The Federal Communications Commission is set to vote on a proposed rule that would require cable companies to offer consumers more choices about whether they use a rented cable box or home router or their own. More choice is good, and one could make a strong argument that lack of consumer choice has retarded development of home routers. However, this decision may come with a few pitfalls from a security perspective.
Home routers were recently a component of the attack against krebsonsecurity.com. There are many reasons that this would be the case. Some routers have as a blank password with user name “admin” that allows anyone to access them. Others have well-known vulnerabilities in their software that has gone unpatched for years. If the service provider is providing the router, then we can say that it is responsible for the device’s maintenance. On the other hand, the consumer has a particularly bad track record of doing a good job protecting the device.
Second, because most consumers do not employ security professionals to protect devices in their homes, the service provider is in a good position to offer that protection. It does require that the service provider have access to the home router to identify threats within the home itself. By having some control over that device and having access to logging information, the home router is in a position to identify potential attacks within the home itself. But the router itself needs some guidance to perform that task, and the router itself typically cannot retain all of the necessary knowledge. Cloud services are useful for this purpose, whether managed by the SP or by some other entity.
Regardless of what the FCC orders, SPs are in the position of setting the standards necessary to connect a router to the Internet. CableLabs has set several standards, one known as DOCSIS. While the current specification has a limited security section, one could easily envision additional capabilities that would protect device within the home. As new entrants such as Google and Ubiquiti develop additional capabilities, they may have more to say about security in the home. If home users are to have a choice, one choice they should have is to allow service providers to protect them.