Typically, these systems are powered by specialized computer chips made by companies such as Broadcom, Qualcomm, and Marvell. These chips are cheap, and the profit margins slim. Aside from price, the way the manufacturers differentiate themselves from each other is by features and bandwidth. They typically put a version of the Linux operating system onto the chips, as well as a bunch of other open-source and proprietary components and drivers. They do as little engineering as possible before shipping, and there’s little incentive to update their “board support package” until absolutely necessary.
The system manufacturers — usually original device manufacturers (ODMs) who often don’t get their brand name on the finished product — choose a chip based on price and features, and then build a router, server, or whatever. They don’t do a lot of engineering, either. The brand-name company on the box may add a user interface and maybe some new features, make sure everything works, and they’re done, too.
The problem with this process is that no one entity has any incentive, expertise, or even ability to patch the software once it’s shipped. The chip manufacturer is busy shipping the next version of the chip, and the ODM is busy upgrading its product to work with this next chip. Maintaining the older chips and products just isn’t a priority.Bruce Schneirer
I'm very concerned about this. While the Apple router in my home isn't subject to any known vulnerabilities, I have very little visibility into the device and I am completely at the mercy of Apple's engineers when it comes to patching. This one device separates the other components of my computing network from the wild wild Internet. It's the my main line of defense. I used to have a basement full of servers that I controlled -- firewall, network attached storage, web server etc. Now I'm dependent on the cloud for services and limited control of my network security. It's time for change.
