Wireless routers are the most often attacked and exploited type of IoT device. They are also one of the rare IoT devices that most of us can’t do without. We need them to be as secure as can be, but unfortunately most of them are not.
The non-profit American Consumer Institute Center for Citizen Research (ACI) has tested the latest available versions of the firmware of 186 Wi-Fi routers present in the U.S. market, and found that 155 (83%) of them contain known open source vulnerabilities.
The tested firmware is for devices by TP-Link, Asus, AVM, Belkin, Cerio, D-Link, HPE, Linksys, NETGEAR, Sierra Wireless, TRENDnet, Ubiquiti Networks, Yamaha and Zyxel.
While most of the vulnerabilities within the sample are considered medium risk, 28% of them are high-risk and critical.
“Our analysis shows that, on average, routers contained 12 critical vulnerabilities and 36 high-risk vulnerabilities, across the entire sample,” ACI noted.
“High-risk vulnerabilities require very little knowledge or skill to exploit, but, unlike critical-risk vulnerabilities, they will not entirely compromise the system. The potential damage remains a concern, as exploited high-risk vulnerabilities can partially damage the system and cause information disclosure.”
The reason for this egregious number of open source vulnerabilities is that router manufacturers often use open source components in their firmware, but fail to keep the firmware updated as fixes for those components become available.
“Fixing vulnerabilities lies partly in the hands of consumers who must do their homework and install firmware (software) updates,” ACI noted, but pointed out that manufacturers often do not provide user-friendly ways for consumers to update firmware or may even view building security protocols into their devices.
“Sometimes accessing firmware updates requires consumers to have registered their products with the manufacturers, while other times these updates are not readily available online, and still other times somewhat older routers are not supported at all. This means that even consumers who try to update their router firmware might download outdated code that is all but useless against critical vulnerabilities discovered since its sale,” they added.
Providing automated updating is one way manufacturers can make sure devices’ firmware is kept up to date, but for that to have an effect, newer versions of the firmware must be released often and known vulnerabilities must be fixed quickly.
“Keeping firmware patched for known online threats may be an expense for manufacturers, but not doing so leaves consumers to collectively bear the burden of potentially much higher costs from cybercrime,” ACI concluded.
UPDATE (October 3, 2018, 07:13 PDT):
I reached out to ACI to see whether they would share which routers/manufacturers fell into the 17% of firmware without known vulnerabilities. The organization’s president Steve Pociask said that they suspect that manufacturers quickly stop maintaining their firmware, but continue to offer unsupported and out-of-date firmware for download.
“If we recommend one brand/model today, it may be vulnerable tomorrow. Therefore, we did not show those free from known vulnerabilities, because all of the manufacturers shared some level of guilt,” he noted.
“We are hoping that this study will encourage diligence on the part of manufacturers. Having said that, we have discussed (internally) the possibility of updating this study and releasing the names, just to see if anyone got the message.”
Krisztina Pusok, Director of Policy and Research at ACI, pointed out that these results show the magnitude of risks that vulnerabilities present in consumer and work-at-home Wi-Fi routers, and the need for manufacturers to stay ahead of cybercrime, in the interest of protecting their customers.