The Internet of Compromised Things

An anonymous reader writes: Jeff Atwood has a post about a security threat that's becoming more prevalent every day: spreading malware through a compromised router. "Router malware is the ultimate man-in-the-middle attack. For all meaningful traffic sent through a compromised router that isn't HTTPS encrypted, it is 100% game over." He links to a thorough technical analysis of how even HTTPS encrypted traffic can be subverted. Atwood provides a list of suggestions for keeping your router safe that probably won't be any surprise to people reading this site, and he further recommends only browsing on an unknown router if encryption is available. What I'm curious about are the long-term implications — is there a way forward to re-establish trust in our router infrastructure? What can the open source community do to speed this along?

Re:Don't routers already run BSD?

[TWX]

Mine runs Linux, compiled for MIPS. It's actually going to be replaced soon anyway so I haven't bothered to do much with it.

Either way, the average person is only going to use the web interface or the software that the manufacturer provided that runs on the computer, if any. They won't be in position to fix anything that's broken if the manufacturer does not provide either an automatic means or a simple means to do so.

I think it'll eventually come down to a regulatory issue. Tech companies and those companies that use consumer-facing electronics (like car companies and their infotainment and body-control computers) have proven that they're not interested in maintaining their arguably defective products. Don't mince words, bugs are defects. Companies need to be taken to task over both this and over the increasingly rapid discontinuation of support (like factory-shipped apps on cell phones that stop working and can't be updated because new versions require OS updates that aren't provided) such that companies end up with mandatory windows of support until the last product ships, where all bugs and changes in communications protocols and services are maintained, such that devices that consumers have paid good money for actually last as long as their pricetags indicate that they should. For smartphones I think that window should be five years. For things line broadband routers, it should be at least five years, and I'd argue that it's not unreasonable to demand closer to a decade. For cars, where the average age of cars on the road is now something like twelve or thirteen years, it should be at least a decade for basic feature maintenance and probably another ten years for critical bugs that compromise the security of the vehicle's systems, like these easily unlocked cars we're hearing about.

Yeah, it sucks to have to maintain old code, but I'm very tired of having to pay for defective products whose features begin to stop working when the companies that wrote those features decide to change directions.