Oft-forgotten, why the humble router remains one of the most insecure devices in your home

With all the emphasis on security, ask yourself: When was the last time you updated the router in your home?

Rarely updated, routers are easy, high-value targets for intelligence agencies and criminals alike

Experts say there's no incentive for manufacturers to release updates for their routers after they've been sold. (Andrew Sorensen/Flickr)

For all the time that we spend thinking about the security of our phones and laptops — about encryption, strong passwords and two-factor authentication — comparatively little attention is paid to the humble internet router.

The tiny box is probably one of the most important pieces of technology you have in your home. It's the one device through which all of your other devices connect to the internet. But despite being responsible for such an important task, most routers remain hidden away, rarely monitored and even more rarely updated — if their software is updated at all.

It's why, for intelligence agencies and criminals alike, routers — plentiful and often insecure — are ever-increasing targets for attack.

"Once you target a router, you don't just get access to one computer," says Eva Blum-Dumontet, research officer for London, U.K.-based Privacy International. "You get access to any computer" or device that connects to the internet through that router, too.

Documents released by WikiLeaks this week that detail the breadth of CIA hacking tools underscore just how valuable that access is — and, according to privacy and security experts, how easy it is to get.

"This is a very dramatic problem," said Blum-Dumontet. While our phones and laptops have gotten more secure, she explained, "We're connecting to the internet through routers which are just literally, absolutely, atrocious in terms of security."

'It's really child's play'

The WikiLeaks archive details numerous tools and techniques the CIA can use to spy on smartphones and computers. It even describes turning a Samsung Smart TV into a covert listening device.

But there are also many pages devoted to finding and exploiting the numerous security holes in networking devices — common models of home and office routers that connect phones, laptops and smart TVs to each other, and to the wider internet, too.

Katie Moussouris, CEO and founder of U.S.-based Luta Security, called routers "one of the biggest, most lush attack surfaces that we have."

Their software doesn't differ greatly from country to country. "And nobody really thinks about keeping those updated," Moussouris said, which leaves them especially vulnerable to attack.

With access to a router, an attacker could passively spy on the contents of unencrypted traffic as it passes to or from the internet — or even between devices in the home. A router could also be used to launch a cyberattack, as was the case last year when attackers hijacked thousands of home routers (among other devices) and used them to take large swaths of the internet offline.

An attacker could even redirect users to fake websites — say, a website that looks like Facebook — designed to steal passwords or credit card information, or install malicious software.

"It's really child's play for the CIA," said Blum-Dumontet. "It shouldn't surprise anyone that they're doing this, because this is literally the easiest way of targeting people." 

The CIA's Network Devices Branch appears to have spent considerable time and effort cataloging exploits for a range of routers and network switches from popular manufacturers such as Apple, Cisco, Asus, HP and ZTE, which are used worldwide. 

One of the documents even describes efforts to make the CIA's spy software have as little impact as possible on the performance of the router, so that more savvy targets wouldn't notice that the software was installed.

But the reality is, even if performance was affected, most users probably wouldn't notice anything was amiss.

What can you do?

Both Moussouris and Blum-Dumontet say there's "no incentive" for manufacturers to support their routers once they've been sold — not when they can sell a newer model the following year. 

It's part of the reason routers get so few security updates, and have so many security holes. (Further complicating matters, some routers pull double duty as cable or DSL modems too.)

Security expert Katie Moussouris called routers "one of the biggest, most lush attack surfaces that we have." (Matt Rourke/Associated Press)

But the onus isn't so much on consumers to get smarter as it is on device manufacturers to do better — and for consumers to demand they do so, experts say. That means more frequent updates, but also routers that are easier to update than most currently are, and designed from the start to be more secure.

"You've got an entire uneducated consumer base that has enough trouble keeping their PCs and phones up to date, let alone the very device that connects them to the internet when they're at home," said Moussouris.

She even suggested there's "a potential role for regulators to play," pointing to the U.S. Food and Drug Administration's recent guidance on cybersecurity for manufacturers of medical devices and recent actions by the U.S. Federal Trade Commission (FTC). 

In January, the FTC filed a complaint against router manufacturer D-Link, pointing to "inadequate security measures" that left users of the company's wireless routers at risk — part of efforts "to protect consumers' privacy and security in the Internet of Things."

On such issues, governments such as Canada's often follow the U.S. lead.

But there's still more that could be done.

"There are a lot of security concerns around routers, and the problem is, there is no liability," said Blum-Dumontet. "And no company is really addressing the security issues around this."

ABOUT THE AUTHOR

Matthew Braga

Senior Technology Reporter

Matthew Braga is the senior technology reporter for CBC News, where he covers stories about how data is collected, used, and shared. You can contact him via email at matthew.braga@cbc.ca. For particularly sensitive messages or documents, consider using Secure Drop, an anonymous, confidential system for sharing encrypted information with CBC News.