This past week, I received a lot of questions regarding yet another newly-found router vulnerability, this time coming from Netgear.
Some of you expressed frustrations and went as far as saying you’d “never buy a Netgear again.” Well, that’s your call, but I’d say it’s an example of overreacting.
While router vulnerabilities are clearly no good, getting overly concerned about them is also unnecessary. I’ll explain that in this post.
Security vs. vulnerability: You can’t have the former without the latter
Generally, in computing, a vulnerability is where a device doesn’t provide the level of security it promises. Since it’s tough — impossible in fact — to test every single scenario, and technology is always evolving, vulnerabilities are inevitable.
So, it’s safe to say any device that has any type or level of security will have some vulnerabilities. It’s just a matter of when or if somebody finds out and exploits them to do bad stuff. In other words, the only time you get 100 percent vulnerability-free is when you don’t use any security at all.
(It’s just like your home. After you lock the door, rest assured that the lock can be picked or compromised one way or another. The only way not to worry about somebody breaking your lock is not to use one at all. Like all security measures, that of a home is more a matter of deterrence than total protection.)
So, vulnerabilities are common, and so are updates, or security patches, that fix them. Popular operating systems, like Windows or macOS, get regular updates, as frequently as once a month or even once a week. That happens regardless of whether or not the public is aware of any issue. Security is a never-ending cat-and-mouse game.
At some point, though, older versions are “out of life”, meaning they are no longer supported by the vendor. For example, if you decide to continue using Windows 7 or earlier versions, you’re on your own.
This applies to all things in the tech world, including home routers.
Why router vulnerabilities are big deals
Home Wi-Fi routers are IoT devices. By default, they are low-value targets. However, every time there’s a vulnerability report, it’s almost always a huge deal, for a few reasons.
Routers are popular
That’s right. Popularity goes side by side with seriousness. The more people use a router, the more widespread its security issues become. As a result, the vulnerability found in routers from popular vendors like Asus, Netgear, TP-Link, etc. tends to get a lot of attention.
Routers are a special Internet of Things device
Unlike other IoT devices, your home router is your gateway to the Internet. Having the control of the router, the bad guys can do a lot of severe damages, including (and not limited to) taking over your DNS server settings to redirect you to malicious websites.
There’s nothing that grabs more attention than fear. And in the online world, attention is money.
Many times, though not always, router vulnerabilities (security issues in general) are blown up for self-serving purposes. The security firms use them to brush up their reputation or sell software. And the media take advantage of them to boost their page views.
(Let’s be honest with each other here. Many of the self-proclaimed “security experts” working for major media outlets know little or nothing about network security. They probably don’t have time or desire to learn the mundane details of a particular vulnerability, either. Instead, they repeat information from hackers or security firms, or patch-write a security blog.)
So most of the time, the vulnerabilities are not as bad as they are cracked up to be.
Is recent Netgear router vulnerability serious?
That depends on who you ask. For me, it’s not a huge deal.
The details of the issue are on this post if you don’t mind the technical jargon. But basically, it applies to the webserver in a limited number of relatively old routers.
(Some reports call the total number of affected devices as high as 79, but many of them are just variant, or different versions, of a single model. Here’s the complete list with their security patch status.)
The webserver is an integral part of a standard router. It allows users to work with the router via its web user interface, as well as other less popular tools, such as SSH or Telnet. In the case of this vulnerability, there’s an intricate way to fool the device so that one can log in without the correct password.
It’s not easy to exploit this vulnerability, and the bad guy needs to target a specific user. In other words, they need a particular reason to do it, with a relatively low chance of success, which brings us to the low-level target notion mentioned above.
Most importantly, many of the vulnerable models are among the first Wi-Fi 4 devices that are more than a decade old. If you still have one of those, you should replace it for performance reasons anyway. For a few that supports Wi-Fi 5, Netgear has already released security patches.
That said, the chance of anyone getting affected by this is meager, much lower than getting your car stolen if you leave it unlocked overnight in a sketchy neighborhood.
To put this in perspective. This whole episode is like somebody finds a security issue with Windows XP, Microsoft says it won’t fix it because the OS is no longer supported, and the media cry foul to get attention. It’s mostly just shenanigans.
Again, no, I don’t mean to downplay the importance of router security. However, there’s no need to get all wound up every time you hear of some vulnerability, either.
Just update your router to the latest firmware, keep its admin and Wi-Fi passwords secure, and don’t mess around too much with its settings (unless you know what you’re doing) and everything will be as fine as can be. It’s a matter of degrees.
Also, it’s a good idea to upgrade your network every five or six years (or when a device is “out of life”) with hardware from a reputable vendor.
Most importantly, no matter what router you’re using right now, keep in mind that it is vulnerable. You’d be fooling yourself if you believe otherwise. The only way to be 100 percent issue-free on this front is not getting online at all. But then you’ll have fewer creative options to deal with living, which by itself is risky.