as i have said before, most if not all home routers are not secure, this study is scary in many ways
do not rely on your home router for firewall security
https://www.fkie.fraunhofer.de/cont...uter/HomeRouterSecurity_2020_Bericht.pdf
Executive Summary
This report analyses 127 current routers for private use developed by seven different large vendors
selling their products in Europe. An automated approach was used to check the router's most
recent firmware versions for five security related aspects.
We were able to extract completely 117 of the 127 firmware images. Four firmware images
could be extracted partly and six firmware images could not be extracted at all. 116 of 127
(91%) devices are powered by Linux. One was powered by ThreadX and another one by eCos.
The security aspects addressed in this report are:
When were the devices updated last time?
Which operating system versions are used and how many known critical vulnerabilities
affect these operating system versions?
Which exploit mitigation techniques do the vendors use? How often do they activate these
techniques?
Do the firmware images contain private cryptographic key material?
Are there any hard-coded login credentials?
Our results are alarming. There is no router without flaws. 46 routers did not get any security update within the last year. Many routers are affected by hundreds of known vulnerabilities. Even if
the routers got recent updates, many of these known vulnerabilities were not fixed. What makes
matters even worse is that exploit mitigation techniques are used rarely. Some routers have easy
crackable or even well known passwords that cannot be changed by the user. Most firmware
images provide private cryptographic key material. This means, whatever they try to secure with
a public-private crypto mechanism is not secure at all.
Nonetheless, vendors seem to prioritize security differently. Especially AVM does a better job
than the other vendors regarding most of the security aspects. However, AVM routers are not
flawless as well. ASUS and Netgear do a better job on some aspects than D-Link, Linksys, TP-Link
and Zyxel.
To sum it up, much more effort is needed to make home routers as secure as current desktop or
server systems.
do not rely on your home router for firewall security
https://www.fkie.fraunhofer.de/cont...uter/HomeRouterSecurity_2020_Bericht.pdf
Executive Summary
This report analyses 127 current routers for private use developed by seven different large vendors
selling their products in Europe. An automated approach was used to check the router's most
recent firmware versions for five security related aspects.
We were able to extract completely 117 of the 127 firmware images. Four firmware images
could be extracted partly and six firmware images could not be extracted at all. 116 of 127
(91%) devices are powered by Linux. One was powered by ThreadX and another one by eCos.
The security aspects addressed in this report are:
When were the devices updated last time?
Which operating system versions are used and how many known critical vulnerabilities
affect these operating system versions?
Which exploit mitigation techniques do the vendors use? How often do they activate these
techniques?
Do the firmware images contain private cryptographic key material?
Are there any hard-coded login credentials?
Our results are alarming. There is no router without flaws. 46 routers did not get any security update within the last year. Many routers are affected by hundreds of known vulnerabilities. Even if
the routers got recent updates, many of these known vulnerabilities were not fixed. What makes
matters even worse is that exploit mitigation techniques are used rarely. Some routers have easy
crackable or even well known passwords that cannot be changed by the user. Most firmware
images provide private cryptographic key material. This means, whatever they try to secure with
a public-private crypto mechanism is not secure at all.
Nonetheless, vendors seem to prioritize security differently. Especially AVM does a better job
than the other vendors regarding most of the security aspects. However, AVM routers are not
flawless as well. ASUS and Netgear do a better job on some aspects than D-Link, Linksys, TP-Link
and Zyxel.
To sum it up, much more effort is needed to make home routers as secure as current desktop or
server systems.