83% of Routers Contain Severe Security Issues

Megalith

The American Consumer Institute tested nearly 200 types of routers and found that fewer than 20% of them were free from vulnerabilities. 155 models were found to have security issues, with the average router containing 186 vulnerabilities. 28% of the 32,003 vulnerabilities found were “high-risk and critical.”

“On average, routers contained 12 critical vulnerabilities and 36 high-risk vulnerabilities, across the entire sample. The most common vulnerabilities were medium-risk, with an average of 103 vulnerabilities per router,” the researchers write in their report. “Simply resetting your router is not enough,” the study warns. “Automated updates are by far the most feasible option to keep IoT devices and consumer data safe.”
 
This is all factory firmwares with software vulnerabilities, right? They did not check updated custom firmware issues?
 
I have not purchased a router since the R7000 a few years ago. But for me to purchase any off-the-shelf AP/router it HAS to be able to be flashed to 3rd party firmware, and it will never be the front end router since I will always use pfSense or whatever capable, powerful, OSS firewall. I feel sort of sorry for people that do or cannot do such (q.v. Verizon Fios with TV).
 
Few consumers update their router or the firmware on it if performance isn't an issue. I don't work much with consumer grade routers nowadays, so I'm not sure if this trend is changing. What I'm sure won't change is a product's firmware development getting abandoned after the succeeding generation launches.
 
Now they're classifying consumer routers as IoT? I thought that was light bulbs and security cameras, not routers. Is my mouse IoT too? It's plugged into the internet and it's a thing.
 
Now here's the real question, where's the TLDR: these routers suck and these routers don't.

This is all factory firmwares with software vulnerabilities, right? They did not check updated custom firmware issues?

They didn't actually "test" or check anything specific. They ran a 3rd party software that is sold/marketed as a vulnerabilities tester for firmware, that flags things it thinks are an issue in the code itself, and flags them on a scale of bad to worse. They did not test if the flags were really issues, they did not test the router itself, they only downloaded the firmware from the mfgs site and ran it through the program. You have to pay for the program to get the detailed info, which is why you don't see it in the paper. It's like one of those ads "you have 2,945 registry errors, pay now and we will fix them!!".

Not saying they don't have issues or that isn't the real number of them, just giving perspective on the "testing" that was done.

Link to the testing page.
 
This is all factory firmwares with software vulnerabilities, right? They did not check updated custom firmware issues?

That's the real question, since there is no such thing as a router without a vulnerability. Security is relative and a very intense arms race, and getting down to who is patching what better is perhaps more important than who ships with the most vulnerabilities.

And by 'patching better' both vulnerability addressment and patch distribution should be considered, and poor distribution is the reason that release vulnerabilities are still relevant because many routers never receive patches released for them.
 
Few consumers update their router or the firmware on it if performance isn't an issue. I don't work much with consumer grade routers nowadays, so I'm not sure if this trend is changing. What I'm sure won't change is a product's firmware development getting abandoned after the succeeding generation launches.

Well, there's two things here that are happening that I've seen-

First, we're seeing vendors push 'cloud' services for home routers. I'll complain about the extra attack vector, but firmware updates can be automated this way without end user involvement. Again, something I'm not totally fine with but for the general consumer something that I understand and something that could potentially do more good than harm.

Second, we're seeing companies like ASUS pushing -WRT spins for their firmware, which to me comes off as kind of like running Linux, where the vendor can rely on community FOSS development to keep things up to date on the development side.

Beyond that, we're seeing Microsoft's IoT initiative, which uses a Linux kernel with minimum-grade ARM SoCs and a hard focus on security, which might push up into the router space or otherwise influence it. And given Microsoft's often frustrating consumer patching initiatives, they may start pushing their influence into that space as well.
 
Asus has to be loving their router and company logo being singled out and used in headlines like this, lol...
 
This is one of the key features I like about the Google WIFI system (and a few other WIFI routers at this point). For the general consumer, having a router / WIFI access point that takes care of itself is of utmost importance because most people NEVER login to check for an update (assuming the router even has a firmware updater built in and you don't just have to look on the manufacturer's website and upload the file to update...). It's just not realistic for the average consumer.

Also, we are increasingly seeing providers using all in one modem / gateway / WIFI AP solutions because they want to offer cable internet, TV, phone all from one box... Who knows how well they are taking care of the security side of such devices... And if a severe vulnerability is found, there will be a large number of people with the same equipment who will be affected, most likely faster than the provider can roll out firmware updates.... A scary situation...
 
It may be a while before many router vendors implement any kind of auto update. Imagine the support chaos that will happen if Asus pushed an update that bricked 250,000 routers to the point the end users totally lost Internet access. Then imagine the 5 support folks trying to talk those 250,000 pissed off customers through the manual process of resetting the router back to base factory specs, assuming such a function was included in the router in the first place. Much easier and safer for the vendor to EOL a router a few months after release, end support having never released a patch and push out a new model. Even if the only difference between EOL router and new shiny router is the antennas are now red instead of blue.
 
Some of these APs.. like the Zyxel ones, are just crap firmware APs.. It's no surprise that there's so many vulnerabilities, but also, consider that you're not a total tech dummy, you won't be buying or configuring your AP to have vulnerabilities.
 
Now they're classifying consumer routers as IoT? I thought that was light bulbs and security cameras, not routers. Is my mouse IoT too? It's plugged into the internet and it's a thing.

As a security researcher I don't care what the device actually does. I only care if it's an internet connected embedded device running some form of an OS (usually *nix) that I can interact with. An IP camera, Amazon Alexa, or a wifi router are all small ARM or MIPS based Linux computers to me. You'd be surprised what you find in these things. I'm trying to remember correctly, but I believe it was a Linksys router I was working on an exploit for last year that had netcat installed from the factory that could be triggered to open a backdoor shell remotely. Fun stuff.
 
It may be a while before many router vendors implement any kind of auto update. Imagine the support chaos that will happen if Asus pushed an update that bricked 250,000 routers to the point the end users totally lost Internet access. Then imagine the 5 support folks trying to talk those 250,000 pissed off customers through the manual process of resetting the router back to base factory specs, assuming such a function was included in the router in the first place. Much easier and safer for the vendor to EOL a router a few months after release, end support having never released a patch and push out a new model. Even if the only difference between EOL router and new shiny router is the antennas are now red instead of blue.

THAT would be shitty support... and would drive my business elsewhere
 
I've had a Linksys EA9500 since launch, feels like 2 years now and THEY haven't released a single firmware update.
 