Executive Summary

  •  Securing home routers is a key requirement for curbing the infestation of infected endpoints and malicious traffic on the Internet.
  • Responsibility for home router security is shared between government, router vendors, ISPs, Internet companies and consumers. Perspectives on where the ‘buck’ finally stops is shifting but doesn’t seem to be converging.
  • ISPs and governments are best placed to enforce comprehensive home router security. ISPs can just comply with regulations or they can commit and differentiate.
  • New network based capabilities like blocking unauthorized access and restricting
    the tasks that home routers can perform can help ISPs lead in this area.

Home routers that are optimized for lowest cost, maximum convenience and
rapid time to market continue to win high market share.

Home Router Attacks Pose Increased Risk

It’s just over two years since a high profile attack enabled by the MIRAI botnet disrupted the service of 900,000 of Deutsche Telekom’s home routers over two days. As shown in Figure 1, however, vulnerabilities in home and Small Office Home Office (SOHO) routers continue to expose their owners – and Internet users world-wide – to damaging attacks.

These vulnerabilities continue to arise due to the automated and distributed nature of many of these attacks and the lack of awareness – or care - of so many consumers. Home routers that are optimized for lowest cost, maximum convenience and rapid time to market rather than security continue to win high market share in many markets.

Such devices are susceptible to vulnerabilities that take very little sophistication to exploit. Look at the installed base of home routers in even the most advanced countries and you’ll find a sizable share suffering from one or more characteristics ranging from inadequate hardening; use of default passwords; use of unencrypted protocols like Telnet; support of unauthenticated services like Structure of Management Information (SMI); and lack of vendor support for security and other software updates.

An attacker that gains access to a router can potentially see any traffic  running across that network and execute any number of different attacks. These include eavesdropping;

High Profile Home Router Attacks Table

altering DNS settings to send users to a rogue imitation of a familiar website;
downloading malware-infected versions of legitimate software; serving up unwanted ads; and corrupting the integrity of messages between devices in the network.

The threat posed is rising with the gathering momentum of IoT. Most IoT ‘things’ are nowhere near as secure as PCs and smartphones. The so-called ‘Smart Home’ may be smart in terms of convenience but it’s often anything but smart in terms of security. As demonstrated by the huge outages impacting the world’s most popular websites arising from the attacks on Dyn in October 2016, botnets like Mirai and Reaper can enslave millions of insecure IoT things in homes and business environments and leverage them
in coordinated attacks on any IP endpoint. This poses a grave risk to the Internet on which so many services that are critical to human life depend now.

In the past, issues around home router security could be viewed as a largely closed one between end users, their router vendor and their ISP. But the rise in the automation of attacks and the proliferation of IoT is changing the balance of externalities arising from home and business Internet usage. If the home router or other devices in the home network are taken over by a botnet, that consumer poses an indirect but substantial risk not just to themselves but to any endpoint on the planet.

Only a small segment of tech-savvy consumers is able and willing to take charge of their own personal risk management.

Changing Motivations among some Stakeholders

Once someone understands the risk, both to themselves and others, of vulnerabilities in their home network – and many, perhaps most, consumers still don’t – it’s easy enough to conclude that ‘something needs to be done about it. But defining what that something is – and implementing the right market incentives to support it – continues to elude industry stakeholders and government alike.

The perspectives of some stakeholders on home Internet security may be changing but they don’t appear to be converging towards a consensus that can be easily understood by all parties. As an example, and often without any associated change in legislation or regulations, some banks, telcos and other organizations have become more likely to make compensation for consumer fraud conditional upon a user’s own behaviour whereas in the past compensation was more likely to go unquestioned. Also, liability for the Confidentiality, Integrity and Availability (CIA) of a home router product continues to be very complex, potentially touching on the ISP, the router vendor, and the user themselves.

In many countries, most consumers don’t care much about cyber security risk in their own home. The minority that do break down into two types. Only a small segment of tech-savvy consumers is able and willing to take charge of their own personal risk management. These individuals should be celebrated for their self-reliance and their positive impact on everyone else’s Internet experience. The far larger segment among those that do care don’t have the aptitude to take charge of their own home router security, though. Nor can they reasonably be expected to.

As the younger generation of digital natives gets older, the share of consumers willing and able to take personal responsibility will increase. However this rebalancing will take place over many years, if not decades. Those who are incapable of mastering their own home security will be with us in volume well into the future. And, as will be shown, there remain some aspects of home router security that even the most diligent and savvy consumer can’t configure or manage themselves.

The rich and diverse market in home routers is a problem

The rich and diverse market that exists in home router products today is undoubtedly part of the problem. This is because some of the greatest diversity you see when comparing different products is in their security features. In many markets there are large installed bases of low end home router products with remarkably weak security. Even today, many products that are available to buy in stores or on line still suffer from major security flaws.

There are certainly premium home routers with excellent security features available. And there are recent, high profile, examples of leading home router vendors partnering leading antivirus vendors to deliver integrated solutions directly to consumers and via ISPs. But the mere fact that these are positioned as high end products means that in most markets, they only account for a minority share of new sales (and an even smaller share of the total installed base). The home router market is going to continue generating hundreds of millions of new units per year. The same is true of IoT devices
only on a very much larger scale. From an Internet security perspective, without major changes in regulation, an unacceptably high share of these devices will continue to make the problem of Internet security worse rather than better.

The German government is introducing a new security labelling regime for home routers sold in Germany.

Governments in leading countries recognize the need for action

Leading countries recognize the convening power of government and the need to apply that to raising the bar to strengthen cyber security, including in the home. A number of examples are profiled in Figure 2. Governments are taking a variety of different approaches. At the relatively ‘light touch’ end of the spectrum, the Federal Trade Commission (FTC) in the US has an ongoing legal action against D-Link, one of the world’s largest suppliers of home routers. The goal is to require that D-Link adhere to minimum security standards in the design of its products.

Also at the light-touch end, the German government is introducing a new security labelling regime for all home routers sold in Germany. Products that meet high security standards will be labelled accordingly. Rather than imposing mandatory high security standards on all products sold, this approach at least gives consumers the means to make informed choices about the risk they want to take in their homes. At the other end of the spectrum, the Japanese government has assumed significant new powers with the stated goal of hardening the country’s vulnerabilities against home and enterprise-borne IoT security threats. Ahead of the 2020 Olympic Games in Tokyo, Japan’s government is preparing to run penetration tests against 200 million IoT devices deployed in Japanese homes and businesses. Presumably, the plan of action will also provide remediation for the many vulnerabilities that will no doubt be found.

Across the ICT ecosystem, current market incentives for taking the steps needed to materially reduce the risk of incoming and outgoing attacks from home networks are inadequate. As shown in Figure 2, many leading governments recognize this. But far

Government Requirement for Home Router

greater urgency is needed now to create the right incentives for all the relevant stakeholders to step up and take their share of responsibility.

Obligations and Opportunities for ISPs

Probably more than any other stakeholder, ISPs have wrestled with the question of how far they should commit to home Internet security for many years. Three very different principles present themselves to ISPs, all pointing in conflicting directions.

  1. ISPs are not responsible for cleaning up the Internet. If there is to be a major clean-up operation, which necessarily requires investment, ISPs tend to believe that those costs should be shared across different stakeholders.
  2. Irrespective of the exact cause, ISPs usually get blamed for home network security breaches because they often supply a large share of the routers. Incidents impact an ISP’s brand, churn rates and Net Promoter Score (NPS).
  3. The worse home Internet security gets, greater awareness will create better opportunities for ISPs to differentiate with security as a trusted provider. Business cases then turn on whether the ISP can make enough additional revenue and margin from the required investment (and if so, for how long).

Far greater urgency is needed to create the right incentives for all stakeholders to step up and take their share of responsibility.

In most countries, the law doesn’t clearly tell ISPs where their responsibility for home router security begins and ends. Nor will it any time soon. Where they re-badge a router vendor’s product with their own brand, the chances are that the ISP is liable for that product’s performance. Where they don’t, they’re probably not.

The truth is, though, that the detailed legalese is usually too nuanced and too blurred, and ultimately not relevant enough, for the ISP’s strategy to be driven by it. If an ISP decides to pursue a strategy of leadership in home Internet security, then being seen to discriminate between those among its customers that it will stand by and protect, and those it won’t, is inconsistent with that market positioning. ISPs need to be binary about this. If they want to lead in consumer Internet security, they need to take a universal, all-embracing, stance across all the consumers they serve or not bother at all.

As shown in Figure 3, ISPs are unique in being able to take responsibility at every layer of home router security. Even when it comes to the user’s own cyber hygiene, the ISP can be active not just in educating them but in providing on-line tools and mobile apps so users can monitor and improve their home security posture.

Key Measures for Home Routers

Most ISPs already engage very actively in preventing, detecting and remediating network attacks, notably at major peering points where they can protect against the greatest threats to the greatest numbers of customers. They do this mainly to protect themselves. They can also combine their unique network-wide visibility and footprint in the home to protect the home networks of individual consumers. Security is always about layers. In home router security, AV software is very important but it doesn’t protect against unauthorized access. Firmware updates are very important but they can also represent a vulnerability in their own right.

New tools for ISPs to Differentiate with

Network level white-listing and authentication capabilities provide additional protections that ISPs can bring to bear in addition to those depicted in Figure 3. These include:

  • Blocking unauthorized access to the router. White-listing here can ensure that only specifically authorized servers are able to communicate with the home router. Unauthorized access is automatically blocked.
  • Prescribing only those binaries that are allowed to run on the home router. This enables ISPs to ensure that unauthorized – potentially malicious - binaries are unable to run.
  • Two factor authentication (2FA) to limit the use of permitted
    communications. While legitimate access to the management interface has to be allowed, another security layer can be added by means of 2FA such as a message to a mobile app to ensure only authorized users are accessing the home router.

White-listing and authentication capabilities provide additional protections that ISPs can bring to bear.

The above measures can provide additional protection against many of the most straightforward attack vectors. As has been shown, these continue to cause high levels of harm to Internet users. Moreover these capabilities have the unique advantage that they can be applied across an ISP’s entire installed base. It can therefore protect all the different home routers in the ISP’s network including the substantial share of different devices that tend to be highly insecure.

If ISPs don’t choose to lead, they may face new regulations anyway

Stakeholder pressure for home router security is greater now than it was. The potential risk to an ISP from its security capabilities falling behind those of its competitors is also greater. That said, the fundamental decision for the ISP remains essentially the same. It can lead in home router security. Alternatively it can wait for government to impose new regulations which may be less effective, more burdensome, or both.

About Allot Communications

Allot is a leading provider of innovative network intelligence and security solutions that empower communications service providers (CSPs) and enterprises worldwide to enhance the value they bring to their customers.

Allot Secure network-based security disrupts the security industry. It positions CSPs as leading Security-as-a-Service providers able to capture market penetration exceeding 50% and generate value-added-service revenue of 10-15% on top of connectivity revenue. Allot Secure enables CSPs to deliver security services that protect mobile devices and the broader connected home environment, as well as improving the security posture of the home router itself.

The Allot Smart solution suite, powered by inline DPI technology, generates insightful intelligence that empowers customers to optimize, innovate, and capitalize on every service opportunity. By analyzing every packet of network, user, application and security data, Allot Smart cost-effectively enables the highest Quality of Experience (QoE) for their users. Use of Allot Smart has lowered access bandwidth costs by 10%, deferred capacity expansions by 1-2 years and reduced revenue leakage by 15%.

Allot’s multi-service platforms are deployed globally, in the most demanding
environments, by over 500 mobile, fixed and cloud service providers and over a thousand enterprises. We support evolving network architectures by offering the most flexible platforms in the market, including COTS hardware, software only and fieldproven, fully NFV compliant solutions.

With over 20 years of proven success, Allot solutions make customers’ networks smarter and their users more secure. For more information, visit www.allot.com

About HardenStance

HardenStance is a leading independent industry analyst firm delivering trusted research, analysis and insight in IT and telecom security. www.hardenstance.com