46 makes of router have not had a security update in 12 months, leaving employees possibly open to attack
Employees working from home could be exposed to hacking attempts, after the assertion that many home-routers contain 100s of vulnerabilities that vendors have failed to put right.
Fraunhofer Institute for Communication (FKIE) in Germany examined 127 routers from several vendors, & sadly discovered vulnerabilities in them all.
According to this study, 46 routers did not get any security update within the last 12 months.
“Many routers are affected by 100s of known vulnerabilities. Even if the routers got recent updates, many of these known vulnerabilities were not fixed. What makes matters even worse is that exploit mitigation techniques are used rarely.
Some routers have easy crackable or even well -known passwords that cannot be changed by the user,” outlined the report.
It also added that most firmware images provide private cryptographic ‘key material’. This means, whatever they try to secure with a public-private crypto-mechanism is not really secure at all.
“To sum it up, much more effort is needed to make home routers as secure as current desktop or server systems,” explained the report.
Craig Young, Senior Security Researcher at Tripwire, explained that he was “absolutely stunned” that they would assess that Netgear & ASUS do a ‘better’ job than do others.
“Overall, I have some questions about how they selected the ‘127 current routers.
The research specifically cites Linksys WRT54GL despite that it is been out of support for years. I’m not sure how relevant it is to be comparing this router to currently supported devices from other brands,” he commented.
He observed that the metrics used by the research included ‘days since last update’, ‘use of outdated software’, ‘inclusion of private keys’, ‘hardcoded passwords’, & ‘exploit-mitigations’. While these are all useful data, there is however much more that goes into security.
“A router vendor can keep their Linux kernel up to date & enable all the exploit mitigations they want, but it isn’t going to matter if the device still allows command injection by a cross-site request forgery. Likewise, a vendor can release updates on a regular basis but still ignore security researchers.
A complete picture of vendor security reliability should include aspects related as to how well the vendor works with researchers, & the ‘typical ‘response time for resolving externally reported issues,” he observed.
James McQuiggan, Security Awareness Advocate at KnowBe4, outlined that as with smartphones or computers, these devices must be updated to limit an opportunity for exploitation by cyber-criminals.
“Unfortunately, with legacy devices, the products may no longer be supported, & therefore the router should be replaced. If the router is a later model, it is essential that people register their router with the manufacturer so they can receive notifications to update the device.
If registration is a privacy concern for the person, then visiting the manufacturer’s website on a regular basis for updates would be the best option,” he concluded.