It’s incredibly hard to get ahead with home and home office broadband routers, even high-end models costing up to $250 (150). New standards and features keep emerging, especially in the wireless space, and the life expectancy of some devices must now be measured at barely two years if the user plans to keep up with the latest developments.
Curiously, one thing that rarely gets much attention is security, which is strange given that router flaws and poor configuration are now being exploited as never before. There are a number of reasons for this. Vendors have been (and most remain) very complacent about security, preferring to gloss over the vulnerability of this class of product while reviewers have a tendency to fixate on router throughput and Wi-Fi performance.
Routers are also quite fragmented in terms of the firmware they use which in theory makes it harder to execute a large-scale hack or attack for malicious purposes. One brand might be vulnerable while another might not. Security is a lurking concern for some but the assumption remains that the chances of a specific model being undermined are still quite small.
But what if security turns out to be more important than that?
There are signs that not only is router security set for a major upgrade in importance but it might now be essential. On any network the router is arguably the most critical piece of infrastructure, as much or more so than any single PC. Perhaps it has always been a logical place to put security anyway.
When Techworld was sent the popular Asus RT-AC68U to review, it struck us that as far as performance was concerned, there is not much new to say that hasn’t already been covered by other magazines in some detail - this is a fast router, both in terms of its broadband throughput and dual-band 802.11ac wireless speed, and good value for money. Nothing we experienced when using this model over several months contradicted that assessment, although we did find it necessary to reboot it from time to time to clear a couple of inexplicable wireless slow-downs that might or might not be the fault of the router itself.
For the record, the Asus is an impressive platform for the money with no obvious weaknesses, built atop a Broadcom chipset with the 1GHz, dual-core ARM Cortex A9 processor with 256MB RAM at its core. This is also the same board that powers the top-of-the-line and more recent RT-AC87U and is ample to support another interesting feature, the built-in VPN server that some users will find appealing. We noticed it booted quite rapidly after settings were applied although a full manual reboot still took its time.
Still, Asus’s US product site makes barely any mention of the router’s most interesting innovation, that of security.
Out of the box, the Asus takes a good line on security, using the GUI to draw attention to its default security settings using a flashing icon, asking for example whether the user wants SAMBA turned on or off, reminding the user to change the default administrator login and detecting an available firmware update if there is one. There is also none of the complacency that still dogs many rival consumer broadband routers, with interfaces such as remote admin left turned on by default in the hope that consumers will understand the security risks they are taking with these settings. Setup also demands that a competent admin password is set and won’t complete until this has been set up.
This is exactly as it should be. Risky settings are turned off and those left standing are pointed out to the end user. The use of visible flashing warnings to draw attention to unconfigured options is the sort of minor innovation you’d hope would become standard on all devices of this kind.
Users often take this feature for granted but the ability to create up to five guest networks with separate SSIDs has its uses because it offers a quick way to isolate those users without having to delve into the GUI too far as well as limit their time on the network. One flaw of this is that while access to a given SSID can be limited by duration it can’t, inconveniently, be tied to specific times of the day which would have been more logical.
Until quite recently, getting an idea of the software flaws affecting a particular router was hard work or impossible. That has changed, with the site CVE Details mentioning five medium flaws from 2013 and 2014 for this Asus model, fairly average for its age. This only covers publicly disclosed flaws but it’s a good start. More to the point, Asus has been fairly good at fixing these issues, issuing a firmware fix that covers all of the above and a larger update that added new security features.
On the other hand, one of the flaws that Asus quietly patched was a fairly serious one reportedly exposing the router’s AiCloud interface through which users can remotely access the files stored on an attached hard drive or synchronised from a web service. This is one of the things that makes users deeply suspicious about hooking up personal files to routers in the first place and the fact that such an important interface had an issue on a shipping product was cause for concern.
In late 2014 Asus issued a new firmware update that added a new layer of security called AiProtection (from Trend Micro), although when users received this would depend on model and whether their router had received older updates.
On the face of it, AiProtection is a useful upgrade but we ended up with some reservations about the terms of the EULA, on which more below.
Asus describes the protection this proprietary system offers as covering three bases - router security scanning (a constant assessment of the router’s security and configuration state), malicious site blocking (via a Trend Micro reputation blacklist), and a virtual patching design which claims to block known exploits of software flaws on attached devices even if no patch has been issued for the issue. It also sets out to detect, block and alert on command and control (C2) traffic running through the router in the event of a compromise of an attached device.
Some of this integrates with the configuration security detection that was always a feature of the router so it’s not all down to the Trend Micro technology but the presence of such a complex security system is a big step up for this type of device that suggests an intriguing future in which home broadband routers are active rather than passive security products.
Under test (visiting sites containing exploits), AiProtection intervened to block pages in a similar way to the sort of filtering that is included with web browsers, although it was not possible to override the setting without turning off the security. However, testing it beyond that relatively superficial level proved difficult. Whether it would have defended an endpoint with a known flaw is impossible to confirm and obviously depends on Trend Micro rather than Asus. Pleasingly, AiProtection didn’t seem to have any impact on throughput.
Owners might want to have a close look at the End User License Agreement (EULA) for this system, which is where privacy concerns rear their head. A copy of that can be found here and applies to all Asus routers using the technology, from which we quote the following warning:
“By using the Software, You will also cause certain information (“Forwarded Data”) to be sent to Trend Micro-owned or -controlled servers for security scanning and other purposes as described in this paragraph. This Forwarded Data may include information on potential security risks as well as URLs of websites visited that the Software deem potentially fraudulent and/or executable files or content that are identified as potential malware. Forwarded Data may also include email messages identified as spam or malware that contains personally identifiable information or other sensitive data stored in files on Your router,” it states.
“You can only opt out of sending Forwarded Data by not using, or uninstalling or disabling the Software.”
What this means is that Trend Micro will have access to all websites and services visited while the software is enabled, a collection that is necessary for web filtering to work effectively. Whether owners are happy with this is up to them but it is important to draw attention to it because Asus certainly doesn’t.
This isn’t to criticise the router for offering this form of security, simply to underline that it comes with a level of passive intrusion some might baulk at in other contexts. Equally, ISPs can collect exactly the same data if they choose so it’s important not to over-react.
This is undoubtedly a good product and one that is trying its best to reform the mistakes of the past by taking security seriously. Some of this probably arose from security flaws that hit this model (and by extension all of the firm's routers that use the same platform) not long after launch, hence the adoption of Trend Micro's filtering and reputation management technology to boost the security features already offered.
The platform suggests a near future in which all routers come with integrated security because, frankly, that is now necessary. We applaud the way Asus is pioneering this. What does need to be explained is that some of this comes with implications for privacy. Most people won't mind this but others simply won't grasp the significance of the web filtering service. While it's true that ISPs and other companies also gather data from users, Asus should be more explicit about how it stores that data and under what conditions. At the moment it simply isn't explained and needs more than a paragraph in a EULA nobody reads to justify it.