The homespot – a home WiFi router with a second SSID which is left open for passers-by to use – is becoming an important part of the broadband wireless landscape. Originally conceived by pioneers like FON as a community WiFi approach, the idea was quickly embraced by carriers as a way to improve wireless availability for their customers at low cost. It has been deployed to disruptive effect by companies like Comcast in the US and Free in France, which see ubiquitous WiFi as a way to offer wireless services without having to rely heavily on mobile operators’ expensive MVNO deals.
However, security question marks still hang over some homespot platforms and most experts believe the code maturity in home routers and gateways is very poor from a safety viewpoint. The latest initiative to address this, and so increase user confidence in opening up their routers to strangers, comes not from an operator or vendor, but from US consumer advocacy group Electronic Frontier Foundation (EFF). Harking back to the open, community-oriented efforts of early public WiFi, the EFF has launched a firmware project to address home routers’ poor track record on security.
The firmware, called Open Wireless Router (OWR), is designed to help users to set up guest networks for passers-by to use, while keeping their own access and data secure. Experimental at this stage, it was published at the weekend as a ‘hacker alpha release’ to developers and hackers, who will now work on improving it and finding bugs.
The EFF’s main motivation is to improve affordable wireless access for consumers while using unlicensed spectrum more efficiently. It is a significant lobbyist for increased availability of licence-exempt spectrum in the US to enable new services and business benefits, and to lower the cost of access by introducing new sources of competition for traditional carriers.
The group also says its firmware should improve the overall security of home routers which run it, even if they are not opened up for public sharing, as well as general network stability and performance. It “will provide state-of-the-art network queuing, so most users can expect an improved internet experience, especially with latency-sensitive applications, compared to what commonly available consumer grade routers are delivering today,” the EFF said in a blog post to announce its latest initiative to protect consumers in the digital world.
However, security is the main focus. “Most or all existing router software is full of XSS [cross-site scripting] and CSRF [cross-site request forgery] vulnerabilities, and we want to change that,” the blog continued.
By opening the firmware up to the developer community, the EFF hopes to address other, even more critical flaws. As the IDG news service points out, while XSS and CSRF allow hackers to hijack authenticated sessions, other flaws can give them full control of the device through backdoors, hard-coded credentials, command injection vulnerabilities in the web administrative interface, or implementation errors in third-party components such as UPnP libraries.
Once implemented, the Open Wireless Router firmware will have an automatic update mechanism which will work over HTTPS and will use digital signatures to prevent upstream tampering with the updates, the EFF said.
The first router to host the firmware, in its alpha form, is the Netgear WNDR3800. But as OWR is based on the OpenWrt community-built router software, it will soon be available for the wide range of models and manufacturers which support OpenWrt. The OWR actually employs a custom implementation of OpenWrt, called CeroWrt, which is focused on network performance and security, as well as full support for IPv6.
The EFF will sponsor a router hacking contest at next month’s Defcon 22 security conference in Las Vegas, in partnership with security consultancy firm Independent Security Evaluators. Hackers will be invited to expose vulnerabilities in any home routers, including those running OWR.