Are Home Routers Secure? NO!

Messages
3,003
Location
Idaho
Thread starter
https://threatpost.com/report-most-popular-home-routers-have-critical-flaws/157346/
Quote
...Common devices from Netgear, Linksys, D-Link and others contain serious security vulnerabilities that even updates don't fix. A security review of 127 popular home routers found most contained at least one critical security flaw, according to researchers. The "Home Router Security Report" (PDF) by Peter Weidenbach and Johannes vom Dorp-both from the German think tank Fraunhofer Institute-found that not only did all of the routers they examined have flaws, many "are affected by hundreds of known vulnerabilities," the researchers said. On average, the routers analyzed--by vendors such as D-Link, Netgear, ASUS, Linksys, TP-Link and Zyxel-were affected by 53 critical-rated vulnerabilities (CVE), with even the most "secure" device of the bunch having 21 CVEs, according to the report. Researchers did not list the specific vulnerabilities.... ..."To sum it up, our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects," Weidenbach and vom Dorp wrote. "Much more effort is needed to make home routers as secure as current desktop or server systems." While people make common mistakes when configuring home routers-thus leading to security issues-they are not the primary reasons for the lack of security found among the devices, researchers said. Their analysis clearly shows that device vendors, despite knowing the security risks, are still doing a rather dismal job to ensure that routers are secure even before users take them out of the box... ...Some vendors seem to prioritize security a bit more than others, according to the report. AVM International was the best of the bunch in terms of all the security aspects researchers examined, although the company's routers also contained flaws, they said. ASUS and Netgear also prioritized several aspects of device security more than some of the other vendors. Both update their routers more frequently than their rival companies, and use more current, supported versions of the Linux kernel for their firmware, researchers found. Among the routers examined, those from D-Link, Linksys, TP-Linkand Zyxel fared the worst in terms of how well common security aspects were addressed out of the box, according to the report....
 
Messages
933
Location
Arizona
my 8 year old ASUS still gets updates a couple times a year. Go into your routers setup and Disable any service/s on it that you don't use and Disable the ping feature from internet side. This may increase performance of the device and make it less more difficult to SEE it from internet. Enabling things like MAC filter may help lockdown you device also.
 
Messages
6,126
Location
New England
For better or worst I purchased Google Wifi (mesh 3 pucks) and hope or believe Google pushes updates to it especially vulernabilties. My Cisco was manual upload of file and the TP-Link was clunky experience too.
 
Messages
68
Location
Los Angeles
Cybersecurity analyst here. Purchase hardware with vendors that have an established platform, not some junk no name chinese router. Even the big boys tend to not update after a few years. My recommendation is Ubiquiti, but they can be difficult to setup for the average Joe. Or a software based linux router. Google wifi is a good choice for the average user.
 
Last edited:
Messages
42,597
Location
Ontario, Canada
my 8 year old ASUS still gets updates a couple times a year. Go into your routers setup and Disable any service/s on it that you don't use and Disable the ping feature from internet side. This may increase performance of the device and make it less more difficult to SEE it from internet. Enabling things like MAC filter may help lockdown you device also.
Disabling ICMP response is pretty useless (ping). If an IP is shown as producing traffic or as a valid end-point to target, the fact it's not responding to ICMP isn't relevant and isn't going to change if somebody is going to DDoS you or run a port scan.
 
Messages
266
Location
Pacific Northwest
Just don't expose your router to the internet. It doesn't matter nearly as much if it has security flaws if it is sitting behind an decent firewall and is only used as a WIFI radio. There are lots of low cost, turn key options. I'm running OPNSense, myself on a tiny Atom box that's sitting next to the modem in our entry way closet.
 
Messages
42,597
Location
Ontario, Canada
Just don't expose your router to the internet. It doesn't matter nearly as much if it has security flaws if it is sitting behind an decent firewall and is only used as a WIFI radio. There are lots of low cost, turn key options. I'm running OPNSense, myself on a tiny Atom box that's sitting next to the modem in our entry way closet.
Then it's just a glorified Access Point/Switch, though sometimes more cost effective than individual devices.

PFSense is another excellent option and Sophos makes their UTM product free for home use as well for somebody who has the hardware handy.
 
Messages
266
Location
Pacific Northwest
PFSense and OPNSense are just about beyond my capabilities as a non-network engineer software dev. Without Google, I'd be lost a lot of the time. If it wasn't for some specific capabilities that I wanted, I would prefer IPFire for its greater level of user friendliness.
 
Messages
42,597
Location
Ontario, Canada
PFSense and OPNSense are just about beyond my capabilities as a non-network engineer software dev. Without Google, I'd be lost a lot of the time. If it wasn't for some specific capabilities that I wanted, I would prefer IPFire for its greater level of user friendliness.
Smoothwall used to be a really "friendly" firewall distro, not sure if it is still developed or maintained. I recall it forking at some point as the devs split up?

The Sophos UTM product is pretty easy to install and configure and I generally recommend it as an option for somebody who might be more comfortable with it over PFSense, which I think has a beautiful GUI, but may be a bit much for some people. There's no denying how capable PFSense is however, for a product that's free, it is utterly incredible how good it is.
 
Top