Security vulnerabilities in your home router have been the story for years, with the responsibility being placed at the feet of users to keep their router firmware updated. But a damning report by Fraunhofer says that router manufacturers themselves have taken years to issue patches, with potentially dozens of critical vulnerabilities lurking within older routers.
The June report by Fraunhofer-Institut fur Kommunikation (FKIE) extracted firmware images from routers made by Asus, AVM, D-Link, Linksys, Netgear, TP-Link, and Zyxel127 in all. The report (as noted by ZDNet) compared the firmware images to known vulnerabilities and exploit mitigation techniques, so that even if a vulnerability was exposed, the design of the router could mitigate it.
No matter how you slice it, Fraunhofers study pointed out basic lapses in security across several aspects. At the most basic level, 46 routers didnt receive any updatesat all in the last year. Many used outdated Linux kernels with their own, known vulnerabilities. Fifty routers used hard-coded credentials, where a known username and password was encoded into the router as a default credential that asked the user to change itbut would still be there, accessible, if they did not.
FKIE could not find a single router without flaws. Nor could the institute name a single router vendor that avoided the security issues.
AVM does [a] better job than the other vendors regarding most aspects, the report concluded. Asus and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link, and Zyxel. We contactedBelkin (Linksys) and D-Link, two vendors named in the report, for comment, but didnt hear back by press time.
In conclusion the update policy of router vendors is far behind the standards as we know it from desktop or server operating systems, FKIE said elsewhere in the report. However, routers are exposed to the internet 24 hours a day leading to an even higher risk of malware infection.
Fraunhofer broke down how router vendors have fallen short into several categories.
Days since the last firmware release:Although 81 routers were updated in the last 365 days before the FKIE gathered its results (March 27, 2019 to Match 27, 2020) the average number of days to the prior update, across all devices, was 378. FKIE said 27 of the devices had not been updated within two years, with the absolute worst stretching to 1,969 daysmore then five years.
Asus, AVM, and Netgear issued updates for all of their devices within a year and a half, at least. By comparison, most antivirus programs issue updates at least daily.
Age of the OS: Most routers run Linux, an open-source software model that offers researchers the ability to examine the basic Linux kernel code and apply patches. When the kernel itself is outdated, however, fundamental known vulnerabilities in the OS are ripe for exploitation. FKIE used the open-source Firmware Analysis and Comparison Tool (FACT) to extract the router firmware, finding that a third of the routers ran on top of the 2.6.36 Linux kernel, an older version. Thelast security update for kernel version 2.6.36 was provided nine years ago, the study found.
Critical vulnerabilities in the tested routers abounded. Theaverage number of critical vulnerabilities found for each router was 53, with even the best routers subject to 21 critical vulnerabilities (there were a whopping 348 high-rated vulnerabilities, too).
Exploit mitigation: Routers can be built to protect their kernel using a variety of exploit mitigation techniques, including the non-executable bit (NX) to mark a region of memory as non-executable. This was a common way of protecting the router, but FKIE found that the usage of exploit mitigation techniques was rare.
Private keys: We want to make it absolutely clear that there is no good reason to publish a private key, because a published private key does not provide any security at all! FKIE wrote. Publishing the private cryptographic key in the firmware allows an attacker to impersonate the device itself and do man in the middle attacks, an exploit that tries to fool the users PC and the server into believing that the attacker is the trusted router.
FKIE found that at least five private keys are published per firmware image. The Netgear R6800 provides a total number of 13 private keys in a single device. AVM was the only vendor FKIE found that did not publish private keys.
Hard-coded login credentials: You may already be familiar with hard-coded credentials: a router that uses admin and password as its default credentials. While that makes it easy to recover a lost password, it also makes it extremely easy for an attacker to take over your router. Furthermore, if the user cannot change a password, you might get a feeling that the password is related to a backdoor, FKIE wrote, implying that hard-coding credentials could have been added to allow monitoring of your device.
The good news is that more than 60% of the router firmware images do not have hard-coded login credentials, FKIE wrote. The bad news is that 50 routers do provide hard-coded credentials. Sixteen routers have well known or easy crackable credentials.
FKIEs report doesnt suggest choosing an open-source firmware replacement for your router, although that option is certainly available. Unfortunately, some of the firmware options are no longer maintained, or only work on a subset of (older) routers. Its disappointing that the easiest route for criminals to penetrate your home network appears to benot your PC, or your operating systembut the router youre using to connect to the rest of the world.
This story, "Revealed: How home router manufacturers dropped the ball on security" was originally published by PCWorld.
Go here to read the rest:
Revealed: How home router manufacturers dropped the ball on security - TechHive
- Amazon just slashed the price of our favorite budget home security camera - Tom's Guide - March 14th, 2024 [March 14th, 2024]
- Los Angeles Police Department warning home owners to hard-wire home security systems as organized theft rings ... - Notebookcheck.net - March 14th, 2024 [March 14th, 2024]
- Mesa family upping home security as burglaries increase - Yahoo! Voices - March 14th, 2024 [March 14th, 2024]
- An attempted kidnapping in Glendale is caught on camera - The Arizona Republic - March 14th, 2024 [March 14th, 2024]
- Best Security Systems For Apartments Of 2024 Forbes Home - Forbes - March 14th, 2024 [March 14th, 2024]
- Airbnb's Unexpected Home Security Ban Sets A New Standard For Rental Property Owners - House Digest - March 14th, 2024 [March 14th, 2024]
- Wayward 450-pound pig named Kevin Bacon hams it up for home security camera - The Associated Press - March 14th, 2024 [March 14th, 2024]
- The Best Home Security Cameras According To Rigorous, Hands-On Testing - Forbes - March 14th, 2024 [March 14th, 2024]
- Best home security deal: Get the Arlo Essential Wired Video Doorbell for just $49.99 at Amazon. - Mashable - March 14th, 2024 [March 14th, 2024]
- The 6 Hottest Outdoor Design Trends You'll See Everywhere This Spring and Summer - SFGATE - March 14th, 2024 [March 14th, 2024]
- This smart security camera impressed me in the most unexpected way - ZDNet - March 14th, 2024 [March 14th, 2024]
- Lithe Audio and Lilin integrate AI for home security - HiddenWires - March 14th, 2024 [March 14th, 2024]
- Why Airbnb Is Banning Cameras in Rentals - TIME - March 14th, 2024 [March 14th, 2024]
- PC students gift overnight security guard trip home to Nigeria - WPRI.com - March 14th, 2024 [March 14th, 2024]
- Influencer suing Tyreek Hill for 'breaking her leg' DEMANDS he hand over his private texts and home security f - Daily Mail - March 14th, 2024 [March 14th, 2024]
- Ring's Battery Doorbell Pro is one of the best security systems I've tested (but there's a catch) - ZDNet - March 14th, 2024 [March 14th, 2024]
- Ring Spotlight Cam Pro Review: Compact, Reliable And Long Battery Life - Forbes - March 14th, 2024 [March 14th, 2024]
- Home security video catch person taking mail that results in $8,000 worth of fraudulent checks - AOL - February 16th, 2024 [February 16th, 2024]
- Best Home Security Cameras of 2024 - CNET - February 16th, 2024 [February 16th, 2024]
- Ring sale: Save on Ring doorbells and home security cameras today - Digital Trends - February 16th, 2024 [February 16th, 2024]
- Blink's video doorbell just crashed to $44 and it doesn't require a subscription - Tom's Guide - February 16th, 2024 [February 16th, 2024]
- Snag Up to 43% off These Blink Security Cameras and Doorbells - CNET - February 16th, 2024 [February 16th, 2024]
- U.S. House Republicans impeach Homeland Security chief Mayorkas on second try Oregon Capital Chronicle - Oregon Capital Chronicle - February 16th, 2024 [February 16th, 2024]
- Wi-Fi jamming to knock out cameras suspected in nine Minnesota burglaries -- smart security systems vulnerable as ... - Tom's Hardware - February 16th, 2024 [February 16th, 2024]
- The 4 Best Security Cameras for Your Home of 2024 | Reviews by Wirecutter - The New York Times - February 16th, 2024 [February 16th, 2024]
- Security guard shoots man allegedly trying to run people over in Home Depot parking lot - CBS Los Angeles - February 16th, 2024 [February 16th, 2024]
- The 4 Best Smart Doorbell Cameras of 2024 | Reviews by Wirecutter - The New York Times - February 16th, 2024 [February 16th, 2024]
- Everything you need to know about the Ring Protect price hike - Digital Trends - February 16th, 2024 [February 16th, 2024]
- Vory Threatens To 'Kill' Girlfriend In Alleged Footage Of Domestic Abuse - HipHopDX - February 16th, 2024 [February 16th, 2024]
- Angry Airbnb host sent guest's wife security photo of him with another woman, lawsuit claims - New York Post - February 16th, 2024 [February 16th, 2024]
- Best Smart Locks of 2024 - CNET - February 16th, 2024 [February 16th, 2024]
- Bear tries to enter Washington home through doggie door - UPI News - February 16th, 2024 [February 16th, 2024]
- The Ring Battery Doorbell Pro has 3D motion detection - Gadget Flow - February 16th, 2024 [February 16th, 2024]
- We test some of the latest home security cameras to see how far the technology has come - Nottinghamshire Live - February 16th, 2024 [February 16th, 2024]
- Ring Is Raising Rates on Some Plans by 25% in March - PCMag Middle East - February 16th, 2024 [February 16th, 2024]
- The 12 Best Home Security Cameras of 2023 - Security.org - December 11th, 2023 [December 11th, 2023]
- Traveling for the holidays? Keep an eye on your home with the Blink Mini security camera, now just $20 - Gwinnettdailypost.com - December 11th, 2023 [December 11th, 2023]
- Gangs from South America use security jammers to break in to expensive homes across country: police - WLS-TV - December 11th, 2023 [December 11th, 2023]
- Best Home Security Companies Of 2023 Forbes Home - Forbes - December 11th, 2023 [December 11th, 2023]
- Best Wireless Security Cameras Of December 2023 Forbes Home - Forbes - December 11th, 2023 [December 11th, 2023]
- Best Outdoor Security Lights With Cameras Of 2023 - Forbes - December 11th, 2023 [December 11th, 2023]
- Wireless CCTV camera for home security? Here are top 10 options to choose from | Mint - Mint - December 11th, 2023 [December 11th, 2023]
- Cougar struck and killed near Minneapolis likely the one seen in home security video, expert says - Drgnews - December 11th, 2023 [December 11th, 2023]
- Cougar living in Lowry Hill neighborhood of Minneapolis, city, DNR warn - Star Tribune - December 11th, 2023 [December 11th, 2023]
- FAIR Applauds Senate Republicans for Holding Firm and Demanding that National Security Starts at Home - StreetInsider.com - December 11th, 2023 [December 11th, 2023]
- Prevent Burglaries With ADT's Tips For Property Security | Security News - SecurityInformed - December 11th, 2023 [December 11th, 2023]
- Prince Harry Says His Security Removal Had One Glaring Error - Newsweek - December 11th, 2023 [December 11th, 2023]
- Save $50 on the Ring Alarm home security system from Amazon - SFGATE - September 13th, 2022 [September 13th, 2022]
- An Indian Security System That Is Being Transformed By Technology - Inventiva - September 13th, 2022 [September 13th, 2022]
- Home Security Systems Market | expected to reach $96.5 billion | growth of 9.1% CAGR | 200 pages report - Taiwan News - September 13th, 2022 [September 13th, 2022]
- VP Harris wishes lawmakers treated domestic threats as 'Americans' - Business Insider - September 13th, 2022 [September 13th, 2022]
- Axis Communications Unveils Latest Solutions for Integrating Sight, Sound, Analytics and More at the 2022 Global Security Exchange - Business Wire - September 13th, 2022 [September 13th, 2022]
- Tomorrow.io Delivers First Radar for Weather Satellite Constellation Backed by U.S. Air Force - Benzinga - September 13th, 2022 [September 13th, 2022]
- The 2 Stocks Everyone's Talking About Tuesday - The Motley Fool - September 13th, 2022 [September 13th, 2022]
- What To Do With Old Smartphones? 15 Genius Reuse Ideas - TechPP - September 13th, 2022 [September 13th, 2022]
- Broken Arrow Man Arrested, Accused Of Hiding Cameras To Record Minors - News On 6 - September 13th, 2022 [September 13th, 2022]
- Massacre in Pike County Suspect is escorted by security as they enter court on the first day of the trial. - TDPel Media - September 13th, 2022 [September 13th, 2022]
- Department of Homeland Security PAL-Home - November 4th, 2021 [November 4th, 2021]
- Native Sun Home Accents, Inc. - Arizona Security Doors ... - November 4th, 2021 [November 4th, 2021]
- Ring Alarm Pro review: A giant leap for home security - CNET - November 4th, 2021 [November 4th, 2021]
- The Top Reasons You Should Not Ignore Installing a Home Security System - Southeast Missourian - November 4th, 2021 [November 4th, 2021]
- Where is the best place to install my home security cameras? - TechRadar - November 4th, 2021 [November 4th, 2021]
- Wyze announces new camera features and a new Wyze Smart Switch and Smart Bulb - The Verge - November 4th, 2021 [November 4th, 2021]
- Connected Home Security Market 2021: Global Analysis, Share, Trends, Application Analysis and Forecast To 2027 Bolivar Commercial - Bolivar... - November 4th, 2021 [November 4th, 2021]
- Amazon Black Friday deal takes $250 off the Arlo Pro 3 Spotlight 4 camera system - T3 - November 4th, 2021 [November 4th, 2021]
- Frontpoint Security Expands Executive Team with the Announcement of its First Chief Commercial Officer - PRNewswire - November 4th, 2021 [November 4th, 2021]
- Xiaomi Smart Door Lock Xhome security with face recognition and a sleek design - Gadget Flow - November 4th, 2021 [November 4th, 2021]
- US Blacklists Israeli Spyware Companies Over Threat to National Security - The Daily Beast - November 4th, 2021 [November 4th, 2021]
- Remote Work Security: Handling Setbacks in the Time of COVID-19 - Security Intelligence - November 4th, 2021 [November 4th, 2021]
- World Series 2021 - The inside story of where Jorge Soler's home run went once it left Minute Maid Park - ESPN - November 4th, 2021 [November 4th, 2021]
- Ask a Broker: The importance of smart-home technology - Aspen Daily News - November 4th, 2021 [November 4th, 2021]
- Apple's Craig Federighi defends App Store in face of looming regulation - Mashable - November 4th, 2021 [November 4th, 2021]
- The eufy Floodlight Video Camera II provides 360 degrees of security coverage without breaking the bank - TechHive - November 4th, 2021 [November 4th, 2021]
- Worldwide Automotive Software Industry to 2026 - Safety and Security Software is Expected to Witness Faster Growth Rate - ResearchAndMarkets.com -... - November 4th, 2021 [November 4th, 2021]
- She would never just leave: Investigators look into if Mid-City moms disappearance related to financial investigation - KTLA Los Angeles - November 4th, 2021 [November 4th, 2021]
- Bring Alexa support to your home security with 54% off wansviews 1080p outdoor cam from $18 - 9to5Toys - July 2nd, 2021 [July 2nd, 2021]
- Members of Congress Are Spending More Than Ever on Security Mother Jones - Mother Jones - July 2nd, 2021 [July 2nd, 2021]
- Google Nest to Strengthen Its Commitment to Security by Testing Devices Against the ioXt Alliance's Global Security Standards - Business Wire - July 2nd, 2021 [July 2nd, 2021]
- Summer Wells investigators receive more than 700 tips about missing Tennessee girl - Fox News - July 2nd, 2021 [July 2nd, 2021]
- DIY Home Security Solutions Market Analytical Overview, Growth Factors, Demand and Trends Forecast to 2027 The Courier - The Courier - July 2nd, 2021 [July 2nd, 2021]