My new router has just arrived. As is the case for most now, it was supplied FOC by my ISP. When configuring the router, I couldn't help but notice that in the re-configuration maintenance page it said this:<p>"We'll periodically update your router software automatically. There may be times when you will be advised to do this manually. Our Technical Support Team will assist you if this is the case."<p>Immediately I started to look for the option to disable this. However I could not find one. I then contacted their technical support in an attempt to turn it off. Their advisor informed me that they would not turn it off. I proceeded to state that would not, did not mean could not and probed for information which would enable me to turn it off. At this point the advisor informed that it was a secure line and that the upgrade process was infallible in terms of security; yet was unable to inform me of the security processes/practices applied. The advisor (getting infuriated at this point as I was clearly off-script) stated that they would try to find out from a higher technical body (internally). After being put on hold for a further 20 minutes I gave up and hung up the phone.<p>Next I resorted to a (quick) Google search in the hope that an answer would be reveal itself. I couldn't find an easy answer. Most answers I found focussed on some means of hacking the firmware on the device (based on the fact that the router was a re-brand of some other common make/model e.g. Netgear).<p>Given that my logs tell me I receive unsolicited connection attempts out of some countries in the East every 5 minutes or so, I feel I should be worried that I have little or no control over the firmware running my router. Have other people experienced this too? Is strikes me as a red flag in terms of security.
You might want to take a look at these pages and see if your router supports OpenWrt or Tomato firmware.<p><a href="http://wiki.openwrt.org/toh/start" rel="nofollow">http://wiki.openwrt.org/toh/start</a><p><a href="https://en.wikibooks.org/wiki/Tomato_Firmware/Supported_Devices" rel="nofollow">https://en.wikibooks.org/wiki/Tomato_Firmware/Supported_Devi...</a>
Hopefully, your ISP is using TR-069[1] to update your router. It's not perfect but it's not as bad as you might imagine. The router polls for updates and initiates a connection to the ISPs configuration server.<p>The servers are usually part of your ISP's infrastructure, not a third-party service on the public Internet.<p>I've seen TR-069 used very effectively to manage VOIP hardware (a lucrative target for hackers) however I was told that routers are more difficult.<p>The bottom line is, if you don't trust your ISP to update your router firmware, buy a different router. As others have said OpenWRT is awesome.<p>[1] <a href="http://en.wikipedia.org/wiki/TR-069#Security_and_authentication" rel="nofollow">http://en.wikipedia.org/wiki/TR-069#Security_and_authenticat...</a>
Is the router your hardware? If the router was provided by (aka is owned by) your ISP, then I don't understand why you would expect to be able to control the firmware (it's not your hardware). From your providers perspective, this would imply that they've lost configuration management control of their hardware (not good for them). In this scenario, the simple solution is to install something downstream, for example a security appliance (firewall/vpn) or your own router with similar capabilities (use your own router as the ingress). If this is not correct, and you provided the router (ISP provides only the fiber), then you do have a valid issue. (but it could still be solved with the above solution).
So your ISP has the capability to automatically provide you with updates to fix security issues on your router (thus helping keep out the 'countries in the East') and you want them to turn this off?<p>Smart.<p>If you're really that paranoid, I suggest you open your wallet and buy a firewall to put between the LAN port on your router and the rest of your internal devices.
> Given that my logs tell me I receive unsolicited connection attempts out of some countries in the East every 5 minutes or so,<p>Do you have a cut and paste of those logs? Often those connections are either noise and not worth bothering about, or they're your ISP and not worth bothering about.
If you router can run a decent version of OpenWRT then go for it. Otherwise buy a decent router, unfortunately they are not easy to find. I would say go for a carambola2, it's cheap runs OpenWRT out of the box and has FreeBSD support too, if you are good with CLI.