More than 100 Wi-Fi Routers Fail Major Security Tests - Protect Yourself Now

More than 100 Wi-Fi Routers Fail Major Security Tests - Protect Yourself Now

Almost all home Wi-Fi routers tested in a mass survey by the renowned Fraunhofer Institute in Germany had serious security vulnerabilities that router manufacturers could easily fix.According to a recently released report, the vulnerability could be fixed by the router manufacturer.

"Almost everything has been found to have security flaws, but some of them are very serious," the Fraunhofer Institute said in a press release. "Issues range from missing security updates to hard-coded passwords that are easily decrypted, and known vulnerabilities that should have been patched long ago," he said."

Using proprietary analytical software, the institute tested the recently available firmware for 117 home Wi-Fi models currently sold in Europe, including routers from ASUS, D-Link, Linksys, Netgear, TP-Link, Zyxel and the small German brand AVM. The model itself was not physically tested.

A complete list of tested models and firmware can be found on GitHub. The institute could not examine the firmware of more than 10 models, mainly from Linksys. The report notes that many firmware updates have been issued without fixing known defects.

The investigation began in late May and examined the available firmware on 3/27, so dozens of files Netgear issued in late May 6 to correct a series of flaws.

Meanwhile, Huawei routers were not investigated because the company did not publish the router firmware, and the Isp did not make a lot of firmware development. The Internet Service provider (ISP) did not investigate the routers and gateways issued by the Isp because they were outsourced to third parties.

This is not like being the first survey of its kind. Another study on router security published a similar disastrous report in 2018/12, but little improvement in the 18 months that followed.

So, what can you do? When you purchase the next router, you can make sure that the firmware update is installed automatically. You can check if your current router is doing so, or if it's pretty easy to install firmware updates manually.

You must also ensure that the router management password has been changed from the factory default password. (https://www.routerpasswords.com.)でデフォルトのパスワードのリストを確認してくださいまた、UPnPとリモートアクセスが無効になっていることを確認するために、その管理インターフ

Also, if the router was first released more than 5 years ago, consider buying a new model unless it meets all the above criteria (here's our pick for the best Wi-Fi router.

Alternatively, you can try to "flush" your old router to run more secure open source router firmware such as OpenWRT, DD-WRT, Tomato, etc.

The AVM was not without flaws, but it came out by far the best of the 7 manufacturers we examined. ASUS and Netgear did not work, but nothing more terrible than D-Link, Linksys, TP-Link and Zyxel.

Defects included older firmware (the D-Link DSL-321B Z has not been updated since 2014) and older Linux kernels (the Linksys WRT54GL has been using the kernel since 2002).; Failing to implement common security technologies (AVM was better than the rest here), a pair of firmware so that anyone can find them

"There are no routers without flaws, no vendors doing the perfect job with all the security aspects," Fraunhofer said. Farr's report concluded. "It takes much more effort to make a home router as secure as a current desktop or server system."

some of the names in the study that you should definitely not use, even though you are shown you can still buy them

"The worst case scenario for high-severity CVEs [widely known defects] is the oldest kernel found in our study. "It's a Linksys WRT54GL with a 2.4.20 kernel," the report said, noting that the model has been using the 2002 kernel since. "There are 579 high-severity Cves affecting this product.

That particular model was last updated with its firmware in 2016. The Linksys WRT54GL was first released in 2005 and handles Wi-Fi protocols up to 802.11g, but is still on sale today

However, the WRT54G series is probably the best-selling family of Wi-Fi routers. The continued appeal of the Wrt54GL may be driven by a reputation for reliability and the fact that it is easily "flashed" to run open source firmware - OpenWRT's firmware was originally developed to run on this series of routers.

Other models are not so good at running the latest Linux kernel. (More than 90% of the routers under investigation were running Linux.By far, the most common version of the Linux kernel was published in 2010, 2.6.36. Only AVM did not do 2.x kernel, its oldest version is 2013-3.10.10.

"Nevertheless, more than half of AVM devices are running kernel versions that are no longer maintained," the report notes.

Linux has consistently built new security features directly into its kernel, and updating the kernel on Linux devices is not that difficult. Manufacturers of Linux PC and server distributions do it all the time.

The latest Linux kernel (2020/3/27) at the time of the Fraunhofer test was version 5.4, but none of the routers tested use anything newer than 2016-4.4.60. (AVM and Netgear used it.

"Linux works continuously to close security vulnerabilities in the operating system and develop new features," researcher Johannes vom Dorp said in a press release for Fraunhofer, "Manufacturers should install all the latest software, but not integrate as much as possible." I don't know.

Another no-no model is the Netgear R6800, which had a whopping 13 hard-coded secret security keys embedded in its firmware, as mentioned above.

Its last firmware update was in 2019/8 and I didn't want to use it until the new firmware was available. (This model was not part of the Netgear Hotfix series in late May 6.

Private keys are an important part of the mechanisms that govern Internet security, and routers use them to initiate secure transmissions and verify firmware updates. They need to maintain a closely guarded secret to be effective, but if the key can be found in the router's firmware, that's pretty much "this means that an attacker could impersonate a device and conduct a man-in-the-middle attack," the report states. "These keys are shared with all devices of the same model. This means that 1 private key exposed in the firmware is putting thousands of devices at risk.

Only AVM did not have a private key in all firmware images. Netgear was the most popular. The D-Link DSL-321B Z has not been updated since 2014/8.

In total, 46 models had not received updates for more than 1 year, but most had received updates within the past 2 years.

"If the vendor did not update the firmware for a long time, it is certain that there are some known vulnerabilities in the device," the report states. "The other way round is not always true.

In terms of available security protections that are too technical to discuss here, AVM fared worst when deploying them on its devices in the distant seconds of Netgear, far away.

However, most of these protections are standard on Linux PCs and servers, and even Android phones. There is no real good reason they can not be used with more routers.

.

Categories