Asus networking devices

Mixed feelings about this one, but want to throw it out there and have the discussion rather than pretend it did not happen or does not happen.

I am NOT going to relive it (far too stressful), but I had a very bad week (and a bit) of networking trouble at my house mid February 2016. Long story short, we went through 5 different routers before we found one that a) worked and b) that I could live with.

The router I ended up with is an Asus RT-AC3100.
Not that long ago, there was no way anyone should have used an Asus router on any network…..

http://www.engadget.com/2016/02/23/asus-ftc-settlement-router/

the FTC found that the Taiwanese manufacturer’s routers had critical security flaws despite its promise to consumers that the devices can “protect computers from any unauthorized access, hacking and virus attacks.”

Hackers could easily exploit one of those bugs to access users’ web-based control panels and change their security settings. If the user isn’t exactly tech-savvy, someone with malicious intentions doesn’t even have to hack the device. He simply has to use ASUS’ default log-in credentials: username “admin” and password “admin.”

So, like most home router manufacturers, they cut a LOT of corners on security and, well, pretty much ignored it.
They got caught. They got fined. And here is the interesting bit…..

Over the next two decades, ASUS’ routers and their firmware will undergo an independent security audit once every two years.

From here on, they have to hand over the code that runs on their (my) router and have someone poke under the covers.
If you are a regular reader, you will know that I am not running stock Asus firmware. This means that the code I am running has already been inspected three times: once by Asus, once by the auditors and once by the open source community that works on the firmware I use.

So yeah, mixed feelings. I wish all companies took security more seriously, but that is a hope, a wish, a dream…. So in the meantime, getting caught and having to show your cards every 2 years for the next 20 is better than nothing.

2 comments

  1. You said (presumably about AsusWRT) ‘This means that the code I am running has already been inspected three times’, but how does it follow that this 3rd party firmware has been inspected by Asus or the auditors? If it has nefarious (or vulnerable) code in it (introduced by the open source team), how would Asus or the auditor ever know or have responsibility to inspect?

    1. Great question David. Glad that you are asking them… It will cause me to double check my assumption.
      1. The Asus team is checking their code a lot more carefully.
      2. Auditors check Asus code.
      3. AsusWRT is open source. Looked at by many different people.
      So if the 3rd party code had nefarious code inserted, the entire open source community would have to be in on it.
      Point three was my assumption. If the WRT code was closed source, I, for the very reason you mention, would not be using it.
      Your question is going to pop it on my radar to double check just how much of the WRT code is open for inspection.
