There is a good chance the wireless router you are using is vulnerable to multiple attack vectors, even if you are running the latest firmware provided by the manufacturer. That’s according to results highlighted in a new report by the Fraunhofer Institute for Communication (FKIE). Researchers examined 127 home routers from seven different manufacturers, and not a single one was completely secure.
“Our results are alarming. There is no router without flaws,” the researchers said.
The report (via ZDNet) notes that several dozen of the routers tested did not receive a firmware update in the past year. And whether a particular model did or did not, the researchers said they found “hundreds of known vulnerabilities” in many of the ones they examined, including those that had been recently patched.
That is indeed alarming, particularly because routers normally stay running all the time. The researches also point out that routers are more important now than ever before, with the Coronavirus pandemic forcing more people to work from home.
Almost all of the routers examined were running some form of Linux, which is generally considered to be more secure than other operating systems. Even so, Linux is not impenetrable. It doesn’t help that more than a third of routers tested were running much older versions of Linux that haven’t seen any security patches in nearly a decade (and longer in some cases).
The oldest kernel version was found in the Linksys WRT54GL, which is based on a build of Linux that was released in 2002. To be fair, that model was released way back in 2005, though Linksys still sells the WRT54GL at its web store. Other routers tested, like Netgear’s R6800, are more current.
Researchers used the open-source Firmware Analysis and Comparison Tool (FACT) to yank firmware images from the routers tested. While results varied, the best of the bunch had at least 21 critical vulnerabilities or a staggering 328 high rated exploits.
As a bunch, researchers found, on average, 53 critical flaws in each router.
The report does not go into a whole lot of detail about what specific attacks these vulnerabilities leave users open to, though it does say more than a dozen models tested have “well known or easily crackable credentials” hard coded into the firmware. It also called into question why router makers use published private cryptographic keys that could allow a hacker to impersonate the device and perform man-in-the-middle attacks.
“To sum it up, our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects. Much more effort is needed to make home routers as secure as current desktop or server systems,” the report concludes.
That said, the researchers found some variation among manufacturers. Namely, they said Asus and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link, and Zyxel.