Wi-Fi devices, including home routers, are vulnerable to hackers because patches are rarely applied and updating software is difficult after release.
Well over a year ago, attention was brought to what would be a web security vulnerability of epic proportions, with the receipt of an email by a small software company. The email, sent by a computer security researcher, stated that a flaw in one of the software company’s programs was putting millions of people across the globe at risk of falling victim to being hacked.
Allegro Software Development Corp set their engineers to analyze the flaw in the program, which can help users access the controls of home Internet routers. Upon investigating, something very odd became apparent, this particular bug had been fixed 10 years prior. Yet here it was, continuing on in new devices.
The reason for this was a component maker had included the outdated 2002 version of the Allegro software with its chipset, and it had yet to be updated. These chips, specifically, are used in the making of more than 10 million devices by router makers. Router makers have responded by stating they weren’t aware the bug had been fixed by later versions of the software.
Problems with Computer Security
This particular instance shed a great deal of light on an ongoing security problem in computer security: It is difficult to fix bugs after they have been released and often gets overlooked completely. In order for this to be done, the creator must develop the fix, or “patch”. Once this is done, potentially millions of users need to be alerted, and are required to install the patch themselves, regardless of technical ability.
This creates vulnerabilities at many points. Patches often are not distributed, and when they are, users fail to install them or are unaware of the patch, meaning hackers are given a weak link to exploit.
The problem Allegro specifically had was that they were unable to apply the patch because they have no access to the effected devices. That being said, all the company can do is urge manufacturing companies to use the latest version of the software, but there is no way to require them to do so.
The Wall Street Journal conducted an experiment in an attempt to better understand the problem with routers and commissioned a computer researcher to test 20 well known Internet routers, all purchased within the last six months. It quickly became evident that a problem of great magnitude was upon as, as the following results were revealed:
- Half arrived with well known, documented security weaknesses, running outdated firmware.
- 4 in the group were running outdated firmware that had subsequent updates that could potentially contain undocumented security problems.
- 10 of the 20 tested routers didn’t easily allow for users to check for new software during the initial setup process. Users were required to run optional programs instead, or search the Web.
- 2 of the routers told users that no software updates were available, when in fact they were.
- 1 even directed users to download software that had a documented severe security flaw.
These findings align nicely with those of another investigation done by a former researcher at Check Point Software Technologies Ltd., who was also responsible for finding the Allegro bug that has been deemed “Misfortune Cookie”. This is because it allows hackers to attack the router using malicious Web cookies.
In Internet scans conducted by the researcher in the spring, it was found that almost 80% of the routers that originally contained the Misfortune Cookie were still vulnerable. This was 5 months after device makers made public announcements.
The Problem With Router Makers
Security is being put on the back burner by router makers. It is the end user, not them, who pays the price for poor security, therefore, the focus is on cutting the price in order to win contracts, not on the device’s security.
Several router makers have gone on record saying security is a priority for them, with many having plans to improve how they notify users of new software. Currently these notifications are usually dependent on the user noticing an update on the routers website. In addition many manufacturers also stated that routers are fixed according to how new they are, with routers a couple of years old or older rarely getting fixed.
You need a trusted technology partner that specializes in keeping your technology up-to-date with the latest patches. Call (800) 519-1872 or email us at firstname.lastname@example.org to find out more about our managed IT services.