'There Is No Router Without Flaws' Said Researchers From Germany


Routers are networking devices that forward data packets between computer networks. In other words, they are the devices that perform the traffic directing functions on the internet, allowing connected devices to browse the web.

Most of these devices are plugged in and set up just once in their lifetime. Users tend to forget about them until the internet stops working.

Routers are simply the gateway to the internet, and researchers at Germany's Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE) found that they are riddled with flaws due to manufacturers neglecting the security of the devices.

Making things worse, some of the flaws are alarming.

"Our results are alarming," the researchers at Germany's Fraunhofer Institute write in a report pointing to security holes in common internet routers for private users.

"There is no router without flaws and there is no vendor who does a perfect job regarding all security aspects."

Days since last release before 27th March 2020. (Credit: FKIE)

On a Fraunhofer Institute web page, the researchers said:

"Of the 127 home routers tested from seven major manufacturers, nearly all were found to have security flaws, some of them very severe. The problems range from missing security updates to easily decrypted, hard-coded passwords and known vulnerabilities that should have been patched long ago."

The team tested popular models from Asus, AVM, D-Link, Linksys, NETGEAR, TP-Link and Zyxel.

Not a single router among the devices examined from those brands was without faults.

"81 routers got an update within the last 365 days before 27th March 2020. However, the average number of days since the last update before 27th March 2020 is 378 days. That means on average devices did not get any security fixes within one year. 22 of 127 devices were not updated within the last two years. The worst case was not updated since 1969 days, which means more than five years without security patches."

AVM, a German router manufacturer, was the only vendor that didn't publish private cryptographic keys in its router firmware. The researchers noted that AVM performed better than others in most areas, while Asus and NETGEAR did well in some other areas.

Despite hundreds of long-known vulnerabilities, 46 of the tested routers had not received a single security update in the last twelve months.

In the worst case FKIE assessed, one Linksys router model hadn't been updated for more than five years.

"The oldest kernel version was found in the Linksys WRT54GL which is powered by a 2.4.20 Linux Kernel released in 2002," the report reads.

90% of the routers use the free operating system Linux, but often in very old versions.

Linux is known for its ability to quickly close security flaws. Unfortunately, router manufacturers have neglected these frequent software updates, leaving their products vulnerable to attack.

"Linux works continuously to close security vulnerabilities in its operating system and to develop new functionalities. Really, all the manufacturers would have to do is install the latest software, but they do not integrate it to the extent that they could and should," explained Johannes vom Dorp, a scientist at FKIE's Cyber Analysis & Defense department.

"Most of the devices are powered by Linux and security patches for Linux kernel and other open-source software are released several times a year. This means the vendors could distribute security patches to their devices far more often, but they do not."

Making things worse again, some of the manufacturers that do ship firmware updates didn't fix known vulnerabilities. This means that even if a consumer installs the latest firmware from the manufacturer, the router would still be vulnerable.

"Numerous routers have passwords that are either well known or simple to crack – or else they have hard-coded credentials that users cannot change," he added.

Mean of Enabled Exploit Mitigations. (Credit: FKIE)

The study, led by Peter Weidenbach and Johannes vom Dorp in the Fraunhofer FKIE's Cyber Analysis & Defense department, examined five key signals in firmware images to assess each manufacturer's approach to cybersecurity. They include:

  1. Days Since Last Firmware Update Release. Does the vendor maintain all of their products regularly? Or in other words, how often do they fix issues?
  2. Operating System. How old are the OS versions powering the devices? How many well-known critical vulnerabilities do these versions contain?
  3. Exploit Mitigation. Do the vendors activate exploit mitigation techniques?
  4. Private Cryptographic Key Material. Do they publish keys that should stay private for security reasons?
  5. Hard-coded Login Credentials. Are there any hard-coded credentials that might allow unintended access to the device?
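To make signals 4 and 5 concrete, here is an added example (not code from FACT or the FKIE report) that audits an already-unpacked firmware root filesystem for PEM private keys and for `passwd`/`shadow` entries that ship with a usable password. The function names and the sample tree are assumptions made for illustration; the key body and hash in the sample are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# PEM header of RSA/EC/DSA/OpenSSH/PKCS#8 private keys (signal 4).
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")

def account_findings(text):
    """Yield 'user: reason' for passwd/shadow entries with a baked-in login (signal 5)."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        user, pw = fields[0], fields[1]
        if pw == "x" or pw.startswith(("*", "!")):
            continue  # hash is kept in shadow, or the account is locked
        yield f"{user}: " + ("empty password" if pw == "" else "embedded password hash")

def audit_rootfs(root):
    """Return sorted (signal, relative_path, detail) findings for an unpacked rootfs."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # firmware symlinks often point outside the tree
        rel, data = path.relative_to(root).as_posix(), path.read_bytes()
        if PEM_PRIVATE.search(data):
            findings.append(("private-key", rel, "PEM private key header"))
        if rel in ("etc/passwd", "etc/shadow"):
            for detail in account_findings(data.decode("utf-8", "replace")):
                findings.append(("hard-coded-credential", rel, detail))
    return sorted(findings)

def build_sample_rootfs(root):
    """Write a constructed sample tree; key body and hash are placeholders."""
    files = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\nsupport::0:0::/:/bin/sh\n",
        "etc/shadow": "root:$1$SALT$CONSTRUCTEDHASH:0:0:99999:7:::\nnobody:*:0:0:99999:7:::\n",
        "etc/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n",
        "etc/ca.crt": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n",
    }
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        print(*audit_rootfs(tmp), sep="\n")
```

The certificate file and the locked `nobody` account are included as negative cases: public certificates and locked accounts are expected in firmware and are not reported.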

After running and testing the 127 routers, the researchers were able to detect and identify the flaws using the Fraunhofer FKIE's Firmware Analysis and Comparison Tool (FACT).

FKIE concluded that router manufacturers are significantly lagging in the delivery of security updates compared with operating system makers.

"The update policy of router vendors is far behind the standards as we know it from desktop or server operating systems," noted FKIE.