Almost all home routers are not up to date and contain vulnerabilities. German security researchers investigated 127 routers and found missing security patches, outdated software and many security flaws.
The research by the German Fraunhofer Institute for Communication looked at 127 routers from seven different manufacturers: AVM, AsusTek Computer, Netgear, D-Link, Linksys, TP-Link and Zyxel.
Many routers contained up to hundreds of known vulnerabilities. According to the researchers, there was not a single router without a vulnerability of some kind. Of the tested routers, 46 did not receive an update in the past year, 22 routers did not receive an update in the past two years, while one router has not been updated for five years.
Vulnerabilities with Linux
Many unresolved obvious vulnerabilities are related to outdated versions of Linux. Ninety percent of the routers run on Linux, with the majority powered by the 2.6 Linux kernel. This version has not received any updates for quite some time. This results in many critical and severe vulnerabilities.
In addition, 50 routers have been found that still use hard-coded passwords that are easy to crack, allowing attackers easy access. The Mirai-botnet, for example, exploits this vulnerability to hack IoT devices. In addition, 16 routers contained basic and commonly used passwords. Only in Asus’ firmware images no hard-coded passwords were found. Private keys were found on the AVM routers.
“In summary, our research shows that there is no router without vulnerabilities, and no vendor performs perfectly on all security levels. Much more work needs to be done to make home routers as secure as current desktops and servers,” the researchers conclude.