Home router warning: They’re riddled with known flaws and run ancient, unpatched Linux
Germany’s Fraunhofer Institute for Communication (FKIE) has carried out a study involving 127 home routers from seven brands to check for the presence of known security vulnerabilities in the latest firmware. The results are appalling.
The FKIE study found that 46 routers hadn’t got a single security update within the past year and that many routers are affected by hundreds of known vulnerabilities.
It also found that vendors are shipping firmware updates without fixing known vulnerabilities, meaning that even if a consumer installs the latest firmware from a vendor, the router would still be vulnerable.
FKIE assessed that ASUS and Netgear do a better job on some aspects of securing routers than D-Link, Linksys, TP-Link and Zyxel, but it argues the industry needs to do more to secure home routers.
FKIE found that AVM, a German router manufacturer, was the only vendor that didn’t publish private cryptographic keys in its router firmware. The Netgear R6800 router contained 13 private keys.
In the worst cases of devices FKIE assessed, the routers hadn’t been updated for more than five years.
About 90% of the routers in the study used a Linux operating system. However, manufacturers weren’t updating the OS with fixes made available from Linux kernel maintainers.
“Linux works continuously to close security vulnerabilities in its operating system and to develop new functionalities. Really, all the manufacturers would have to do is install the latest software, but they do not integrate it to the extent that they could and should,” said Johannes vom Dorp, a scientist at FKIE’s Cyber Analysis & Defense department.
“Numerous routers have passwords that are either well known or simple to crack – or else they have hard-coded credentials that users cannot change,” he added.
The study targeted five key signals in firmware images to assess each manufacturer’s approach to cybersecurity. These included the days since the last firmware update was released; how old are the OS versions running these routers; the use of exploit mitigation techniques; whether private cryptographic key material isn’t private; and the presence of hard-coded login credentials.
FKIE concludes that router makers are significantly lagging in the delivery of security updates compared with operating system makers.
“The update policy of router vendors is far behind the standards as we know it from desktop or server operating systems,” FKIE notes in the report.
“Most of the devices are powered by Linux and security patches for Linux kernel and other open-source software are released several times a year. This means the vendors could distribute security patches to their devices far more often, but they do not.”
The results mirror findings from a 2018 US study by American Consumer Institute (ACI), which analyzed 186 small office/home office Wi-Fi routers from 14 different vendors. It found 155, 83%, of the firmware sampled had vulnerabilities to potential cyberattacks, and that each router had an average of 172 vulnerabilities.
ACI criticized router makers for not providing an auto-update mechanism to keep routers updated. Often updates are only made after high-profile attacks on routers, such as Mirai IoT malware, and the state-sponsored VPNFilter malware.
As for exploit mitigation, a researcher who recently found 79 Netgear router models had a remotely exploitable flaw also found that its web-based administration panel never applies the exploit mitigation technique ASLR (address space layout randomization), lowering the bar for remote attackers to take over an affected router.
The German study found that more than a third of the devices use a kernel version 2.6.36 or older, with the latest security update for 2.6.36 provided in February 2011. It also found a Linksys WRT54GL router running on Linux kernel version 2.4.20, which was released in 2002.
“The worst case regarding high-severity CVEs is the Linksys WRT54GL powered by the oldest kernel found in our study,” the report notes. “There are 579 high-severity CVEs affecting this product.”