Is your home router leaving your network vulnerable to attack? New research suggests that this worrisome scenario is more likely than you may have thought.

A Fraunhofer Institute for Communication (FKIE) report reveals that the firmware used in a large number of popular home routers is susceptible to malware and other serious exploits. We explored the importance of prioritizing network security in a recent LinuxSecurity.com feature article, Top Tips for Securing Your Linux System in 2020, and thought it was important to dive deeper into the topic given these critical new findings.

After examining 127 home routers from seven leading brands (Netgear, Linksys, D-Link, ASUS, AVM, TP-Link and Zyxel), FKIE security researchers discovered that, on average, these routers contained 53 critical security vulnerabilities - and none of the routers were fully protected. The study revealed that an alarming number of routers have not received a single firmware update in their lifetime, and are susceptible to hundreds of notorious security issues as a result. To make matters worse, certain vendors have been shipping firmware updates without fixing known security bugs. Fifty of the routers examined in the study used hard-coded credentials, where a known username and password were encoded into the router by default, and many published at least five private keys per firmware image. FKIE concluded: “The update policy of router vendors is far behind the standards as we know it from desktop or server operating systems. However, routers are exposed to the Internet 24 hours a day, leading to an even higher risk of malware infection.” The organization emphasizes the need for industry-wide improvements in router security.

Ninety percent of the routers involved in FKIE’s recent study were powered by Linux. This could be a major security win - that is, if router manufacturers were staying on top of software updates and applying the latest patches and fixes. Unfortunately, the researchers found that the majority of manufacturers were falling down on the job, leaving the devices they sold vulnerable to a multitude of exploits.

Because of the transparency of its source code, Linux has the potential to be a highly secure OS - much more so than proprietary alternatives like Windows or macOS - but misconfigurations and poor administration often leave Linux systems vulnerable to attack. In this case, Linux and the attentive, conscientious global community behind it have made router vendors’ job easy. Johannes vom Dorp, a member of FKIE's Cyber Analysis & Defense department, explains: "Linux works continuously to close security vulnerabilities in its operating system and to develop new functionalities. Really, all the manufacturers would have to do is install the latest software, but they do not integrate it to the extent that they could and should." Vom Dorp elaborates on this widespread negligence: "Most of the devices are powered by Linux and security patches for the Linux kernel and other open-source software are released several times a year. This means the vendors could distribute security patches to their devices far more often, but they do not."

The first step in solving a problem is admitting there is a problem - and FKIE’s research confirms that router security is a paramount concern. A system is only as secure as its weakest link, and the widespread vulnerabilities present in home routers are leaving systems worldwide susceptible to compromise. A little effort in this industry would go a long way - it’s time for router manufacturers to do better.

Next Steps

When it comes to remedying this industry-wide fiasco, the majority of the responsibility lies in the hands of router manufacturers and vendors. However, here are some tips and recommendations for users looking to improve the security of their home router in light of the current situation:

  • Update firmware frequently. Staying on top of firmware updates is crucial to keeping attacks that exploit firmware vulnerabilities from compromising your system.
  • Change your router password. A known password comes encoded into your router by default. Replacing this password is imperative to protecting your privacy and maintaining a secure system.
  • Do your research before purchasing a router. While none of the routers that FKIE studied were without flaws, some brands fared far better than others security-wise. FKIE concludes: “AVM does a better job than the other vendors regarding most aspects. ASUS and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link and Zyxel.”

Replacing the Linux firmware in your home router is also a great option for mitigating the risk that security vulnerabilities in your router pose to your entire system. Stay tuned for an upcoming feature article covering this topic in more depth.