A new study into commonly used home routers has discovered a range of known security vulnerabilities with manufacturers failing to issue security updates to patch them.

The study recently released by the Fraunhofer Institute for Communication involved 127 routers from seven manufacturers: AsusTek Computer Inc., Netgear Inc., D-Link Corp., Linksys, TP-Link Technologies Co. Ltd., Zyxel Communications Corp. and AVM Computersysteme Vertriebs GmbH which are sold in Europe. The researchers compared the firmware images from each tested router with known vulnerabilities and exploits, and the findings being disturbing.

Many of the routers were found to be affected by hundreds of known vulnerabilities. Not a single router tested found to be without at least one known vulnerability, and 46 of the routers tested had not received an update in the last year –22 not updated in the last two years. In the worse case, some routers were found to have not been updated in five years.

Even when routers had received updates, 50 were found to used hard-coded qualifications: The username and password were encoded into the router as a default, meaning that attackers could easily gain access.

Some router manufacturers were found in the study to be better than others in providing updates, with AVM said to do a better job than the others. ASUS and Netgear were also rated as doing a better job on some aspects versus D-Link, LinkSys, TP-Link and Zyxel.

Some of the more obvious vulnerabilities found that remain unaddressed included issues with older versions of Linux. More than 90% of the routers were found to be running Linux, with most powered by the 2.6 Linux kernel, which is no longer maintained. That leads to a high number of critical and high severity vulnerabilities.

“Our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects,” the study concludes. “Much more effort is needed to make home routers as secure as current desktop or server systems.”

Craig Young, computer security researcher for Tripwire Inc.’s vulnerability and exposure research team told SiliconANGLE that he’s “absolutely stunned,” especially about the assessment that Netgear and ASUS do a better job than others.

“Overall I have some questions about how they selected the ‘127 current routers,’” Young said. “The research specifically cites Linksys WRT54GL despite that it’s been out of support for years. I’m not sure how relevant it is to be comparing this router to currently supported devices from other brands.”

Moreover, he said, the metrics used by the research included days since last update, use of outdated software, inclusion of private keys, hardcoded passwords and exploit mitigations.

“While these are all interesting data points, there is a lot more that goes into security,” he said. “A router vendor can keep their Linux kernel up to date and enable all the exploit mitigations they want, but it isn’t going to matter if the device still allows command injection by a cross-site request forgery. A more complete picture of vendor security reliability should include aspects related to how well the vendor works with researchers and the typical response time for resolving externally reported issues.”

Photo: Wallpaper Flare