Popular home routers plagued by critical security flaws

A recent study of more than 100 consumer-grade routers from seven, mostly large vendors has found that nearly all tested routers are affected by scores of unpatched and often severe security flaws that leave the devices – and their users – at risk of cyberattacks.

“[T]here is not a single device without known critical vulnerabilities,” says the damning study, called Home Router Security Report 2020. It was conducted by Germany’s Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE) and looked at 127 router models from ASUS, AVM, D-Link, Linksys, Netgear, TP-Link and Zyxel.

“Many routers are affected by hundreds of known vulnerabilities. Even if the routers got recent updates, many of these known vulnerabilities were not fixed. What makes matters even worse is that exploit mitigation techniques are used rarely,” said the researchers, who tallied the average length of time since the latest update at 378 days. A total of 46 routers did not receive any security update within the last year.

The routers were found to be affected by 53 critical-rated vulnerabilities on average; even the device that came out top was affected “only” by 21 such CVEs. No specific vulnerabilities were listed, however.

At any rate, the issues don’t stop with vulnerabilities that are hardly ever patched. “Some routers have easily crackable or even well-known passwords that cannot be changed by the user,” reads the study. More precisely, 50 routers came with hardcoded admin credentials, including 16 with well-known or easy-to-guess login details.

RELATED READING: At least 15% of home routers are unsecured

The study rated some router models higher than the rest, although by no means is this to say that their owners have a reason to rejoice. “AVM does better job than the other vendors regarding most aspects. ASUS and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link and Zyxel,” said the researchers.

Unsurprisingly, 90 percent of the devices were running Linux, but often one of the operating system’s ancient versions. More than one-third of the routers was still powered with the 2.6.36 Linux kernel version, which received its latest update in 2011.

“Linux works continuously to close security vulnerabilities in its operating system and to develop new functionalities. Really, all the manufacturers would have to do is install the latest software, but they do not integrate it to the extent that they could and should,” said the study’s co-author, Johannes vom Dorp from FKIE’s Cyber Analysis & Defense department.

The research used FKIE’s Firmware Analysis and Comparison Tool (FACT) to examine the devices’ latest firmware versions as available on March 27^th, 2020. The methodology and results are described in detail in the aforementioned paper. A full list of the tested models and their respective firmware versions is available on GitHub.

Overall, the study’s results are not too dissimilar from what other studies have found in recent years, including this test by Independent Security Evaluators last year and another review by the American Consumer Institute in 2018.

We’ve covered the subject of router security extensively in recent years, and especially in the work-from-home era this subject is even more important than ever. For starters, you may want to read our general article on how to boost your router security or peruse our tips for reviewing your router’s configuration settings. Another article – prompted by the FBI’s advice for everybody to reboot their routers following reports that hundreds of thousands of routers worldwide had fallen victim to VPNFilter malware – also offers practical guidance on this subject and might be best read in conjunction with this follow-up piece on the same topic.

9 Jul 2020 – 08:46PM