According to a study by Germany’s Fraunhofer Institute for Communication (FKIE), vendors have failed to fix hundreds of vulnerabilities in their consumer-grade routers, leaving people exposed to a wide range of attacks.
The FKIE examined 127 routers spanning seven large vendors and found security flaws in all of them, it said in a report released in late June. It called its results “alarming.”
“Many routers are affected by hundreds of known vulnerabilities,” it warned. “Even if the routers got recent updates, many of these known vulnerabilities were not fixed.”
The routers usually failed to use exploit mitigation techniques, it said, adding that some had passwords that users could not change, and which were either well-known or easy to crack. “Most firmware images provide private cryptographic key material,” it continued. “This means, whatever they try to secure with a public-private crypto mechanism is not secure at all.”
The Institute used a firmware analysis and comparison tool to extract and analyze the routers’ most recent firmware. It found that 46 of them had received no security updates within the last year. At least 90% of the routers used Linux, but over a third of them used version 2.6.36 of the Linux kernel or even older. At the time of writing, the current Linux kernel is 5.7.7. The last security update for version 2.6.36 was in February 2011.
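The two findings above (private key material shipped inside firmware, and kernel version banners far past their last security update) are the kind of thing a defender can check for in an extracted image with a few string scans. The script below is an added illustration, not the FKIE's tool or code; the sample image bytes are constructed, and the 4.4.0 "minimum acceptable kernel" threshold is an assumed policy value, not a figure from the report.

```python
import re

# PEM private-key blocks as they appear in a firmware root filesystem
# (covers RSA, EC, DSA, OPENSSH and ENCRYPTED variants via the optional word).
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
# The kernel embeds its banner as "Linux version X.Y.Z ..." in the image.
KERNEL_BANNER_RE = re.compile(rb"Linux version (\d+)\.(\d+)\.(\d+)")


def find_private_keys(blob: bytes) -> int:
    """Count PEM private-key blocks embedded in the image."""
    return len(PRIVATE_KEY_RE.findall(blob))


def find_kernel_version(blob: bytes):
    """Return the first kernel banner as an (x, y, z) tuple, or None if absent."""
    m = KERNEL_BANNER_RE.search(blob)
    return tuple(int(p) for p in m.groups()) if m else None


def audit_firmware(blob: bytes, minimum_kernel=(4, 4, 0)) -> dict:
    """Summarise the two checks; minimum_kernel is an assumed local policy."""
    kernel = find_kernel_version(blob)
    return {
        "private_keys": find_private_keys(blob),
        "kernel": kernel,
        "kernel_outdated": kernel is not None and kernel < minimum_kernel,
    }


# Constructed sample image: strings a real extracted rootfs might contain.
SAMPLE_IMAGE = (
    b"\x7fELF\x00\x01junk"
    b"Linux version 2.6.36 (builder@host) (gcc version 4.3.3) #1 Fri Jan 1 2010\x00"
    b"/etc/ssl/server.pem\x00"
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed)\n-----END RSA PRIVATE KEY-----\n"
    b"-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # A certificate alone is fine to ship; a private key alongside it is not.
    print(audit_firmware(SAMPLE_IMAGE))
```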
Even the best devices had at least 21 critical vulnerabilities and at least 348 rated with high severity, the study found. On average, routers had 53 critical vulnerabilities, it said.
COVID-19 makes the results particularly worrying because so many more people are now working from home, the Institute said. That means many more of them could be exchanging sensitive data with their employers via these devices.
In total, 50 routers provided hard-coded credentials, including 16 with well-known or easily crackable credentials, the study found.
According to the study, AVM did a better job than the other vendors in most respects. “ASUS and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link and Zyxel,” it concluded.