Router Security
This report is six months old, and I don’t know anything about the organization that produced it, but it has some alarming data about router security.
Conclusion: Our analysis showed that Linux is the most used OS running on more than 90% of the devices. However, many routers are powered by very old versions of Linux. Most devices are still powered with a 2.6 Linux kernel, which is no longer maintained for many years. This leads to a high number of critical and high severity CVEs affecting these devices.
Since Linux is the most used OS, exploit mitigation techniques could be enabled very easily. Anyhow, they are used quite rarely by most vendors except the NX feature.
A published private key provides no security at all. Nonetheless, all but one vendor spread several private keys in almost all firmware images.
Mirai used hard-coded login credentials to infect thousands of embedded devices in the last years. However, hard-coded credentials can be found in many of the devices and some of them are well known or at least easy crackable.
However, we can tell for sure that the vendors prioritize security differently. AVM does better job than the other vendors regarding most aspects. ASUS and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link and Zyxel.
Additionally, our evaluation showed that large scale automated security analysis of embedded devices is possible today utilizing just open source software. To sum it up, our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects. Much more effort is needed to make home routers as secure as current desktop of server systems.
One comment on the report:
One-third ship with Linux kernel version 2.6.36 was released in October 2010. You can walk into a store today and buy a brand new router powered by software that’s almost 10 years out of date! This outdated version of the Linux kernel has 233 known security vulnerabilities registered in the Common Vulnerability and Exposures (CVE) database. The average router contains 26 critically-rated security vulnerabilities, according to the study.
We know the reasons for this. Most routers are designed offshore, by third parties, and then private labeled and sold by the vendors you’ve heard of. Engineering teams come together, design and build the router, and then disperse. There’s often no one around to write patches, and most of the time router firmware isn’t even patchable. The way to update your home router is to throw it away and buy a new one.
And this paper demonstrates that even the new ones aren’t likely to be secure.
ATN • February 19, 2021 6:59 AM
It is an obvious consequence of the free software license, like the GPL.
A lot of people have written software (on their spare time) under the GPL because they “knew” such software cannot be used in a commercial environment, and interested companies would need another license, with maintenance, so giving the software designer/writer a nice well paid job. That did not happen.
If you transpose the problem in the real physical world, talking about cars, it is like someone owning the two sides of a river, and building a bridge by himself, saying to others: “you can use the bridge, I cannot provide any guaranty it will fit your purpose (stand the weight of your car), you have to check times to times its maintenance – repaint it every few years, for that I provide the first pot of paint. When you decide to repaint, if you run out of paint you have to buy yourself (with your money) another pot of paint and leave it for the next time someone else take that task.”
Everything broke down when companies said “I do not care about copyright laws” (saying to the initial code writer, “my legal team is bigger than yours”, and I will not give you a maintenance contract), and also said to their own clients “any software deficiency are not part of the product legal guaranty”. Nobody (country, courts, costumers) did stand up and complain.
Now, when everything fall down in the real world, a way comparable to a virus is doing right now, there will not be so many people willing to help…