> Boy am I glad I replaced stock firmware with OpenWRT the moment my router came out of box last week.
I have had an Asus for years and use the vendor firmware, and update it semi-regularly when I remember to, and have never had an issue.
I bought an Asus because they have decent capabilities out-of-box, but also because there is the option of using third-party firmware (which I've never bothered to do).
Even with this event I'll probably stick with the OEM firmware.
I'm like you, Asus router on stock firmware and happy. In my case I set that up after a bad experience with openwrt.
Years ago I bought a $100 gigabit Linksys router, immediately flashed it with OpenWrt, and set it up. I assumed my ISP was the reason my download speeds were struggling to hit 100 Mbps (new house and network all at once), and later when I bought my first NAS I assumed HDDs are just inherently slow.
I had abysmal network performance for over a year before I figured out my gigabit router was the performance bottleneck; my ISP was giving me 3x what the router could handle. The reason for the terrible performance was that OpenWrt doesn't have the closed-source binary blobs to run hardware-accelerated routing, so instead everything gets squeezed through the CPU, and my router couldn't do it.
So basically, many routers lose performance (in my case I got a 10x performance drop), and OpenWrt's website is all but useless for telling you which routers to buy.
All I can say is be careful blindly installing openwrt unless your router has a CPU that's complete overkill for what you want to do...and none of the mid range consumer combined routers/access points meet that criteria.
If you read the article it was not a firmware issue; one of the security features had downloaded an invalid config due to ASUS staff errors, and the config caused the router to run out of available storage space and soft-brick. There was no firmware issue; any device will start crapping out when it runs out of available storage.
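The failure mode described above (a downloaded config that exhausts the storage partition) is exactly the kind of thing a device can defend against before it ever writes the file. The following is an added illustration, not code from the thread or from ASUS, of the pre-apply checks a firmware component should run: bound the artifact size, parse it, confirm enough free space remains, and write atomically so the previous config survives any failure. The JSON format, the size limits, and the sample blobs are all constructed assumptions.

```python
"""Fail-safe config ingestion: bound, validate, check headroom, write atomically.

Added example (not from the thread or from ASUS). The config format (JSON),
the limits and the sample inputs are assumptions chosen for illustration.
"""
import json
import os
import shutil
import tempfile

MAX_CONFIG_BYTES = 64 * 1024        # assumed hard cap on a downloaded config artifact
MIN_FREE_AFTER_WRITE = 256 * 1024   # assumed headroom that must remain on the partition


class ConfigRejected(Exception):
    """Raised when a downloaded config fails a pre-apply check."""


def validate_config(blob: bytes) -> dict:
    """Reject the blob unless it is small enough and parses as a JSON object."""
    if len(blob) > MAX_CONFIG_BYTES:
        raise ConfigRejected(f"config too large: {len(blob)} > {MAX_CONFIG_BYTES}")
    try:
        doc = json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ConfigRejected(f"config is not valid JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise ConfigRejected("config root must be an object")
    return doc


def free_bytes(path: str) -> int:
    """Free space on the filesystem holding `path`."""
    return shutil.disk_usage(os.path.dirname(path) or ".").free


def apply_config(blob: bytes, dest: str, free_fn=free_bytes) -> dict:
    """Validate, check headroom, then replace `dest` atomically.

    On any failure the previously applied config at `dest` is left untouched,
    so a bad download can never leave the device with no config or a full disk.
    """
    doc = validate_config(blob)
    if free_fn(dest) - len(blob) < MIN_FREE_AFTER_WRITE:
        raise ConfigRejected("insufficient free space to apply config safely")
    dir_name = os.path.dirname(dest) or "."
    fd, tmp = tempfile.mkstemp(dir=dir_name, prefix=".cfg-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(blob)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, dest)   # atomic rename: never a half-written file at dest
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise
    return doc


def demo() -> dict:
    """Run the checks against constructed inputs in a scratch directory."""
    work = tempfile.mkdtemp()
    dest = os.path.join(work, "security.conf")
    good = json.dumps({"ruleset": 3, "blocklist": ["203.0.113.7"]}).encode()
    apply_config(good, dest)
    results = {"good_applied": os.path.getsize(dest) == len(good)}
    # Constructed bad artifacts: oversized, malformed, and one that would exhaust storage.
    oversized = b"{" + b" " * MAX_CONFIG_BYTES + b"}"
    malformed = b"{ not json"
    cases = (("oversized", oversized, free_bytes),
             ("malformed", malformed, free_bytes),
             ("no_space", good, lambda _path: 1024))   # simulated nearly-full partition
    for name, blob, fn in cases:
        try:
            apply_config(blob, dest, free_fn=fn)
            results[name] = "applied"
        except ConfigRejected:
            results[name] = "rejected"
    with open(dest, "rb") as fh:
        results["old_config_intact"] = fh.read() == good
    shutil.rmtree(work, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(demo())
```

The headroom check is the piece that maps directly to the incident in the thread: even a well-formed config is refused if writing it would leave the partition below the reserved minimum, and the atomic rename means a reboot mid-write still finds the old, working file.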
Even if it turns out (once this event has been fully understood) that the vendor-installed firmware "phoned home" to collect an update of sorts that led to this?
Looking at it in a shallow way I suppose one could say that. But to me there's a great distinction between a switch/router and e.g. a smartphone or desktop browser.
Switch/Router, IMO, is a bigger reason to have automatic pull/updates.
You're looking at your phone on a day to day basis. Using your desktop. The router/switch/lightbulb/etc? All stuff that sits in the background and gets forgotten. Those things should do self maintenance - especially with zero days and issues that require updates to not be pwned the instant you connect to the www.
I think it's an entirely acceptable solution for non-technical users who don't know how or cannot be bothered to improve the scenario. Personally I would never run Asus/Netgear/Zyxel/etc's all-in-one router firmware on the network's edge. Probably not even on the inside of the network.
Well, depending on how you roll, I've had 2 routers - inside/outside. Guest network, IoTs, etc. on the outside. Computers, phones, printers on the inside. Don't currently - but I also don't have many IoTs currently. Will probably return to this at some point but moved and haven't gone out of my way to set it up "fancy" like.
But realistically, it's definitely better for the "masses" to have stuff that just takes care of itself. Grandma doesn't know how to update router firmware, and people like that are why stuff like Apple's "appliance" model is better than Android's more hands-on approach.
Even some of us software developers get tired of managing all of these devices. I am not opposed to "appliances", nor do I view it as in some way diminishing my or anyone else's elite status because we don't want to manage and optimize eight computers for life.
I do prefer Android for streaming devices, there’s just too much value added from using Android there. But I use an iPhone because I just want my phone to work. And I limit my desktop computer count to exactly one. For networking, I use Asus Merlin. I don’t use it for its flexibility or features, just for the stability which this recent news confirmed was a good idea. The only special features I even use are an OpenVPN server, and secure DNS over TLS to cover my devices that don’t support DNS over HTTPS.
The convenience of having a device that can phone home and update itself is far more valuable than the risk that occasionally one of those updates might cause a problem.
Aside from the risk of breaking things, there's the risk of data leaks and enabling surveillance through negligence or intentional back doors.
Hardware and software companies have a history of implementing anti-user features in very shady ways (i.e. a silent update to T&C allowing the org to track and share data with third parties and/or brokers).
I don't care if my smart Philips light bulb shares all its data with god knows who. My router? that's the device that manages all connections including critical ones. I want it to be impeccable and transparent.
That's why I refuse to buy from manufacturers that require a cloud account like Eero, or that require weird connections to work properly like Tenda (a friend had a Tenda mesh and it wouldn't work if we blocked connections to Baidu, Weibo and others).
We're definitely two different kinds of people. When it comes to network equipment I value control and security over that sort of convenience any day.
(add.: and I don't mean "different kinds of people" in a condescending way, but that we value different aspects and have different methods for going about these things)
> So, you want to manually download an update, install it and brick your device on your own schedule?
Yes, because I can plan for it. I can do it on a weekend or a local holiday. I can do it in the evening after work, or in the morning so that I have the whole day to go out and buy a replacement. If it's not critical, it can wait until my vacation.
And even without any risk of bricking, it should still be done on my schedule. I don't want the connection to glitch while I'm in the middle of a live stream, or an online multiplayer game, or a call with a distant relative.
I (home user) like to delay updates that aren't reported as 'critical security updates' in order to allow others to brick their devices, then I can decide if the risk is worth it. Yes, manual control.
Now you're just taking a silly defensive position by trivializing what I said using stupid rhetoric... I prefer to be in control over updates for network equipment, even the router in my home, reviewing changes and feedback, and to be "on the ready" in case the update does not work. I leave automatic updates for things like browsers.
It's actually not too bad in my case. All in all not that many minutes of pre-emptive effort even across a whole year. The hassle of a surprise Internet outage and having to find what/where the problem is would cost me more.
Yes. Bricking the network in the middle of a VoIP call or meeting is unpleasant. Waking up to a broken network is also unpleasant, when I need to do my job and instead have to go fixing some underdocumented mess of a gadget.
Let's assume the update is bad and (soft)bricks routers like yesterday's update.
Is it better to be part of the auto-update pool of users (who definitely got their routers bricked), or be a manual updater?
Normal case: You lose some features / quality of life / stability improvements for a day / week / month (whenever you get around to updating it).
Best case is that you aren't in general population of bricked routers like everyone else today.
Worst case scenario is that you're late to a zero-day exploit. Although, the tech news cycle tends to report those stories pretty well, so you'd be aware of it.
The pros definitely outweigh the cons in my opinion, especially on something critical like my internet access.
Okay, but these asus routers have also silently successfully updated themselves hundreds of times.
So against the one time you win by manually updating, you are weighing hundreds of times you had to research before clicking ‘update’ to see if there were any reports of this update bricking routers?
Because if you don’t do that, you just click the update button whenever you get round to it, you are running your router in a ‘vulnerable to zero days’ configuration, AND you’re going to brick your router the one time they ship an update that goes bad.
I think automatic updates for a typical all-in-one home router are totally OK, and preferable, for people who don't have the know-how to improve on it (because I'm not an opsec professional or hobbyist). It's unfortunate that these are also the people who face extended outages when something like this does go wrong. They can't fix it themselves, and the nephew that can might not be available for days.
> Even if it turns out (once this event has been fully understood) that the vendor-installed firmware "phoned home" to collect an update of sorts that led to this?
Asus, the company that makes routers with paid monthly subscriptions whose trial you cannot opt out of? Go out and buy one of their newer Nightshade whatever routers and see what I'm talking about. You literally cannot stop that thing from nmap'ing your home network for the first month.