Many popular home router devices have been affected by hundreds of known vulnerabilities, and more than a third of them did not receive updates last year, according to a new report. The study, conducted by FKIE, a communications institute in Germany, involved 127 home routers from seven brands, from Asus Computer, Netgear, D-Link, Linksys, TP-Link Technologies, Zyxel Communications and AVM Systeme Vertriebs GmbH. It compares the latest firmware versions of each router with known security vulnerabilities and finds that none is perfect.
Of the 127 routers, 46 have not received a security update in the past year, while 22 have not received any updates in the past two years. The most serious case has been running for 1969 days, more than five years, without security patches. Asus, AVM and Netgear are among the top security players, with all of their devices updated over the past year and a half, but D-Link, Linksys, TP-Link and Zyxel lag behind. Although about 90% of routers use Linux, many manufacturers do not update the operating system, and most product kernel versions are still 2.6 (or earlier), which last saw an update in February 2011, which resulted in a large number of critical and high-severity CVE affecting these devices.
50 routers were found to have hard-coded login credentials, the default username and password embedded in the device, and 16 routers with well-known or easy-to-crack credentials. Asus is the only company that does not store any hard-coded credentials in its firmware image. The analysis shows that no router is defective, and no vendor is doing it perfectly in all aspects of security, and more effort is needed to make a home router as secure as the current desktop or server system.