IoT Security Vulnerabilities are Ubiquitous: How To Secure Your Router and Your Linux System Now

The Internet of Things (IoT) is rapidly growing, connecting more devices each day. It is projected that by 2025, the world will have an astounding 64 billion IoT devices.

IoT expansion offers significant benefits - for instance, connected healthcare devices provide people with better insight into their health than ever before and switching to smart lighting can reduce energy consumption and lower your electric bill. However, with this increased connectivity also comes increased digital risk, as malicious hackers and cyber criminals have more entry points to exploit than in the past. And not only are cyber attackers’ methods and tactics evolving to become more advanced and difficult to combat, web crawlers like Shodan and BinaryEdge - which are intended to aid in security research - make it easy for threat actors to identify vulnerable systems on the Internet that they can compromise with a known exploit (and add them to a botnet they control, for instance).

Furthermore, the IoT introduces some serious privacy concerns. After all, if so much of our lives are now connected, then what is truly off limits and how much of our personal information is accessible to the government, manufacturers, threat actors and other unauthorized parties?

While all IoT devices carry security and privacy concerns, new Fraunhofer Institute for Communication (FKIE) research, which we examine in a recent feature article, reveals that your wireless router could very well be the biggest security hole in your Linux system. The fact that routers are exposed to the Internet 24 hours a day, compounded with poor industry security standards and update policies, leaves these devices at a heightened risk of malware infection and other dangerous exploits. 

Luckily, there are various measures that Linux users can take to secure their wireless routers and protect their systems - most notably, conducting a Linux firmware replacement. This article will explore the benefits of “flashing” your wireless router with alternative open-source firmware, and will introduce some great alternative firmwares and single-purpose OSes that you may wish to look into.

Benefits of Flashing Your Router with Open-Source Firmware

Replacing (or “flashing”) the stock router firmware in your wireless router with open-source firmware is fundamental in securing your network against malware and other exploits. Stock router firmware offers limited functionalities, is generally unreliable and is most likely riddled with dangerous vulnerabilities that can leave your network susceptible to attack. Wireless router manufacturers frequently fail to patch critical security flaws, leaving devices exposed and defenseless. 

Luckily, conducting a firmware replacement can mitigate this risk. Unlike stock router firmware, alternative open-source firmware is vetted and tested by a vibrant global community to detect and eliminate security bugs and potential backdoors and implement the latest security upgrades. The “many eyes” that open-source firmware has on it at any given time results in exceptional security and product quality.

However, improved security is not the only advantage associated with an open-source firmware replacement. Flashing the firmware in your wireless router often also results in superior performance and network stability and a wider range of advanced features including VPN integration, bandwidth monitoring, VLAN Support, Advanced Wireless Setups and much more.

It should be noted that while flashing your wireless router with open-source firmware can help mitigate the risk that firmware vulnerabilities pose to your system, a firmware replacement doesn’t make your router completely immune to vulnerabilities - and certainly isn’t a substitute for engaging in general security best practices such as changing default passwords and keeping on top of firmware upgrades. 

Five Great Open-Source Router Firmware Alternatives to Consider

With flashing wireless routers becoming an increasingly common practice, there is currently a fairly extensive selection of open-source router firmware alternatives available for users to choose from. While the majority of these alternative firmwares provide similar advantages over default router firmware, each open-source firmware offers a set of unique characteristics and benefits as well - making different firmwares ideal for different users depending on their needs and priorities. Here are five great open-source router firmware options that you may wish to look into.

DD-WRT

DD-WRT is the most popular Linux-based alternative open-source firmware, and is well-suited for a variety of wireless routers and embedded systems. The firmware, which is available for free, supports a wide range of functionalities including IPv6, DNS caching and adblocking - while providing easy handling.

DD-WRT is a highly reliable firmware, and often reduces the number of aggravating router connectivity issues that users experience significantly. This is in part due to the fact that DD-WRT is a Linux-based program, and the transparency of its source code enables developers worldwide to collaborate in continually updating its code. Moreover, no corporation has the ability to modify the firmware to increase profits.

DD-WRT is also highly customizable, providing users with increased control over their router - and their privacy and security online. Other key benefits of flashing your WLAN router with DD-WRT firmware include increased power from your router through overclocking, improved Quality of Service (QoS), more insight into your router’s performance, faster connection speeds and better VPN support.

Learn how to install DD-WRT on your router in this detailed tutorial.

What Makes DD-WRT So Great:

• Supports over 200 wireless routers and IoT devices 
• Highly reliable and customizable 
• Provides easy handling
• Supports all current WLAN standards
• Offers a wide range of advanced functionalities including bandwidth management IPv6, DNS caching and adblocking
• Improved VPN support and QoS
• Increased power from your router and faster connection speeds

Helpful Resources:

Explore DD-WRT

Supported Devices

Learn how to install DD-WRT on your router in this informative YouTube video

OpenWrt

OpenWrt is a single-purpose Linux OS targeting embedded devices (most commonly wireless routers). OpenWrt provides a fully writable filesystem with package management as opposed to attempting to create a single, static firmware. The OS is built from the ground up to be stable and full-featured.

OpenWrt is secure by default. Besides the fact that it is closely monitored by the open-source community, the OS keeps software components up-to-date - a task that is often neglected in the industry, resulting in serious security issues. 

One of the most attractive features of OpenWrt is the level of customization that it offers through the use of packages. For developers, OpenWrt provides the framework to build an application without having to develop a complete firmware around it. For users, the OS makes it possible to use IoT devices in ways that they may have previously written off as unthinkable! 

Another key benefit of flashing your router with OpenWrt is the ability to use its SSH server for SSH tunneling. By exposing the SSH server to the Internet, users can access it remotely and use SSH tunneling to securely access websites from public Wi-Fi. This feature also makes it possible to visit websites that can typically only be accessed in your home country while traveling abroad.

Finally, if you’re already using a router, why not have that same router also function as a server? OpenWrt makes this possible - the OS can function as a web server, an IRC server, a BitTorrent tracker, and more.

What Makes OpenWrt So Great:

• Provides a fully writable filesystem with package management 
• Offers a high level of customization through the use of packages
• Eliminates the need for application selection and configuration 
• Enables developers to build applications without needing to build firmware around them
• Allows users to securely access websites over public wi-fi and abroad by using its SSH server for SSH tunneling 
• Makes it possible to perform traffic-shaping and QoS on the packets traveling through a router, prioritizing certain types of traffic
• Offers increased stability and improved performance

Helpful Resources:

Explore OpenWrt

Supported Devices

Connect with OpenWrt on Facebook

Learn how to install OpenWrt on a x86 router in this brief YouTube video

AdvancedTomato

AdvancedTomato is a small, lean, open-source alternative firmware for Broadcom-based routers. The firmware features a user-friendly GUI, making it ideal for users who have never flashed their router before.

As its name suggests, AdvancedTomato offers a selection of advanced features including QoS, a new bandwidth usage monitor, a wireless distribution system (WDS) and wireless client modes, along with an increased P2P maximum connections limit. The firmware also provides users with the ability to run custom scripts, reprogram the SES/AOSS button and perform a wireless site survey.

What Makes AdvancedTomato So Great:

• Has a user-friendly GUI
• Offers new and improved features including a bandwidth usage monitor, WDS and wireless client modes
• Provides advanced QoS and password access restrictions
• Increases the P2P maximum connections limit
• Gives users the ability to run custom scripts, connect via Telnet/SSH, reprogram the SES/AOSS button and perform a wireless site survey
• Configurable buttons and LEDs

Helpful Resources:

Explore AdvancedTomato

Supported Devices

Learn how to install AdvancedTomato on your wireless router in this YouTube video

FreshTomato

FreshTomato, a fork of the AdvancedTomato firmware, is another alternative open-source firmware for Broadcom-based routers. Like AdvancedTomato, this firmware offers a particularly user-friendly interface, making it another great option for inexperienced users.

FreshTomato is ideal for privacy-conscious users - as protecting privacy online is where the firmware truly shines. FreshTomato features a built-in OpenVPN server and client, a built-in Tor client and built-in Ad-block. 

The firmware also provides bandwidth and IPTraffic monitoring and support for a selection of wireless modes, among a plethora of other useful features.

FreshTomato version 2020.5 - the latest stable version - was just recently released on July 17, 2020.

What Makes FreshTomato So Great:

• Offers built-in privacy-protecting features including an OpenVPN server and client, a Tor client and Ad-block
• Very user-friendly interface makes the firmware ideal for inexperienced users
• Provides IPTraffic and bandwidth monitoring
• Support for various wireless modes
• Advanced QoS is accompanied by the ability to configure labels for QoS classes
• Enabled SSH/Telnet protocols 

Helpful Resources: 

Explore FreshTomato

Supported Devices

Learn how to install FreshTomato on a Linksys E1200 router in this informative YouTube video

Gargoyle

Gargoyle is a free open-source firmware upgrade for wireless routers based on the OpenWRT firmware. Like AdvancedTomato, Gargoyle is heralded for its ease-of-use and reliability. 

Gargoyle offers a multitude of benefits including the ability to monitor bandwidth usage for every computer in your system, configure a wireless bridge connecting two networks and block forbidden websites - or, for especially security-conscious users, block everything except for a list of allowed addresses. With Gargoyle, users are also able to set quotas and throttles to ensure that network resources are allocated fairly.

What Makes Gargoyle So Great:

• Reliable and easy to use
• Gives users the ability to monitor bandwidth usage for each computer in their system
• Simplifies configuring a wireless bridge between two networks
• Allows users to block forbidden websites, or restrict access to only a list of allowed addresses if they wish to do so
• Quotas and throttles can be set to ensure that network resources are allocated fairly 

Helpful Resources: 

Explore Gargoyle

Supported Devices

Learn how to install Gargoyle on a TP-Link TL-WR1043ND V2 router in under three minutes on YouTube

The Bottom Line

Recent security research has made it clear that router manufacturers are dropping the ball on security - a discouraging trend in the industry that needs to change. However, given this unfortunate reality, it is imperative that users assume responsibility for securing their wireless routers.

I recently had the privilege of speaking with LinuxSecurity.com Founder Dave Wreski, who was able to provide some valuable insight on the topic drawing on his open-source security expertise and decades of experience working with wireless routers: “Engaging in general router security best practices such as keeping firmware updated, changing default passwords and doing adequate research prior to purchasing a router can help mitigate the risk that your wireless router poses to your system and protect your security and privacy online. That being said, flashing the likely-vulnerable stock firmware in your router with alternative open-source firmware is the single most effective way to secure your router against the prevalent and serious firmware vulnerabilities present in many leading wireless router brands.”

Are you using any of the alternative open-source firmwares profiled in this article? If so, we’d love to hear about your experience.