An article in yesterday's USA Today by Kim Komando, How to keep hackers out of your router, claims that updating the firmware in a router will keep out hackers. This is not even close to being true and, in another context, would be considered malpractice.
I'll illustrate how flawed her premise is with an analogy. Suppose you went to a doctor seeking advice on being as healthy as possible and were told that simply taking a vitamin pill is all that's necessary to live to 100. Obviously, there's more to it.
The article as it appears on USAtoday.com
Not only is the advice terribly incomplete, but Ms. Komando seems to be living in a fantasy world where router manufacturers always fix security flaws. Often, they do not.
Komando also engages in scare mongering, writing that
Hackers are continually looking for targets. Armed with just a few details that are readily available online, your personal files and devices are at risk. It only takes knowing a router’s IP address and administrative password to get on a network. A simple Google search is all it takes to find both for just about any router make and model.
To hack into a router, a bad guy needs more than just an IP address and a router password. Most routers do not respond to commands issued to them over the Internet. If a router does, then chances are that it was configured that way by an Internet Service Provider (ISP).
This leads to one of the first recommendations I make on my RouterSecurity.org site - don't use a router provided by your Internet Service Provider. ISPs are notorious for the security failings in the way they configure routers.
Perhaps the best thing you can do for router security is to buy one from a company that cares about the software it runs. That means avoiding consumer routers too. Manufacturers of consumer routers want the software to be cheap, not secure. There is no reward in the consumer marketplace for router security.
As for the actual configuration changes that can make a router more secure, I have a list of 13 items on the RouterSecurity.org home page. This is not a complete list, but it would make any router far more secure. Updating the router firmware is the last item on the list.
CHANGES ARE COMING
Interestingly, the router world is changing. More and more routers are dumping the web interface with 312 options and replacing it with a mobile app with very few configuration options. It can be thought of as Routers for Dummies.
My fear with these new consumer-focused routers is that security features may get thrown overboard.
I don't know for sure, because no router review ever discusses the security of the router, other than to recommend WPA2. Anyone can read a multitude of reviews of the Eero, Luma, Starry Station and OnHub routers and come away with no clue whether they can disable UPnP, Telnet, SSH, SMNP, WPS, IPv6 or how isolated their Guest networks really are. Reviewers care about Wi-Fi speed, Wi-Fi range and little else.
Another change, as Ms. Komando mentioned, is that some new routers can self-update. That is, they download and install new firmware on their own, much like a Chromebook. Among the self-updating routers are Google's OnHub, Eero, Luma, the Synology RT1900ac, Starry Station and the upcoming Turris Omnia, if it ever ships.
However, self-updating is not necessarily nirvana. For example, if a network starts mis-behaving on a Wednesday, was it because the router was updated Tuesday? Can you even tell the last time a self-updating router was updated? Does the vendor document the changes in each update?
Item 16 on my Router Security Checklist has fifteen considerations for self-updating routers. I hope to get my first self-updating model soon, and I will report how well it does when measured against these criteria.
ADVICE FROM REAL EXPERTS
USA Today claims that "Tech columnist Kim Komando offers the best advice for keeping your Internet router secure." This could not be further from the truth.
The best advice is available, without ads, on my RouterSecurity.org site.
But, you don't need to believe me. Excellent advice is also available from Lucian Constantin of IDG News Service (July 2016), Kevin Dearing at Ghacks.net (March 2015), Leo Notenboom of AskLeo.com (May 2016) and Craig Young of Tripwire (Feb. 2014 and again in April 2015). Much of the advice overlaps, the list of security tweaks is only so long.
Banner from Komando.com
Ms. Komando describes herself as America's digital goddess. I see her as unqualified.
