
How many home routers aren't compromised or have known vulnerabilities? It would be interesting if a study looked at a random sample of the population of home routers to determine this. Go to people's homes and actually check. These articles always seem to look at it from the "how many compromised routers have we found so far" angle. I suspect that if the story was "90% of home routers have known unpatched vulnerabilities", these security issues would be taken more seriously by the companies responsible for them. And if they don't act, regulate them out of existence.


> regulate them out of existence

When the main players of an industry demonstrate unwillingness to take it upon themselves to resolve problems that negatively affect society at large, something needs to be done for sure.

I am generally in favor of regulation, and it might be the answer in this case also. However, I worry that the regulations that would be introduced to fight router vulnerability might lead to a situation where router owners no longer have the possibility of flashing third-party firmwares such as DD-WRT.

In my opinion, being able to flash third-party firmwares is more important than a lot of people might realize.

Firstly, router makers necessarily target the market as a whole, and as such the factory firmwares found in consumer grade routers are generally lacking in advanced features that only a small portion of the market has a need/desire for.

Secondly, open source firmwares can more readily be audited for backdoors. Of course, backdoors could still exist in parts of the router hardware that are not controlled by the main firmware though...

Anyway, the reason I worry that regulation might threaten the possibility of running third-party firmware is two-fold:

1. The regulations might specify that bootloaders need to be locked down, etc.

2. Router makers might decide to lock down the routers even if the regulations don’t directly require it, in order to be able to prove that security demands are met.

3. Router makers might use regulation as an excuse to lock down routers even if there is no real reason to do so.


Perhaps the regulation should mandate support for third-party software, such as DD-WRT.


> And if they don't act, regulate them out of existence.

Sounds easy but doesn't work IRL. The service providers don't build the units and rely on the supplier. The supplier might have patched it but wants money, and the ISP doesn't want to pay. Maybe the patch breaks something else and the ISP doesn't want to put that on all their users.

Also, not all vulnerabilities are equal. Some are more serious than others and require patching urgently, others less so.

And not all ISPs can push a patch so how do you tell everyone to update and what happens when it doesn't work and 1M people are calling Customer Support?


Comcast has functionality where they will email and/or text you if your connection has botnet or other nefarious activity on it and will disconnect you until it's resolved. Not a fan of them, but it's something they get right.

https://i.imgur.com/cYKXtII.png


If an ISP can't push reliable updates to their hardware they shouldn't be in business.

Vulnerabilities should be prioritized of course. But I honestly don't mind when someone creates a worm that bricks crappy devices that ISPs know are vulnerable. It's a public service at that point.


I think a solution that generalizes and has the possibility of actually working is for the result of compromised hardware to show up in the consumers' bill.

We expect to pay a low, fixed, monthly price for unlimited bandwidth, but what happens when someone else gets their hands on that bandwidth?

It's nice to hold manufacturers accountable for their woes, like shipping routers with "admin":"" creds, but what about all the other reasons devices get pwned, like users downloading malware or falling for those fake download-button ads or using something like Hola VPN that turns them into an open relay?

Some ISPs will give you a phone call or shut you down entirely if they probabilistically think your bandwidth is compromised, but that involves a lot of complexity.

If ISPs weren't racing to the bottom with the meaning of the word "unlimited", they could be honest about bandwidth prices and service levels instead of using a complicated throttling system to maintain the facade that bandwidth really is unlimited.

Also, there would be natural filtering pressure against, say, insecure IoT devices that end up impacting people's ISP bill.



