According to a study by Germany’s Fraunhofer Institute for Communication (FKIE), almost all home routers contain known vulnerabilities in their firmware, some of which are severe but easy to fix. However, most router manufacturers failed to provide security updates for their products, leaving them vulnerable to attacks. The institute analyzed 127 router models from seven of the leading brands and found that 46 routers had not received any security update within the past 12 months, despite having hundreds of known security flaws. The study also found that vendors were shipping firmware updates that did not fix the security issues. Consequently, a consumer who installs the latest version of a router’s firmware would still be affected by existing critical vulnerabilities.
The nature of the Fraunhofer Institute study
The Fraunhofer Institute considered five key security aspects of the vendors’ cybersecurity strategy. The researchers measured the number of days since the release of the last firmware update, the age of the router OS version, the application of exploit mitigation techniques, the accessibility of private cryptographic keys, and the presence of hardcoded security credentials in the router’s firmware. The studied brands included Asus, AVM, D-Link, Linksys, Netgear, and TP-Link, among others. The researchers tested the firmware of the devices using their analytical software. However, they did not physically test the hardware devices.
Known vulnerabilities affecting home routers
The FKIE found that while 90% of home routers used a Linux kernel, vendors did not apply the latest updates provided by the Linux maintainers to fix known vulnerabilities. Nor did they integrate the kernel in a way that would allow them to ship frequent updates for known vulnerabilities. For example, half of AVM home routers ran OS kernels that were no longer supported, while the Linksys WRT54GL used Linux kernel version 2.4.20, dated 2002. The WRT54GL model had 579 high-severity known vulnerabilities. Despite the many known vulnerabilities, the WRT54GL remained one of the most popular home routers because of its ability to run the open-source OpenWrt firmware, whose latest update was in 2016.
Johannes vom Dorp, FKIE’s Cyber Analysis & Defense expert, said that many home routers had common or simple passwords that are easy to crack.
He also pointed out that some home routers had hard-coded security credentials, which could not be changed by the consumers. Among the analyzed home routers, AVM was the only manufacturer that did not publish private cryptographic keys in its router firmware. Others, such as Netgear R6800, had 13 keys hardcoded in the router’s firmware.
Having hardcoded credentials is very risky because once the router is compromised, the criminals have permanent access to the device. Similarly, some vendors, such as Netgear, shared the same private key across all the routers of the same model. Consequently, similar devices were at risk of man-in-the-middle (MitM) attacks if intruders compromised a single router. This would make anyone who uses the model a known target for cybercriminals.
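The two checks described above (private keys shipped in firmware, and credentials baked into the image) can be run against an unpacked firmware root filesystem. The following is an added example, not FKIE's analysis software or code from the study; it assumes the filesystem has already been extracted to a directory, and the function names and sample data are constructed for illustration.

```python
import hashlib, re, tempfile
from pathlib import Path

# PEM-armoured private keys of any type (RSA, EC, PKCS#8, OpenSSH).
PEM_KEY = re.compile(
    rb"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY)-----(.+?)-----END \1-----", re.S)

def scan_tree(root):
    """Return (keys, accounts) found under an unpacked firmware root."""
    keys, accounts = [], []
    for p in sorted(Path(root).rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue  # skip symlinks, directories and device nodes
        data, rel = p.read_bytes(), p.relative_to(root).as_posix()
        for m in PEM_KEY.finditer(data):
            # Fingerprint the key body so the key itself is never printed.
            body = b"".join(m.group(2).split())
            keys.append((rel, hashlib.sha256(body).hexdigest()))
        if p.name in ("passwd", "shadow"):
            for line in data.decode("utf-8", "replace").splitlines():
                f = line.split(":")
                # A hash in field 2 means a login baked into the image.
                if len(f) > 1 and f[1] not in ("", "x") and f[1][0] not in "*!":
                    accounts.append((rel, f[0]))
    return keys, accounts

def shared_keys(images):
    """Map fingerprint -> image labels for keys found in more than one image."""
    seen = {}
    for label, root in images.items():
        for _, fp in scan_tree(root)[0]:
            seen.setdefault(fp, set()).add(label)
    return {fp: sorted(v) for fp, v in seen.items() if len(v) > 1}

def build_sample(root, key_body, shadow_line):
    """Write a constructed (not real) firmware tree for the demo."""
    etc = Path(root, "etc")
    etc.mkdir(parents=True)
    (etc / "server.pem").write_text(
        f"-----BEGIN RSA PRIVATE KEY-----\n{key_body}\n-----END RSA PRIVATE KEY-----\n")
    (etc / "shadow").write_text(shadow_line + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        imgs = {n: Path(tmp, n) for n in ("unit_a", "unit_b")}
        for root in imgs.values():
            build_sample(root, "Q09OU1RSVUNURUQ=", "admin:$1$constructed$hash:::")
        print(scan_tree(imgs["unit_a"]), shared_keys(imgs))
```

A fingerprint reported by `shared_keys` for images taken from different units of one model is the shared-key condition the paragraph above describes.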
ASUS and Netgear performed better in securing their home routers compared to D-Link, Linksys, TP-Link, and Zyxel. However, their security practices still fell short of best practices.
Craig Young, a computer security researcher for Tripwire’s vulnerability and exposure research team (VERT), was dissatisfied with the outcome of the study.
“I’m absolutely stunned that they would assess that Netgear and ASUS do a better job than others. Overall, I have some questions about how they selected the ‘127 current routers’. The research specifically cites Linksys WRT54GL despite that it’s been out of support for years. I’m not sure how relevant it is to be comparing this router to currently supported devices from other brands.”
FKIE found that some home routers had not received any firmware updates for more than half a decade. For example, D-Link DSL-321B Z’s last update was in 2014. The study concluded that router vendors lagged behind the operating system makers in providing security updates for known vulnerabilities.