Home routers largely unpatched, raising risk during Covid-19 WFH

Employers who have suddenly shifted a large percentage of their workforce to remote due to Covid-19 no doubt will shudder by the findings of a new Fraunhofer Institute for Communication, Information Processing and Ergonomics study that concluded no home router was without security vulnerabilities.

The German tech think tank analyzed 127 home routers from seven manufacturers sold in Europe and found that 46 of them hadn’t a security update within 12 months, and some hadn’t been updated for more than five years.

The lion’s share (91 percent) of the routers use Linux OS, but many manufacturers don’t integrate fixes when they’re available from Linux kernel maintainers. Vendors can distribute security patches to their devices far more often, but do not, Fraunhofer found, and to make matters even worse, many of the routers are powered by very old version of Linux.

“Our results are alarming,” the report stated, noting no router is without flaws. “Many routers are affected by hundreds of known vulnerabilities. Even if the routers got recent updates, many of these known vulnerabilities were not fixed. What makes matters even worse is that exploit mitigation techniques are used rarely.

Some routers provide easy crackable or even well known passwords that cannot be changed by the user. Most firmware images provide private cryptographic key material, meaning an attempt to secure with a public-private crypto mechanism “is not secure at all.”

What makes this development especially problematic is that routers are typically connected to the internet 24/7, making them extremely as an easy target for a botnet attack, “leading to an ever high risk of malware infection.”

Some brands, such as ASUS and Netgear, fared better when compared to D-Link, Linksys, TP-Link, and Zyxel, under Fraunhofer’s scrutiny, which used the open-source Firmware Analysis and Comparison Tool (FACT) to automatically extract the most recent firmware from the routers.

The report, which admits there could be some false negatives and positives, analyzes five security aspects:

• When were the devices updated last time?

• Which operating system versions are used and how many known critical vulnerabilities affect these operating system versions?

• Which exploit mitigation techniques do the vendors use?

• How often do they activate these techniques?

• Do the firmware images contain private cryptographic key material?

Metrics used by the research included days since last update, use of outdated software, inclusion of private keys, hardcoded passwords, and exploit mitigations.

“While these are all interesting data points, there is a lot more that goes into security,” said Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team.

“A router vendor can keep their Linux kernel up to date and enable all the exploit mitigations they want, but it isn’t going to matter if the device still allows command injection by a cross-site request forgery,” Young said.  

Similarly, a vendor can release updates on a regular basis, but it would be remiss, according to Young, if it still ignored security researchers.

“A more complete picture of vendor security reliability should include aspects related to how well the vendor works with researchers and the typical response time for resolving externally reported issues,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.