[German]Security researchers at German Fraunhofer Institute looked at 127 common routers for home use. The had the latest firmware installed, but the researchers came to some frightening results. Almost all devices had alarming security flaws.
Almost all of the 127 routers tested for private users from seven major manufacturers had security flaws, some of them quite significant. These range from missing security updates, to easy-to-decrypt hard-coded passwords, to already known vulnerabilities that should have been fixed long ago.
127 home routers tested with latest firmware
The security experts of the Fraunhofer Institute write in a German press release, that the team of Peter Weidenbach and Johannes vom Dorp from the “Cyber Analysis & Defense” department of the Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE) had downloaded the latest available software of various routers as of March 27, 2020. This firmware is also offered by the manufacturers to customers who use one of these 127 tested routers (from Asus, AVM, D-Link, Linksys, Netgear, TP-Link and Zyxel) at home as a private user.
Analysis of the router firmware
With the help of the “Firmware Analysis and Comparison Tools” (FACT) developed by Fraunhofer FKIE, the security flaws were decoded and revealed: “The evaluation showed that not a single router was without flaws. Some were even affected by hundreds of known vulnerabilities. 46 routers had not received a security update in the last twelve months,” reports IT security expert and FKIE scientist Peter Weidenbach. The extreme case among the tested devices had not even received a security update for 2,000 days.
The base is often (an outdated) Linux
Various security aspects were the focus of the FKIE scientists for their report, including not only security updates but also the question of which operating system versions are used and to what extent critical security vulnerabilities influence these versions. More than 90 percent of the tested home routers use Linux as operating system, but often very old versions are used.
At this point, the Dorp also accuses the manufacturers the most. “Linux is constantly working on closing security issues in its operating system and developing new functionalities. The manufacturers would actually only have to install the latest software, but they do not integrate it to the extent that they could and should. “
The passwords dilemma
The FKIE scientists were also surprised by the way passwords are handled: “Several routers have easy to crack or known passwords or hard-coded login data which cannot be changed by the user either. At the same time, they discovered numerous security issues that have been known for a long time and the manufacturers should have eliminated them long ago.”
Fail of the manufacturers
For Weidenbach, it is completely incomprehensible that the manufacturers of home routers no longer clearly focus on the security aspects dealt with by him and his team. “You can see immediately that the providers deal with existing security issues and their elimination in completely different ways. AVM places more emphasis on security aspects than the other providers, even though AVM routers are not without security flaws either. At the same time, ASUS and Netgear are more reliable in some respects than D-Link, Linksys, TP-Link and Zyxel. Huawei was probably not tested.
Vom Dorp: “Our test has shown that a large-scale automated security analysis of home routers is quite possible. And the large number of listed vulnerabilities shows that the manufacturers must make much more effort to make the devices significantly more secure”.
Home Router Security Report 2020 (PDF, English)