Survey of 127 routers' vulnerabilities: Remote workers warned over security flaws

News by Rene Millman

Forty-six makes of router haven’t had a security update in a year, leaving employees open to attack

Employees working from home could be exposed to hacking attempts following the revelation that many home routers contain hundreds of vulnerabilities that vendors have failed to fix.

The Fraunhofer Institute for Communication (FKIE) in Germany looked at 127 routers from several vendors and discovered vulnerabilities in all of them.

According to the study, 46 routers did not get any security update within the last year.

“Many routers are affected by hundreds of known vulnerabilities. Even if the routers got recent updates, many of these known vulnerabilities were not fixed. What makes matters even worse is that exploit mitigation techniques are used rarely. Some routers have easily crackable or even well-known passwords that cannot be changed by the user,” said the report’s authors.

The report added that most firmware images include private cryptographic key material. This means that whatever they try to secure with a public-private crypto mechanism is not secure at all.

“To sum it up, much more effort is needed to make home routers as secure as current desktop or server systems,” said the report.

Craig Young, senior security researcher at Tripwire, told SC Media UK that he was “absolutely stunned” that they would assess that Netgear and ASUS do a better job than others.

“Overall I have some questions about how they selected the ‘127 current routers’. The research specifically cites Linksys WRT54GL despite that it’s been out of support for years. I’m not sure how relevant it is to be comparing this router to currently supported devices from other brands,” he said.

He said that the metrics used by the research included days since last update, use of outdated software, inclusion of private keys, hardcoded passwords, and exploit mitigations. While these are all interesting data points, there is a lot more that goes into security.

“A router vendor can keep their Linux kernel up to date and enable all the exploit mitigations they want, but it isn’t going to matter if the device still allows command injection by a cross-site request forgery. Similarly, a vendor can release updates on a regular basis but still ignore security researchers. A more complete picture of vendor security reliability should include aspects related to how well the vendor works with researchers and the typical response time for resolving externally reported issues,” he said.

James McQuiggan, security awareness advocate at KnowBe4, told SC Media UK that as with smartphones or computers, these devices need to be updated to reduce an opportunity for exploitation by cybercriminals.

“Unfortunately, with legacy devices, the products may no longer be supported, and therefore the router should be replaced. If the router is a later model, it's essential that people register their router with the manufacturer so they can receive notifications to update the device. If registration is a privacy concern for the person, then visiting the manufacturer's website on a regular basis for updates would be the best option,” he said.
