How I've wound up being one of the people who don't update IoT firmware

October 24, 2016

The security of various assorted devices that make up the broad Internet of Things have been in the news recently, both for direct IoT devices like thermostats and fridges, but also for the more broad category of Internet-related boxes like DSL routers and wireless access points (often these are the same device, of course). In the spirit of this I tweeted this admission:

True story: I have no idea how to get firmware updates for my DSL modem/router. The actual maker (Smart/RG) doesn't seem to distribute them.

Twitter isn't the right place for long explanations, so let's cover how a sysadmin who knows something about security wound up in this potential mess.

When I moved from plain DSL to VDSL, I needed a new VDSL-capable modem, so I did the obvious thing; I asked the little boutique ISP what they recommended for this. They said 'we recommend the Smart/RG SR505N, but we don't sell them so you'll have to find a reseller'. Smart/RG apparently makes well regarded products but they don't try to sell them directly to end users like me. Instead Smart/RG focus on distributing products through (large) ISPs, where the ISP either sells or rents you the DSL router or whatever. There are a number of ISPs in Canada and even in Ontario that distribute them to customers, but of course you have to be a customer of the ISP. Well, no matter, I found a reseller on Amazon, ordered a unit, and got it. Since my SR505N comes straight from a reseller, its firmware is unbranded, unrestricted and unlocked, and configured generically (to the point where making it work with the local VDSL took some flailing around).

Since Smart/RG's focus is on distributing through ISPs, they don't seem to make any sort of firmware updates available on their website. This is perfectly sensible from Smart/RG's perspective, and in fact for an average customer it's entirely the right answer; it could be a disaster for a customer to overwrite a carefully set up and configured ISP-specific firmware image with a generic one pulled from Smart/RG's site. Since the SR505N seems to be popular with ISPs, various ISPs make various firmware update images generally available on their websites (eg, and, and).

You'll notice that all of those ISPs I linked to have different firmware versions. That's one of the problems with just grabbing one of them and trying a firmware update; which version is the right version to use? Is Teksavvy still on the older version because they've determined that there is some problem with the newer one, or because they haven't gotten around to testing anything more recent (perhaps because they consider the fixes unimportant)? The other problem is the inverse of Smart/RG's problem, namely that if I update to an ISP's firmware image I presumably get their branding, their embedded configuration, and perhaps their restrictions (if any). This could easily cause havoc (or at least annoyance) with my perfectly fine current setup.

In theory perhaps the reseller I got my SR505N from should be providing me with firmware updates. In practice, no, this is not happening. The reseller is an Amazon storefront and their business is getting things from companies that don't normally deal with end users and selling said things to end users. This is a useful service and it certainly involves devices with firmware updates, but asking them to test, qualify, and distribute firmware updates is well beyond what you can expect for customer support. For a start, there's no (additional) money in it, unlike with an ISP dealing with a customer.

So there I am. I have a perfectly good VDSL router (which I mostly use as a VDSL modem), but I can't feasibly get firmware updates for it unless it's a dire emergency (at which point I'd have to try firmware updates from random ISPs). And I don't feel that anyone involved in this entire chain of circumstances did anything wrong; we all made completely rational decisions. We just collectively wound up with my Smart/RG SR505N VSDL router being another little piece in the Internet of potentially vulnerable and not being updated Things.

(I maintain my decision was rational; my actual goal was upgrading to VDSL service and the VDSL router was and is a tool to get there. I wanted an appliance and I got an appliance. I definitely did not want to spend weeks trying to research and order an open source friendly VDSL router/modem, presuming such a thing even exists in the first place.)

Comments on this page:

By Anon at 2016-10-24 02:15:57:

An entirely open source *DSL modem + router packaged into a single (working) embedded device is extremely difficult to find (cobbling something together from a laptop or some x86 device bigger than a pair of DVDs doesn't count ;-). The recommendation always seems to be "get one device to do the modem bit and get another open source supported device to do the routing".

By cks at 2016-10-24 02:25:30:

What I actually need is just a VDSL modem. I got a full-bore router (with wifi included) because that was what was readily available, but I don't use the routing functionality; I turned it all off and just use the SR505N as a VDSL modem.

(These days it also gets used as a wireless access point, still with the actual routing and PPPoE handled on my Linux machine.)

Written on 24 October 2016.
« I should keep a released version of the Go compiler suite
On classifying phish spam as malware, an update »

Page tools: View Source, View Normal, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Mon Oct 24 01:20:07 2016
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.