Study of home routers shows many unpatched and affected by vulnerabilities

midian182

Facepalm: Do you think your home router is secure? According to a new report, that belief might be far from accurate. It found that many popular devices are affected by hundreds of known vulnerabilities, and over a third have not received an update in the last year.

The study, carried out by Germany's Fraunhofer Institute for Communication (FKIE), involved 127 home routers from seven brands: AsusTek Computer Inc., Netgear Inc., D-Link Corp., Linksys, TP-Link Technologies Co. Ltd., Zyxel Communications Corp., and AVM Computersysteme Vertriebs GmbH. It compared the most recent firmware version for each router against known security vulnerabilities and found that not one of them was flawless.

Out of the 127 routers, 46 had not received a single security update within the last year, while 22 had not received any in the last two years. The worst case had gone 1,969 days, more than five years, without security patches. Asus, AVM, and Netgear came out top—all their devices had been updated within the last year and a half—but D-Link, Linksys, TP-Link, and Zyxel were lagging.

Despite around 90 percent of the routers using Linux, many manufacturers weren't updating the OS, with most still on kernel version 2.6 (or older), which last saw an update in February 2011. This leads to a high number of critical and high-severity CVEs affecting these devices.

Fifty of the routers were found to have hard-coded login credentials—default usernames and passwords embedded into the device—while 16 routers have well known or easily crackable credentials. Asus was the only company not storing any hard-coded credentials in its firmware images.

"Our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects," reads the study's conclusion. "Much more effort is needed to make home routers as secure as current desktop or server systems."

"Vendors prioritize security differently. AVM does better job than the other vendors regarding most aspects. ASUS and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link and Zyxel."

Image credit: Korn


 
I have Asus's ROG Rapture GT-AC5300, and its firmware was last updated in March. Though not perfect by any means, it is a reliable router, and I'm sure a new firmware is in the works.
 
I am a proud owner of an AVM ADSL modem/router. I have been using them for at least 13-14 years; they are great products with many more features than normal routers, and they keep them up to date against the latest vulnerabilities.

I am always amazed by those other brands' routers that need a reboot at least once a week. My device stays online for months; it turns off only when a power shortage lasts too long for the UPS to keep it on.
 
I can definitely say that my Netgear Nighthawk router is much more secure than the TP-Link Archer C8 it replaced. The TP-Link became completely compromised when I was hit with some seriously advanced cryptomining\data mining malware a long while back. This malware used some very advanced file-less techniques along with sandboxing to evade AV and also stay resident even after a reinstall of the OS. Only wiping the drive and reinstalling got rid of it, but I also had to wipe any slave drives attached as well because it stored droppers inside the "systemvolumeinfo" folders, which normally are not accessible or even seen in the basic config.

I'm so tired of all the people saying that ALL malware is installed by user-error and anyone with common sense doesn't need AV. When I hear that, I know I'm talking to a person that doesn't know what is out there today. It's not like the old days. Today you can get infected by simply being redirected to the wrong site or even by supply chain hacks.
 
Have a LINKSYS Smart Wi-Fi Router a couple of years old. It automatically updates but I still check it monthly and so far it hasn't let me down. My only issue has been my lack of in-depth knowledge about it and their documentation leaves something to be desired. I'd love to see these companies give more in-depth training on all of their equipment so we could get the most out of it.
 
Quite an interesting Study actually that I hope gets repeated at least once every few years with Router manufacturers being shamed each time.

I wonder if it's worth adding more routers to the list as well, like ones ISPs send out (BT HomeHubs, Virgin Media Hubs etc...) as I'm pretty sure they're even worse than what they found here.

I'm full Ubiquiti UniFi at home and they're not the most secure out there but generally they keep up with firmware updates every few months.
 
I'm so tired of all the people saying that ALL malware is installed by user-error and anyone with common sense doesn't need AV. When I hear that, I know I'm talking to a person that doesn't know what is out there today. It's not like the old days. Today you can get infected by simply being redirected to the wrong site or even by supply chain hacks.
As I see it, you can get infected whether you update or not. Hackers are constantly working to uncover previously undiscovered exploits. Some of those hackers are in the professional category such as those from Russia, NK, and other areas of the world. Not to mention, if a previously undiscovered exploit is exploited, it may not be patched quickly enough to prevent an outbreak of some sort.

For me, it comes down to user behavior. I've built my own router PC using Linux that I update regularly. I use name servers that have deny lists for known nefarious sites. I'm technically astute, and have, so far, anyway, never gotten any malware infections in over 20-years of online activity.

I certainly would not recommend that the less technically adept do what I do, though, as I have had first-hand experience with someone who was less technically adept. That person constantly had malware problems.
 
My comments are located at
 
My question is, how long can we expect manufacturers to keep SOHO routers updated? My ASUS router is almost 7 years old, and hasn't been updated since 2017. Up to that point they did a great job of frequently updating its firmware.
 
I'm not sure what this article or the original study is saying about applied real world impact. I get the part that there are many unpatched routers with known security issues. What I'm unclear on is, are they in fact an attractive target for hackers? What adverse impacts are typical home consumers suffering as a result of these insecure routers? Or is it mostly moot with most hackers targeting other device types for superior results?
 
My question is, how long can we expect manufacturers to keep SOHO routers updated? My ASUS router is almost 7 years old, and hasn't been updated since 2017. Up to that point they did a great job of frequently updating its firmware.
If you have an ASUS router that is compatible with Merlin then it's the best way to keep its software up to date. Even if your router supports only legacy versions it's not a bad idea to update it anyway.
 
I have Asus's ROG Rapture GT-AC5300, and its firmware was last updated in March. Though not perfect by any means, it is a reliable router, and I'm sure a new firmware is in the works.
Nice colored wires. Stares at my own black-only wires in USB and USB-C.
 
As I see it, you can get infected whether you update or not. Hackers are constantly working to uncover previously undiscovered exploits. Some of those hackers are in the professional category such as those from Russia, NK, and other areas of the world. Not to mention, if a previously undiscovered exploit is exploited, it may not be patched quickly enough to prevent an outbreak of some sort.

For me, it comes down to user behavior. I've built my own router PC using Linux that I update regularly. I use name servers that have deny lists for known nefarious sites. I'm technically astute, and have, so far, anyway, never gotten any malware infections in over 20-years of online activity.

I certainly would not recommend that the less technically adept do what I do, though, as I have had first-hand experience with someone who was less technically adept. That person constantly had malware problems.

Totally agree with this. The people I'm referring to would say that you have done something that's entirely not required to stay safe, because all you need is "common sense" not to get infected. I even had a guy say that there are absolutely NO 0-day browser exploits out there and that anyone getting infected through a browser HAS to do it to themselves. I asked him how he could know such things when absolutely nobody really does. Perhaps there are no KNOWN 0-day vulnerabilities in the wild, but that doesn't mean they don't exist.

I just wish everyone would take security more seriously today because I've seen some of the level of sophistication out there. I've had my machine targeted simply because I was running a 1080Ti and cryptomining malware loves powerful GPUs for the botnets.
 