Credit: The Man-Machine
It is generally accepted in IT that the weakest link in the security chain is the fallible and frequently careless human.
But a close second, many experts say, is the router the device that connects people to the Web, sometimes called "the backbone of the Internet" which is dangerously vulnerable to skilled hackers.
Those experts have been issuing alarms for some time, but they say that, so far, things have not changed much.
Dan Geer, chief information security officer at the venture capital firm In-Q-Tel and an adviser to U.S. intelligence agencies, speaking to a conference in Cambridge, Mass., more than a year ago, said most routers are almost comically insecure, given that they have, "drivers and operating systems amounting to snapshots of the state of Linux, plus the lowest-end commodity chips extant at the time of the router's design."
The only way to fix the problem, he said, would be to, "unplug all the devices, throw them in the dumpster and install all new ones."
And that wouldn't fix it either, because the new ones are, "likely to have the same vulnerability spectrum that made this possible in the first place," he said.
Jim Gettys, a systems architect, said last year that he had inventoried the age of the packages inside a number of routers, "and they are three to four years old on Day One. And without an update stream, you start with existing vulnerabilities, and it just gets worse from there."
In an interview this past week, Gettys said he had, "seen little change in the market."
Bruce Schneier, encryption guru and CTO at Resilient Systems, wrote more than a year ago in a blog post that, "the computers in our routers and modems are much more powerful than the PCs of the mid-1990s," and warned that if security vulnerabilities in them are not fixed soon, "we're in for a security disaster, as hackers figure out that it's easier to hack routers than computers."
Such security holes can allow hackers to access files, install malware on a network or use a victim's security cameras to spy on him, without needing access to the computer hardware.
In a more recent interview with Network World this past April, Schneier said basically the same thing Geer had said a year earlier: "Do you know the way you patch your home router? You throw it away and buy a new one. And that is going to be a freakin' disaster ... Low cost, binary blobs, no one knows how they work, there's no one to update them, lots of vulnerabilities, and we're just stuck with it."
Sign up for CIO Asia eNewsletters.