Unpatched Home Routers and IoT Devices, A Tragedy Waiting To Happen

Home routers and IoT devices are not a good combination when it comes to cybersecurity, that is the result of the study conducted by theamericanconsumer.com. The issue stems on the combination of the ignorance of end-users when it comes to home router’s firmware updates and delay of updates or lack thereof (if the user knows how to apply them). TheAmericanConsumer.com revealed that security vulnerable routers are sold on a regular basis, in fact, five out of six are publicly sold in brick and mortar stores unpatched.

“This ConsumerGram seeks to explore the degree to which Wi-Fi routers are potentially being left unpatched for known risks, making the routers themselves and the devices to which they are connected more susceptible to cybercrime and other online threats. Failing to address known security flaws leaves consumer devices vulnerable to having their data compromised, leading to malicious activity, identity theft, fraud, and espionage,” said in the report.

Home router manufacturers have a laundry list of their router models, and not all are updated. Some low-end hardware is left with their default firmware or only received an update once while leaving the vulnerable firmware unpatched afterward. For those that have firmware upgrades, it takes a knowledgeable person to update a home router. A device that was issued by an ISP is usually left untouched by the home user, as long as the device continues working. This scenario is the riskiest situation for a home user, unfortunately, such a scenario is very common. Such create a situation that the home user is at risk by default, unless she takes all the necessary precaution, including learning through self-study how to update a router’s firmware.

Compared to Windows update or an app update, a firmware upgrade for a home router is not a walk in the park. A wrong update to the router or a power failure while in the middle of flashing the firmware is enough to brick the device. A bricked device can no longer be repaired, unless the user is a very skilled soldering professional that can unmount and remount integrated circuits in the router’s motherboard.

“In addition, manufacturers often do not provide user-friendly ways for consumers to update firmware or may even view building security protocols into their devices as an unnecessary expense. Sometimes accessing firmware updates requires consumers to have registered their products with the manufacturers, while other times these updates are not readily available online, and still other times somewhat older routers are not supported at all. This means that even consumers who try to update their router firmware might download outdated code that is all but useless against critical vulnerabilities discovered since its sale. Simply calling on consumers to turn their routers on and off is insufficient,” explained in the report.

IoT devices are also in the same boat, as their firmware can only be updated through a firmware upgrade procedure. All the limits imposed and the risks involved with flashing a new firmware to a router also applies to IoT devices. Hardware manufacturers are highly advised to enable easy flash updates to the firmware of both home routers and IoT devices. Their reputation and their business existence are on the line; users are at their mercy for an easy to use flashing procedure in order for their customers to remain secure and private.