The German Fraunhofer Communication Institute (FKIE) conducted one research which included 127 home routers from seven different brands, in an effort to address the presence of security errors in the latest firmware. The results of the research are worrying. In particular, according to the survey, 46 routers have not received a single security update in the last year and run unpatched Linux, while many routers are affected by hundreds of known errors. In addition, suppliers ship updates firmware without correcting known bugs, which means that even if a consumer installs the latest firmware from a supplier, the router will still be vulnerable.
The results of the study showed that ASUS and Netgear do a better job of securing routers, compared to D-Link, Linksys, TP-Link and Zyxel. However, the industry needs to do more to strengthen and secure home routers.
The FKIE also found that AVM, a German router company, was the only supplier that did not publish private encryption keys on its router firmware. The Netgear R6800 router contained 13 private keys. In the worst cases of devices evaluated by the FKIE, the routers have been receiving updates for more than five years. About 90% of the routers included in the survey used operating system Linux. However, manufacturers do not update the operating system with corrections available from Linux kernel maintainers.
Johannes vom Dorp, a scientist at the FKIE Cyberspace Analysis and Defense Department, said Linux is constantly working to close security errors in its operating system and develop new ones. functions. He added that manufacturers will have to install the latest software, but do not incorporate it to the extent that they could and should. He also mentioned that they have many routers passwords which are very common or simple, and therefore can easily be "broken".
The survey looked at five key points in firmware images to evaluate each manufacturer's approach to cyber security. These included a) the days since the last firmware update, b) how old the operating system versions running these routers are, c) the use of utilization mitigation techniques, and d) the presence of hard-coded credentials connection.
According to the FKIE, router manufacturers are significantly slower to provide security updates than operating system manufacturers. The router's information policy is far behind the standards known by desktop or operating systems. server. Most of the devices are powered by Linux and security codes for Linux kernel and other open source software are released several times a year. This means that suppliers could distribute security updates to their devices much more often, but they do not, according to FKIE.
The results reflect the findings of a survey conducted in 2018 by the American Consumer Institute (ACI) in the United States, which analyzed 186 home routers from 14 different suppliers. According to its results, 155, 83% of the firmware sample had vulnerabilities in possible cyber attacks, while each router had an average of 172 vulnerabilities. In addition, ACI has criticized router manufacturers for not providing an automatic notification mechanism to update routers. Updates are usually made after serious attacks targeting a router, such as the Mirai IoT malware and state-funded VPNFilter malware.
FKIE's research found that more than a third of devices use version 2.6.36 or earlier, while the latest security update for 2.6.36 was released in February 2011. It also found a Linksys WRT54GL router with Linux version 2.4 core. 20 released in 2002. Finally, according to research, the worst case scenario for high-serious errors is the Linksys WRT54GL router powered by the oldest core found in the survey, while there are 579 high-serious errors affecting this product.