An analysis of 127 home routers developed by well-known vendors such as AVM, ASUS, Netgear, D-Link, Linksys, TP-Link, and Zyxel has revealed that all of them have security flaws and dozens of them have not received a single security update in the past year.
The work-from-home culture that countries across EMEA have been forced to adopt due to the unending COVID-19 pandemic has created new challenges for companies as far as storing and processing enterprise and customer data is concerned.
Employees working from home now have to use their personal home broadband connections to reach company applications and share data with their colleagues. As such, the security of information transmitted over the Internet depends on how secure the devices that employees use to connect are, be it laptops, smartphones, webcams, or home routers.
However, as far as home routers are concerned, a new study conducted by Germany’s Fraunhofer Institute for Communication (FKIE) has revealed that every single home router developed by the top vendors in this category has security flaws, thereby exposing millions of users to a wide variety of cyber threats.
22 home routers from major vendors not updated even once in two years
The Institute analysed 127 home routers developed by the likes of AVM, ASUS, Netgear, D-Link, Linksys, TP-Link, and Zyxel and sold in Europe and found that not only did all of them feature security flaws, but 46 of them also did not get any security update within the last year, and many of them had crackable and easily-guessable passwords that users could not change.
Even though a majority of home routers received at least one security update within the past year, these updates failed to plug various security flaws that hackers could exploit using variants of the Mirai botnet or other botnets to hijack home routers.
To make matters worse, vendors who develop home routers very rarely use exploit mitigation techniques, and the use of hard-coded passwords in many routers makes their users even more vulnerable to existing and emerging cyber security threats.
The researchers found that while 81 routers were updated within the past 365 days, 22 routers were not updated by vendors even once within the past two years, with one router not receiving a single update within the past five years.
Even though vendors like ASUS, AVM, and Netgear updated all of their routers within one and a half years, their update policies are still far behind standards, as routers are exposed to the Internet at all times and are at great risk of malware infection.
The Home Router Security Report also revealed that while exploit mitigation is a great way to prevent vulnerabilities from being exploited through additional security measures, vendors rarely use such techniques to secure their routers. A vast majority of routers are also powered by a 2.6 Linux kernel, which is very much obsolete.
"Mirai used hard-coded login credentials to infect thousands of embedded devices in the last years. However, hard-coded credentials can be found in many of the devices and some of them are well known or at least easily crackable.
"However, we can tell for sure that the vendors prioritize security differently. AVM does a better job than the other vendors regarding most aspects. ASUS and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link, and Zyxel," FKIE noted.
"Additionally, our evaluation showed that large scale automated security analysis of embedded devices is possible today utilizing just open-source software. To sum it up, our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects. Much more effort is needed to make home routers as secure as current desktop or server systems," the institute added.
IoT legislation must be strictly enforced to keep home routers secure
Commenting on these findings, Dr. Kiri Addison, Head of Data Science for Threat Intelligence and Overwatch at Mimecast, said that these findings are particularly worrying as the COVID-19 pandemic means that many employees are working from home and connecting corporate devices to their home router. This obviously provides greater opportunity for sensitive corporate data to be lost or stolen by nefarious actors.
"The manufacturers of these devices need to rapidly improve the security of their products and ensure that patches for known vulnerabilities are developed and made available through updates. This will likely require the enforcement of legislation, such as the IoT legislation recently proposed by the UK government.
"It is also vital that people understand that these routers need regular patching and must be registered with the manufacturer to receive these updates when available, which can help keep them secure. This is important cyber-awareness and it is the role of organisations to educate their workforce on this.
"According to our State of Email Security report, despite this increased threat, over half of organisations – 55% – don't provide any sort of email security training on a frequent basis. This needs to be improved, or vulnerabilities such as this one will lead to further security problems for UK organisations," she added.