Vulnerabilities found in more than 100 home router products

This article is a re-edited version of "Known Serious Vulnerabilities Found in Over 100 Types of Home Routers" published in the "Malware Information Bureau" provided by Canon Marketing Japan.

A recent study of over 100 home routers from seven companies, including major vendors, found that nearly all routers were poorly patched and had serious security issues. It became clear that they could be affected by the flaw, putting the device and its users at risk of cyberattacks.

The research report, titled "Home Router Security Report 2020," reports that "all routers have known critical vulnerabilities found." The study was conducted by the Fraunhofer Institute for Communications, Information Processing and Ergonomics (FKIE) in Germany, examining 127 router models from ASUS, AVM, D-Link, Linksys, Netgear, TP-Link and Zyxel. carried out on the target.

"Many routers are affected by hundreds of known vulnerabilities. Even with the latest updates to these routers, many of these known vulnerabilities remain unfixed." To make matters worse, very little technology is being used to mitigate the effects of exploits,” said the researchers conducting the study. These researchers tallied the average length of time that had passed since the previous update was applied, which was 378 days. 46 routers had not received a security update in the last year.

These routers were found to be affected by an average of 53 critical vulnerabilities. Even devices that didn't rank high are affected by 21 such critical-level CVEs. However, detailed vulnerabilities were not posted.

In any event, these issues will not be resolved unless the vulnerabilities are patched first. "Some routers are easily hackable, and may use simple passwords that anyone can think of and cannot be changed by the user," the study reports. Specifically, 50 routers had hard-coded administrator credentials, and 16 of them used common or easy-to-guess login credentials.

Related reading: "At least 15% of home routers are unsecured." It's rated as more secure than our router model, but the vendor with that rating wouldn't be happy with it either. "AVM outperforms other vendors in most aspects, and ASUS and Netgear outperform D-Link, Linksys, TP-Link and Zyxel in some respects," the researchers said. increase.

90% of the devices were powered by Linux, often running one of the older versions of the Linux operating system. Over a third of routers are powered by Linux kernel version 2.6.36, and this version last received an update back in 2011.

"Linux is making continuous efforts to eliminate security vulnerabilities and develop new features in the operating system. In fact, all manufacturers must install the latest software. However, they do not integrate the latest software to the extent that they can or should,” said Johannes vom Dorp of FKIE’s cyberattack analysis and defense division, who co-authored the study.

This research uses FKIE's Firmware Analysis and Comparison Tool (FACT) to validate the latest available firmware versions for devices as of March 27, 2020. The methodology and results are detailed in the aforementioned research report. A detailed list of tested models and firmware versions for each model is available on GitHub.

Overall, the findings are not significantly different from those from other studies conducted in recent years, including a test conducted by the Independent Security Evaluators last year and another study conducted by the American Consumer Institute in 2018. not deviated.

At ESET, we have covered router security extensively over the last few years. Especially in the era of telework, router security is more important than ever. The English version of WeLivesecurity has several articles on router security.

・How to dramatically increase router security

・5 ways to increase the security of your router (Japanese)

・In response to reports that hundreds of thousands of routers around the world were damaged by the VPNFilter malware, the FBI recommended that all routers be restarted.

・Follow-up article that follows the previous article