Home Routers: A Case for Updates and Replacement

Times are tough in the economy right now. Heck, they’re tough in general for many people. Reoccurring expenses are one that a lot of people will want to cut out of their life if possible. There’s a fee that individual homes should account for though that I believe many forget about – your networking hardware. I get it. If it a piece of hardware isn’t physically broken and does still work, why replace it? I want to make a case at why this is a bad idea and why you should monitor your home router for software updates and, if it’s end of life for those updates, replace it.

Your primary defense is your home router

The router you buy to provide WiFi to the rest of your home and connect to your cable modem (or other network access), is far more than just a mechanism to make sure you can connect your laptop to the Internet. Your home router is literally the mechanism blocking malicious traffic from the Internet from entering into your home. Home routers generally consist of three separate functions: a router that routes your devices out over the Internet, a WiFi access point providing WiFi to your home and a software firewall, preventing inbound connections to your network unless you asked for them. Whether it has “gaming” in the name, whether it is by ASUS or another brand, that one device is protecting your home devices.

The Internet is a malicious place. While we generally see the websites we visit, or the emails we get, unknown to many people is the fact that the Internet is constantly being scanned for vulnerabilities. Even now, your home Internet Protocol (IP) address is getting hammered with requests from countries like China, Brazil, Russia, Singapore and many others scanning to see what can be exploited. This isn’t meant to be a scare tactic though. This is the reality of anything that connects to the Internet. By connecting to the outside world, you inherently open yourself up to people connecting to you as well. The firewall aspect in your router, as an edge device in front of your laptops, TVs, gaming computers and other devices acts as a protective gateway. It makes sure you can connect to the outside world, but keeps them blocked at your front door. Think of it like the lock on your household front door. You can get out, but that lock blocks anyone else from being inside unless you want them there.

Software updates are critical

As with any other device, your home router has software installed on it called firmware. Just like Microsoft Windows gets software updates, that firmware is not always perfect. Sometimes there are vulnerabilities in the firmware itself. Manufacturers provide firmware updates for their devices as long as those devices are still considered supported by the manufacturer. For example, say you had a fancy ASUS ROG Rapture GT-AX11000 WiFi Router because your son or daughter loves gaming. ASUS provides a firmware update to that device that can be found on their page here. There are a total of 9, yes 9, security updates with that firmware update alone that was published just two days ago. If you own that device, you should be updating your firmware with the latest version.

The challenge with the above is that, unlike Windows, updating firmware for a router is a very manual process. You have to download the firmware, login to the router, manually go through an update process by selecting the downloaded file, and then confirm it worked. Some manufacturers may make things a bit easier by having the update process in the router download the update for you, but you still must initiate it. It is for this reason home routers are generally purchased, installed and then forgotten about as long as they continue to work.

End of life means end of support

Eventually, manufacturers will stop supporting their devices with software updates. Why? Well, it’s a business model. It takes time and effort to comb through the software of a device, find vulnerabilities, patch those vulnerabilities and then issue out a new version of firmware. And for devices that have been out for some time, the manufacturer is no longer making money off them from sales. So, they end support in order to focus on their newer hardware. When they do end support, sometimes bugs or vulnerabilities in that firmware remain.

Just take a moment and think about it. The one device, that sits at the edge of your network facing the Internet that acts as the lock on your door, might have a vulnerability where the lock can be opened by anyone. Sure, it’s not the same as someone breaking into your home, but allowing access into your home network can be just as scary. What if you have home cameras? Do you want someone watching you and your family from those cameras? There is an inherent trust we provide to devices inside our home networks. The bad guys stay out THERE (Internet), and we keep those we trust in HERE (home network). Having a fault at your home router could turn that on its head.

Would you pay for security?

Unfortunately, the only thing you can do once a company ends support on a device like a home router and no more software updates will be provided is buy a new home router. In fairness, only you can decide what risks you are willing to take. It is entirely possible that you can never upgrade your device again and nothing happens. Either no new vulnerability is disclosed or you hide among the noise of the billions of others on the Internet and you are not targeted. The idea here is just to make sure you are informed about that risk. Though, keep in mind, if you are targeting and exploited, you will likely not know it. The whole point of an attacker is to not get caught after all.

Go ahead and ask yourself, when was the last time you logged into your home router and checked the firmware version against what the manufacturer is at? If the answer is never, I recommend you do that. Firmware upgrades are free. If your device is end of life and no more updates exist, you should be asking yourself if you’re comfortable with that “lock” maybe having a way to open it, and if you should replace that “lock”.

Tracking in Plain Sight: The Hidden Web-to-App Surveillance You Never Agreed To

As one of the first posts associated with the new rollout out of ZNS, the following topic is so blatantly wrong that it would be impossible for me to avoid writing about it. The scary thing about this as well is that it seems largely absent from mainstream media. If you are one to pay attention to the privacy settings on your phone, how would you feel if a company just found away around them? Intentionally avoiding settings you dictated to collect your browsing history and tie that directly to an account you have with them. Unfortunately, I believe until there is some sort of stronger legal accountability for these types of actions, efforts like this to collect private data will continue. Let’s dive in.

Meta and Yandex are covertly tracking users by exploiting legitimate browser capabilities

Meta is the overarching company associated with Facebook, Instagram, Messenger and WhatsApp. Yandex on the other hand, is a Russian company that provides services such as a web browser, search engine, and online shopping among others. Both of these companies are fairly significant from the perspective of technology companies. As of today’s writing, Meta is worth an approximate $1.84 trillion dollars. Yandex is a bit harder to nail down as it is a Russian company but I would wager the valuation is also fairly high. Both of these companies used a technical workaround that allows JavaScript on websites to silently communicate with native Android applications like Facebook and Instagram on the same device, bypassing standard security and privacy settings. It is definitely a novel – and inappropriate – way of obtaining user data.

Linking anonymous web activity to real-world identities

Many people might be familiar with the word cookie these days when it comes to Internet use. If you’re not though, a cookie is simply a small piece of data created by a web server that is stored onto your device. When you login to a website, and come back to visit it later and it remembers you so you don’t have to login again, that is a cookie in action. Cookies have plenty of good uses behind them.

In this instance however, both Meta and Yandex were using an ability to transmit identifiers like a cookie from a web browser to their native application on the device. By doing so, both Meta and Yandex de-anonymize users and link browsing history directly to their logged-in application accounts. According to an article published last month by Ars Technica, “This abuse has been observed only in Android, and evidence suggests that the Meta Pixel and Yandex Metrica target only Android users.” Meta Pixel and Yandex Matrica are the actual analytics programming scripts that help advertisers. These scripts that were passing off browsing data to applications installed on a device “are estimated to be installed on 5.8 million and 3 million sites, respectively” (ArsTechnica).

To summarize, Android users who visited any one of 5.8 million websites and had Facebook or Instagram on their phone had their browsing data pulled and provided to those applications even if they had strict application privacy settings. Based on the reading I have done so far on the topic, it does not look like iOS users were impacted but the capability to implement something like this is there even for those with an iPhone.

It’s a misuse of legitimate browser capabilities, not a fixable bug

The technique takes advantage of an intentional, system-supported mechanism used for valid development and application communication. This is an important note with all this. Neither Meta nor Yandex hacked anything. The capability they used for this purpose has valid uses. What they did, however, was take a capability that many applications need to function right, and turn it into a spying mechanism on customers.

The technique circumvents all conventional privacy protections

The tracking method bypasses cookie deletion, Incognito Mode, Android permission systems, and browser anti-tracking tools designed to silo cookies and prevent cross-site profiling. This even bypasses using a VPN. There is no way, using a devices settings or permissions, to prevent this from occurring. One option would have been to delete apps like Facebook from a user’s phone, but in order to do so, a user would need to know this was happening in the first place. Given the way this was occurring, it would have been impossible to know as there was no “option” on a device to turn it on or off. Fortunately there are security researchers who are looking into applications and how they work supporting the public’s best interest.

The scale and stealth of this system raise serious ethical concerns

With tracking scripts deployed on millions of websites that provide this capability to Meta and Yandex applications, and no user visibility or consent, this approach represented a widespread and deliberate violation of user privacy and trust—designed to sidestep all modern safeguards. Supposedly, Meta paused this action while it worked with Google claiming it misunderstood policies once this activity was disclosed. Google for its part in looking over the Play Store noted that Meta and Yandex’s actions violate its policies.

Time will tell what will happen in the future but I believe this highlights that the public needs continued information on these types of actions. That way individuals can make informed decisions about the devices and applications they can trust (if any).

A Fresh Start

There is something refreshing to a sort of “Spring cleaning” even if it is done in the middle of summer. This project was actually born back in 2023. Over the last two years, I have put some additional thought into the direction I want this whole idea to head toward. Not only that, but a branding update was necessary due to wanting something more original. With that in mind, this is my fresh start.

The end goal of ZNS is the same though even two years later. I want to help people see through the technical complications of both digital security and privacy. The story started long ago for me when I was in Best Buy and overheard some shoppers trying to pick a new home wireless router. Hearing the father talk to his son, it was clear this was not their area of expertise. The different WiFi versions, buzzwords of “gaming” and “lightning fast” across the various options, none of it helped them. They did not really know what they needed or even should buy, so a Best Buy representative stepped in to help narrow down their search.

Tech is here to stay.

In today’s world, technology is a fact of life. From the little computers we carry everyday in our pockets that doubles as a phone, to so many home devices now connecting to the Internet to provide convenience. Our connectivity is here to stay. In fact, many would argue it will only get more and more involved. This got me thinking, how should normal people protect themselves and their families from those that would do them digital harm? There is already a lot to keep up with just living, right?

Security concepts are increasingly difficult things to keep on top of, not to mention master – if at all. Many security posts and articles, whether it is a recent hacker exploit or another business losing their data, are written in such a way that only a computer science student or someone in the industry would even understand it. What about the ordinary person? What about someone’s mother or father, or even their grandparents? Shouldn’t they also have the ability to more easily understand computer and network security? Or, if the article is directly from a news source like CNN or Fox News, it will lack actionable information. Neither perspective, super detailed or general news, might be particularly helpful for understanding.

The road ahead.

It is with those ideas in mind that this website was born. I wanted to find a place where I could provide information so that it just might help someone’s family be better protected in the digital age we live in. Clearly, to fully understand some things you need knowledge and experience in that field. But I hope I can provide a bit of a translation layer between the really detailed things and a solid foundation that an ordinary person can understand. If only one person reads an article on ZNS and becomes more informed and educated about digital security and privacy, then my effort was worth it.