by Chris_Newton 1921 days ago
As someone who has worked on firmware for network devices, including the UI/presentation aspect, I feel obliged to point out that there are people working in that part of the industry who take security seriously, and likewise there are people working in that part of the industry who take the presentation of both hardware and UIs seriously.

At the same time, I can’t really disagree with the general sentiment that a lot of firmware in embedded devices, router or otherwise, is very poor. The thing I’d add is that it’s not just consumer-grade products with this problem, there are plenty of supposedly professional-grade devices where the firmware is junk too. The worst products I have ever had in my typical small-office work environments were the Cisco-branded “small business” range, which in specs and appearance did look like they were being pitched at that market, yet which never performed accordingly and mostly failed after an unreasonably short amount of time for equipment in this class.

To be blunt, a big part of the problem is money. Think about the kind of developer who has gained a few years of experience and has the skills and interest to do a good job solving challenging technical problems. Look at what that person can earn working for a FAANG or a financial services firm, or the potential upside for them at a startup if they get in early and there is a big exit. Look at the work environments they have in those roles. Now look at what a whole team of those people would earn collectively for writing router firmware and tell me which number is bigger, and look at their work environment and tell me where you’d rather be spending a significant fraction of your waking hours. In short, the people you find working in this area with real ability tend to be those who enjoy this kind of work enough to give up a lot of other benefits to do it. Obviously that restricts your talent pool and then manufacturers have to fill the gaps with whoever else they can find.

It comes down to the age-old reality that many customers prefer to buy junk as long as it’s cheap. Sadly, I doubt this will change any time soon, whether we’re talking about consumer routers or TVs or whatever IoT device someone decided would make their home smarter this week. Maybe if something really bad happens, the market will shift and/or governments will step in and regulate to try to force better standards for things like security and updates. In those cases, I would expect to see both significant consolidation in the consumer devices market and significant price increases follow quickly afterwards.

2 comments

>The thing I’d add is that it’s not just consumer-grade products with this problem, there are plenty of supposedly professional-grade devices where the firmware is junk too.

Absolutely. An example: https://www.youtube.com/watch?v=B8DjTcANBx0

There are $5000 security cameras placed in very sensitive areas with security just as poor as the $50 trash you can buy from Office Depot (or at least it was the case 8 years ago).

I mostly agree with your post. However, I must point out that some people get paid _very_ well to write router firmware. Just maybe not consumer grade router firmware. Where the margins are high on the hardware, typically the salaries are as well.

I don't know much about networks and haven't worked on any on-device software - I mostly work on element management systems.

Even on the high end there is a race to commodification. Router manufacturers have some similarity to server manufacturers like Dell - they get hardware and software components from 3rd parties and put them together. Your main bespoke software contribution might be device drivers and a data model.

High pay may not automatically translate into quality because there are other forces in play.

There are at least a few use cases that can never be commoditized. My wife's ex used to do work for Woods Hole developing firmware for acoustic routers intended to network submarines. Somewhat ironically, he thought it was just for scientific use but the US Navy was actually funding the development. This paid reasonably well for 15 years ago.

Interesting! I don't disagree with you, but to jump off this...

I think there are some parallels to metro fibre networks. You have devices/pluggables with xxxG throughput. MUX/DEMUXs, ROADMs and ILAs are expensive. High cost, high margin.

But you don't make the optics. You're buying them from the same supplier as your competitors and you can't buy that company because you'll kill the market because your competitors won't buy from you and all you'd be left with is an interop problem. The second problem is that the market is small. Few outfits build these networks and they are often monopolies in their geo. There is little growth.

Commoditization is not the only problem.