience with OpenWRT on a WRT1200AC
EDIT: I haven't used it for actual wifi (just routing/switching) in a few years so I don't know how good they are nowadays.
EDIT 2: OP asked for open source hardware, not hardware that runs open source firmware - my bad!
Also, it ships with their proprietary "Smart Wi-Fi", not OpenWRT.
> While the Linksys WRT1200AC provides an outstanding experience via Smart Wi-Fi immediately out of the box, advanced users can further modify the router with open source firmware. Developed for use with OpenWRT, an open source Linux-based... 
No one, to my knowledge, makes the appropriate Gigabit Ethernet (ideally Dual Gigabit Ethernet) + Wifi Open-Source Hardware SBC that could be used as a router. There are a lot of SBCs with open-source software and mostly-accurate PDFs of their schematics, but very few (the Olimex OLinuXino project, maybe?) that are actually open hardware.
I do understand that truly open-source hardware is a tough sell, as Jay pointed out in his amazing piece "So you want to build an Embedded Linux system" 
> People forget that these EVKs are built at substantially higher volumes than prototype hardware is; I often have to explain to inexperienced project managers why it’s going to cost nearly $4000  to manufacture 5 prototypes of something you can buy for $56  each.
And an EVK is likely built at a lower volume than a consumer SBC. The idea that someone can download your hardware design, modify it, and respin it for their desired open-source router but now with a piezo buzzer added might work for Arduino-scale hardware projects but simply isn't reasonable for something that reaches the performance required of a router.
In terms of hardware like you mentioned there's few open source SBC's at all. Even fairly open hardware like the raspberry pi have a proprietary firmware blob. I guess it will come down to how strictly you define "open source". If you define it as "we have firmware/schematics for every chip on the board" then we'll likely never have that (I don't think even Linksys has that type of access).
It hasn't been updated since Jan of 2020 but I also don't see any vulns listed for it.
The web interface was much better than stock firmware though.
But I have recently settled for the tp-link Archer AX50 which is very stable and comes with a great web interface, plenty of advanced features.
Not tried OpenWRT on the latter.
Are you referring to the manufacturer's firmware or OpenWRT? The latter's last release was three weeks ago.
So if you had issues with the WRT3200acm I'd go a different route
I say "used" because my main router has been updated to an AC1900 solution, but it's still kicking, I'm just running it as an access point. Unfortunately, both it and their updated AC1200 solution:
Also, while it's pre-flashed with open-source software, it's not Open Source Hardware.
In PFSense hardware you can even find things with atom processors or laptop tier processors - which are going to be more power-hungry than ARM but also a lot faster, and x86 means everything is bog-standard drivers/etc and Just Works. Although I suppose with the world we live in, perhaps not having your web-facing device have speculative execution would be better.
At that level of cost, many people also go to standalone WAPs (although of course there's no reason you can't use DD-WRT/OpenWrt/Tomato to turn an old router into a WAP as well).
Some hardware I've seen recommended for PFsense before:
Alix PC Engines APU2
This is a serious issue because many people use old devices without knowing anything is wrong.
At the most they should let their users know of the expected life cycle of the devices and warn them even the life cycle it’s end or has ended but in no way nag the user.
It would be nice for the manufacturer to allow 3rd party software but they don’t have too and shouldn’t be forced to do so. You as a consumer have the choice to choose a manufacturer that allows you to install 3rd party software.
It’s so silly things that don’t work, e.g. the guest network not really being separated.
I’ve found it very hard to get a decent solution, especially given that I can’t really change much on the canceling, now considering getting a pfsense/opnsense router in front of a consumer mesh Wi-Fi, though that still isn’t ideal, won’t be able to really do much for the Wi-Fi devices.
I think I’ve posted this once, what’s also missing out there is a guide for the home user to set up networking with typical scenarios, along with hardware recommendations (apart from companies producing better products, would consider paying the premium for ubiquity but here again it seems to require too mutant cables to be laid).
Things that can be compromised locally just seem like the cost of doing business at this point (for non-business use, anyway).
I got a used Ruckus earlier this year and it's been great.
a) How does someone compile this and keep it current? FTWP: "17,000 routers per month" ... ? That's ... daunting.
b) Was Ubiquiti UniFi (or brand ___) excluded because their routers have no vulnerabilities or because they weren't tested?
I didn't see them on the list but of course for entirely different reasons, the business was bought by Motorola and then petered out, I think.
It seems there will always be enough undiscovered or unresolved vulns "in flight" to compromise it on demand.
Cable modems typically do not allow this; only the cable provider is able to apply oem firmware updates.
On a side note, those who write router software like this need to step up their security and stop being lazy. Seriously.