305 comments

[ 4.7 ms ] story [ 295 ms ] thread
D-Link SIRT :: For Accurate and Up-to-Date information please go to: https://bit.ly/2nNawAc
The irony of using a shortened link in a comment on cyber security.
For national security sake all routers should be required to support open firmwares.
You can install OpenWRT on most D-Link routers. I have one at home that works fine that way.
Most, maybe, but not all. Only one of the 4 models in this case is listed as supported on the OpenWRT site.
Not exactly what you’re asking for, and it has its own problems [0], but the US military has a “trusted foundry program” [1] for sourcing chips.

[0] https://semiengineering.com/a-crisis-in-dods-trusted-foundry...

[1] https://en.m.wikipedia.org/wiki/Trusted_Foundry_Program

Is there an equivalent of the Trusted program in Europe? I know of a bunch of companies capable of manufacturing chips, like STM, but because of the scattered nature of europe, I don't know how euro militaries handle this issue, specially Airbus.
Being open source at the chip level, while an admirable goal isn't really required for open source firmware. Most router firmware is linux, that runs on either ARM or MIPS based SoCs. Opening up that code is more than enough to fix any security flaws like these.
Open source software on routers is a little complicated.

FCC requires home router manufacturers to prevent users from modifying transmit settings (primarily to prevent interference with weather systems - which 5G is also going to mess with). While the router manufacturers themselves might not provide features to modify the parameters, allowing third-party open source firmware opens them upto liability, because third-party firmware -- almost all of which are open source, can provide users with features that allow changing the transmit parameters. This is because the radio operation is controlled by the OS (most of these have linux on them), and the parameters are to be included in the same firmware blob as the OS.

FCC is not the problem here either. FCC saw the quick-fix that some manufacturers took, like TP-Link, which is to block any third-party firmware. So they required TP-Link to reverse their decision to prevent installation of third-party firmware. Then what's the solution?

The best way to prevent allowing consumers to change the transmit settings, while allowing open source firmware meant for the rest of the board (where all of the security issues arise), will require having different flash chips - one for most of the firmware, and a separate on for the storage radio parameters. This route is what Linksys is taking.

Personally, I doubt this is a good enough solution. Board designs today use a single SoC that does everything. So I'm not sure how they think storing the transmit settings on a different flash chip will prevent the firmware from using different parameters. Any design that is more complex than the two flash chip solution will require a lot of reworking of designs, because most board designs basically consist of a few components: the SoC, the flash and RAM. Nothing else.

Apart from the re-working of existing designs, there's another problem. The problem is the BOM constraints router makers face, since they are always in a race to the bottom price-wise. Adding additional chips, introduces cost and complexity, which they don't want to go through.

The solution is that there is no preemptive solution, any more than there is a preemptive solution to using an axe dangerously. You can build a transmitter out of a Raspberry Pi and a short length of wire; for extra credit, you can buy a cheap amplifier and really go to town, but the simple fact you can strobe a GPIO pin fast enough to transmit on unauthorized frequencies is the final nail in the coffin for any plan to restrict broadcasting by restricting radio sales.

The enforcement comes down to this: If you transmit in an obnoxious way and you annoy someone, you get squashed. If you kill someone, you get squashed harder. That doesn't bring the dead back to life, but sending someone to prison for killing someone else with an axe doesn't bring the dead back to life, either.

Really it seems like the radio ASICs themselves should be adding a little bit of embedded flash or OTP memory. But barring that, as the storage requirements of routers increase (having already moved from NOR to NAND flash) we may eventually reach the point where a router includes a BGA SSD whose controller can enforce permanent read-only permissions on a partition that stores RF parameters.
But what do you do when it's the radio firmware itself that has a security for and the vendor stopped patching their devices? It's a pain in the ass to secure a closed source binary blob.

Example: https://hackaday.com/2019/09/05/esp8266-and-esp32-wifi-hacke... what if Espressif dropped support for these a while ago? You couldn't securely use these in some scenarios without reverse-engineering the binary blobs and patching the flaws. And I can't imagine how many of IoT devices out there use that chip or a derivative.

Those Espressif blobs are running on the same processor as the application/OS and are responsible for a lot more functionality than the typical radio firmware for a Broadcom/Qualcomm/Mediatek WiFi NIC that connects over PCIe. That firmware is also entirely different from the RF regulatory data I was talking about; the regulatory data should be in a ROM somewhere but the WiFi firmware generally needs to be stored alongside and updated in lockstep with the operating system's driver for the WiFi device.
Most routers have the SoC integrating the radio chip, and running firmware and the OS on the same silicon.
Wireless router SoCs usually have at most one radio integrated, and the 5Ghz radio is still usually attached over PCIe. And even the integrated 2.4Ghz radio's firmware is running on entirely separate processor cores and in a different memory address space from the application processor.
I did not know that the firmware for the radio is running in a different context (memory space/processor). I assumed they would, to save cost, run everything together.
1. FCC has only started to require home router manufacturers to prevent users from modifying transmit settings some years ago, we have lived quite long without this ban and had no problems it is supposed to prevent. 2. Put detailed transmit settings modifying tool right in the web UI of default firmwares of all the routers and you'll see just a negligible portion of the userbase ever touching it. Most of the people don't even know what a megahertz is, let alone have any clue on how to tweak transmit settings for any kind of benefit.
The FCC is certainly the problem in this case. If someone modifies the product to break the law the person is at fault not the manufacturer. That someone could do modify their radio to do bad things shouldn't stop me from modifying mine to do good things.
Would you also say that Uber doesn't violate taxi laws or AirBNB doesn't violate zoning laws, and it's just the Uber drivers and AirBNB hosts who are using the products to violate the law? What's your responsibility when you hand someone a loaded gun and it goes off?
> What's your responsibility when you hand someone a loaded gun and it goes off?

Zero, as long as the person:

(1) Knew it was loaded

(2) Voluntarily accepted to receive the gun.

> Zero, as long as the person:

In this analogy the gun going off broke a law. So you voluntarily handed somebody a loaded gun - who then committed a crime with that gun.

Obviously context matter - but you can bet the police will be asking why you gave that gun to them.

When a router ships you can't select a licensed band. This is a different concept than "product does something bad" this is "is the manufacturer responsible when someone modifies the product to do something bad".

Clearly not, the person that knowingly modified it to do something illegal is at fault. Preventing anyone from modifying anything is a backwards response to the real problem: the guy that wants to do the illegal thing.

The same argument can be made with any other tools in existence. Don't blame the tool for doing something bad, blame the user.
That is a different argument than you imply, please read the existing sibling comment chain to see how as it's pretty much the same discussion.
Until there is some legally required amount of time to provide security updates for connected devices, I would expect the "buy a new one if you want to be protected" response to continue indefinitely.
What do you expect from companies that sell kit at $50/£50/€50?

You always kind of get what you pay for. If you pay an annual maintenance, then you can expect regular and secure updates, otherwise you are buying the product as is at time of purchase.

Then again, I buy stuff that can be flashed with OpenWRT ...

$50 honestly seems expensive considering how long home routers have been around. It's not as if it's novel technology.

I'd expect cheap mass-produced routers to be around $15 - $25, like an immersion blender.. I don't quite understand why cheap ones are still $40-$60.

People pay hundreds for these things on the high end; the market seems to have settled on the price. There may be room to under-cut, but you risk looking like a cheapo option when all the established manufacturers charge more.
$50 is incredibly cheap for a home-router (which also is a wireless access point, a switch and a firewall). Prosumer or enterprise grade hardware is usually magnitudes more expensive.

An edgerouter X is $50 for instance, but doesn't have wifi and lacks serious routing features. It is considered a very low end router compared to more expensive stuff from Juniper or Cisco. (even an entry grade router/firewall like an SRX300 will run you back atleast 4x the price of the edgerouter.)

One thing these $50 routers lack besides proper software is stability. Most consumer networking equipment has an abysmal track record in terms of reliability.

They are that cheap... e.g. Microcenter has models in the $15-$25 range. They're pretty much at the too cheap to not work level as they can't afford to develop complex, bloated features at that price point.
Maybe this should be the way forward. We all should buy hardware that can run Software like OpenWRT
If a car spontaneously combusts we hold the auto manufacturable liable for correcting that defect. It doesn't matter if it's a Prius or a Ferrari. These vendors are selling defective devices and it is fixable via software patch. Just because they stopped selling them doesn't mean they shouldn't have to fix it.
> If a car spontaneously combusts we hold the auto manufacturable liable for correcting that defect.

This is a bit of a spurious comparison. Nobody is dying from an unpatched router. Why should a company be on the hook for a device, particularly if it's out of warranty? If you expect more than that, you need to be buying something with a contract stating you're going to get more than that.

Somebody can conceivably receive significant financial damage though. Why they shouldn't be liable?
> Somebody can conceivably receive significant financial damage though. Why they shouldn't be liable?

Not just financial damage, the owners of defective routers can be targets of criminal lawsuits if their connections are used as proxies for attacks, death threats, bank fraud, etc.

It's not just "one unpatched router". It could be millions. Or millions or billions or IOT devices in the future that are unpatched.

That does have the potential to create some damage if anyone takes control of them. Maybe even kill some people, if say they DDoS the V2I network for self-driving cars in the future, or a hospital network over which remote surgeries are performed, etc.

I feel like this argument that "you get what you pay for" is pretty lazy. Usually, or ideally, consumer regulations are about setting standards and raising the bar.

So that means that if there were strong laws for stuff like this, then the minimum router price may become $70 instead of $50 - but everyone would be reasonably protected for the large majority a device's lifecycle (only a small portion of the customers should be affected by leftover bugs when support ends, like say <5%, as others will have moved on to new products by then).

Without agreeing with this point it's a perfectly reasonable one to make. Why is it dead? Seems to be quite a bit of this sort of thing of late, new ML tools?
It's not "you get what you pay for", even the most expensive consumer routers are out of support 2 years later.
The damage from an unpatched router can be pretty far-reaching, especially in cases where it can be exploited over Internet (not sure about this one, but some other D-Link vulnerabilities reportedly could).

I find it regrettable that the architecture commonly in use does not make a clear distinction between devices for convenience and for security.

It’d be crazy if in our homes the main entrance lock always came as an afterthought in the package of all the inside doors, and we didn’t have an obvious way to replace it separately on our own.

The front door lock is actually a bad example: in single-family houses, the front door is a social and legal signifier more than it is a security device. Smash a window; go around back; use a crowbar: the lock isn't what's keeping you out, it's designating the social expectation that you don't have a right to be there without an invitation and the legal assertion that crossing the threshold violently is a bigger crime than wandering in absently.

This case is more like a golf cart being sold as a car: it's technically usable for that, but lacking any sort of safety or weather protection.

I’m sure it depends on location, but there is the opportunistic crime—if home owners are away, probe the door to see whether it’s locked, get in and grab something if not. Routers and mass scans are somewhat similar.
In an hospital, someone could die from a hacked device.
I should really, really hope hospitals are not using routers like these.
Medical equipment more and more often has networked embedded software that can't be updated. They won't throw away a multimillion-dollar device just because it can't be upgraded from Windows XP.
I'll bet they still have service agreements for those devices though, even if the software is old. Consumer routers do not have support like that.
Oh, yes, they're usually still serviced- the systems are babied and locked down and generally taken care of, and if Microsoft releases an emergency XP patch I expect it would be applied. Still, there's a lot of old stuff floating around since medical hardware can last a lot longer than an OS support lifetime.
I'd expect a hospital has to have a pro-ish router due to the size of the network. However, I can easily see someone setting up some of these as a "temporary" fix just to get things working for some subnet. I totally expect some small clinics, independent doctors' offices, or EMS stations use devices like these.
I've worked in quite a few hospitals. I've got some really, really bad news for you.
You have warranties for those, though. Also, no lives are in risk in dlink's case. It's more comparable with a shirt that falls apart after washing a few times.
If vulnerable D-link router becomes part of botnet, and attacks devices on my network?
Think about why and how governments have that kind of leverage over the auto industry.

There are arbitrary and discretionary licenses that have been created in response so prior issues.

Licensing/certification regimes allow for almost any expansion of the role of government to those licensed, including capital requirements to resolve an issue.

So first you would need a license, determine the scope of the license, who needs it, and the consequences of operating without one.

Good luck

>> If a car spontaneously

This is false equivalence. A car is not $/£/E/50 piece of hardware.

> You always kind of get what you pay for. If you pay an annual maintenance, then you can expect regular and secure updates, otherwise you are buying the product as is at time of purchase.

Let's unpack this:

You get what you pay for... yet you also say that OpenWRT solves this problem and is available free of charge.

If you pay for a support contract, you get support right up to the point where the company decides to stop that support. If you have a contract worded the right way, you might be able to take the company to court over it, but if the company's willing to settle, you end up with some go-away money and an insecure router nobody's supporting. Does the money pay for next week's massive outage due to someone taking over your routers?

Finally, the product as it was at time of purchase was a product fit to be sold, without major defects. In other industries, that's a standard companies are held to: If a ball joint goes out completely after 10,000 miles, Ford's kinda on the hook for that, neh? They can't say that you have the car you purchased because the car you purchased was driveable and not sitting on the side of the road.

>Finally, the product as it was at time of purchase was a >product fit to be sold, without major defects If somebody later discovers a bug in the firmware that bug was present from the beginning, so this is false.
I could consider things like catching on fire or assisting a crime (DDoS, botnet, etc) to be such cases where they absolutely should be on the hook to be required to fix.

And we already have a system put in place to assess. It's called CVEs. If you exist, you should be on the hook to fix.

It's called 'Being Responsible'. And corporations have a strong tendency to not want to be. That's why we need the 'stick'.

Xiaomi sells routers in this price range that ship with OpenWrt. The buildroot even has config options for branding! It costs them nothing for the OS. It costs D-Link more to produce their mess.
"But how will we differentiate from the market without our \"value added\" non-standard software?"
The same way Dell and HP do with a Windows PC. The OpenWrt buildroot can help them do that too! ;-)
What do I expect or what does a typical consumer expect? The folks on HN are not typical consumers of these products.

Often times when defective products are sold there is some responsibility for some time to correct or notify people. Cars, child seats, and many other things fall into that.

The defective devices that get updates or notifications are often safety related. Yet, safety and security are not talked about much with regard to technology. Maybe it's time to start doing that.

I expect them to not sell devices at unmaintainable price-points.

You know, like tons of other safety-relevant products. Anything you plug into the wall, or put gas in, or has enough torque to hurt someone ends up going through safety checks.... except software.

Kits are different. Every router kit I've seen doesn't come with any software. Some come with a blank SD card and you can load what you want on it. Here's a tutorial I wrote for one kit I got:

https://battlepenguin.com/tech/using-the-banana-pi-bpi-r1-as...

but then I learned the hardware itself could fail into an insecure state, and there was no way to deal with it in software:

https://battlepenguin.com/tech/banana-pi-bpi-r1-fails-into-a...

I wonder if the GP meant 'kit' as in the UK-English sense, i.e. equipment and not the literal kit with no software.
There's also just you know, installing Custom Firmware if you're determined enough.
I'll never use vendor firmware again. If the router doesn't support OpenWRT, it's a time bomb waiting to go off, as this article shows; plus, of course, OpenWRT has sufficient additional functionality that that alone makes it worthwhile.

And once again, we're all reminded of the divide between people who know how to do things like this and people who don't, and how the people who do know have an advantage in life.

I don't usually install CFW on mine, but it's something I look for the possibility of doing in case something like this D-Link issue occurs.
I bought a couple of Netgear AC1600 routers and installed DD-WRT/Kong firmware on them right away (clicked the PayPal contribution link and paid up - it is worth it). They work well and update quite frequently.
Can this model be used as a VPN server routing through your home ISP connection?
At one "legal training" class our lawyers said that there is the potential that we could be required to recall and fix any product we have ever made. We have machines we made in the 1950s that are still regularly used for the purpose they were bought for, but without modern safety standards. We believe we can argue in court that the modern safety devices didn't even exist back then so we shouldn't have to update those machines, but we are not entirely sure and there is always the possibility that the legal framework could change. We have an official policy that once a recall is made, the replacement parts for a safety issue will be available forever, or until we can prove all existing machines have either been updated or scrapped. (The latter is considered impossible to prove and so there are kits available for machines that last shipped in the 1980s.) This policy has in fact protected us in lawsuits: we take safety seriously so mistakes are taken as unintentional and punitive damages don't apply.

I would expect a consumer router to run without problem for not less than 10 years: they should update it to work. Now they shouldn't have to add support for the next protocol or feature, but if it isn't secure that is different and should be fixed. All it takes is a lawyer.

Note that you don't have to have the affected router, just prove that an affected router is attacking you. I think there are people in IT who are able to prove this latter one so all that is left is bring it to your lawyers to get dlink to pay your costs from the attack.

> I would expect a consumer router to run without problem for not less than 10 years

That's not a realistic expectation. Nobody is selling consumer devices with a 10-year support lifecycle.

How long do vehicle recalls last for, if something like an airbag turns out to be defective and dangerous?
You want to equate a consumer electronics device with an incendiary device legally mandated to be installed in every vehicle that may explode and kill people?

Well, the legal answer is 10-years for a no-charge repair [0].

If D-Link routers start burning down homes I'm sure the Consumer Product Safety Commission will take an interest, but if it's more than a few years old the recommendation will likely be to throw it out and buy a replacement.

[0] https://www-odi.nhtsa.dot.gov/recalls/recallprocess.cfm

I've a 2006 Toyota about to have it's second set of defective airbags replaced for free. In Oz.
Until all affected vehicles are fixed or scrapped. This works out to forever because it isn't practical to prove either. The law might allow less, but any smart company is going to have the above policy because you can pull it out in unrelated court cases to show that you care about safety and so whatever the current situation is doesn't warrant punitive damages.
(comment deleted)
In my jurisdiction, consumer device must have "reasonable lifetime" by law. This lifetime of course is not to be determined by the manufacturer, but by the courts in the event of a disagreement. Ten years is bit long, but it's not absurd to think (i.e. reasonable) it should work ten years after the time of purchase even if the technology becomes obsolete.
Nobody would sell consumer electronics in your jurisdiction if they thought it were a remote possibility that courts would endorse "Purchase date + 10 years" or even "First sale date + 10 years" for software updates.

An original iPad isn't even 10 years old and is many years past being able to run an iOS version that receives security updates. A 10 year old MacBook Pro is a few years beyond having a supported OS with security updates. Cisco, with a support contract on actual Enterprise gear, offers up to 5 years from the end-of-sale date and do not actually promise to provide security updates for that whole period.

To expect a $50 junk router to provide an industry-leading support lifecycle is absurd.

Handheld devices cannot be reasonably expected to last 10 years.

However consumer goods must be fit for purpose for a reasonable time. The case of the insecure router after 5-10 years was probably not brought to court, but I hope the court would agree that it isn't fit for purpose if insecure..

If you are really interested, you can read on the law here (my jurisdiction is Quebec, Canada) : https://www.opc.gouv.qc.ca/en/consumer/good-service/goods/sm...

Fortunately, we don't have to care what manufacturers think is absurd or not; it's been decided for them.

> not less than 10 years: they should update it to work

> get dlink to pay your costs

What happens when the company is gone?

For DLink, you're out $20-$100. What happens when Tesla is gone?
You get out your Tesla shop manual, diagnose the problem, order 3rd party replacement parts and fix your car yourself.

(wakes up from dream)

crap.

10 years ago we had 802.11 a/b/g - n wasn't approved until October 2009 and not generally available until 2010.

In your case I'd imagine these are multi million dollar machines vs a $30 bottom line home router.

It's times like this i'm glad my home router is a x86 mini PC running Arch Linux + iptables + Unifi (Complete with DNS MITM forcing all DNS out of my apartment over TLS)
How high-touch is this kind of setup? I have a separate access point and I am using a consumer-grade "wireless router" for DHCP. (and other things?)

I'm more of an app developer that does DevOps stuff when I have to. Is this something I can get done in a day or so? Is a Raspberry Pi enough, or do I need something more powerful?

If you want a less touchy solution (not completely plug and play though!) I can't recommend Ubiquiti products enough. I run an EdgeRouter X and Unifi AP at home. Not big enterprise gear but way more enterprisey than whatever you'll find on the shelf at Best Buy. Updates are released regularly and once you get your initial configuration done they just chug along, no random 'internet is down, need to reboot something' issues that (used to?) plague mass consumer designed gear.
Cheaper and older alternative is the Ubiquity Unifi Security Gateway + 8 port switch + UAC AP-PRO if you don't want the Edgerouter X cost. Less customizeable but if you're buying an EdgeRouter you know what you want.
how does power consumption compare with a setup like this vs some consumer all-in-one thing?
to be honest, most routers like this have very low power usage. I think an edgerouter X has a power consumption of something like 5W under load.
Isn't the EdgeRouter X cheaper than the USG?
What WAN throughput can you get on an Edgerouter X with moderate Firewall and some basic QoS rules enabled?
I can't give you a good answer for that as the fastest plan my ISP provides in my area is 100/10. This setup maxes that out no problem (which isn't surprising or impressive), usually hitting about 130/15 due to turboboost or whatever word they're using for temporary speed increases these days.

I think you can find some better info with a search though.

Low touch once it's working, but took me forever to get right. I recently added wireguard + policy based routing + a second route table + a VLAN so that all devices connected to a secondary wireless SSID are NAT'd to the Internet over a VPN. I don't know how you'd accomplish this with anything consumer, or even anything semi-Enterprise.

The primary motivation for that one is that native wireguard (UDP) is blocked by several wireless networks I use on the move. So on those networks I have to use a shitty OpenVPN configuration over tcp port 443. OpenVPN on Android is buggy and prone to crash all the god damn time. Now, at home at least, I don't have to suffer it.

The device I use has a metal case, is fanless/noiseless, the size of an AP, has 4 gigabit ports, 4 x86-64 Bay Trail cores, 8GB of RAM, runs standard Linux, and cost me like $150. Honestly I'm done with plastic off-the-shelf crap.

It depends, and it's certainly not a consumer solution. I use Ansible manage my devices so it takes a bit more up front time to setup but it pays off in the long run. It's very low maintenance overall but you do need some technical knowledge.

I recently switched from OpenBSD to Linux and it was mostly painless. nftables is almost as usable as pf.

If you get a decent WiFi card you can just use hostapd and manage your wireless networks on the gateway; slicing it up however you want without needing vlan capable switches on your network.

How to make a PC talk over a DSL cable? I assume a specialised chip would need to be plugged in at which point the potential for vulnerabilities of that PCB need to be considered...
Back when I had an ISP-provided cable modem I just put it into "modem mode" (disables NAT and all the builtin firewall and parental crap) and connected it via Ethernet
I do something similar. Fanless PC (but I do have a heppa filter pointed at it for hot days) running CentOS 7 and El-Repo 5.2.x kernel. I enable power management on everything except for the network cards and disable most other devices on it. On UPS it can run about 3 hours.

I have unbound DNS and iptables to intercept all DNS requests destin for the internet, so I can block some ads. I null route the DoH servers and some hostile countries. Works great.

>I have unbound DNS and iptables to intercept all DNS requests destin for the internet

dnsmasq (caching) + stubby for me

> D-Link last week told Fortinet’s FortiGuard Labs, which first discovered the issue in September, that all four of them are end-of-life and no longer sold or supported by the vendor

First released in 2011, EOL in 2018. Can't say I blame 'em, EOL is EOL, but it's also the new planned obsolescence. (Better buy a new router every 7 years or the hackerman'll get ya!)

This is precisely why I chose to install DD-WRT on all my routers. Not only does it give me more fine grain control over all my admin privileges, I know I don't have to rely on some company making the cost-benefit decision over if it's worth patching security bugs.
DD-WRT doesn't necessarily provide more security, typically models will get one release and then not get any more updates.
I've found OpenWRT to be better in this case, support does get dropped eventually but it's usually longer term even if less polished.
I'm aware of the "but what if the router is connected to an ICU bed? A patient's life depends on it!" straw man but let's be honest, it would only be the ICU's admin fault.

Having sorted this out, let me clearly state that the only ethical solution is to brick these devices offline.

i hope an intensive care unit doesn't really on a bottom of the barrel consumer device for their network reliability.
What is the best wifi-router out now for home hackers? I'd like to do a pi-hole type setup but without the pi-hole and I also need a stronger wifi signal than on the box my ISP gives me.
Probably some low tier mikrotik. It's not for dummies though, it requires to know a bit of networking.
I'm generally happy with my RB3011 but you are very much correct that it isn't meant for a typical end user.

Many QoL things that a consumer level router + TomatoUSB firmware does for you are either difficult to set properly set up (NAT reflection) or are not available at all (per-IP traffic accounting).

It really doesn't. The quickset (essentially basic configuration like most home routers) has been a feature for like 7 years.
It doesn't meet your hackability requirements, but I suggest Ubiquiti for wifi AP's at a price point that home owners can afford. I personally prefer keeping my wifi separate from the router, which this affords you.

See this for a crash course in an entire Unifi setup, https://www.youtube.com/watch?v=f_-iuY_xxFY

I personally run pi-hole on a pi, use an edgerouter x and unifi aps for the house.

I'd suggest to avoid dealing with wifi routers as much as possible, they are not worth the time, and instead separate wifi and routing. Doing all the dhcp, dns/pi-holing, nat, firewalling on a PC-based router and using a wifi router behind it only for wifi.
this is the "proper" answer.

Seperating routing from providing wireless makes things far more flexible, not to mention you usually get two seperate devices which are far better at doing their sperate jobs compared to an all in one solution.

pfSense on an old computer and a UniFi AP.

If you want to level that up, use Proxmox with pfSense VM and any other junk you want to throw on it.

The T-Mobile Cellspot AC1900 (rebadged ASUS RT-AC68U) seem to work well enough and are often on sale. As with all wifi routers, put them into access point mode, and run an ethernet cable.
Sounds like exactly the kind of bug that lets you hack/install dd-wrt on them.
This is unacceptable. Companies that do this stuff should be boycotted.
This is the new normal, folks. Consumer technology is manufactured for six to twelve months, but live in our homes for three to five years. Today's manufacturers cannot afford to update software for hardware devices they have already moved on from. Changing that requires a significant upheaval in their business models.

This applies to every "connected device:" printers, cell phones, home routers, refrigerators, thermostats -- you name it. Michael DeGusta did a great infographic demonstrating this for Android phones in 2011 [1, 2]. Sadly, this hasn't materially changed in the eight years since. Just this year, Google added new terms to the Android license requiring security patches, but even then only for "popular devices." [3] Imagine those dynamics in the secondary and tertiary markets of printers and refrigerators.

As an industry, we've been to this rodeo before. The advancements we've made in operating system and core applications security over the last 20 years have more about patching speed and agility than shipping fewer bugs. However, those areas have backing and control from Apple and Microsoft, managing the end to end ecosystem. There is not a similarly equipped manufacturer of embedded operating systems with the scale to provide post-sale/post-deployment patching infrastructure.

Since this is Hacker News, I'll point out the enormous opportunity to anyone who can address that problem. Can you provide an "enterprise class embedded OS" to device manufacturers and address post-deployment updates? Can you provide infrastructure device manufacturers can use to manage post-deployment updates themselves? Do you have a better approach to it? There's a burgeoning multi-billion dollar market waiting for a few leaders to take it over.

1 - https://theunderstatement.com/post/11982112928/android-orpha...

2 - img link is broken in his post, the graphic itself: http://media.theunderstatement.com/016a_android_orphans.png

3 - https://www.theverge.com/2018/10/24/18019356/android-securit...

For D-Link this is the normal, normal and has been for years. Check out VU#924307 which they never fixed. It could be triggered either by an attacker or just in the normal course of using the router:

https://www.kb.cert.org/vuls/id/924307/

I daresay people aren't going to like this answer but, you ultimately have to align the interests of the manufacturers and the consumers. Which probably means some sort of subscription model and even a requirement that the subscription be current to function.

I know. Yuck. But the only other real possibility is to legislate that such updates be made available for N years as part of the purchase conditions.

> the only other real possibility is to legislate that such updates be made available for N years as part of the purchase conditions

I am unclear why this is not the preferential solution here. "Don't sell lemons" is a societal good.

It drives prices up in equivalence with subscription pricing over the typical lifespan.

(i.e. not obviously better or worse)

Maybe the manufacturers would figure out more efficient solutions given incentives that encouraged them to do so. For example, they might decide it’d be more efficient to use OpenWrt than to do separate security maintenance for N incompatible closed platforms.
Subscriptions are ongoing cash-flow. There's no reward to doing a good job, and there's only a perverse reward to not doing a good job--it keeps people subscribed.

Frankly I think the better option might actually be the reverse: a mandatory payout to every customer for every nontrivial security defect. Not sure how you'd adjudicate it, so it's pie-in-the-sky, but take it out of the realm of the class-action lawsuit and see how serious these manufacturers become about correctness.

Businesses fear only the big stick; it should be swung on the consumer's behalf.

Right. There are differences in incentives and how easy it is to make receiving updates mandatory or the default. But it's reasonable to assume that, however implemented and legislated, everyone ends up--from a financial perspective--having to pay for an ongoing support subscription.
Can you explain to me how a subscription, for which only subscribers get fixes, is not a perverse incentive to ship broken software?

Normal software has an argument towards subscriptions if it's adding features. But routers shouldn't be adding features. Routers should be fixing bugs.

Companies seem to be doing a pretty good job of shipping broken software today without the perverse incentive of a subscription.

Companies do buy subscriptions for older software even though they may only be getting security fixes at this point.

That said, I do think bundling longer-term updates into the cost is better insofar as it means buyers don't get a choice to just use the unpatched software. But it does mean that companies can cut costs by just not patching software at all or for a short period (as today).

> But it does mean that companies can cut costs by just not patching software at all or for a short period (as today).

Sure. Hence the use of a very big stick.

The lack of restraint on bad actors is a societal problem, not an economic one.

Of course, it's a big stick for both vendors and users. Vendors need to patch the software for N years (or whatever) and, given a competitive market, users have to pay for it.
They're not necessarily lemons at the time of sale though. In general, we don't legislate that products need to upgraded and maintained after they're sold. (Yes, there are lemon laws and warranty requirements for defects--which are at least related.)

However, how would you feel about legislation that required five years of dealer service to be included with every automobile sale? Or other products in a similar vein?

There is an idea of harm to the ecosystem/society with unpatched IoT and other network devices though. So perhaps a heavy-handed approach is justifiable.

They were lemons at time of sale, though, we just didn't know it yet. Between that and the ecosystem/society argument, I think it's a no-brainer.

> However, how would you feel about legislation that required five years of dealer service to be included with every automobile sale? Or other products in a similar vein?

This analogy doesn't work for me; software bugs are defects, they aren't something getting old and falling apart. I think that a defect in an automobile should be repaired at manufacturer expense whether it's a year old or twenty.

The operative difference is that intelligent adversaries are not coming up with new and better methods of making your bumper fall off.

The economics of providing 5 years of defensive patching on a $100 device simply does not work.

Then maybe they shouldn't be able to make a profit on doing society wrong in the medium or long term.
Maybe they need to stop shipping a dozen different $100 models with wildly different specifications and come up with a common platform to reduce support costs, like most other industries.

Support costs increase as fragmentation does, it things sold at a reasonable price and without dozens of variations it would be more feasible to maintain longer supported life cycles - but these companies have no incentive to think beyond the next quarter’s earnings call.

> The operative difference is that intelligent adversaries are not coming up with new and better methods of making your bumper fall off.

Not yet.

Laws requiring that consumer electronics not be effectively disposable is also a net good for the environment as well. I'd like my router to have active cooling (so it doesn't self destruct from heat) and run an open source firmware that will survive longer than a single manufacturer may be willing to maintain it. (They all can jointly contribute.)

Phones should have some level of modularity and repairability, so they can last a multiple of their present service life. (Think smaller scale standards like in desktop PCs.)

We would need stronger consumer protection laws and regulations around defective products. My car’s manufacturer just fixed my 10 year old airbag for free, presumably not out of the goodness of their hearts but because they are required to.
Or increase the initial price enough to cover the N years it is expected to be in service. If you make a 5 year router, charge for that. If you make a 10 year router, charge for that. But don't charge for a 5 year router and drop it after 2.
> But the only other real possibility is to legislate that such updates be made available for N years as part of the purchase conditions.

What would be better is to require that the firmware be replaceable with something like DD-WRT or OpenWRT. One of the biggest issues with hardware like this is that the original manufacturer goes out of business and yet millions of people still have their devices.

You can't require updates from a company that no longer exists, but that's not really a problem if their hardware can run the latest versions of half a dozen different open source router firmwares.

There is an even better solution. Simply use open source firmware on these devices and this will not be an issue. It's much less effort to maintain one common firmware rather than a new one for every device.
Some subset of the code may be common. A lot of code that is specific to a particular device won't be. I'm actually open to the idea that vendors could benefit from working with open source firmware and differentiate in other ways. But "use open source" doesn't magically reduce the effort. They probably already have core software bases that they don't need to change all that much for new devices.
The thing is that for a new device you only need hardware enablement in the kernel - something largely one off that manufacturers can do in the same cadence as device sales so their priorities align.

What should be happening is that the FCC / international communications bodies should be directly funding a project like OpenWRT and using regulation to compel device manufacturers seeking approval by the bureau to submit their requests contingent to providing device specific hardware enablement upstream and to default-ship their devices with this common OS. Then those certification costs fund the ongoing operating system project.

If a company then wanted to implement a new feature to push their hardware, they could... by submitting it upstream.

There have been so many billions of developer hours wasted in the pursuit of profit by reinventing every single damn wheel a trillion times over its disgusting to think about and governments should be recognizing this flaw in US-IP-driven software business models and work to correct it.

> What should be happening is that the FCC / international communications bodies should be directly funding a project like OpenWRT ...

The exact opposite is what actually happened. In late 2016, the FCC specifically banned owner-based firmware upgrades[0]. It was ostensibly due to RF configuration, it could also be seen as a concession to the manufacturers.

0 - https://hackaday.com/2016/02/26/fcc-locks-down-router-firmwa...

Pretty much the only custom code that router vendors write is the web UI, which is sometimes a fully custom job and sometimes a reskin of DD-WRT or OpenWRT's web interface. Otherwise, they're generally shipping whatever code they got from the SoC vendor, which is generally a fork of OpenWRT from around when that SoC taped out.

"Use open source" would make the situation appreciably better, because it would mean not accepting any closed-source or out of tree drivers that lock you in to particular kernel versions and non-standard management APIs. Once those problems are out of the way, frequently rebasing the web interface on current upstream OpenWRT is pretty straightforward.

If they used open source the drivers could be mainlined and then you really could just drop one standard OS on it
I'm not really sure there is enough evidence behind your assertion. Google wifi APs have got continuous updates from Sep. 2015 to current day. Sonos players have been continuously supported for 15 years. Apple's just-released OS runs on 7-year-old hardware. There are and have always been fly-by-night organizations that sell junk with bad software and no updates. That's not new, nor is the existence of reputable vendors with long support policies.
All the brands you've cited are "luxury" brands whose proposition includes long-term support.

It's a different market segment that doesn't refute GP's point.

i have a $30 netgear router from walmart that has gotten security updates for at least three years
I’m not going to be hacked because of my Apple TV or my google Wifi router; it’s going to be my light switch that does me in.
Your Apple TV runs 3rd party apps, any of which could be hacking you.
>anyone who can address that problem

If no one addresses this problem, regulations will be imposed.

Do you think it’s possible to regulate all of the internet connected consumer devices coming from China? Routers, WiFi lightbulbs, toasters, etc?
Of course it is. Nations regulate lots of imported goods, from foodstuffs to cars. Nations also have the power to impound cargo deliveries if the importer is notorious for not validating that their cargo is compliant with local regulations.
I think consciousness raising is important to. Many have made efforts to explain these downsides, but it is a never ending challenge to keep the public aware of why closed source technology harms them compared to potential open options. Consumer opinion is one of the tools we can use to change this situation, and an important one IMO.
> This is the new normal, folks. Consumer technology is manufactured for six to twelve months, but live in our homes for three to five years. Today's manufacturers cannot afford to update software for hardware devices they have already moved on from. Changing that requires a significant upheaval in their business models.

Ubiquiti has a number of CVEs and has addressed them in a timely manner, IMHO. If you’re buying the cheapest product then expect the cheapest support. My UniFi stuff is easy to manage and upgrade. I can set a number of auto updates I can’t do with other vendors.

Ubiquiti isn't really consumer, though. They want to target enterprises and businesses.

Sure, their hardware ends up in residential deployments more often than perhaps any other kind of enterprise computer stuff, but if you're not willing to call them "enterprise", I'm going to insist they be practically alone in their own category of "pro-sumer but actually professional-consumer, and not the yuppie garbage that you usually call pro-sumer that's just the normal consumer crap but priced at 4x with a slick black plastic case."

I agree with GP in that the spectrum you are suggesting ("you get what you pay for" actually looks more like this:

<cheap garbage> ----------- <expensive garbage> ----[huge $$$ gap]----- <enterprise stuff for price-insensitive corporations who value brand and risk-aversion more than actual specs>

Which I would reify into the realm of, for example, computer hardware, as follows:

<a $100 best buy laptop with Windows> --------- <a $4000 alienware desktop with windows> --------------- <a $40000 Dell server with out-of-band management and ECC ram and HSM's and dual power supplies and actual RAID controllers and so on>

The best buy laptop and the alienware desktop are going to have the same issues with regards to control and privacy, and you need to make a huge jump to get to anything remotely respecting you.

Ubiquiti is targeting small business (not enterprise) but their prices are firmly within consumer range. (For actual enterprise look at Meraki prices.) Likewise Apple Airport (RIP), Google Wifi, Eero, etc. have long-term support for a modest premium. There's no huge gap.
Yeah, and you don't even need to install a super old version of java to manage or update Ubiquiti products either.
I also have Ubiquiti networking equipment at home.

Originally I had a DLink gaming router, but as soon as that router went out of support I switched to Apple networking gear, thinking Apple would do an excellent job with support. Also, 802.11AC wasn't supported on my Dlink router.

Then I read an article about Ubiquiti networking equipment on ArsTechnica a few years ago and thought about getting that for a forever home.

The thing that sealed my home network upgrade was Apple discontinuing their networking equipment. I figured (at the time) that Apple would abandon support for their devices. I remembered the Ars article from 4 years ago, and took the plunge on a cloud key, access point, USG, and Unifi Switch. Is this overkill or a 1 bedroom apt or 2 bedroom condo? Yes. However, having the piece of mind that the hardware I bought has continuous software upgrades and excellent customer support via their forums is outstanding.

Until consumers are willing to spend on subscription services to keep devices up-to-date, new hardware is the de facto method of paying for software development work.

Of course, in reality, this CVE seems almost un-exploitable in the wild, anyway. How will an exploiter get to the login page in the first place? They'd have to know your network password and be in your physical vicinity, or your ISP would have to send traffic to your router's login page from the Internet.

So they'd have to physically drive around looking for these three specific D-Link routers.

And then what would they get out of a successful exploit? Access to your network's traffic and unprotected file shares (most people don't even have any file shares), and even that level of access will be rather useless for getting important information like bank credentials (protected by HTTPS).

Am I wrong about any of this?

A lot of non-technical people use old Android phones, old printers, etc, and never experience any serious security breach. Some of them do experience a security breach, but it's far more likely to happen in a social exploit (phishing, whaling, etc) or institutional breach (your reused password being breached from a database hack of a popular website). In a lot of ways, ignorance is bliss.

Most routers I've seen have a setting to enable "remote management". The DIR 655 does (see pg. 75 of its manual). If you have enabled that, then its login page is accessible via the Internet.

Many small businesses not only have unprotected file shares, and have remote admin turned on so that their IT person can administer the router remotely (as silly as it is). I saw this so many times when I worked in IT. People make all sorts of assumptions about LAN privacy when setting up their network and devices.

(comment deleted)
You can use Javascript in an ad to make the browser connect to the internal IP address, which often is something like 192.168.1.1 and then once you’re in you can add the device to a botnet and sell its bandwidth or reroute its traffic.
>Of course, in reality, this CVE seems almost un-exploitable in the wild, anyway. How will an exploiter get to the login page in the first place? They'd have to know your network password and be in your physical vicinity, or your ISP would have to send traffic to your router's login page from the Internet.

Nope. Not at all. Most router attacks these days are malicious JavaScript (like in ads and trackers) that send HTTP requests to the router from the user's own web browser (already inside the network). No proximity access is needed

https://arstechnica.com/information-technology/2019/07/websi...

Would this not also require some sort of exploitable CORS vulnerability?
Depends on the attack and the vulnerability. The article does say this:

> The attacks work when routers use weak administrative passwords and are vulnerable to CSRF attacks.

Which implies that a cross site request is being made. So e.g. you put a hidden form in a netf1ix.com page whose action is at some URL on the router. The user ends up accidentally posting data to that URL which is not affected by CORS and same-origin.

CORS prevents the JS from seeing the result but it doesn't prevent the sending of the request.

This is one of the reasons my internal network is not 192.168.1.1/24 and the router is not 192.168.1.1.

> This is one of the reasons my internal network is not 192.168.1.1/24 and the router is not 192.168.1.1.

Do you also disable WebRTC on all clients on your network? An attacker (or script) may be foiled by your non-standard gateway network, but your work in obfuscating the router is wasted if they can get at your client IP address.

Doesn't CORS generally send an OPTION request first to see if the target site even allows the requests, thus preventing this? That's what I've seen when trying to work around browser CORS limitations.
You can also just do a normal form post request into an invisible iframe that is generated by the attacker's javascript.
You can submit forms without CORS as long as there is no CSRF protection. I don't know what CSRF protection is being used.
Normal form posts don't require pre-flight requests. DNS rebinding attacks can be used too.
Until consumers are willing to spend on subscription services...

You cannot shift a Gresham's Law race-to-the-bottom dynamic by insisting on consumer (or producer) willpower. You've got to enforce a floor.

In other consumer (and industrial) products, this has tended to happen through the combined mechanisms of strict liability, certification, and independent inspection (in specific cases).

Where manufacturers, or as seems more likely given the industry concentration around sales points, retailers, are liable for the consequences of unfit-for-purpose devices and services, a reasonable set of minimum requirements (including life-of-product and update requirements) can be specified, then you might see a shift to some mix of time-of-sale plus subscription service pricing and payment models.

More likely you'll see devices bundled with services (which sometimes happens), though preferably in a far more user-friendly basis than is presently the case (e.g., cable service set-top boxes).

There's actually a long history of leased-equipment business in the IT sector, most notably as pioneered by IBM in the 1950s and 1960s.

Ma Bell was leasing telephones since the days of Alexander Graham Bell. In fact you weren't allowed to use any telephone except one leased from your telco until the breakup of the Bell System in the 80s.

Not sure that is what we want to go back to.

There were definitely problems and abuses with the model.

But the hardware itself was robust and reliable.

Remember: "We don’t care. We don’t have to. We’re the Phone Company"

Fake commercial on Saturday Night Season 2 Episode 1.

(It wasn't called Saturday Night Live until later.)

See also the Charter lawsuit where it was revealed that Charter was renting very old equipment to their customers for years and didn't care.
AT&T didn't just come out and install a newer telephone because they had a newer model. If the equipment is fit for the service why replace it?
If you rent a $100 device at $10 a month for 10 years you end up paying $1200 and still not owning it.

I can see why consumers and consumer advocate groups don’t like this.

The customer should always have the option to buy their own hardware - that's to me something that was fought for (and won) with Carterphone
(comment deleted)
I should have said they were renting very old and inadequate equipment; it wasn't fine and they knew it.
AT&T later in its history, 1960s - 1970s, offered the option of uplines (touch-tone, "Streamline", "Princess", and eventually Mickey Mouse telephones) as service upgrades. So there wasn't no interest in innovation, though I'd agree with the general view that the interest was low.
None of those were real technical improvements over the 500/2500 set however, they were upgrades designed to please the customer aesthetically.

Meaning, all of those sets performed more or less (in some cases less, specifically in certain special service applications) identically to a 2500/500, and at least one of those was a 2500 in a mouse shaped box.

Touch-Tone was actually a value add for the telco because it reduced register holding times in crossbar switches, and could reduce the amount of common control hardware needed, yet they still charged more for it (and the service too)

(Also, I think you mean trimline not streamline)

Thanks, yes, Trimline.

I'm really not going to try to defend AT&T's specific level of innovation.

I'm noting, however, that the possibility of offering a range of hardware at a range of price levels and allowing for volitional subscriber updates is possible, and was practiced.

That's where the minimum standards aspect comes in. The problem of noncompetitive monopolies failing to innovate and actively quashing independent inventors (see: Walter Shaw, Sr., amongst many others) is a risk of this approach.
As soon as warranty/support expires, the device must be free for DRM/reverse-engineering. This will incentivize manufacturers to offer longer support.

Edit: Rather they should actually provide the spec, drivers etc

There are a lot of routers using GPL code that have open source firmware available (ddwrt,openwrt,tomato,etc.) I think once support for a device ends it should be mandated that the company release the source code for future development.

There is a worrying increase in the amount of IoT devices that will remain forever unpatched due to the (cheap overseas) manufacturers never updating them or ending support for them.

Make that one year before ending support, so there is both time to prepare and incentive to open source early.
As support expires or EOL the manufacturer should be forced to release their firmware code to ensure older devices can be patched, if they want to keep operating and selling new devices. this requires legislation though.
(comment deleted)
And most consumers probably lease their routers through their ISP as modem/WiFi router combos, which essentially remain supported and updated by the ISP.

If we alternatively enforce a floor on security updates for user-purchased routers, let’s say we require security updates for the physical lifespan of the device (10 years?), they will be baked into the price of the device in some way, and I’m not sure the majority of home router customers who essentially look to spend around $20-40 will be willing to bear that cost.

An example of that in action would be purchasing a business SKU laptop compared to a consumer one, and taking a look at the length of driver support.

As others pointed out JavaScript can try to access stuff but even more than that, the 400 apps on your phone, the 50 on your Mac and all your Steam games on your PC, all have full network access that JavaScript in the browser does not have. They can access every port, send corrupted packets, and scan your entire network for exploitable devices.
I just fundamentally don't think a subscription service is fair here. After all, users are paying for the fixing of errors that shouldn't have been there to begin with. It's not the fixing of problems that are newly created but the fixing of defects that were there all along. Plus, the incentive here is backwards; in the most degenerate case, companies are incentivized to sell things as buggy as possible in order to sell the most bug fix subscriptions possible.
I see your point but I overpay for the iPhone I’m typing this on partly for that upgrade service. It is also something I appreciate about the Tesla as opposed to every other car I’ve ever had.
> Until consumers are willing to spend on subscription services...

Ok, I’m willing. Where do I sign up?

Which manufactures are offering this service for residential grade equipment?

There is none. Everyone should have a Meraki security appliance in their home.
Eero doesn't charge for updates, but they do have a subscription service for value-add services that cost them money, and have a pretty good track record of pushing automatic updates.
One solution would be to force the source code of non supported devices to be released (by law) so that third parties could be paid by individuals to update and patch them as long as there is a market.
Or manufacturers can stop making "smart" devices just so they can fill them with ads and malware, leaving customers exposed to unlimited amount of threats.

It's not like they're just "giving you the choice" either. TV makers have already started completely removing non-smart TVs from their line-ups for instance.

I don't want a smart TV. If I want my TV to be smart, I'll buy a $50-$100 set top box I can upgrade in 2-3 years and is probably significantly more secure. Meanwhile a "smart" TV I will keep for 10+ years, but won't receive updates even for 20% of its lifecycle.

Why can't an attacker with router access poison the DNS, redirecting a bank address to the router itself with a fake cert, and duplication of the login screen and steal credentials that way? (Or probably better, steal online MUA [ie email] credentials).

I guess 2FA might block them, but if it were a typed in code you could still get it.

Until manufacturers are liable for the damage they cause to security, and data loss events for consumers manufactures will continue to have unrealistic planned obsolesce model (12 months should never be the expected life span of a router) to force consumers to continually buy new hardware
>"Today's manufacturers cannot afford to update software for hardware devices they have already moved on from."

What is this statement based on? None of your links show any kind of unit economics that support the assertion that providing critical security patches for a defined support window is infeasible for manufactures and their business models.

I agree wholeheartedly, and outright reject the premise of the original statement.

This is a choice that they make. Yes, having a legacy support team is going to cost a bit of money, but not a ridiculous amount. Maybe instead of having a ridiculous number of barely-differentiated SKUs, they could lighten the support burden a bit by making a smaller number of solid well-supported models.

Edit: also, basing the models on a common platform would help too. I assume they generally do this already, but if not...

basing the models on a common platform would help too. I assume they generally do this already, but if not...

They don't, because they save a few dollars by re-bidding each product. So each company is shipping a random assortment of Broadcom, Marvell, and Qualcomm reference designs, all running incompatible software stacks.

> random assortment of Broadcom, Marvell, and Qualcomm reference designs, all running incompatible software stacks

How... what... c'mon! You're totally right [1], and even within similar model numbers (e.g. the DIR-300 B-series uses Ralink chips, but the DIR-330 uses Broadcom). Yeesh.

Well... I guess I'll just keep on picking devices supported by OpenWRT and not rely on vendor firmware at all. Yuck.

[1] https://openwrt.org/toh/start?dataflt%5BBrand*~%5D=d-link

> Can you provide an "enterprise class embedded OS" to device manufacturers and address post-deployment updates? Can you provide infrastructure device manufacturers can use to manage post-deployment updates themselves?

Partly to your point, Buffalo was using DD-WRT for their wireless routers [1]. I have two of them at home, updated to the latest LEDE/OpenWRT. They're mostly fine [2].

Buffalo's support was not great, lagging far behind the latest DD-WRT when they were still providing those updates. As a power-user, I didn't mind since I could switch, but it was not a great showing for vanilla consumer.

Sadly, Buffalo has stopped making them, I suppose the business model didn't survive such a low-margin segment. I definitely appreciate the continued open-source support though!

[1] such as https://www.buffalotech.com/products/airstation-highpower-n3...

[2] I've had to reboot the main one to regain network connectivity a couple times, and it currently loses Wifi settings on power loss. Not great, but not enough to make me switch away yet.

I think there are other brands that allow openwrt, such as the linksys wrt ac series:

https://openwrt.org/toh/linksys/wrt_ac_series

Their support for the first models in the beginning was a little spotty, but I think they are great systems now

The Nerves Project is positioning itself to address this well.
This all is simply fixed by open-sourcing the outdated software.
Open source the in date software as well. All home router software is absolutely horrendous
> Can you provide an "enterprise class embedded OS" to device manufacturers and address post-deployment updates? Can you provide infrastructure device manufacturers can use to manage post-deployment updates themselves?

Ubuntu is already doing this: https://ubuntu.com/internet-of-things

For Linux distributions, security updates and maintenance are a solved problem. Ubuntu adds to this a read-only filesystem with atomic updates for embedded devices, vendor-only apps and app stores, and so forth.

Disclosure: I work for Canonical, but not in this particular area.

Speaking for myself, I find it frustrating that Ubuntu's solutions aren't more widely known and recognised. As far as I know, our community is very aware of the issues involved in this space and there is no other solution that solves the "IoT maintenance" problem properly.

I've been looking forward to seeing Canonical's adoption in IoT getting better and better. Here's to hoping.
> This is the new normal, folks. Consumer technology is manufactured for six to twelve months.

Not completely true. For example, just something I discovered recently is that some e-book readers have very long lifespan if you look inside and ignore the battery. There's not even an electrolytic or tantalum capacitors there. Really nothing that will expire.

If you don't kill it mechanically, these will survive for 10 years+ just fine. Even the internal memory holding the OS and your data is easily replaceable (uSD card, and no other memory that can get corrupted). Indeed you can easily upgrade your $150 2GB e-book reader to 32GiB for $6, with a much faster uSD card. Or even replace the OS completely. ;)

The only thing that makes these devices' lives limited is the battery and the cheap noname uSD card. They even make it so that display is easily replaceable, no glue or anything.

What I hate is lack of commitment to free software. Manufacturer will just dump incomplete old kernel code on github once, without a source code to also GPLed bootloader, after years of nagging from users, and calls it a compliance with GPL.

They don't even bother with mainline Linux support, that would make it so that anyone could use their device for whatever creative prupose and it would get automatic longterm software support for free, even after they would not want to bother anymore to support it.

It's not even a cost thing, I just reverse engineered one such device and it now runs Linux 5.4-rc2 and all HW works, including an eink display driver. It took about 2 weeks of occasional work. Instead the manufacturer probably spent huge amount of time hacking together some old kernel and messy SoC vendor drivers, so that the OS at least holds together for their purposes.

It's probably just some culture thing of not giving a fuck about anything but themselves. And there's a huge amout of waste as a result. At least some people sell these devices if they are just locking up/hanging (sure sign of uSD card data corruption) on eBay. But many will probably just throw it out. Such shame.

So yeah, some tech is indeed solid, but manufacturer will gladly mess all the benefits up on the software side, for no real reason, at least to me.

What model is that?
http://linux-sunxi.org/PocketBook_Touch_Lux_3

But I hope people will buy second-hand or broken + replacement display instead of supporting the company and buying new, if they want to play with it. They don't really deserve any support for abusing the free work of others and violating the GPL license.

(comment deleted)
> I'll point out the enormous opportunity to anyone who can address that problem. Can you provide an "enterprise class embedded OS" to device manufacturers and address post-deployment updates? Can you provide infrastructure device manufacturers can use to manage post-deployment updates themselves? Do you have a better approach to it? There's a burgeoning multi-billion dollar market waiting for a few leaders to take it over.

There's no market for this. The market is for $50 device. Android Phones, nearly flagship, that sell for $500-700 get at best two years updates. People want $50 router that they can throw away when it stops working.

I have a $350 router. I have had it for 3 years by now. It is a tiny passively cooled industrial PC that fits into a VESA mount with an Intel Celeron, 128Gb SSD and 2x wifi modules. Why two? Because i want a guest network to be separate from the real network and i want crap-wifi speaking devices to be isolated via VLAN etc. It is running Debian and even techies marvel at the speed, functionality and all the goodies. They want to know where they can get it... Until they hear that it was $350 at which point they go "I was thinking i would pay about $80". A dinner for two in a Puero Rican chicken shack with a couple of beers will be $35!

> but live in our homes for three to five years

I have a wrt54g that's 10+ years old running at my grandma's house...and running dd-wrt because no one making APs 10 years ago, and even now, was that good at security and stability.

What's telling is that the hardware is the part that still works, and I bet part of it is that software fixes are easier than hardware, so you can get away with lower quality software.

I think that's a great idea (I run openwrt)

However - I have to ask - have you upgraded her dd-wrt?

I check in on it once a year, or so. It's not really enough, but the hardware's so limited, I don't think there are many changes getting made to it, anymore.
> Can you provide an “enterprise class embedded OS” to device manufacturers and address post-deployment updates?

How about Microsoft’s Azure Sphere Linux/cloud product with “10-year lifetime” support?

> Azure Sphere will feature a turnkey cloud security service that guards every Azure Sphere device, including the ability to update and upgrade this security protection for a 10-year lifetime of the device.

https://blogs.microsoft.com/blog/2018/04/16/using-intelligen...

Samples: https://github.com/Azure/azure-sphere-samples

Pricing, with support through July 2031: https://azure.microsoft.com/en-ca/pricing/details/azure-sphe...

Azure Sphere looks awesome but they need more SoC models for different use cases.
> Today's manufacturers cannot afford to update software for hardware devices they have already moved on from.

Well, they could (D-link has millions), but they won't because it would eat into their obscene profits.

> Consumer technology is manufactured for six to twelve months, but live in our homes for three to five years. Today's manufacturers cannot afford to update software for hardware devices they have already moved on from.

And yet my over 10 year old PC still gets the latest updates. Manufacturers have brought this on themselves, by locking and closing their devices, and insisting on proprietary solutions when open alternatives exist, or could exist.

Its been the norm for a long time now. I've always wondered why printer manufacturers could get away with universally exempting themselves from security audits. People just admitted they were bad and said: "don't even look at it wrong or it'll dump all its paper and toner on the floor"
It really does. I had a network connected Xerox printer that would hang until rebooted, only by port scanning it with nmap.
> Can you provide an "enterprise class embedded OS" to device manufacturers and address post-deployment updates?

There is already vxWorks, they don't have to start from scratch and they're already widely used in the industry. (There are others as well).

Anyway: The devices in question are running some Linux with a custom web interface on top. Patching this specific flaw is just about having one engineer add a few lines to the webif git, trigger a rebuild, flash to a qemu VM (could happen automatically) and test if the interface still works. If that's the case (which is likely), put the firmware as "unsupported"/"alpha" on the company FTP.

This assumes they have proper tooling (e.g. tagged git, automatic&deterministic build server, an efficient test environment,...). If they don't have, they probably wouldn't buy it (or, maybe they would?).

Automatic post-deployment are only the end of the chain, and for cheap embedded consumer systems there are good reasons against it: "My router didn't react, so I powercycled it" is problematic if it was just applying an update (resilience against this costs money, which is tight). And then your 1st level support has to explain your grandma how to use tftp to flash the firmware via the bootloader (this is bad for 1st level support suicide rates). Did I mention all the crap should be cheap? What good is a well maintained IoShit device if it costs 4$ more than the poorly maintained competition? Chances are high you won't sell enough to sustain your company - unless you go into a premium segment and just charge twice as much as the competition, which might still be problematic (consumer expectations change a lot with price - cheap and vs. expensive and nice).

Also, at the other end of the embedded spectrum: Industrial embedded systems should probably only be updated if really necessary, e.g. if something is broken due to bad firmware. Downtime is really expensive for huge manufacturing plants, especially if unscheduled (in addition to the machine[s] not producing value, your 500 workers a fiddling their thumbs), so you want to reduce the number of opportunities for this to happen.

> Can you provide an "enterprise class embedded OS" to device manufacturers and address post-deployment updates?

Yes. At least for routers, the topic of the article, OpenWRT is that OS. Any manufacturer can make it work on their router very cheaply. Any customer can install and upgrade it indefinitely.

The killer app would be a portable, secure (say, seL4), extremely fast-booting OS that handles hardware and tasks asynchronously. Right now, I'm dealing with a Xfinity->Cisco->Pegatron router that reboots spontaneously 15x/day, the web interface takes 2 minutes to load a PHP page and it takes 2-3 minutes to reboot. This is unacceptable since software doesn't have to behave like this... we can and must do better.
Isn't planned obsolesce illegal in some places? Ending security updates is the very definition of planned obsolesce for an internet-connected device.
I used a DIR-655 router up until 4 or 5 years ago. I threw it out because there was no new firmware for it, and neither OpenWRT nor DD-WRT supported it. I replaced it with something that did. Looks like I made the right call.
I do not own a DLink router but do own a consumer-grade Gateway from Netgear. Is there any mechanism I can use to check for published vulnerabilities against my hardware?
Whoever patches them will be the one who maintains control over them. What organizations are best positioned to do that? I suggest the intelligence agencies of Russia, Israel, and the US. Whether any of them will take the opportunity is anyone’s guess.

Of course, the underlying problem here is that users depend on vendors for patching, and their incentives are misaligned. Free software like DD-WRT removes that dependency and thus the incentive misalignment problem. To the extent that educational, legal, and technical measures prevent users from exercising the freedoms of free software in practice, these problems will get worse and worse

I have a D-Link DIR-655 (which is on this list) as my home router. Ironically, I was going to replace it a few months ago, but the speed is still fast enough for my network.

A few posts mentioned installing a different (open source) firmware. But, both OpenWrt and DD-Wrt aren't compatible. Am I missing another option?

As an aside, can anyone recommend a wifi router that runs either OpenWrt or DD-Wrt well, for $100-$150?

You aren't missing another option. The 655 is based on an exotic architecture (Ubicom32) that never had the specs released for it to develop 3rd party firmware. Its why I trashed my 655 years ago.
> D-Link last week told Fortinet’s FortiGuard Labs, which first discovered the issue in September, that all four of them are end-of-life and no longer sold or supported by the vendor (however, the models are still available as new via third-party sellers).

OK, let's say I am someone who actually knows "end-of-lifed" is a thing, and a thing you don't want...

How would I check to see if a certain router was end-of-lifed before buying it?

If I can figure that out, and I know it's not end-of-lifed, is there any way for me to see how much time is left in it's life before it's end-of-lifed, how would I check to make sure a router I was buying woudln't become end-of-lifed tomorrow, or next week, but has, say, a year or two of supported life left at least.

Obviously, what D-Link is counting on is that most customers won't know that this is even a thing, wont' know what questions to ask, won't realize their router is end-of-lifed, won't realize their router is vulnerable, won't realize it if their router gets hacked, and it wont' effect their likelyhood of buying another D-link router or telling others to. It's not that they think this kind of support is going to be considered acceptable to their customers -- it's that they think their customers won't even be able to figure out what kind of support or security they are getting, mostly won't even realize this is even a question to ask.

And they're probably right.

How would I check to see if a certain router was end-of-lifed before buying it?

You should be able to Google "$MODEL_NUMBER support", although D-Link's Web site is pretty bad and doesn't say tha the product is EOL (although since the last firmware update is from 2013 you could guess).

Linksys routers still ship with Samba 1.0 which has literally been deprecated for like 20 years now. These companies literally don't give a crap what they ship, I can only imagine that the firmware is made by someone who stood next to a building where a talk about internet security was held....a month earlier.
I'll think twice before buying D-link again. They've just tarnished their brand irrevocably for me, even though my router is not affected - I had to turn it over and compare version numbers to be certain, and I don't want to have to track exploits and check version numbers to have peace of mind.

What manufacturer can I buy next time with a good security record?

One where you can wipe the original firmware and install OpenWRT.
Or AsusWRT! I'm pretty happy with my RT-AC3200.
There may be other answers here, but this is really the only guaranteed one.

OpenWRT really is the greatest.

(comment deleted)
Mikrotik or Ubiquiti. My >10yo hardware still receives updates (latest version, not a few backported changes).
This. I just decommissioned 5 x AP and 2 x backhaul radios this summer from Ubiquiti at a remote site I manage. These were all purchased and installed in 2011. I replaced them all with newer equivalents, not because they weren't working or weren't receiving updates - but because I'm 4 hours from the site and told the owner they've gotten their ROI and needed to preemptively replace. This happens to be my in-laws place and I don't want to deal with replacing some outdoor radios in the middle of a Midwestern winter. I sold all the gear as a package for about $150 and the buyer was well aware of the age and the fact that 3 of the devices had been outside that entire time. I commend Ubiquiti on the commitment to their line of products and the updates all devices that were in service continue to receive.
Both tend to pick pretty well-understood and supported SoCs. Large consumer brands are more cost-conscious and use cheaper chips with more custom work to support them, and the custom work ends up being buggier. IIRC, Ubiquiti started out by being based on OpenWRT. Not sure if they still are.
Ubiquiti does really nice. It is not a "here is a pizza box device that does internet" device though.
ASUSWRT is based on (and contributes to?) openWRT
Schneier has recently argued that there is a missing market for IOT security in the sense that devices manufacturers have no incentive to patch impose external costs on society, and that this might be hard to fix without regulation.

https://www.eweek.com/security/ibm-s-schneier-it-s-time-to-r...

Also - his recent book "Click Here to Kill Everybody" discusses the problem of IoT security in depth (ie. that the lack of it will risk increasingly dire consequences). One of his solutions is regulatory: a new federal agency for consumer cybersecurity. One of the particular things he would want mandated is that IoT devices be patchable, at a minimum.
My experience only, of course, but every D-Link product I've owned has been a nightmare, from config on. I've been sticking with ASUS for a while now and so far all is well...
A friend is using my old DIR-655. I would like to warn them, but I need to understand this better first.

Am I correct that this allows administrator access to the router, but requires connecting to the router's network (either via having the WiFi password or having physical access)?

IIRC, the DIR-655 is also stuck on WPA2, which was broken, so the WiFi password doesn't offer any protection either. In which case, anyone within range of the access point could access the admin panel.

On one hand, this sucks because aside from these vulnerabilities, the DIR-655 works fine. On the other hand, I think I bought it over a decade ago.

Maybe we need some class-action lawsuits. This is very bad behavior.