Comment on U.S. agencies back banning top-selling home routers on security grounds
tal@lemmy.today 3 days ago
I think that, TP-Link aside, consumer broadband routers in general have been a security problem.
They are, unlike most devices, directly Internet-connected. That means that they really do need to be maintained more stringently than a lot of devices, because everyone has some level of access to them.
People buying them are very value-conscious. Your typical consumer does not want to pay much for their broadband router. Businesses are going to be a lot more willing to put money into their firewall and/or pay for ongoing support. I think that you are going to have a hard time finding a market with consumers willing to pay for ongoing support for their consumer broadband router.
Partly because home users are very value-conscious, any such provider of router updates might try to make money by data-mining activity. If users are wary of this, they are going to be even more unlikely to want to accept updates.
Home users probably don’t have any sort of computer inventory management system, tracking support for and replacing devices that fall out of support.
People buying them often are not incredibly able to assess or aware of security implications.
They can trivially see all Internet traffic in-and-out. They don’t need to ARP-poison caches or anything to try to see what devices on the network are doing.
My impression is that there has been some movement from ISPs away from bring-your-own-device service, just because those ISPs don’t want to deal with compromised devices on their network.
A long time ago, for whatever reason, I decided to do a port scan on my entire WAN subnet. That’s how I discovered that a certain brand of DSL modem (I don’t recall which) made the admin portal accessible from the WAN. And of course the credentials were admin/admin.
I think most hardware providers do better now but it was just mind boggling to me that it even happened in the first place.
Honestly, even limiting it to, say, the WiFi network, having a default admin login is not great.
Like, Android isolates apps from the rest of your system, but not from touching the rest of the network. If any random app I install on my phone can reflash my WAP’s firmware, that’s not great.
Jason2357@lemmy.ca 3 days ago
Yes, this really is a situation where ISP managed devices could really be the right option for most -if they weren’t such terrible companies.
phoenixz@lemmy.ca 3 days ago
That last part says it all, though.
The ISPs are horrible companies, mostly, and that alone warrants that users should be able to have their own router
I need a better router than my ISP wants to give me, then just give me the modem, I’ll do the rest
Jason2357@lemmy.ca 3 days ago
I agree, but for the reasons above, it’s a terrible outcome for everyone on the internet. The number of people who will keep their router up to date with security patches are abysmal. Fix the ISPs and it would work, but you can’t fix the situation where the majority of residential humans suck at managing routers.