Routers are a key piece of any computer network and handle all traffic destined from one network to another. While business networks typically utilize big single purpose routers from vendors like Cisco or Juniper, home networks typically utilize a smaller ‘router’ combining a router, switch, and wireless access point. They make it extremely simple to establish a home network to anyone with about $100. This low cost and ease of use seems to come with a penalty though: The security of the resulting network.
Two researchers, Peter Weidenbach and Johannes vom Dorp, from the German Fraunhofer Institute recently released a comprehensive report on the state of home router device security. What they found is that nearly every home router device on the market is insecure in various ways.
In their research the researchers looked at the security posture of 127 different models of routers designed for home use. These included models from name brands you would find at any store carrying this type of product like Netgear, Linksys, TP-Link, and D-Link. The first step in evaluating the security of these devices was extracting the included firmware in order to get a look at how they were configured and the software versions in place. The result of this was surprising: they found that most devices on the market were still using Linux kernel 2.6, which has been EOL for a few years. This means that system security patches are unlikely to be released in a timely manner, if at all for those devices. In the extracted firmware they also found a number of hardcoded credentials as well as cryptographic keys being used in an insecure manner, defeating the point of having them.
Another aspect in their research was figuring out how often updates are released to the devices. Security vulnerabilities can happen to any device, but the impact can be mitigated with regular and timely patching. They disappointingly found that the average number of days between up-dates was 378, over a full year of no up-dates for many of the devices. It did appear that ASUS, AVM, and Netgear were among the better vendors when it comes to updates for their devices. It is also important to note that just because updates are available doesn’t mean they are al-ways applied. Most devices do not have auto-update mechanisms, instead an ad-min must check for and apply updates manually.
When it comes to the security of your home network it may be worth doing some research before spending your money on a device. It is important to note too that high price is not always an indicator of quality, as many devices appear to focus more on form over function in this space. The best bet would be to look for past security vulnerabilities for the particular device and note how often the device receives updates from the vendor.