Home router warning: they are riddled with known bugs and are running old Linux without patches


Germany's Fraunhofer Institute for Communication (FKIE) conducted a study of 127 home routers from seven brands to check for the presence of known security vulnerabilities in the latest firmware. The results are appalling.

The FKIE study found that 46 routers had not received a single security update in the past year, and that many routers are affected by hundreds of known vulnerabilities.

It also found that vendors ship firmware updates without fixing known vulnerabilities, which means that even if a consumer installs the latest firmware from a vendor, the router would still be vulnerable.


FKIE assessed that ASUS and Netgear do a better job on some aspects of router security than D-Link, Linksys, TP-Link, and Zyxel, but argues that the industry needs to do more to secure home routers.

FKIE discovered that AVM, a German router manufacturer, was the only vendor that did not publish private cryptographic keys in its router firmware. The Netgear R6800 router contained 13 private keys.

In the worst cases of devices evaluated by FKIE, the routers had not been updated for more than five years.

About 90% of the routers in the study used a Linux operating system. However, manufacturers were not updating the operating system with fixes available from Linux kernel maintainers.

“Linux is continually working to close security vulnerabilities in its operating system and develop new functionality. Actually, all manufacturers would have to do is install the latest software, but they don’t integrate it to the extent that they could and should,” said Johannes vom Dorp, a scientist in FKIE's Cyber Defense and Analysis department.

“Many routers have well-known or easy-to-crack passwords, or have encrypted credentials that users cannot change,” he added.

The study looked at five key signals in the firmware images to assess each manufacturer’s approach to cybersecurity: the days since the last firmware update was released; how old the operating system versions running on these routers are; the use of exploit mitigation techniques; whether private cryptographic key material is not private; and the presence of encrypted login credentials.
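As an added example (not FKIE's tooling and not taken from the report), the following Python checks an already-unpacked firmware tree for three of these signals: embedded PEM private keys, the kernel version banner, and executables built without PIE, which ASLR cannot relocate. The function names, the constructed sample tree and the assumption that the kernel image has already been decompressed are the example's own.

```python
import os, re, struct, tempfile
KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
KVER_RE = re.compile(rb"Linux version (\d+)\.(\d+)\.(\d+)")
OLD_KERNEL = (2, 6, 36)  # threshold quoted in the article

def elf_kind(data):
    """Classify an ELF header as 'non-PIE' or 'PIE/shared'; None if not ELF."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 little, 2 big (MIPS routers)
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    return {2: "non-PIE", 3: "PIE/shared"}.get(e_type)  # ET_EXEC / ET_DYN

def audit_tree(root):
    """Walk an unpacked firmware root and collect three of the five signals."""
    keys, non_pie, kernel = [], [], None
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path) or os.path.islink(path):
                continue  # skip device nodes and symlinks that leave the tree
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if KEY_RE.search(data):
                keys.append(rel)
            if kernel is None and (match := KVER_RE.search(data)):
                kernel = tuple(int(g) for g in match.groups())
            if elf_kind(data) == "non-PIE":
                non_pie.append(rel)
    return {"private_keys": sorted(keys), "non_pie": sorted(non_pie), "kernel": kernel,
            "kernel_old": kernel is not None and kernel <= OLD_KERNEL}

def build_sample_tree(root):
    """Constructed sample files standing in for an unpacked image (no real data)."""
    def elf(ei_data, e_type):  # 16-byte e_ident followed by e_type
        return b"\x7fELF\x01" + bytes([ei_data, 1]) + bytes(9) + struct.pack("<H" if ei_data == 1 else ">H", e_type)
    samples = {"etc/server.pem": b"-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n",
               "kernel.bin": b"\x00Linux version 2.6.36 (constructed banner)\n",
               "usr/sbin/httpd": elf(2, 2), "bin/busybox": elf(1, 3)}
    for rel, blob in samples.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(blob)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_tree(tmp))
```

A file reported under `non_pie` is a main executable loaded at a fixed address; shared libraries and PIE binaries both appear as `ET_DYN` and are not flagged.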

FKIE concludes that router manufacturers lag significantly behind operating system makers in delivering security updates.

“The router vendor upgrade policy is far behind the standards as we know it from desktop or server operating systems,” FKIE notes in the report.

“Most devices run on Linux, and security patches for the Linux kernel and other open source software are released several times a year. This means that vendors could distribute security patches to their devices much more frequently, but they don’t.”

The results echo the findings of a 2018 U.S. study by the American Consumer Institute (ACI), which analyzed 186 small office/home office Wi-Fi routers from 14 different vendors. It found that 155, or 83%, of the sampled firmware had vulnerabilities to potential cyber attacks, and that each router had an average of 172 vulnerabilities.

ACI criticized router manufacturers for not providing an automatic update mechanism to keep routers up to date. Updates are often delivered only after high-profile attacks on routers, such as the Mirai IoT malware and the state-sponsored VPNFilter malware.

As for exploit mitigation, a researcher who recently found that 79 Netgear router models had a remotely exploitable flaw also found that their web-based admin panel never applies the ASLR (address space layout randomization) exploit mitigation technique, lowering the bar for remote attackers to take over an affected router.

The German study found that over a third of devices use kernel version 2.6.36 or earlier, with the most recent security update for 2.6.36 provided in February 2011. It also found a Linksys WRT54GL router running version 2.4.20 of the Linux kernel, which was released in 2002.

“The worst case with respect to high-severity CVEs is the Linksys WRT54GL with the oldest core found in our study,” the report notes. “There are 579 high severity CVEs affecting this product.”