2018 will be the year of leaks, that’s already for sure. We still get the waves and impacts from last year attacks of KRACK, Meltdown & Spectre among other almost daily upcoming data breaches.
No provider and I really mean no provider, OEM’s or hardware manufacturer has given us something on the firmware subject over the last year, there is only the EULA and security guidance but when it comes to the most important question how long we get firmware updates nothing is mentioned! Router or in general hardware based firmware updates are a global problem if the provider wants he gives you an update and if not you’re vulnerable forever.
Some provider not even allowing you to install aftermarket firmware like OpenWRT to fix security holes, they argue that you lose your warranty which is totally nonsense because special sectors of most hardware are separate protected and can’t be overridden or damaged with a simple flash procedure – besides such protection mechanism – a simple re-flash or backup would solve this too, but the big ones preventing this.
- How long we should get updates for a product? 2,3,5,.. years?
- How does the customer can identify how long a specific product gets an update, there is no logo or sticker available?
- WHo is responsible in case a damage happened or a new leak appears like KRACK attack?
- How about flashing aftermarket firmware like OpenWRT, why not allowing it by default and provide
- There is no internationGroup which controls, monitors it and punish the big OEM’s when they do not hold what they promise
- Is the ISP responsible to give us new hardware in case old hardware runs out of support?
What can you do?
- Install OpenWRT, no matter if you lose warranty or not, flashing the firmware back to the original state is always possible and who really checks that if the hardware is broken? RMA. Probably no one, because time is money and it’s not worth in such a case.
- Ask your provider/OEM about updates, like BIOS/Firmware and how he handles it.
- Build groups or join existent forums which are providing support/help or modded firmware.
- Stay up-2-date, no matter what, it’s better than the opposite.
- Ask, ask and ask … It’s better to ask twice than asking nothing, this shows you’re interested and that you care – others with the same issue might join and this could help to find together a solution.
- No not support providers or manufacturers which not giving you enough details – The latest xyz notebook is maybe fine and the fastest on the market but it doesn’t help you at all when there no updates were given and it’s wide open to everyone. Security comes first! Do not make a compromise just because the other notebook has 2 MB more RAM. It’s also not that you can’t upgrade something on your own in 10 minutes. If the manufacturer lets you – ahahah!
Because of the recent leaks more and more people realizing that a lot of this could have been avoided if there would be an open dialog about the remaining question – what about firmware updates? It’s not that there aren’t firmware updates but they’re difficult to find, some pages are simply confusing and some people are not aware that there was a data breach which needs a firmware update. No one seems to be responsible for such important questions and no one seems to give a damn it seems. Oh yeah, another leak – so what my device is running and nothing visible happened to me so why should I care?! This is dramatically dangerous and in a modern world, I expect solutions very soon, at least some concepts this year.
In my opinion the ISP should work more together with OEMs to provide us with the updates as soon as possible, there should be no option to disable firmware updates in general, only an option to revert back or to flash other images (in case something happened or if you like to switch the firmware) – I see tons of outdated router and disabled update toggles because people simply don’t care or they using insecure default settings.
- Many home routers supplied by ISPs can be compromised en masse, researchers say (pcworld.com)
Netgear Fixes 50 Vulnerabilities in Routers, Switches, NAS Devices (threatpost.com)
- Key Reinstallation Attacks (KRACK) (krackattacks.com)