How Outdated Router Firmware Puts You at Risk

Generally speaking, the biggest interaction users have with their router is an occasional turn-it-on-and-off-again when a slowdown occurs. This neglect, however, could be putting their data and even their bank accounts at risk. It's important to regularly update router firmware to keep the security features up to date.

"All of your information is going to be passing through that router,” Craig Young, a researcher with Tripwire, a digital security company, says. “So if it’s compromised, it can really impact your privacy and the security of your devices."

Young has some serious router-hacking cred, having won two sections of the first-ever SOHOpelessly Broken competition at the DEF CON hacking conference in 2014 by quickly finding and exploiting vulnerabilities in wireless routers.

He says that users face several threats from hackers.

More From Consumer Reports

If your router is acting as a file server on your home network, a successful attack can give hackers access to private files. They may also be able to record the websites you visit and the searches you conduct, or even to re-route communications to a website. That could, for instance, allow a criminal to send a user to a fake bank site in order to collect user names and passwords.

Routers can also be taken over for criminal activities such as illegal downloads and attacks on websites. In March, the Remaiten Worm, or KTN-Remastered, spread to numerous Linux-based routers by connecting to random IP addresses and trying out commonly used login credentials. Once it gained entry to routers, they were used in distributed denial of service (or DDoS) attacks on commercial websites.

The Problem With Firmware Updates

Linksys sends out multiple updates each year for its most popular routers, according to a company spokesperson. Most of these improve performance and/or add new features, he says, but they often resolve security vulnerabilities as well. For instance, Linksys recently fixed a flaw that allowed a user on the local network to access the router’s administrator interface without the password.

But there's a major catch. Many routers we've tested, including the top rated Linksys EA8500, automatically download updates—and consumers may think they're protected. But you typically need to activate these updates manually. And even computer experts rarely do that. A study conducted by Tripwire found that fewer than half of IT professionals had recently updated the router firmware in their homes. Surprisingly, only 32 percent even knew how to do it.

That means that most home routers never get important security updates.

Instructions on how to update routers vary by brand, but for most models you need to log into your router through a browser using the devices IP address. Here are links on how to update popular routers: Apple, Asus, D-Link, Linksys and Netgear. Young's advice is to check for updates at least once per quarter. You should also check if there’s a way to get security notices via email from your router’s manufacturer.

Routers That Do It for You

There is, however, an alternative—you can replace your router. A number of models now entering the market remedy the situation with automatic updates. Google’s OnHub, Starry Station, the Amazon backed Luma Home WiFi System and Eero all take care of updates without the user being involved. “When it comes to security, if you have static software running a device, chances are it will be insecure,” Eero CEO and co-founder Nick Weaver says.

That feature could become increasingly important as the number of internet connected devices on home networks and the data they collect increases. According to the Cisco Internet Business Solutions Group, there may be close to 25 billion devices connected to the internet by 2015, and 50 billion by the year 2020.

Subscribers can access Consumer Reports' robust program of wireless router testing, which covers WiFi range, ease of setup, and security.

Copyright © 2005-2016 Consumers Union of U.S., Inc. No reproduction, in whole or in part, without written permission. Consumer Reports has no relationship with any advertisers on this site.