[netdog]

I think the widespread insecurity of home routers will not improve anytime soon.

Background: I work at a company which makes a "home router". It's not one you will find at a big box store, but internally it's not much different.

Most of these routers are built from a MIPS SoC manufactured by Broadcom, Atheros, or Marvell. Since their business is selling chips, not routers, these SoC companies need to make it easy for your LanWan Company startup to choose to use their chipset.

So these SoC companies will give you a reference hardware design. They will also give you a completely functional software package with Linux kernel, drivers for all the peripherals (Wi-Fi, ethernet, etc.), all the necessary user space utilities, a complete GCC cross-compiler toolchain binary which runs on Ubuntu, and a bad web app. You can literally unzip this package, run 'make', and end up with a functional filesystem image ready to flash onto the reference board.

So LanWan startup can start manufacturing routers with only one or two software devs who know some C and a part-time hardware engineer. Manufacturing is contracted out to China.

The vendor-supplied C code is not written by expert programmers. It's obvious when you (try to) read the source. It's also a huge and messy pile of code.

Where I work we use the vendor-supplied kernel but we wrote all the user space ourselves. All this stuff is written in C. The software devs here have more than a few years of experience writing C, but are very uneducated about how to write secure code. They don't think about it. And management does not think about it. The only thing that matters to management is that the box passes the tests.

I've been around long enough to have figured out that things are like this in most places. Whether small companies or big companies doesn't matter.

[AnthonyMouse]

I believe this is the premise behind EFF's open router project. Provide a higher quality base router distribution that can be used by anyone, including SoC and router manufacturers.

[netdog]

Every SoC has a different kernel, heavily patched, with drivers specific to the SoC. The SoC vendor has an army of paid programmers developing this software for every SoC they make.

These Soc vendors have to start working on a new kernel long before the chip is released, as they need working software by the time the chip goes to market (to offer the router makers). Broadcom's business depends on this. They will not simply hope some loose-knit group of volunteers will timely produce software which will help them sell their new chips.

And it's not realistic for the open router project to do this much work. It would require cooperation from the SoC vendors, providing free and early access to their kernel driver source and complete documentation for their chips. I don't see this happening.

At best the open router project could release software for hardware which is already a year or two old.

Sorry to be such a pessimist, but the incentives to make this work are just not there for the businesses involved.

[yuhong]

Fortunately, most of the important security bugs tends to be in userspace.