A staggering 83 percent of home and office routers have vulnerabilities that could be exploited by attackers. Of those vulnerable, over a quarter harbor high-risk and critical vulnerabilities, according to a report on router safety released this week by the American Consumer Institute (PDF).
The study examined 186 WiFi routers from 13 different manufacturers, including market-share leaders Linksys, Belkin, NETGEAR and D-Link. “Failing to address known security flaws leaves consumer devices vulnerable to having their data compromised, leading to malicious activity, identity theft, fraud and espionage,” according to the report.
Researchers blamed open-source libraries as the main reason for security flaws in router firmware. “Hackers target hardware devices such as routers, because they are usually left on and their accompanying software, called firmware, are infrequently updated,” the report stated.
Also contributing to systemic security issues with routers is a lackluster patching regimen by most consumers and vendors.
“Fixing vulnerabilities lies partly in the hands of consumers who must do their homework and install firmware (software) updates,” the report stated. “In addition, manufacturers often do not provide user-friendly ways for consumers to update firmware or may even view building security protocols into their devices as an unnecessary expense.”
The American Consumer Institute report suggests router vendors create a litany of hoops for consumers to jump through to even be eligible for, or reminded of, firmware updates. “Sometimes accessing firmware updates requires consumers to have registered their products with the manufacturers, while other times these updates are not readily available online, and still other times somewhat older routers are not supported at all,” it said.
According to the report, of the 186 routers examined, only 17 percent contained no vulnerabilities. Researchers stated that each router examined had an average of 172 vulnerabilities. The report said seven percent of the vulnerabilities were classified as critical, based on the National Institute of Standards and Technology’s National Vulnerability Database classification. It found 21 percent of router vulnerabilities were rated high, 60 percent medium and 12 percent low.
Taken in the larger context of all internet-connected devices, such as CCTV cameras, DVRs, printers and network-attached storage (NAS) devices, researchers say vendors are failing consumers and need to do a better job of not just patching but also adopting secure-by-design initiatives.
“We want these electronic devices to be free from intrusion, and we want the data to be secure, not corruptible and certainly not distributable without the owner’s authorization. Yet, our results show that these devices are highly vulnerable, and are becoming an increasingly attractive target for cyberattacks,” according to the report.
The American Consumer Institute report lists all vulnerable router models it found.