Verizon FIOS is a fiber-optic system capable of delivering very fast internet feeds to residential consumers, in addition to its TV service. With upload speeds in excess of 25Mb, and download speeds in excess of 50Mb (its currently capable of 150Mb), you would think that this service beats cable internet and DSL internet hands down.

Well, speed-wise it does.  But there are quite a few gotchas, including some not so apparent security risks. If you are not a casual residential user of the service and take the time to login to the router , you’ll quickly discover the Actiontec router provided by Verizon is a flashy, poorly designed child’s toy.  While the hardware is solid, the choice of firmware is dismal and, in my opinion, more than a bit dangerous.  It looks and behaves like someone’s abandoned science project, which was picked up and finished by the marketing department at Verizon.  There is no common sense whatsoever in its design or user-experience.

And worse, the firmware also initiates strange connections to Verizon servers, which make me question the router’s security and integrity.  Since I am engineer, I find it appalling what Verizon gives out as a core piece of the network in a user’s home–especially in light of the recently-revealed NSA eavesdropping and network penetration efforts and, before that, the years of black-ops efforts on the net to seize control of networks for bot armies, industrial espionage, monetary theft, etc, etc.

The real test of a good internet connection is not only the speed and how much your network can do for you, but more importantly how much people outside of your home network don’t have a chance to compromise it and, even worse, take control of it. Verizon FiOS architecture fails, quite frankly, very miserably on both of these accounts. Here’s a specific set of reasons why, broken down by the level of importance.

Security and Network Ownership/Management

The Actiontec router has two network interfaces for the WAN (Internet-facing) connection. One is coax, and one is ethernet.  The box is setup by the installer with the coax connection, because the box is designed to work with the DVR unit to access the network for TV program information, etc. And, surprise surprise, the DVR only has a coax connection to access the internet.

This is a very subtle, and very dirty trick to dissuade users from disconnecting the Actiontec router and putting in their own router. Publicly-available routers are known to use standard Cat 5 network connections, so a standard router won’t directly support a connection to the DVR. So this quagmire of giving up your onscreen programming guide to use your own router is created.  Most average users will give-in to using Verizon’s router because they don’t want to give up the programming guide on the TV, and don’t have the knowledge of how to work around that with their own router.

Verizon, for any number of reasons, would love to control the traffic on their network–even to the extent of managing their company assigned router inside your house to enforce their corporate policy and thinking.  This is a very dangerous way of looking at the internet, which is designed for a free-flow of information.  I have documented a legal move made by Verizon in the past in this related post here, written a few months back, which demonstrates why this is their motive.

In addition to the business trick of discouraging alternate router usage, there are also some additional, open ports on the Actiontec router which indicate that it is/can be centrally managed.  Centrally managed means the router can be exposing its settings. logs or even receive remote firmware upgrades at the will of Verizon.  This would violate the cardinal rule I have for any piece of electronic equipment which I own: updates allowed only when I am notified and approve.

While some people will argue that this means a security hole can be patched quickly across the network, the converse is also true.  Because a large set of routers are available to a central management system, an intruder with ill-intent could potentially put a compromised firmware into that system for distribution.  Less aggressively, a release of firmware which has an undiscovered problem could potentially take thousands, if not millions of households offline at one time.

And worse, because Verizon is a publicly traded company, the problem could be concealed, or described in a more generic form as a “network issue we are working to resolve” to mask the real cause of the problem in an attempt to protect stock values.  In the open source world, which DD-WRT is a part of, many people contribute, test, openly write about and scrutinize the software.  Because of the openness, the user has enough information to decide if an upgrade to their router is appropriate.  And if they decide an upgrade is appropriate, they decide upon the time.

Even if DD-WRT were compromised, the chances of it being discovered and exposed are far greater due to its very open, public nature.  Not so with Verizon’s approach.

The Awful User Experience of the Actiontec Router’s web management interface.

In some ways, there are too many pain points in this browser interface to list.  But I will list the ones that stand out to me.

  • Trying to get the user lost the moment they attempt to login.  The very first one starts with the login screen for the router management.  As keystrokes are entered into the password text box of the dialog, the router will actually change the number of asterisks that appear to a larger or smaller number than actually typed.  This is so dumb.  Not only does it confuse the person who might be looking over the operator’s shoulder (the intent), but it royally confuses the operator as well.  When the feedback of what is being typed is not displayed, the only measure of accuracy the person typing has is cadence–a count that can match where the operator expects to be in the sequence.  And Verizon’s interface even screws that up.  I can not emphasize how asinine this is.  Most modern username/password dialogs today have an option to unmask (i.e. don’t hide) the password.  After all, if you’re the only one in the room, what’s there to protect?
  •  Locking yourself out of your own router.  Want to have fun?  Enter a bad password in the password text box, and click the login button several times.  The box will actually lock you out, of your own network in your own house.  Every other router on the market will give you infinite chances to login to the router, if you are connecting from something that originates in the house (Wireless or LAN connections).  It is only the WAN origination points (somewhere from the outside to the network in the house) where a certain amount of consecutive failures will cause a lockout to occur. I was just stunned when I saw this.  Make me get up and recycle the power on my own router to try again, because you (Verizon) threw off my cadence when entering the password–come on !
  • Extraordinarily poor navigation.  The items are all over the place, poorly grouped, inconsistent, and diving down to a menu item often requires you to go back to the top and navigate all the way back down again for another action in that same area.
  • No attempt to memorize any recurring answer the user gave.  Certain areas are labeled as for advanced users only, requiring a click-through to approve going into them.  But each successive time you go into another “advanced users” area, you get asked again.  Add this in to the continuous deep-dives needed in the entire menu system, and the amount of time wasted for simple activity is astonishing.
  • Advertising right on the home page.  This is the most laughable to me.  Once you login, and every time you cycle back to the home page (which it does force you to do a lot), Verizon’s router displays advertising links on the right panel–of an equipment configuration page on the local router!  For those of you who wrote this site and let Verizon make this a requirement of you, super glue a brown paper bag of shame over your head.
  • A mysterious port which you can not disable.   The router has NAT, but has a port authoriztion (TCP 4567) that is untouchable by the user.  This should be an automatic red flag that something is going on with an outside server, which Verizon will not allow you to turn off.  The port is known to be a point-of-access for Verizon to enter the router for their purposes.  They will call it customer support, but both the Actiontec and Westell boxes have been attacked and compromised on these ports. http://forums.verizon.com/t5/FiOS-Internet/Guy-accessed-remote-administration-port-4567-on-my-router-Thanks/td-p/241017

Despite all of this, I still have Verizon FIOS as my ISP provider.  As long as my router is the main entry point to the home network, I can manage and protect it as I need.  I do find the path that Verizon has taken with this architecture very concerning.  It would also not be completely fair to say that Verizon is definitely the only one doing this, but be aware of the implications of using the company provided equipment for your home network.

 

No Comments
Politics and Public Policy, Technology.Networking, Technology.Thoughts