According to an analysis of 127 home routers by Germany’s Fraunhofer Institute for Communication (FKIE), there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects.
Much more effort is needed to make home routers as secure as current desktop or server systems. The FKIE analysis showed that Linux is the most used OS, running on more than 90% of the devices. However, many routers are powered by very old versions of Linux. Most devices are still powered by a 2.6 Linux kernel, which hasn’t been maintained for many years.
This leads to a high number of critical and high severity Common Vulnerabilities and Exposures (CVE) affecting these devices. Since Linux is the most used OS, exploit mitigation techniques could be enabled very easily. Disappointingly, however, most vendors use them quite rarely.
A published private key provides no security at all. Nonetheless, all router vendors except one (AVM) were found to have several private keys stored in easy-to-access form in almost all firmware images.
The Mirai botnet used hard-coded login credentials to infect thousands of embedded devices during the last few years. However, hard-coded login credentials can still be found in many of the routers tested, and some of them are well known or at least easily crackable. FKIE does say, though, that some router vendors prioritise security differently.
AVM, the maker of Fritzbox routers, does the best job compared to the other vendors regarding most aspects. ASUS and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link and Zyxel.
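The two firmware findings above, private keys and hard-coded credentials, can be checked on an already unpacked firmware root filesystem. The following Python sketch is an added example, not FKIE's tooling or code from the report; the function names, the sample directory tree and every value in it are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# PEM header of an RSA/EC/DSA/OpenSSH/PKCS#8 private key
PEM_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Password fields that do not allow a password login ("x" = stored in shadow)
NO_LOGIN = {"*", "x"}

def audit_firmware(root):
    """Return sorted (kind, relative path, detail) findings for an unpacked tree."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if PEM_KEY.search(data):
            findings.append(("private-key", rel, "PEM private key block"))
        if path.name in ("passwd", "shadow"):
            for line in data.decode("utf-8", "replace").splitlines():
                fields = line.split(":")
                if len(fields) < 2:
                    continue
                user, pw = fields[0], fields[1]
                if pw == "":
                    findings.append(("credential", rel, f"{user}: empty password"))
                elif pw not in NO_LOGIN and not pw.startswith("!"):
                    findings.append(("credential", rel, f"{user}: baked-in password hash"))
    return sorted(findings)

def build_sample(root):
    """Write a small constructed firmware tree (all values are placeholders)."""
    files = {
        "etc/passwd": "root:x:0:0::/root:/bin/sh\nadmin:$1$salt$CONSTRUCTEDHASH:0:0::/:/bin/sh\nnobody:*:99:99::/:/bin/false\n",
        "etc/shadow": "root::0:0:99999:7:::\n",
        "etc/ssl/server.key": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n",
    }
    for rel, text in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_firmware(tmp):
            print(*finding, sep="\t")
```

Accounts whose password field is `x`, `*` or starts with `!` are skipped because they cannot be used for a password login; everything else in `passwd` or `shadow` ships the same credential on every device running that image.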
From Ausdroid’s perspective, routers are something that all internet-connected households rely on 24/7/365, so we’re disappointed that most manufacturers have achieved such poor security ratings across the board.
A good start for improvement would be if all router manufacturers:
- Promised security firmware patch updates for at least 3 years and included the latest Linux (or other underlying OS) kernel updates
- Made firmware updates automatic by default
- Had complex, randomly generated passwords for their admin console and Wi-Fi, and didn’t allow the use of bad passwords, e.g. those on the HIBP list.
How much security do you invest in with your router at home?