To accompany recent research into the security of common Internet Service Provider (ISP) routers, we lament the current state of security in network devices, both personal and enterprise.
The Router of All Problems
Our latest contribution to the efforts of the Consumer Association (aka Which?) is to help with this piece: “Millions of people in the UK at risk of using unsecure routers” on the security of old ISP routers; also picked up in this BBC article and in the national newspapers. Their survey found a large number of UK broadband customers have a router that’s older than 5 years old, and our research showed some of these devices have security issues, and are no longer being patched.
Clearly there’s a large problem here. If a large minority of UK homes have an insecure router, it’s another chink in the armour of the already under fire telecoms infrastructure. Whilst we did find good examples of some ISPs upgrading customer routers (kudos to some of the customer forum staff for TalkTalk, for example), the practice is far from widespread, and the survey numbers speak for themselves.
Unless most people get used to asking for a router upgrade when renewing their broadband contract, much like many people do with mobile phone contracts, the ISPs won’t address the issue. There is some improvement, at least. Newer ISP router models are undoubtedly better than previous generations, but there is still a clear difference in quality between the devices provided by big ISPs and those from the smaller ISPs.
Unfortunately it’s not that things are much better in the commercial and enterprise markets. As we wrote about in our 2020 review, the last year has seen a swathe of mostly very bad vulnerabilities in networking devices, including F5 and Cisco and PulseVPN devices.
And it’s no better this year; for example we’ve just seen two more F5 vulnerabilities. Again, they’re particularly bad vulnerabilities, being Remote Code Execution vulnerabilities that score just under 10 on the CVSS scale. And new Pulse VPN vulnerabilities. Add to that the increasingly bad Accellion issues, and it’s not a good start to the year.
It does seem like a lot of vendors of enterprise networking kit haven’t yet adopted modern development practices, as many of these issues wouldn’t exist in “finished” products if the manufacturers adopted a secure development lifecycle or DevSecOps approach, and fuzzed and security-tested their own products. Until they do, it’s hard to take statements like this seriously:
(from F5 on HackerOne)
It’s a bit mean to call out one example, and we should all know the difference between PR statements and reality, but there shouldn’t be a gap between statements like the above and reality.
The Promised Land
As with many things, it likely boils down to an economic decision. There are, hopefully, people inside the manufacturers pushing for more security, be it changes to the development process, more testing, or whatever. Unfortunately, from the outside, it doesn’t seem like many of them are winning that argument. We can only assume the counter-argument is “but that would cost us money”, and that the answer more often than not is “No”.
Ideally everyone, whether building devices for consumers or enterprises, would accept the premise that if you can’t build something securely then you shouldn’t build it at all. That’s likely a pipe-dream, as we’ve seen in other industries that the only way of enforcing good practice (we’re not even talking about best practice) is by standards and regulation.
The likes of Which?, ETSI and David Rogers work hard to push the idea of basic security standards for connected devices, but it’s hard to win a fight against ISPs, manufacturers and retailers, especially if it means them spending more money.
- Which? article: “Millions of people in the UK at risk of using unsecure routers”
- “BBC News: Millions at security risk from old routers, Which? warns”
- Our Which? survey of 25 big UK companies' security
- Passwords - How much do they matter?
- Which? banking tests