As the Wall Street Journal explains, it’s all down to the router — or, specifically, the patches.
Stuff that runs on software (so, basically all stuff) generally needs regular updates. We’re all used to our computers and phones (and video game consoles, and tablets, and…) downloading patches on the regular. A lot of the time, that’s because there was some unintended vulnerability somewhere in the original code, and the company that designed it is pushing out a patch to fix that hole.
Sometimes, though, the supply chain gets, well, a little too hairy. For example, the WSJ points to a Massachusetts company that received notice in 2014 that code they wrote home Internet routers had a big bug. The problem? The company had identified and patched this bug already a decade earlier. So why were security researchers still seeing it?
The answer had to do with the whole chain of parts that goes in to making any single widget. One company that made chips that control routers shipped its chips with the 2002 version of the software on them. Companies that make routers then bought and used more than 10 million of those chips to make their devices. And all the while, the old, unpatched version of the router control software kept circulating, even though a newer, safer version was available.
We update our computers and phones and PlayStations because they tell us to, basically. Now imagine your phone didn’t tell you when the apps or operating system needed to update. How likely would you realistically be to remember to sit down with it every week (or more), go through every program, and download and install updates as needed? And what if there were no easy interface for looking at your apps — no Google Play or App Store — and instead you had to log into each one individually to check?
Given that human nature is a real thing (how many of us actually remember to floss our teeth literally every day?), and that the vast majority of home users are not themselves super technically savvy, it seems unrealistic at best to expect that most of us would. On top of that, the firmware that runs gadgets is often out-of-date before users even open the box.
Welcome to the reasons for poor security in the internet of things.
The WSJ hired a security researcher to sit down and look at 20 of the most popular routers sold in the back half of 2015. Ten of them shipped with known vulnerabilities — outdated firmware — still present. Another four had old firmware but then installed updates that may or may not have had unknown security problems.
But here’s where it gets really tricky: of those 20, half did not have a patching process built into their installation at all. Instead of automatically checking for and offering to apply updates, those ten routers require that users know how to look on the web to find and install the correct updates. Two more said that no updates were available, when in fact updates did exist. And one updated to a “new” firmware version that had a severe, known flaw in it.
That’s 13 out of 20 that in some way failed the user on installation… and that’s a problem.
Those out-of-date routers don’t tend to get updated later, either. That 2002 bug that was still kicking around in 2014, called “Misfortune Cookie,” was still showing up on 79% of the affected routers as late as 2015.
On top of all the difficulty in finding and installing updates, the older your router is, the less likely a manufacturer is to even bother making a patch. That’s a real problem for devices that users either get from their internet service provider or buy once and then largely forget about.
While routers are literally the gateway into a home network, they’re hardly the only weak link. How often do users patch their smart TVs? How often are most consumers likely to patch their refrigerators? Their cars? Their coffee makers? Their washing machines?
Maybe the best tactic to take, the WSJ surmises, is to make automatic updates — pushed to users, frequently — the default, and much more widespread. That tactic has worked for Microsoft Windows since 2004 and for Firefox since 2013, the WSJ points out.
Rarely Patched Software Bugs in Home Routers Cripple Security [Wall Street Journal]