Keeping home network infrastructures safe

While regular security updates are available for most desktop and laptop computer operating systems, they are not available for consumer-grade networking gear like routers, firewalls and wireless access points. That’s a huge problem.

First, the vendors of a lot of the other devices on home networks today like smartphones, smart TVs and consoles don’t ever make updates available. Second, many of the latest security threats involve fundamental mistakes in the implementation or even the theories behind critical network protocols.

One solution, of course, is to get those key network devices updated. That’s usually not possible with consumer gear that is designed to cost as little as possible to manufacture and support, which is to say to cost almost nothing to manufacture so that support can amount to simple replacement under warranty. That’s why most consumer models only get updates, if at all, within a year after their initial release. That year corresponds to the maximum warranty period for almost all these devices.

The other option is to replace older devices with new ones. Given that the average home router only costs around $30, that might not be unreasonable, especially for non-technical users. But there’s actually no way to independently verify that the firmware in the latest product release has been updated, since the manufacturers don’t allow public inspection of their code. Even some open source firmwares like DD-WRT or OpenWRT for specific hardware models may be based on older, vulnerable versions of the Linux kernel. I think Mikrotik would be a real contender if they open sourced their RouterOS code, as pfSense has.

So that leaves one obvious alternative: building your own.

If you’ve followed this blog or had occasion to browse through it, you may have noticed that last year I did just that. While I could have used an old PC for the project, I decided to go with an embedded motherboard designed by PCEngines for the purpose and installed the open source pfSense firmware on it.

At the time I originally installed pfSense in November of last year, I went with the then current version 2.1.5, based on FreeBSD 8.3 Release. This got upgraded in February to pfSense 2.2, and contained lots of changes due to its redesign around FreeBSD 10.1 Release. Last night (or rather early this morning) I performed another update to version 2.2.2, that among other things included multiple fixes for vulnerabilities in OpenSSL. That’s 3 updates in 6 months. Not nearly as frequent as most Linux systems, but pretty close to what I’ve experienced with FreeBSD servers. It’s certainly a lot more than any consumer (and even some commercial) routers out there.

Now that I’ve got a dependable, regularly updated router in place, I’m turning my attention to the two wireless access points needed to distribute wifi around my property. Both are fairly cheap, consumer-grade models for which the last firmware update available is over a year old. That means they’re vulnerable to all of the exploits discovered since that time, including some fairly serious ones in wifi security that were just announced. Considering the success of the home-built router project, I’m now looking at plans for wifi access points built on the seemingly ubiquitous Raspberry Pi. Things are still in the research stage, but it’s likely I’ll have something in place before summer.

Never a dull moment here at Casa Lembo.

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).