Many of the most popular home routers available to buy today feature a worrying number of security flaws and vulnerabilities, new research has found.

A report from Fraunhofer Institute for Communication (FKIE) discovered that the firmware present in a large number of leading routers was susceptible to hugely damaging security issues.

Many routers were found to never have received a single security firmware update in their lifetime, despite the risk that this could pose to users at home and at work, and were vulnerable to hundreds of well-known security issues.

Linux security

The FKIE study looked at 127 home routers from seven brands (Netgear, ASUS, AVM, D-Link, Linksys, TP-Link and Zyxel), examining the product firmware for any known security vulnerabilities.

46 of the products it tested had not received any kind of security update within the past 12 months, with some vendors shipping firmware updates without fixing known vulnerabilities, and one set of products not seeing a firmware update for more than five years.

“The update policy of router vendors is far behind the standards as we know it from desktop or server operating systems,” the FKIE noted in its report, calling for an industry-wide push to improve router security as a whole.

“Numerous routers have passwords that are either well known or simple to crack – or else they have hard-coded credentials that users cannot change.” 

FKIE found that almost all (90%) of the routers were running some form of Linux operating system, however the manufacturers were failing to update this software with the latest patches and fixes, leaving the devices open to attack.

“Linux works continuously to close security vulnerabilities in its operating system and to develop new functionalities. Really, all the manufacturers would have to do is install the latest software, but they do not integrate it to the extent that they could and should,” Johannes vom Dorp, part of the team at FKIE’s Cyber Analysis & Defense department said.  

“Most of the devices are powered by Linux and security patches for Linux kernel and other open-source software are released several times a year. This means the vendors could distribute security patches to their devices far more often, but they do not.”

Via ZDNet

Source Article