Based on an informal survey of my family and friends, I am the only person I know who has heeded the FBI’s recent warning to restart home routers in order to rid devices of the VPNFilter malware that has infected hundreds of thousands of routers. When I asked my mother, she responded, in the weary tone of a woman who has had too many cybersecurity demands placed on her by a paranoid daughter, “If you tell me what a router is and where ours is, I’ll go do it.” (She didn’t, though she did point out that if there was something wrong with it, then that was probably the fault of the person who set it up in the first place: me.)
It is true that I occasionally ask my parents to do unreasonable things like reformat their laptops after they come back from a trip to China. But this is absolutely the smallest security ask it is possible to make of the public. No one’s asking you to change any passwords, download any patches, or toggle any security settings. It’s literally just a question of whether you’re willing to unplug your router for a few seconds and then plug it back in to help remove malware that could potentially be used to monitor your online activity or even cut off your internet access. (Well, actually, while you’re at it—if you wouldn’t mind upgrading the router firmware and choosing a new password for it and disabling any remote management settings, the FBI would appreciate that, too. So would I.)
According to the Department of Justice, the VPNFilter malware that Cisco estimates has infected at least half a million routers across 54 countries is disseminated and controlled by the Sofacy Group, which is itself believed to be affiliated with Russian military intelligence. There’s no digital device you would want to have infected by operatives under the control of the Russian government, but your home router is a particularly vulnerable and important part of your network because it connects to every other device in your home and is so easily overlooked or forgotten by the average online user, like my mother.
That’s partly by design: If setting up and troubleshooting a home wireless network were a complicated, lengthy process, then no one would do it. So router manufacturers got very good at making it as easy as possible—so easy, in fact, that most people immediately stop thinking about their router the minute their wireless network is up and running and don’t worry about it again until the internet stops working. To some extent, that’s how a lot of our technology works. I’ve written in the past about the largely hidden infrastructure of digital certificates (the things that dictate which websites your browser trusts to load and which software updates your operating system installs) that goes unseen and ignored by most online users. And just as it would be foolish to expect most people to understand how digital certificates work, it would be equally unrealistic to demand that people understand how their home networks function.
Yet, when things go wrong with those types of technologies we’ve been so effectively shielded from—particularly when things go wrong with regard to security threats—the invisible ease with which they’ve been seamlessly integrated into our digital lives can backfire. Of course, you don’t need any very sophisticated technological know-how to comply with the FBI’s request to reboot your router. Even the agency’s slightly harder asks (changing the password, updating the firmware) require only a moderate level of technical competence. But routers are not devices that we routinely require people to learn how to use, restart, or adjust settings for, the way they do their phones or laptops or tablets. Routers often don’t feature any of the familiar interfaces like screens or keyboards that we instinctively know how to navigate.
As we purchase more and more connected smart devices that are similarly devoid of familiar user interfaces and obvious updating mechanisms, we may see more requests of the type made by the FBI last week. And along with those requests, it’s also very probably we’ll see correspondingly more uncertainty about how to comply with them and unwillingness to do so if it requires interacting with a typically low-maintenance home device.
Given end users’ reluctance to spend more time fiddling with their devices, our solutions to these problems tend to take the form of making it easier for the device manufacturers to control these tools from afar, even after they are set up inside your home. One solution to trying to cajole everyone into restarting their router would be to have all router manufacturers be able to remotely restart those devices, and even install firmware updates without your knowledge or involvement.
Taking security out of the hands of individual users in this way has pros and cons. On the one hand, it would mean the FBI doesn’t have to try to persuade my parents to go hunt for the router they’re not even sure they have. But on the other hand, it also exacerbates the larger problem of designing technology so invisible to end users, so completely hands-off and automated, that should the need arise for them to do something about it they may not be up to the task, even if that task is as simple as pulling a plug.
