Firmware Frustrations

Feb 14, 2018 | Security

KRACK, a WiFi WPA2 vulnerability, opened the IT world’s eyes to a vulnerability of almost universal impact, since WPA2 is ubiquitous in implementation. But as Tae-Jin Kang, CEO of Insignary, has indicated, it “appears to be just the tip of the iceberg, compared to what currently exists in router firmware.”

What would lead Kang to such an ominous assertion?

His firm has been monitoring WiFi router issues since the infamous 2015 botnet attack that brought down a significant portion of the internet. That attack was carried out by 300,000 IoT devices, not PCs, something many experts had long theorized and warned of.

Unfortunately, as Insignary has found, many of the vulnerabilities discovered in 2016 were still present in scans performed in November 2017. More disturbing, many vendors seemingly continue to ignore the problems, which can be fixed relatively easily through firmware updates. Insignary’s team scanned 32 WiFi firmware products from the most popular home, SMB and enterprise-class WiFi router manufacturers: Asus, Belkin, Buffalo, Cisco, D-Link, EFM, Huawei, Linksys, Netis and TP-Link. The researchers concluded that router vendors were not using the correct, up-to-date versions of the affected software components. More disturbing still, most of the firmware contained “Severity High” and “Severity Middle” security vulnerabilities. Here is a link to the story at

So, where does this leave the average SMB? If the SMB has a dedicated IT team, that team needs to check regularly for firmware updates for its WiFi routers; automatic updates are not yet the norm. For SMBs without dedicated IT teams, it is another cautionary tale about the importance of having qualified IT and security expertise engaged with the organization on a regular basis.

What can an SMB do, besides replacing a WiFi router?  What can an SMB do when a vendor doesn’t address a known vulnerability – a vulnerability the bad actors almost certainly are aware of?

The simple truth is this: as the CPU vulnerabilities ‘Meltdown’ and ‘Spectre’ also demonstrate, organizations need to become resilient rather than assuming that hardware and software manufacturers’ products are secure and are updated according to best-practice expectations.

This is why the Detection function of NIST’s CyberSecurity Framework has ascended in importance, followed closely by the Identify function. The activities of these two functions form the foundation of an organization’s ability to Respond and Recover. These shifts have taken place precisely because the Protection function has proven, as demonstrated above, to be unreliable on its own.

The activities and requirements for establishing robust Identification, Detection, Response, and Recovery capabilities are far too numerous to lay out in this short blog. But as with many things in business and life, the critically important thing is to take the first step on the journey.

Peters &amp; Associates has a team of security architects and engineers who can help your organization begin the journey correctly and guide it, with a business risk focus, throughout. Contact us at to set up a conversation with one of our security architects to discover how.