[Cryptography] "Home router warning: They're riddled with known flaws and run ancient, unpatched Linux"

[D. Hugh Redelmeier]

| From: Peter Gutmann <pgut001 at cs.auckland.ac.nz>

| You also have to go even further down the rabbit hole than Linksys, a lot, if
| not all of their gear is actually made by Gemtek, who also OEM for Buffalo,
| Zyxel, Fortinet, Cisco, Alcatel-Lucent, Belkin, 3Com, Dell, Intel, and many
| others, I've seen them described somewhere as "a prolific OEM".
| 
| https://deviwiki.com/wiki/List_of_Gemtek_Wireless_Devices

Nice resource!

I was part of the FreeS/WAN project.

In 2006, I read an ad for the Linksys WRV200.  It was marketed as a
Wireless G VPN Router.  I was intrigued and read the manual.  They
mentioned an IPSec feature that only FreeS/WAN had (bare RSA keys for
authentication).  So I knew that it was running our code.

<https://deviwiki.com/wiki/File:Linksys_WRV200_label.jpg>

I bought one.

It did not actually support bare RSA keys, even though it was
documented in their manual.  Support said that was a bug in the
manual, not in the router.

I went looking for the GPLed source.  For one thing, I wanted to
re-enable that feature.  The source was not available.

I asked Linksys, several ways, for a copy (as per the GPL).  None was
forthcoming.  I didn't sue them.  They eventually made source
downloadable (6 months later?  I don't remember).  It could not be
built and it didn't correspond to the binaries they shipped.

Meanwhile, the community was up in arms because the router was an
unreliable piece of junk, through multiple firmware releases.  And I
couldn't fix it.  (Mind you, the unreliability was probably not in
FreeS/WAN; it may even have been in the hardware.)

I did hear the excuse that the WRV200 was made by Gemtek and thus out
of control of Linksys.  But Linksys put their name on it.  I don't
remember whether Cisco owned Linksys at the start but they did during
the products lifetime.

Anyway, I have never used that router.  I barely ever turned it on.  Sad.