Jeremy Hitchcock

#SecurityFail For Home Routers

Have we become numb to security? Short of our phones showing a black screen or someone hitting us over the head, I’m not sure that people care. The news about VPNFilter and maybe as few as 500,000 homes and small businesses being compromised passes like a normal news day. Basically, your home Internet connection is opened up like a freeway on-ramp and it’s allowing your Alexa, TVs, and cameras to be globally accessible, just ready to be broken into and watched remotely.

And the fix is even more outlandish! While there is some merit to “rebooting” your router, it’s simply like closing the door but leaving it unlocked. The core problem is that home router vendors have been terrible and continue to be terrible at software.

Almost all of them are straight-up hardware companies and outsource the software and cloud/mobile applications. I mean, when was the last time a consumer router’s interface won a usability award? When they ship their product, the software version is often stale and never updated. They act like desktop software circa 1990: their products have little cloud-enabled smarts, they do not auto-update, and they do not evolve. The hardware makers just plan on you replacing that hardware.

Meanwhile, service providers have been wrestling with the connected home. For years, they have disavowed the inside of the home as something they do not support. Now, with the tsunami of Internet of Things (IoT) devices, they are looking to extend their view past the gateway. As many of them grew through acquisition, they are faced with a heterogeneous stack of proprietary hardware that’s not designed for the IoT world. So, they want to help, but they are hidden behind years of pseudo-obsolete hardware.

I could not be more excited about Minim’s opportunity. While we focus on the consumer experience to deliver network and security management, we are often called on to manage the fleet of gateways in the field for a service provider. It means that we have to roll security releases, general releases, beta versions, and pilot tests on a customized, on-demand basis. Minim was secure from VPNFilter and countless other attacks we have observed. Even if we are ever vulnerable, we can stage a rollout and deployment in hours and save thousands of customers from being infected as a result and reverse the infection of others.

We need to call on vendors like Linksys, MikroTik, Netgear, QNAP, and TP-Link to do better. My message to them would be: focus on software, auto-update by default, or just stop. By constructing sloppy software, you are increasing the attack surface of IoT.

Short of product liability issues or a mass consumer response to a really bad attack, this isn’t going to get any better. The FTC tried to push on this issue. Consumer behavior is largely replaced by service providers, who have aggregated the spending on Internet for the home. I’m willing to wager that we’ll see another one (or even two) of these events in the next 12 months.

What we need is Minim, and more solutions like Minim, to secure all of the Internet at home. Otherwise, a large portion of a million homes are going to be opened up for all sorts of identity theft, spying, extortion, or worse.