ThreatList: 83% of Routers Contain Vulnerable Code

Five out of six name-brand routers, such as Linksys, NETGEAR and D-Link, contain known open-source vulnerabilities.

A staggering 83 percent of home and office routers have vulnerabilities that could be exploited by attackers. Of those vulnerable, over a quarter harbor high-risk and critical vulnerabilities, according to a report on router safety released this week by the American Consumer Institute (PDF).

The study examined 186 WiFi routers from 13 different manufacturers, including market-share leaders Linksys, Belkin, NETGEAR and D-Link. “Failing to address known security flaws leaves consumer devices vulnerable to having their data compromised, leading to malicious activity, identity theft, fraud and espionage,” according to the report.

Researchers blamed open-source libraries as the main reason for security flaws in router firmware. “Hackers target hardware devices such as routers, because they are usually left on and their accompanying software, called firmware, are infrequently updated,” the report stated.

Also contributing to systemic security issues with routers is a lackluster patching regimen among most consumers and vendors.

“Fixing vulnerabilities lies partly in the hands of consumers who must do their homework and install firmware (software) updates,” the report stated. “In addition, manufacturers often do not provide user-friendly ways for consumers to update firmware or may even view building security protocols into their devices as an unnecessary expense.”

The American Consumer Institute report suggests router vendors create a litany of hoops for consumers to jump through to even be eligible for, or reminded of, firmware updates. “Sometimes accessing firmware updates requires consumers to have registered their products with the manufacturers, while other times these updates are not readily available online, and still other times somewhat older routers are not supported at all,” it said.

According to the report, of the 186 routers examined, only 17 percent contained no vulnerabilities. Researchers stated that each router examined had an average of 172 vulnerabilities. It said seven percent of the vulnerabilities were classified as critical, based on the National Institute of Standards and Technology’s National Vulnerability Database classification. The report found 21 percent of router vulnerabilities were rated high, 60 percent medium and 12 percent low.

Taken in the larger context of all internet-connected devices, such as CCTV cameras, DVRs, printers and network-attached storage (NAS) devices, researchers say vendors are failing consumers and need to do a better job of not just patching but also adopting secure-by-design initiatives.

“We want these electronic devices to be free from intrusion, and we want the data to be secure, not corruptible and certainly not distributable without the owner’s authorization. Yet, our results show that these devices are highly vulnerable, and are becoming an increasingly attractive target for cyberattacks,” according to the report.

The American Consumer Institute report lists all vulnerable router models it found.

Discussion

  • Anonymous on

    Misleading articles. The problem is not the open source vulnerability but the fact that producers don't update old firmware to sell new products. All these firms must be boycotted.
  • Reginald Watson on

    Your article stated which name brand routers have vulnerabilities but it did not mention the ones that had no vulnerabilities. Naming the routers that did not have vulnerabilities would be helpful to consumers when purchasing routers for their networks.
    • Tom Spring on

      I agree. I'll reach out to find out. Good point!
  • Paolo on

    Why don't they highlight all routers that do NOT have vulnerabilities??? How can consumers buy safe(r) routers and thereby also support companies that care about security if they don't know what they are? Are they protecting the other companies instead of highlighting the good ones?
  • Justin Chung on

    Can you please give a list of all tested routers and the ones who passed please?
  • aze on

    And no Synology routers tested?
  • Paul Saunders on

    The report does NOT list vulnerable routers found but the 186 routers tested.
  • Anonymous on

    Good article but again, as others say, vague. My solution is to route an extender/router through our cable company's provided router, which is inaccessible to us. The inexpensive extender, though, is easily managed by us with frequent SSID and password changes, and firmware updates are very simple to accomplish. Of course it logged in via our provider's ID either via LAN or WiFi. We have taken it along traveling as well to route through a motel and an Airbnb.
  • JSLIM on

    Everything has vulnerabilities.
  • Bob Kinney on

    Unbelievable... but I keep my router updated. Netgear is pretty good at notifying you to update.
