Broadband Genie recently published survey results about router security that are both depressing and entirely unsurprising. The most alarming findings are that 86% of survey respondents have never updated their router’s firmware and 82% of respondents have never changed their administrator password.
Broadband Genie wrote that not changing the administrative password is risky, “as the default passwords are often insecure and shared across all routers of that brand or model range. A significant number have also never updated the firmware and could be vulnerable to known security exploits.”
They also commented: “Perhaps most concerning, 51% say they have never carried out any of the actions listed, potentially leaving them open to all manner of security and reliability issues affecting their broadband and any devices connected to the router.”
*Image source: Broadband Genie
Are any of these results surprising? No. But we’d like to assert that the problem isn’t the users and consumers; the problem lies with the technology vendors, who should be held responsible for the security of their technology. Are we really expecting the average user to go through a task list of updates and manage administrative settings in order to secure themselves?
We find ourselves asking this question often, not just of router security of course, but for almost all consumer-targeted technology, especially in the age of the Internet of Things (IoT). We all acknowledge that consumers shouldn’t be expected to be security experts, and yet not much has changed within the industry to safeguard them from security gaps. Rather than build products that are secure by default, we expect users to go through often poorly written technical documentation to apply best practices that they may not fully understand.
Best practices haven’t changed for decades, so why isn’t it just done by default? Hardcoded passwords are bad yet they are still plague Internet-connected devices on the market, setting the stage for another Mirai-like botnet. Instead, the tendency is to make a profit from the failings of unpatched, unsecured technology by selling yet more products to safeguard consumers from the unsecured devices the industry is selling them.
It’s time we stop telling millions of users to apply best practices and start holding technology vendors responsible for the products they sell. If their technology was any good, it should work “like magic” without user intervention.