A security review of 127 popular home routers found most contained at least one critical security flaw, according to researchers.
The “Home Router Security Report” (PDF) by Peter Weidenbach and Johannes vom Dorp—both from the German think tank Fraunhofer Institute–found that not only did all of the routers they examined have flaws, many “are affected by hundreds of known vulnerabilities,” the researchers said.
On average, the routers analyzed–—by vendors such as D-Link, Netgear, ASUS, Linksys, TP-Link and Zyxel—were affected by 53 critical-rated vulnerabilities (CVE), with even the most “secure” device of the bunch having 21 CVEs, according to the report. Researchers did not list the specific vulnerabilities.
Researchers examined the routers based on several key aspects: device updates, version of operating system and any known critical vulnerabilities affecting them; exploit mitigation techniques by vendors and how often they activate them; the existence of private cryptographic key material in the router’s firmware; and the existence of hard-coded login credentials.
“To sum it up, our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects,” Weidenbach and vom Dorp wrote. “Much more effort is needed to make home routers as secure as current desktop or server systems.”