Every exploit listed for my router (TP-Link Archer A7) has no "affected version" listed nor any indication of whether it has been patched, but clicking through to the CVEs indicates all have been remediated. As near as I can tell this website is just scraping CVEs, poorly, in order to sell their security services (which consist, at least in part, of an email reminder to rotate your router password... seriously?).
OP here. Yes, I agree, we (modemly) could do better:
1. Show the vulnerability status (patched / open)
2. Show affected firmware versions
3. Display manufacturer's last patch release date
Though lots of the dataset is clean, we still do lots of parsing and regexing to extract insights out of a massive haystack. The intention of this tool is for everyone to realize this and keep their firmware updated.
And no, we don't sell any services. The security reminder emails are free.
OP here. To clarify: the affected firmware versions are always available in the detailed description text. It's just that we couldn't show them in the header due to parsing failures in a few cases.
Even so, you can forget about most of these being up to date. Even experienced IT people that update their servers religiously tend to forget the router in the closet.
A lot of these routers have DD-WRT, OpenWRT, FreshTomato or maybe pfsense support. Since the manufacturers long ago abandoned security updates and feature upgrades an open source firmware will vastly improve the security and the devices functionality.
Not all routers can run one of these firmwares but many can and I wouldn't choose a device that didn't in the future. It's relatively easy to set up a basic secure home router using a Raspberry Pi 4 and USB Ethernet: attach one port to a hub and the other to the modem and you have a 1 Gbit/s capable routing device that can do SQM and remove bufferbloat, and not a lot of consumer routers can remotely achieve that level of performance.
It is more hassle than the manufacturer's firmware, but it's also a surprisingly good way to extend a router's usable life and functionality as well. VPNs, virtual LANs, file and web servers or just better QoS: you can do just about anything you might want.
The lack of ongoing support from device manufacturers is really awful. There were some major UPnP vulnerabilities (last year, as well as some previous ones iirc) and a parade of attacks against WPA of various levels and very few devices ever get patched for them - including high-spec devices.
Running open-source firmware is basically necessary to have any chance against all these attacks, because manufacturers simply won't do the work.
There really really needs to be some regulation on this, internet of things devices as well. Give a defined minimum software update lifespan on the box at time of purchase and require that it be at least 3 years from the date of sale, for example.
> The lack of ongoing support from device manufacturers is really awful.
One of the reasons why I specifically went with Asus: they've got pretty good long-term support. There's also third-party firmware that uses the open source nature of most/all of the code (e.g., Asuswrt-Merlin).
Without auto updates, a whole load of good that'll do. 99.9% of people are (justifiably) scared to even log in to their router, let alone update it or flash open source FW.
There's frankly a lot to be said about Comcast's current proprietary router model that's basically a completely managed box. You don't even log into the router directly, you manage it on xfinity.com.
> You don't even log into the router directly, you manage it on xfinity.com.
That's absolutely the worst thing I can imagine.
My current ISP (Telia) tried to replace their at-home FTTH box with one which can only be managed through their company portal (https://telia.no/minside).
I threatened with immediate service-termination unless they returned the old box which could be managed locally.
I mean... There's lines I'm not willing to cross and a router which I'm not allowed to manage locally is simply not allowed in my house.
Are you in Norway and formerly on Get? If so, I'd recommend getting your own router anyway - you just need one that allows you to specify the VLAN for the WAN, at least in my area they hide internet on VLAN 10. You still need their ONT as far as I know, but I can live with that.
I’m not sure if simply jumping on the right VLAN is enough though.
So I’m pedantic and in true HN spirit I’ve bought a secondary Get box (second-hand, with original Get firmware).
It arrived today, and I’m in the process of completely tearing it apart and reverse-engineering the entire setup for usage with OpenWRT.
So far I’ve extracted the PCB, figured out the serial interface and pinout, found out there’s no “free” root from there and am now in the process of extracting the full firmware via the built-in bootloader for further analysis.
If I find anything else interesting I’ll let you know :D
I agree it's the worst thing ever for me and you. But it's awfully nice that I don't need to setup a VPN at my grandma's house 2000 miles away to help her troubleshoot some things.
Xfinity will allow you to bring both a modem and a router. AT&T will not because their gateway/router does authentication into their network. Some people on the UniFi forums were able to pass authentication back to the gateway but it reduced speed.
Broadcom wifi chips on these SBCs work sort of fine in ac mode (you can maybe get ~150mbit/s in practice), but it could be much better.
Anyway, it's so nice to have a router with 8GiB RAM or 32GiB storage, instead of these RAM/storage-starved devices that are usually sold as wifi routers and can barely support OpenWRT. Being able to use Arch Linux or Debian, and the latest mainline kernel and have replaceable storage is just so much more flexible in what you can do.
I'll be trying Quartz64-A with some well supported 3x3 or 2x2 mimo PCIe wifi cards, soon. (Router use excludes Intel Wifi cards, sadly) I hope that will be an amazing wifi router for me. I already run one as a non-wifi router: https://megous.com/dl/tmp/599ba099a6893863.png (well there's a USB wifi card visible there, but that's just a secondary wifi network for untrusted devices, I'd like something much better for my primary wifi)
> Being able to use Arch Linux or Debian, and the latest mainline kernel and have replaceable storage is just so much more flexible in what you can do.
To be fair, my current OpenWRT devices are running more up to date kernels (5.4) than my Debian-based (4.x) devices at home.
And for a router I really don't need/want more code than strictly necessary. What use is 8GB for the system, if all it can do is load extra services, which will starve the RAM of the device and make runtime performance less predictable?
What can you do with your 8GB+ router compared to my 32MB?
My router runs Linux 5.15. I can cache more stuff in RAM, instead of wearing out the flash storage, or having to throw useful data away (HTTP cache, larger DNS cache). I can use all the new stuff that's added to the Linux kernel's networking stack. I can use any scripting languages, to automate things like updating my DNS servers easily. I compile my own kernel for the router, so I can disable anything I don't like, all the barely used and less tested protocols I don't need, etc.
Minimal Arch Linux is quite small. But I have the option to install anything, and the board will support it, without me having to figure out workarounds.
The board has 4 cores, you can dedicate 1 to the routing, and use the rest for whatever without starving the core functions of the router of the resources.
I mean, it's just a lot more flexible, while being cheaper and easier to replace than dedicated routers when the HW breaks. Just copy the root filesystem to another uSD card, and swap the kernel, and it will run the same on a different ARM SBC, of which I have quite a lot lying around in my home.
OpenWrt is a nightmare to update due to the space constraints. A more traditional distro can just be updated via the usual package manager commands. I believe OpenWrt expects you to back up configs and reimage the whole thing.
Since I used it? No. Running it on many things. Upgraded it? Yeah. I've done a lot of fresh installs but don't usually upgrade the system because it doesn't seem trivial compared to running one command occasionally on the rolling release distros I'm used to. What you're describing is unknown to me. It sounds a bit OpenBSD-like, maybe. I also consider OpenBSD to be unreasonably annoying to upgrade (although it's been a while since I tried with that either, I heard it got better).
You can always just “opkg upgrade” if that’s your cup of tea.
That won’t necessarily update the kernel-image though which is often stored directly on some MTD-partitions, so flashing the sysupgrade image is the recommended approach if you want to make sure everything is up to date.
And it’s literally just uploading one firmware file to one web UI. It’s not like it’s hard to do, particularly involved or time-consuming.
If you’ve been using OpenWRT at all I’m kinda surprised you’ve actually been able to miss them.
They’re pretty much front and center in the firmware download pages and referenced in every single release note, more or less.
> Being able to use Arch Linux or Debian, and the latest mainline kernel and have replaceable storage is just so much more flexible in what you can do.
Why not use dedicated router/firewall software like pfsense, OPNSense, or Untangle (all BSD-based, Untangle is a paid product though)?
I bought a little NUC with an Intel CPU and NICs to run pfSense a few months ago and it's been fantastically stable.
I replaced a MikroTik router with this, because it was annoying to have to run an odd duck that I always had to keep figuring out how to manage differently, or how to work around its deficiencies, because it doesn't run a regular OS, but some dedicated thing for routing. It's much easier for me to do more complicated things the manufacturer didn't add a UI for on a general distro than on some special-purpose OS.
Plus, now I run the same OS on the router that I run on 12 other server machines at home. This is just easier to manage and back up, and replace with any other SBC that I have at home, regardless of the model as long as it has an ethernet port.
I've been using one of the miniPC type OpenWRT supported devices as my core router. Though rather than adding wifi to the base I dangled my old wifi with OpenWRT off of it since my theory of instability on routers is that wifi makes everything suck.
Yes, I have a similar setup. I used a MikroTik wifi router previously, and it's still the primary wifi AP for me, but all ports are bridged together including the WAN port, and it now just serves as a 5x GLAN switch + wifi AP. All the DHCP, DNS and other services are on the Quartz64.
Why would you buy an expensive card that doesn't allow AP mode on anything ac or ax?
"Hello IAmMrZ
Thank you for your patience in this matter.
After checking this further, we would like to inform you that the engineering team confirmed that Intel® wireless products follow regulatory compliance and it is expected that AP mode cannot be enabled in non-2.4 GHz channels. We hope this clarifies your concerns."
Most VDSL routers don't have any decent support on DD-WRT or OpenWRT due to the proprietary firmware blobs required for all the DSP algorithms inside the modem.
Sadly, that means a massive chunk of the world connected by ADSL/VDSL can't use this advice.
You can, but you need your own device that supports an open source firmware. The ISP-provided modem you can potentially put in modem mode, at which point it's just the interface to the wire, and you can then run your own router in PPPoE mode to interface to it and out to the internet. If the ISP-provided device can't do that then turn off its NAT, firewall and wifi and just configure it to connect to the internet, plug only your router's WAN port into one of its network ports, and then use a DHCP WAN configuration. Then all your devices only go into your device. The only device exposed by the poor security of the manufacturer is the modem itself and your network is defended by your personal device.
There are a bunch of other ways to do it but you can absolutely have your network defended by your own device running open source firmware and still use the device the ISP has provided mostly as a modem. I use a DHCP WAN on my router which outputs to the ISP's provided router, which is just a modem at this point and not a lot else. It still runs DHCP and DNS and all that other junk but my home network doesn't use any of it. I use virtual LANs internally for some development services I use, so the default ISP routers are useless to me, and after issues with various routers with VDSL modems I gave up and have used OpenWRT ever since. I also use separate access points for wifi since it's another area where OpenWRT is a little behind, just due to how long drivers take to come out.
And then you have fun with the fact the ISP resets all the devices back to defaults once a week... And if you have to live with it in its default config you have double-NAT and games and web conferencing stuff doesn't work properly.
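On the double-NAT point above (and the earlier replies about putting the ISP box into modem mode so that only your own device does NAT): a quick way to check which situation you are actually in is to traceroute out and count the RFC 1918 hops before the first non-private address. The following is an added example, not code from any commenter; the traceroute output is constructed, and the count is a heuristic (a routed private subnet that does not NAT would also be counted as a layer).

```python
import ipaddress
import re

# Constructed sample: a LAN client behind a personal router (192.168.1.1),
# then an ISP box that was reset to its default NAT mode (192.168.0.1),
# then the ISP's carrier-grade NAT range, then the public internet.
SAMPLE_TRACEROUTE = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  openwrt.lan (192.168.1.1)  0.412 ms  0.380 ms  0.361 ms
 2  192.168.0.1 (192.168.0.1)  1.102 ms  1.087 ms  1.061 ms
 3  100.72.10.1 (100.72.10.1)  9.812 ms  9.633 ms  9.540 ms
 4  * * *
 5  203.0.113.17 (203.0.113.17)  12.305 ms  12.118 ms  12.001 ms
"""

# Constructed sample: the ISP box in modem/bridge mode, so only one NAT layer.
SINGLE_NAT_TRACEROUTE = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  gw.lan (192.168.1.1)  0.401 ms  0.377 ms  0.350 ms
 2  198.51.100.1 (198.51.100.1)  8.012 ms  7.944 ms  7.901 ms
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space used by ISPs

# A hop line starts with the hop number; timed-out hops ("* * *") carry no address.
HOP_RE = re.compile(r"^\s*\d+\s+.*?\((\d{1,3}(?:\.\d{1,3}){3})\)")


def hop_addresses(text: str) -> list:
    """Extract the responding address of each hop, skipping the header and timed-out hops."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(ipaddress.ip_address(m.group(1)))
    return hops


def classify(addr) -> str:
    """Bucket an address as RFC 1918 private, CGNAT shared space, or public."""
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    if addr in CGNAT:
        return "cgnat"
    return "public"


def nat_report(text: str) -> dict:
    """Heuristic: every RFC 1918 hop before the first non-RFC 1918 hop is a router on
    your side doing NAT; a CGNAT hop after that means the ISP is NATing you as well."""
    hops = hop_addresses(text)
    kinds = [classify(h) for h in hops]
    home_layers = 0
    for kind in kinds:
        if kind != "rfc1918":
            break
        home_layers += 1
    return {
        "home_nat_layers": home_layers,
        "double_nat": home_layers >= 2,
        "behind_cgnat": "cgnat" in kinds,
        "hops": [(str(h), k) for h, k in zip(hops, kinds)],
    }


if __name__ == "__main__":
    for name, sample in (("reset ISP box", SAMPLE_TRACEROUTE), ("modem mode", SINGLE_NAT_TRACEROUTE)):
        print(name, nat_report(sample))
```

Run against real output with `traceroute -n 1.1.1.1 | python3 -c 'import sys; ...'` or by pasting the text in; the `double_nat` flag is what the games and web-conferencing problems above correlate with, and `behind_cgnat` tells you whether port forwarding on your own router can help at all.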
I wrote this up the other day. Mine is still super flaky, but I am going to be trying closer servers. I think, ideally, you want your game console on the DMZ of the router with wireguard.
Just don't NAT again, but simply firewall. That's what I do. Luckily the days of routers crashing when there are more than 15 TCP sessions are over, even with the cheap ISP routers. But Wifi usually still sucks with those, plus security concerns, so I like to isolate it from the rest of my network with OpenWRT.
You could do what I do and run your own router on PC hardware and get a separate DSL modem. There aren't a lot to choose from, but you should be able to find one at least.
Given they are all continuously updating it's unlikely such a list would exist. The way this usually works for open source software is that the vulnerability isn't made public until the software patch has already been issued, and it's very rare to get anything other than "security issue fixed" in the changelogs anyway. The answer should be that on the latest version of the firmware there are no outstanding known vulnerabilities, or very few.
The entire problem is that most of these routers haven't received updates in years from the manufacturers; they are abandoned. The open source firmwares are not abandoned and are continuously getting updates for their underlying packages from Linux/NetBSD even if they aren't doing substantial development themselves. What vulnerabilities do exist and are not getting fixed will be in the hardware binaries for wifi for the FreshTomato-supported routers and those usually listed as poor or no wifi support in OpenWRT; that is about it.
The last release of Gargoyle was last year, and Shibby Tomato went silent several years ago, probably taking a lot of older routers out of 3rd-party ROM updates.
Many router ROMS don't come out as often as is necessary to address exploits in a timely manner.
Most router ROMs are developed in the same haphazard fashion as phone ROMs on xda-developers. Only a few like OpenWRT are actually run like a desktop Linux distro, with a well-defined and managed release process and stable branches.
Gargoyle is based on OpenWRT, but has extensive options for bandwidth control of individual devices/MACs, plus the ability to force everything to use Tor.
I don't know how UDP would work over that routing, and if QUIC would work (at all).
I imagine that this can be done with OpenWRT, but many plugins and custom configuration would be required to achieve equivalent functionality.
Last time I checked, Gargoyle's QoS system consisted almost entirely of obsolete 1990s-style manual classification and prioritization. The only interesting capability it offered was a feature to try to estimate the actual bandwidth you were getting from your ISP in realtime, to tune the overall bandwidth limits of the QoS system.
Unless it's been overhauled to incorporate the lessons of CoDel, fq_codel, CAKE and modern active queue management in general, the QoS portions of Gargoyle can be ignored as a time-wasting anachronism. You'll be better off with vanilla OpenWRT and its SQM package.
I already have little hope for consumer networking equipment, this just seems like a big old list of scraped CVE's.
One has to remember that the majority of the development ends up being by the SoC vendor, usually a horribly out of date fork of OpenWrt with weird looking proprietary kernel modules to support wifi, accelerated nat, etc.
Quite a few of the older devices lack some pretty basic mitigations as well: ASLR, Position Independent Executables, stack canaries, etc. Either they get forgotten or they're off because they can't be bothered getting the drivers up to scratch. (Assuming they haven't just been handed a binary.)
Sure, 1200 routers. Except someone listed single Synology applications as router models for some reason. Synology only has a couple routers, not 32 different models. If the quality of the rest of the data is similar, this list isn't very useful.
Interesting to not see Mikrotik on the list, though I'm not sure how far back you'd need to go to find hardware that's not still receiving firmware updates - certainly well over 10 years.
I have a Ubee cable modem with integrated wireless, and this manufacturer is not on the list either.
It would also be helpful to see how many vulnerabilities are in the latest release of Gargoyle.
I have heard that the best countermeasure for router vendor abandonware is to avoid the 192.168 network entirely, so I configured mine on a random 10. subnet.
Satisfied Omnia customer here. It’s a decent router with enough performance to host a small website and Logitech media server in lxc containers as well.
Somewhat satisfied customer here. Omnia is great as a wired router but I offloaded wifi to another device (eero in my case). Mox I was less satisfied with, has some strange bugs that have never been fixed. I probably wouldn’t pre-buy a new Turris device, but if the reviews are good I would go for it again.
Not the previous poster but the WiFi range on the Omnia is pretty poor so I’d imagine that’s the reason.
Works fine in a small apartment like mine but I think you would need something else in a house.
I have the first omnia version (of three). Will buy the next version.
Really pleasant experience. Great all-in-one home router. It took me one minute to set up and nowadays I have bird on mine for BGP LB with a home k8s cluster. One of the very few open products that is nice to use.
They have a series of routers designed to support OpenWRT (which IMO is better than DD-WRT, but preferences of course). If it supports OpenWRT then others shouldn't be difficult to load on it either.
Also, it ships with their proprietary "Smart Wi-Fi", not OpenWRT.
> While the Linksys WRT1200AC provides an outstanding experience via Smart Wi-Fi immediately out of the box, advanced users can further modify the router with open source firmware. Developed for use with OpenWRT, an open source Linux-based... [0]
No one, to my knowledge, makes the appropriate Gigabit Ethernet (ideally Dual Gigabit Ethernet) + Wifi Open-Source Hardware SBC that could be used as a router. There are a lot of SBCs with open-source software and mostly-accurate PDFs of their schematics, but very few (the Olimex OLinuXino project, maybe?) that are actually open hardware.
I do understand that truly open-source hardware is a tough sell, as Jay pointed out in his amazing piece "So you want to build an Embedded Linux system" [1]
> People forget that these EVKs are built at substantially higher volumes than prototype hardware is; I often have to explain to inexperienced project managers why it’s going to cost nearly $4000 [2] to manufacture 5 prototypes of something you can buy for $56 [3] each.
And an EVK is likely built at a lower volume than a consumer SBC. The idea that someone can download your hardware design, modify it, and respin it for their desired open-source router but now with a piezo buzzer added might work for Arduino-scale hardware projects but simply isn't reasonable for something that reaches the performance required of a router.
I apologize I misread OP's question. I incorrectly interpreted it as "hardware that supports opensource firmware such as DD-WRT/Tomato".
In terms of hardware like you mentioned there's few open source SBC's at all. Even fairly open hardware like the raspberry pi have a proprietary firmware blob. I guess it will come down to how strictly you define "open source". If you define it as "we have firmware/schematics for every chip on the board" then we'll likely never have that (I don't think even Linksys has that type of access).
I tried OpenWRT a few years ago on my WRT3200acm and the wireless quality was severely lacking. Has a lot changed since then? Do you think it's worth giving another go?
It hasn't been updated since Jan of 2020 but I also don't see any vulns listed for it.
IIRC, the WRT3200ACM had other large issues in regards to wifi... (WPA3 was off the cards because the firmware blob just does not support protected management frames, for example.)
I haven't stayed up to date with them to be honest. I've switched to ubiquiti access points with my WRT1200AC as just a switch/router. My plan is to upgrade to a x86 box with openwrt or something similar.
So if you had issues with the WRT3200acm I'd go a different route
I just tried the wrt3200acm with openwrt for about a month and it wasn’t nearly stable enough. The wifi issue is pretty well known and people seem to be working on it but I’d stay away.
dd-wrt has worked fine for me on this, but I'm a pretty casual user. Couple of video streams and phones, pi-hole, a couple laptops, all of which are idle most of the time.
Also very happy with openwrt on this device. Really quite a decent gui tui and config. Setting up always on open vpn and wireguard was reasonably painless and works well.
These are my next to investigate if my current Eero network gets replaced. The ability to put Wireguard on the router and not behind it, is the thing I need.
Why would it matter where wireguard is? The gl.inet does have the nifty internet kill switch which forces everything through VPN, which is useful I guess.
I say "used" because my main router has been updated to an AC1900 solution, but it's still kicking, I'm just running it as an access point. Unfortunately, both it and their updated AC1200 solution:
Buffalo does this as well, and there's a variety of PFSense hardware available.
In PFSense hardware you can even find things with atom processors or laptop tier processors - which are going to be more power-hungry than ARM but also a lot faster, and x86 means everything is bog-standard drivers/etc and Just Works. Although I suppose with the world we live in, perhaps not having your web-facing device have speculative execution would be better.
At that level of cost, many people also go to standalone WAPs (although of course there's no reason you can't use DD-WRT/OpenWrt/Tomato to turn an old router into a WAP as well).
Some hardware I've seen recommended for PFsense before:
Asus' routers essentially run a skinned version of Tomato with some Asus-specific enhancements. The stock firmware is open source and there's a popular enhanced fork of it, asuswrt-merlin, that's a drop in replacement.
Device makers should be forced to support their devices, and if they don't they must have something like a 6 month period where, if they don't push a security check flag to their devices, the devices initiate code to nag the user, telling them this device is not secure anymore because the manufacturer is not supporting it anymore. In this case they should also be forced to release a way to load 3rd party code etc. to allow others to fix their crap.
This is a serious issue because many people use old devices without knowing anything is wrong.
Shouldn’t that be up to the user to update their device or replace as they see fit? Also the manufacturer has no obligation to open up a device for 3rd party software installs.
At the most they should let their users know the expected life cycle of the devices and warn them when the life cycle is ending or has ended, but in no way nag the user.
It would be nice for the manufacturer to allow 3rd party software but they don’t have to and shouldn’t be forced to do so. You as a consumer have the choice to choose a manufacturer that allows you to install 3rd party software.
It should be much simpler to make changes to the manufacturers software, since they all come with the GPL notice.
It’s so silly, things that don’t work, e.g. the guest network not really being separated.
I’ve found it very hard to get a decent solution, especially given that I can’t really change much on the canceling, now considering getting a pfsense/opnsense router in front of a consumer mesh Wi-Fi, though that still isn’t ideal, won’t be able to really do much for the Wi-Fi devices.
I think I’ve posted this once: what’s also missing out there is a guide for the home user to set up networking with typical scenarios, along with hardware recommendations (apart from companies producing better products; I would consider paying the premium for Ubiquiti but here again it seems to require too mutant cables to be laid).
This just further emphasizes to me that we need a microkernel OS for internet facing things. Followed with a memory safe or at least security audited network layer.
A) Shortly: Automation. Long: "Every month, We evaluate 17000 routers for security Vulnerabilities using the national vulnerability database and publish the list with the remediation steps" from the website
Back in the day we did an industry project with a customer with lots of early Symbol Wi-Fi access points and it had some weird non-IEEE 802.11-standard behaviors, some of the FW was probably written before 802.11 was done. WPA was added at some point during the project but kept crashing.
I didn't see them on the list but of course for entirely different reasons, the business was bought by Motorola and then petered out, I think.
Huh, some of the Huawei and Nokia vulnerabilities are not related to their routers at all (a Symbian bug was even included). Maybe for other brands it's easy because of their networking equipment specialty, but Huawei's and Nokia's list needs to be manually filtered to see only the router vulnerabilities rather than an Android or Symbian bug.
Fair. But if the site doesn't list vulnerabilities in older firmware, then someone stumbling upon it that hasn't kept their router up to date won't see their actual vulnerabilities listed.
OP here: there is a misunderstanding. The affected firmware versions are always shown in the description text. It's just that in some cases we are not able to show them at the "header" level due to parsing failures.
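This reply and the OP's earlier one near the top of the thread make the same point: the affected versions live in the CVE description text, and regexing them out of prose fails in some cases. As an added example (not code from modemly or from any commenter), here is how a checker could instead read affected ranges from the structured CPE match data NVD publishes with each record and evaluate a given firmware version against them, falling back to the description regex only when no structured data exists for the product. The record below is a constructed sample in the shape of an NVD 2.0 API response with a placeholder CVE id, a made-up vendor and made-up versions; the field names (`configurations`, `nodes`, `cpeMatch`, `criteria`, `versionEndExcluding` and friends) are the real NVD ones.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of an NVD 2.0 API record; the CVE id,
# vendor, product and versions are placeholders, not a real advisory.
SAMPLE_CVE = json.loads("""
{
  "id": "CVE-0000-00000",
  "descriptions": [{"lang": "en",
    "value": "Constructed sample: Example Router firmware before 1.0.15 mishandles requests."}],
  "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
    {"vulnerable": true,
     "criteria": "cpe:2.3:o:example_vendor:router_x_firmware:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "1.0.15"},
    {"vulnerable": false,
     "criteria": "cpe:2.3:h:example_vendor:router_x:-:*:*:*:*:*:*:*"}
  ]}]}]
}
""")


def parse_version(s: str) -> tuple:
    """Turn '1.0.15_build_20190725' into a tuple that compares numerically.

    Plain string comparison gets firmware versions wrong ('1.0.9' > '1.0.15'),
    so numeric runs become ints and text runs become lowercased strings.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", s)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


@dataclass
class AffectedRange:
    product: str                       # "vendor:product" taken from the CPE name
    exact: Optional[str] = None        # a single version named in the CPE itself
    start_incl: Optional[str] = None   # NVD versionStartIncluding
    start_excl: Optional[str] = None   # NVD versionStartExcluding
    end_incl: Optional[str] = None     # NVD versionEndIncluding
    end_excl: Optional[str] = None     # NVD versionEndExcluding


def affected_ranges(cve: dict) -> list[AffectedRange]:
    """Collect every CPE match flagged vulnerable in the record as an AffectedRange."""
    ranges = []
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if not m.get("vulnerable", False):
                    continue  # e.g. the hardware CPE that is listed only for context
                fields = m["criteria"].split(":")
                version = fields[5]
                ranges.append(AffectedRange(
                    product=f"{fields[3]}:{fields[4]}",
                    exact=None if version in ("*", "-") else version,
                    start_incl=m.get("versionStartIncluding"),
                    start_excl=m.get("versionStartExcluding"),
                    end_incl=m.get("versionEndIncluding"),
                    end_excl=m.get("versionEndExcluding"),
                ))
    return ranges


def in_range(version: str, r: AffectedRange) -> bool:
    """True if `version` falls inside the range; a bare '*' with no bounds means every version."""
    v = parse_version(version)
    if r.exact is not None:
        return v == parse_version(r.exact)
    if r.start_incl and v < parse_version(r.start_incl):
        return False
    if r.start_excl and v <= parse_version(r.start_excl):
        return False
    if r.end_incl and v > parse_version(r.end_incl):
        return False
    if r.end_excl and v >= parse_version(r.end_excl):
        return False
    return True


def status_for(cve: dict, product: str, version: str) -> str:
    """'affected', 'fixed', or 'unknown' when the record has no structured data for the product."""
    ranges = [r for r in affected_ranges(cve) if r.product == product]
    if not ranges:
        return "unknown"
    return "affected" if any(in_range(version, r) for r in ranges) else "fixed"


def versions_from_description(cve: dict) -> list[str]:
    """The fragile fallback: pull 'before X' / 'prior to X' out of the English description."""
    text = " ".join(d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en")
    return [v.rstrip(".") for v in re.findall(r"(?:before|prior to)\s+v?(\d[\w.]*)", text)]


if __name__ == "__main__":
    for fw in ("1.0.9", "1.0.14", "1.0.15", "1.0.15_build_20190725"):
        print(fw, status_for(SAMPLE_CVE, "example_vendor:router_x_firmware", fw))
    print("from description:", versions_from_description(SAMPLE_CVE))
```

The structured path gives a per-version answer (affected / fixed) that could sit in the header the OP mentions, while `unknown` marks records that need the description-text fallback; the `parse_version` tuple is what keeps `1.0.9` from being treated as newer than `1.0.15`, which a naive string compare would do.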
My experience with DD-WRT is that it took tons of tweaks and fiddling to get the same router to perform not quite as well as it did pre-flash, including manually tweaking the power outputs of the antenna to get a signal one room away. Recently I bought a new router with failover support and it's so nice that the basic (and advanced) things I want to use just work. Clean UI, sensible organization of settings, actually reliable documentation... all wonderful things. So unless you are okay with lots of fiddling and restarting your router 10-30 times over a weekend, maybe don't use DD-WRT. I have no experience with the others.
Perhaps your router just wasn't quite the fit for it. "Lots of fiddling and restarting your router 10-30 times over a weekend" sounds nothing at all like my experience with OpenWRT and DD-WRT.
So 80% of these vulnerabilities are on Netgear routers, and nearly all of them are rated as High severity. That's really impressive. I don't think I'll buy a Netgear router ever again.
Skirting a discussion on how relatively good or bad Netgear are, the results seem to be vague as to whether they're resolved, how bad each vulnerability is, and it seems to list a device for each firmware version. I don't think the front-page numbers are necessarily particularly helpful.