A study has found security flaws in more than one hundred internet routers. Its authors call the results “alarming”, a finding that underscores the importance of information security while working remotely.
The revelation of the inherent flaws of consumer internet routers comes from Germany’s Fraunhofer Institute for Communication (FKIE), which published its ‘Home Router Security Report 2020’.
Authors Peter Weidenbach and Johannes vom Dorp made it clear from the outset that “our results were alarming,” adding that “there is no router without flaws.”
“Many routers are affected by hundreds of known vulnerabilities. Even if the routers got recent updates, many of these known vulnerabilities were not fixed. What makes matters even worse is that exploit mitigation techniques are used rarely,” they noted.
The team at FKIE examined 127 internet routers from seven manufacturers and found that not a single manufacturer offered adequate protection for its home users.
“Most firmware images provide private cryptographic key material,” the authors say, adding that “this means, whatever they try to secure with a public-private crypto mechanism is not secure at all.”
The authors of the report also analysed the routers’ firmware to determine when each router had last received a security update. The results showed that 46 of the 127 had received no security update within the past 12 months.
Even the best-performing routers were riddled with potential security flaws. On average, each router possessed 53 critical security vulnerabilities, while the highest-ranking routers still possessed 21 critical vulnerabilities.
“ASUS and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link and Zyxel,” they say.
Researchers have signalled their alarm over the number of flaws in home routers, which in recent months has been compounded by the large number of individuals working remotely for their organisation.
The researchers pointed out that “the good news is that more than 60% of router firmware images do not have hard-coded login credentials. The bad news is that 50 routers do provide hard-coded credentials. 16 routers have well known or easily crackable credentials. The worst device is the Netgear RAX40 with the following three well-known credentials: amazon, password & password.”
Even for people using one of the most sophisticated and secure routers, researchers say these critical vulnerabilities still offer hackers a means of accessing the individual’s personal data, as well as a gateway to their employer’s information.
The team at the Fraunhofer Institute for Communication is urging everyone, whether or not they’re working from home, to update their router’s firmware with any security patches available.
“To sum it up,” the authors write, “our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects. Much more effort is needed to make home routers as secure as current desktop or server systems.”