Virtual Patching Home Routers Before Manufacturers Is the Way Forward

Home routers are among the most overlooked pieces of hardware in modern homes. People don’t really put much effort into choosing a good one, changing them when they reach end-of-life, or keeping them up to date. It turns out that securing these devices without their manufacturers’ intervention is now possible, making them a lot more reliable.

According to Bitdefender telemetry, routers are the fourth-most-vulnerable device in smart homes. That alone should be enough to always think of them when securing our networks. Unfortunately, routers are rarely taken into consideration, which helps explain why they are among the most vulnerable.

In an ideal situation, users know what smart devices they have in their homes, regularly check whether the manufacturers have issued new security patches, and quickly replace any device that reaches end-of-life. The reality is almost the opposite of this scenario.

Ignoring our most prized security measure

An audit of our smart devices would quickly reach an obvious conclusion. Routers are the gateways to our private life and the guardians of our homes. It would be foolish to ignore their role, yet this is exactly what’s happening.

People buy a router, plug it in, and forget about it for years on end. Never mind that the manufacturer abandoned the device a couple of years after release or that security patches await an installation that never happens. In most cases, new users won’t even change the default login credentials. The reality is that routers are mostly ignored, despite the critical role they play.

On the other side of the equation sit the router manufacturers. While we can imagine why consumers are not quick to keep their devices up to date or why they don’t pay as much attention as they should, the same reasons don’t apply to manufacturers.

A study revealed that many router manufacturers don’t actually support the devices they sell. In some cases, they didn’t release even a single patch during the lifetime of a device — even if researchers have reported vulnerabilities.

Fine, we’ll do it ourselves

Since most routers run some proprietary OS and the code is not available, other companies can’t issue security patches. This is where Bitdefender comes in, with a new technology named Live Virtual Patching that allows users to protect their devices even if the manufacturer hasn’t issued security updates or if the consumers haven’t installed them.

Security researchers determined that most attacks use command injection, local file inclusion or directory traversal exploits to cause overflows and gain persistent privileges. This means that, if Live Virtual Patching can cover these problems, most security issues would be dealt with. To be clear, this isn’t meant to replace official patching, only to provide extra protection when patches are not available.

The technology checks commands on the router against CVEs in the Bitdefender Global Protection Network to determine what vulnerabilities attackers could use against it, then blocks these types of commands.
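To make the idea concrete, here is an added example (not Bitdefender's implementation and not code from this article) of a filter that inspects requests to a router's web interface and blocks the three exploit classes named above. The endpoint paths, parameter names and rules are hypothetical, and the sample requests in use would be constructed ones.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed rule set: endpoint and parameter names are hypothetical.
# A virtual patch pins a strict allowlist to the parameter a flaw lives in.
PARAM_PATCHES = {
    ("/cgi-bin/diag.cgi", "host"): re.compile(r"[A-Za-z0-9.\-]{1,253}"),
    ("/cgi-bin/lang.cgi", "file"): re.compile(r"[a-z]{2}\.json"),
}
# Generic class signatures applied to every decoded value.
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(")
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

def fully_decode(value, max_rounds=5):
    """Undo nested percent-encoding (e.g. %252e) and unify path separators."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def inspect_request(raw_target):
    """Return the list of reasons to block; an empty list means forward."""
    parts = urlsplit(raw_target)
    path = fully_decode(parts.path)
    reasons = []
    if TRAVERSAL.search(path):
        reasons.append("traversal:path")
    # parse_qsl decodes one layer; fully_decode removes any further layers.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        if TRAVERSAL.search(value):
            reasons.append(f"traversal:{name}")
        if SHELL_META.search(value):
            reasons.append(f"cmd-injection:{name}")
        patch = PARAM_PATCHES.get((path, name))
        if patch and not patch.fullmatch(value):
            reasons.append(f"patch-violation:{name}")
    return reasons
```

The per-parameter allowlist is what lets such a filter keep blocking when an encoding variant slips past the generic signatures, since anything that is not a plain hostname or language file is rejected regardless of how it is dressed up.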

Live Virtual Patching is part of Bitdefender Router Protection, a new IoT security platform available for Internet Service Providers (ISP). This is a two-way street, which means that it’s up to ISPs to implement this technology in the routers they offer to consumers, and it’s up to consumers to look for ISPs that implement Bitdefender Router Protection in their routers.

The security problem in the IoT ecosystem is not going to disappear anytime soon. Based on this technology niche’s growth projection, the issues are likely to grow as well. It’s past time we stopped waiting for manufacturers to secure their devices and took matters into our own hands.