• Does your router auto update?

    #2375001

    Michael Horowitz has long opined that router security needs a LOT of work. He has often complained about the sad state of firmware and router software
    [See the full post at: Does your router auto update?]

    Susan Bradley Patch Lady/Prudent patcher

    7 users thanked author for this post.
    • #2375034

      Thank you for this informative read. I upgraded my personal router based on Michael’s experience and professional recommendations. His website is favorite tagged.

      Win10 Pro

    • #2375030

      I’ve never had one that auto-updated, neither Netgear nor Motorola. My current Motorola wi-fi router cable modem combination has DOCSIS 3.0 hardware version 3. I cannot find any page or setting or option in the modem’s gateway login website that says anything about checking for updates. I think I would have to purchase a new modem to get DOCSIS 3.1; and they’re all made in China now.

       

      • #2375249

        DOCSIS modems provided by ISPs are updated by the ISP once they approve the firmware. Customer-provided DOCSIS modems are under the responsibility of the customer.

        Make sure you can update the modem before you choose to get a model that is different from what your ISP provides!

        • #2375282

          In the past I have had modems provided by my ISP, but this one is one I purchased myself. However, my ISP told me that if I purchase my own, customer provided modem and wi-fi router combination, it would have to be one of two Motorola models that they specified or they would not provide an internet connection to it (they would decline to agree to provision it on their system). So I was stuck with purchasing this wi-fi router/cable modem unit. Because they did not provide it (and therefore cannot charge me a monthly modem rental fee), they will not update any software or settings on it; and as far as I can see, there is no way to update this modem myself or cause it to update itself.

           

          • #2375446

            Bingo! DOCSIS modems are meant to be sold to ISPs who in turn will test firmware updates and verify the impact on their networks before distributing them to customer equipment.

            Nowhere is the customer meant to update the firmware as it could cause network instability or, heavens forbid, bypass data caps.

            In other words, the law forces the ISP to offer you the possibility to bring in a device not provided by them but never demanded they support devices they didn’t provide you. And you are unable to support your device without the ISP.

            The law was written as if software vulnerabilities never existed because those  who wrote it don’t understand IT one bit. Please blame them!

            Martin

    • #2375102

      No. But I wouldn’t want it to auto update.

      • #2375122

        No, thankfully. My router does not auto update. It is reasonably up to date (it uses DD-WRT, and they release a new build at least once a month… that’s too frequent for me to do them all), but the updates come when I apply them manually, just like my phone, my PCs (both in OS and firmware), and all of the software on those devices. Even my browser extensions are updated manually.

        If anything goes wrong, I remember quite clearly having pulled the trigger on the update, so I can begin working backwards to figure out what the issue was. This seldom happens, but it’s always a possibility. Having that control also allows more fine-grained control of the coordination between backing up and updating. Wouldn’t have it any other way!

         

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

    • #2375142

      I’m using Ubiquiti gear with the controller /management software they provide to manage a fleet of routers and access points. The EDGErouter Lite has a button on the dashboard telling you an update is available and you are told in the management software if one is available very clearly.

      From there, you check the changelogs and forum posts to see if you want/need it. Then, one click and the fleet can be updated 🙂

      You don’t get this from most consumer devices! Some don’t warn you, some auto-update, some give you a mailing list to warn you… But your device will be supported for how long? Can you know it isn’t supported anymore? My rule is trash the device 18 months after the last update.

      Martin

      • #2375234

        In theory, it looks great, but if you go read Michael’s thoughts on Ubiquiti, it is pretty depressing. They don’t deserve my trust.

        It seems insanely difficult to find an easy to buy, well supported, well designed, secure consumer or even prosumer router model that uses pretty current wifi standards, has good range and pretty good performance and that you can buy directly from the company or a reputable authorized reseller.

        Michael doesn’t seem to have that answer either, the only one he recommends being the Peplink Surf SOHO at 120Mbps 802.11ac which might be the closest to a pretty good router you can get, but might not make everyone happy.

        https://routersecurity.org/SecureRouters.php

        Still, voting with your wallet and buying “security” before anything else helps steer the boat in the right direction in the long term.

        • #2375248

          I agree with you Ubiquiti isn’t a unicorn in a green grass field with rainbows, but I don’t see why Ubiquiti should be completely ignored. Why should it be? Did I miss why while reading the link you provided? I’ve had worse experience with consumer devices silently going obsolete after ~2 years of updates.

          The last reference I found about insecurity on his website was bugs years ago? I know they fix security issues in firmware and they mention fixes to vulnerabilities more recent than M. Horowitz mentioned. They are far safer than Cisco, and much less expensive! As a bonus, you control them unlike ISP equipment (I use PPPoE pass-through to bypass required ISP modem/router/AP blob device).

          In the past, I’ve used DD-WRT on an Asus router and I liked the wealth of features available in addition to the ability to customize the installed packages. After many years of stable, reliable service, an update was required (I don’t remember the exact reason) and finding “the” good, stable, performing image was a challenge. There were many to choose from but each had its flaw. One fixed bug “X” but introduced bug “Y”, then one had performance issues, another was unstable, another had Wi-Fi issues… Can’t someone fix bugs before adding new features? I gave up, my time was too valuable to mess with this anymore.

          I switched my family and friends to Ubiquiti EdgeRouter Lites with UniFi APs because they were fine then. There are plenty of happy users on their forum today, although I never install a new firmware in the first 10 days. More often than not, the router firmwares are good. On the UniFi APs, however, the latest firmware might not be the best (I still run the 9 month old 4.3.21.11325 on many APs as some suggested others had various unresolved issues). Of course, I have a simple setup so maybe I won’t see some bugs others see.

          Rolling back a router is fairly simple, you log in the shell and tell it to switch back to the previous boot image (it stores current and previous internally). Reboot and voila! For an AP, just tell the controller to load a different firmware (or use the shell and tell the AP directly). It will reconfigure from the controller after.

          What would I use if not Ubiquiti? Maybe Netgear. The R7000 had fairly frequent updates, for many years, can self-update, has a security mailing list to warn you to update, and can run DD-WRT. I would miss the centralized management A LOT however!

          I don’t know if I would miss features as I only used it as an AP. I bought it a few weeks before getting the EdgeRouter Lite and the R7000 never was used as a router. I’ve tried to find a buyer among friends but it kept serving as an AP until this spring when I swapped it for a UniFi AP I could remote-manage for my mother.

          I, like most, am still searching for this unicorn router that is secure, inexpensive, has great performance, easy to use and flexible.

          1 user thanked author for this post.
          • #2375349

            Thanks for sharing your thoughts and experience.

            Did you click on the button “not recommended” on the link I provided to see what he had to say about the company? To me, the way things are handled at Ubiquiti doesn’t inspire trust. See the article he refers to also:

            https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/

            • #2375435

              Sorry, somehow I had forgotten about that incident… Possibly because I was already careful about the information I was giving them and was also using TFA with an app (NEVER sms or phone).

              I know I wouldn’t use Belkin (so no Linksys), Cisco, D-Link, Asus, MikroTik and nothing vital with a forced online account (so many others eliminated). Nothing ISP either, too weak (I use PPPoE pass-through, so I guess I can still be spied on by the ISP modem/router/AP blob?).

              What does that leave in the low cost/high performance networking equipment market? I’d say that I don’t know once I remove Ubiquiti.

              In many ways, networking equipment is no different than all the IoT crap plugged into their ports.

              Can someone name me a unicorn and throw me a rainbow? I would really appreciate it!

              1 user thanked author for this post.
    • #2375187

      My Gbit Technicolor DGA2232 Fiber router is provided and managed by my ISP but I do check the firmware version from time to time.

    • #2375217

      Now I am feeling stupid.

      We have an ASUS Wireless-AC 3100 RT-AC88U Dual Band Gigabit Router that is working perfectly.

      When we go to the ASUS support website at https://www.asus.com/us/Networking-IoT-Servers/WiFi-Routers/ASUS-WiFi-Routers/RT-AC88U/HelpDesk_Download/ we see that there is a firmware update.

      The update is:

      Version 3.0.0.4.386.43129

      2021/05/18        40.61 MBytes

      And is described as,

      “ASUS RT-AC88U Firmware version 3.0.0.4.386.43129

      1.Fixed the FragAttack vulnerability.

      2.Fixed DoS vulnerability. Thanks for Tsinghua University NISL’s contribution.

      3.Improved system stability.

      4.Fixed GUI bugs.

      5.Security Fixed: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25687, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686

      Please unzip the firmware file first then check the MD5 code.

      MD5: 80f8d75eb4b23d60a65e1cdea052d5c8”

      All is well so far.

      Then we download the zipped file and try to extract it.

      Problem – in the past all we needed to do was click the downloaded file in the download folder using Firefox and the file would unzip and install.

      Not now.

      Any suggestions on how to unzip a file under Windows 10 Pro, Version 20H2 OS Build 19042.1052, Windows Experience Pack 120.2212.2.2.0?
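
Added example, not part of the original thread and not ASUS tooling: one way to carry out the "unzip the firmware file first then check the MD5 code" step from the release note quoted above, using PowerShell as shipped with Windows 10. The download path and file name are assumptions; the MD5 value is the one quoted in the post.

```powershell
# Added example: unzip a firmware download and compare the extracted file's
# MD5 with the value published in the vendor's release note.
param(
    # Hypothetical download location and file name; adjust to the real one.
    [string]$ZipPath      = "$env:USERPROFILE\Downloads\firmware.zip",
    # Value quoted in the release note in the post above.
    [string]$PublishedMd5 = '80f8d75eb4b23d60a65e1cdea052d5c8'
)

$ErrorActionPreference = 'Stop'

# Normalise the published value and reject anything that is not 32 hex
# characters, so copy/paste damage is caught before any comparison.
$expected = ($PublishedMd5 -replace '\s', '').ToUpperInvariant()
if ($expected -notmatch '^[0-9A-F]{32}$') {
    throw "Published MD5 is not a 32-character hex string: '$PublishedMd5'"
}

# Extract into a new, empty folder so files left over from an earlier
# download cannot be hashed by mistake.
$zip  = Get-Item -LiteralPath $ZipPath
$dest = Join-Path $zip.DirectoryName ('fw_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))
Expand-Archive -LiteralPath $zip.FullName -DestinationPath $dest

# The release note says to hash the unzipped file, not the .zip itself.
$files = @(Get-ChildItem -LiteralPath $dest -Recurse -File)
if ($files.Count -eq 0) { throw 'The archive contained no files.' }

$verified = @()
$results = foreach ($f in $files) {
    $md5 = (Get-FileHash -LiteralPath $f.FullName -Algorithm MD5).Hash
    $ok  = ($md5 -eq $expected)          # -eq on strings ignores case
    if ($ok) { $verified += $f }
    [pscustomobject]@{
        File    = $f.Name
        SizeMB  = [math]::Round($f.Length / 1MB, 2)
        MD5     = $md5
        Matches = $ok
    }
}
$results | Format-Table -AutoSize | Out-Host

# Stop here if nothing matched: an image that fails the check should not
# be uploaded to the router.
if ($verified.Count -eq 0) {
    throw 'No extracted file matches the published MD5. Download the archive again.'
}
Write-Host "Verified image: $($verified[0].FullName)"
```

A match shows the file arrived intact. MD5 is not collision-resistant, so a match does not by itself prove who built the image.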

       

       

      • #2375241

        Right-click on the downloaded file and select extract? If extract is unavailable, first select open file location, then do it again from there?

        1 user thanked author for this post.
        • #2375554

          Right-clicking the file does not work.

          • #2375710

            This is weird. I am not sure from where you click. It seems like you are not in file explorer. You need to reach your file in file explorer first. Maybe you have an icon on the right of the file in the download window of your browser to open the file location?

            If you didn’t change your default download location, it might be stored in your Downloads folder accessible from Win+E shortcut to get to File Explorer and then you should have a shortcut to the Downloads folder there. Then, if your zipped file is there, right-clicking should give you an option to extract the file.

            An alternative could be to install 7-zip, which is a well-known free zip utility that has been around forever.

            1 user thanked author for this post.
            • #2375764

              The “zipped” file I was trying to open was a .TRX file.

              After playing around a bit I found a .zip file containing the ASUS Wireless-AC 3100 RT-AC88U update. Windows blocked running the file when I tried to install the update.

              See below for the workaround that allowed me to update the router.

              1 user thanked author for this post.
    • #2375270

      I have a Hitron CGNVM-3589  DOCSIS 3.0 cable gateway unit that’s provided by my cable company. It combines a cable modem, VoIP, ethernet router and WiFi router. I’ve always assumed any firmware updates would be handled by my provider.  I know.. 🙁

      I’ve signed in to the router and there is no option for firmware updates. I called their tech service to see if they actually handle firmware updates directly.

      I was told that all the routing equipment they provide to cable customers are not only “not updated remotely” but that “none of the equipment they provide has the ability or need to be updated at all”. Also, they said there are “no security vulnerabilities” in this kind of equipment as all it does is “act as a pass-thru”. (By the way: it does have an integrated firewall… doh!)

      Color me incredulous. Are they blowing smoke? Or am I wrong?

      The Hitron support website has no reference to the unit.

       

      Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

      • #2375354

        They are blowing smoke.

        You have a router with firewall as shown here. All routers should use current firmware.

        If you are not happy with the support (lack of) and feel you need more / improved security, turn off the firewall in the unit and connect a new router between the unit and your network.

        cheers, Paul

        1 user thanked author for this post.
    • #2375405

      With over 14 million customers, Deutsche Telekom – formerly the national communications monopoly – is by far Germany’s biggest internet provider. Vodafone is next with about 11.

      They’ve improved their service remarkably over the years and – though I’m sure many people in Germany wouldn’t agree – in my opinion nowadays deliver a pretty good experience across the board. They’re certainly not cheap, but in this case, you do get what you pay for.

      Over the years, the Telekom has developed its own brand of router, called “Speedport”. You can buy or rent them when you sign up as a customer, or you can buy them on the open market – even on EBay and Amazon.de.

      Over the years, the Speedports have been manufactured by various producers: At the beginning it was Siemens; nowadays it’s Arcadyan and I think some others, depending on the model.

      Anyway, to the point, the routers have an auto-update function (called EasySupport) that’s on by default. Needless to say, a high-profile, close-to-the-government outfit like the Telekom is obliged to make a reasonable effort to make sure things are current, though I have no idea how successful they actually are. Of course, though, you can log into the router to check manually whether it’s up to date.

      All I can say is I’ve been with them for about 25 years, and (by the grace of God?) have never been hacked  and have never suffered an insufferable break in service.

      I’ll close by repeating something I mentioned in regard to the WD MyBook Live problem: The Speedport routers don’t have a UPnP function.

      I dunno, sometimes not having a world of choices actually seems advantageous.

       

      • #2375439

        In a way, the fewer features offered, the smaller the attack surface is and in theory the easier it is to maintain and to secure the code. Of course, you can still have great hardware with “barely works” code underneath and you will never know until hacked. Just like the WD networked disks.

        Support is always the expensive part. And where quality greatly varies overall.

        Martin

        1 user thanked author for this post.
    • #2375555

      To update an ASUS Wireless-AC 3100 RT-AC88U Dual Band Gigabit Router:

      • Open ASUS Device Discovery from Windows,
      • Log in,
      • Go to Administration,
      • Go to Firmware Update, and
      • Check for updates.

      From the firmware update page you can also set up Auto Firmware Updates.

    • #2375564

      Customer-provided DOCSIS modems are under the responsibility of the customer. Make sure you can update the modem before you choose to get a model that is different from what your ISP provides!

      From what I have read on the Comcast\Xfinity support forum for internet, Comcast pushes out firmware updates to customer-provided DOCSIS modems as long as that modem is on Comcast’s approved list. I have even read posts from folks who installed a newer firmware than what Comcast has pushed out and Comcast then reverts the firmware back to what they last pushed out.

      Of course all bets are off if a customer purchases and installs a modem that is not on Comcast’s approved list.

      • #2375586

        Of course all bets are off if a customer purchases and installs a modem that is not on Comcast’s approved list.

        As anonymous wrote above,

        …my ISP told me that if I purchase my own, customer provided modem and wi-fi router combination, it would have to be one of two Motorola models that they specified or they would not provide an internet connection to it (they would decline to agree to provision it on their system).

        Same goes for most any DOCSIS (cable television-based) ISP in the US. If they don’t give you your gateway, you have to only buy one from their approved list, or they can (and most likely will) refuse to provision it (give it an Internet connection from their system).

        There has been a discussion about this concept recently (within the last 6 months maybe?) here on AskWoody, but I’m not sure just where to find it at the moment.

      • #2375619

        Here is a link to search results from Comcast’s support forums for “modem firmware”:

        https://forums.xfinity.com/conversations/search?q=modem%20firmware&page=1&sortKey=RELEVANCE&sortOrder=DESC

        If you have your own customer provided modem and a separate standalone router, and your ISP is Comcast, Comcast is the one who updates your firmware, if and when they choose to do so. They don’t always pass along firmware updates to approved customer provided modems.

        People who have managed to update their own customer provided modems themselves with firmware that is newer than what Comcast provides have reported that Comcast will restore the firmware back to what it was before the update.

      • #2375624

        This is why:

        DOCSIS modems are meant to be sold to ISPs who in turn will test firmware updates and verify the impact on their networks before distributing them to customer equipment.

        The newer update hasn’t been approved (yet?), so it was reverted to an approved version? I don’t use cable modems and haven’t since 2017, but if I was an ISP, I’d want to be sure an update doesn’t cause quality of service to my customers before releasing it to the masses!

        I only manage a few small networks (5 networks and 11 machines) and I do test upgrades and updates before I update everyone. Just a few days ago, a test antivirus upgrade had issues and was reverted. I’d have a few unhappy customers if I’d pushed it to the 11 business machines! Imagine if I was an ISP with hundreds of thousands of customers!

        Martin

        • #2375709

          The newer update hasn’t been approved (yet?),

          Right. There are so many factors and nuances at play here that I decided it made more sense to provide the link to many posts that discuss these issues around modem firmware rather than to try to extract and condense them all down into one message. And of course the link I posted refers specifically to folks whose ISP is Comcast.

    • #2375767

      Just tried to update a NETGEAR modem.

      The modem’s support webpage indicates that NETGEAR firmware upgrades for Ultra-High Speed Cable Modems are pushed down by the user’s ISP and are not available directly from NETGEAR.

      1 user thanked author for this post.