Report: Most Popular Home Routers Have ‘Critical’ Flaws

Common devices from Netgear, Linksys, D-Link and others contain serious security vulnerabilities that even updates don’t fix.

A security review of 127 popular home routers found most contained at least one critical security flaw, according to researchers.

The “Home Router Security Report” (PDF) by Peter Weidenbach and Johannes vom Dorp—both from the German think tank Fraunhofer Institute–found that not only did all of the routers they examined have flaws, many “are affected by hundreds of known vulnerabilities,” the researchers said.

On average, the routers analyzed–—by vendors such as D-Link, Netgear, ASUS, Linksys, TP-Link and Zyxel—were affected by 53 critical-rated vulnerabilities (CVE), with even the most “secure” device of the bunch having 21 CVEs, according to the report. Researchers did not list the specific vulnerabilities.
Researchers examined the routers based on several key aspects: device updates, version of operating system and any known critical vulnerabilities affecting them; exploit mitigation techniques by vendors and how often they activate them; the existence of private cryptographic key material in the router’s firmware; and the existence of hard-coded login credentials.

“To sum it up, our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects,” Weidenbach and vom Dorp wrote. “Much more effort is needed to make home routers as secure as current desktop or server systems.”

While people make common mistakes when configuring home routers–thus leading to security issues–they are not the primary reasons for the lack of security found among the devices, researchers said.

Their analysis clearly shows that device vendors, despite knowing the security risks, are still doing a rather dismal job to ensure that routers are secure even before users take them out of the box.

Researchers used an automated approach to check the router’s most recent firmware versions for five security-related aspects. Of the 127, they managed to extract 117 completely, finding that 116, or 91 percent, were running Linux.

While Linux can be a very secure OS in theory, researchers found that many of the routers were powered by very old versions of Linux that lack support and thus are rife with issues, they said.

“Most devices are still powered with a 2.6 Linux kernel, which is no longer maintained for many years,” researchers wrote. “This leads to a high number of critical and high-severity CVEs affecting these devices.”

Another key problem affecting the security situation of the routers was the device firmware is not updated as often as it should be. However, even updates to the router’s firmware didn’t solve the problems in many cases.

Moreover, vendors rarely used common exploit mitigation techniques that serve to make a home device more secure, using passwords that can easily be cracked by threat actors or even well-known passwords that users can’t change even if they want to.

Providing hard-coded credentials is an especially vulnerable situation for a device, as evidenced by the destructive Mirai botnet, which used hard-coded telnet credentials to infect millions of embedded devices, researchers noted.

Most of the firmware images researchers analyzed also provided private cryptographic key material. “This means, whatever they try to secure with a public-private crypto mechanism is not secure at all,” researchers wrote.

Some vendors seem to prioritize security a bit more than others, according to the report. AVM International was the best of the bunch in terms of all the security aspects researchers examined, although the company’s routers also contained flaws, they said.

ASUS and Netgear also prioritized several aspects of device security more than some of the other vendors. Both update their routers more frequently than their rival companies, and use more current, supported versions of the Linux kernel for their firmware, researchers found.

Among the routers examined, those from D-Link, Linksys, TP-Linkand Zyxel fared the worst in terms of how well common security aspects were addressed out of the box, according to the report.

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail. 

 

Suggested articles

Discussion

  • Steve on

    Is securing a home network then possible given that the devices we buy are de facto unsecurable?
  • Stephen on

    What modem/routers from ISPs? W/R/T my Verizon Fios device, how do I ensure VZ updates it so that I don't have any of the flaws as described?
  • Ben Carter on

    A big issue rarely mentioned is that for router/modem combos, even if an exploit is fixed for the router from the manufacturer, you likely still have to wait for your ISP to push it out.
  • tay on

    hm...
  • Joel on

    Is there evidence of these vulnerabilities being exploited in the real world? If so, how much is it happening?
  • gpb on

    It would be useful to know...are these "exploits" usable from the WAN side or LAN side. I would think most people by default will have their router management interface blocked from the internet so if a router has an exploit, but the requirement is they need to be sitting in your living room to hack it, then it would seem the risk of the "exploit" is near zero. I read that there's generally no need to update the linux version for SoC systems since they must match the SDK used for the device and most patches can be applied as needed.
  • ddWRTfan on

    Use open source firmwares like OpenWrt and DDWRT instead of factory stuff. Problem solved.
  • Chris on

    Is it I run freak tomato on an Asus I'm on the latest version.

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.