Kitz Forum
Announcements => News Articles => Topic started by: Alex Atkin UK on July 07, 2020, 05:22:00 PM
-
https://www.zdnet.com/article/home-router-warning-theyre-riddled-with-known-flaws-and-run-ancient-unpatched-linux/
https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/HomeRouter/HomeRouterSecurity_2020_Bericht.pdf
Our analysis showed that Linux is the most used OS running on more than 90% of the devices. However, many routers are powered by very old versions of Linux. Most devices are still powered with a 2.6 Linux kernel, which is no longer maintained for many years. This leads to a high number of critical and high severity CVEs affecting these devices.
Since Linux is the most used OS, exploit mitigation techniques could be enabled very easily. Anyhow, they are used quite rarely by most vendors except the NX feature.
A published private key provides no security at all. Nonetheless, all but one vendor spread several private keys in almost all firmware images.
Mirai used hard-coded login credentials to infect thousands of embedded devices in the last years. However, hard-coded credentials can be found in many of the devices and some of them are well known or at least easy crackable.
However, we can tell for sure that the vendors prioritize security differently. AVM does better job than the other vendors regarding most aspects. ASUS and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link and Zyxel.
Additionally, our evaluation showed that large scale automated security analysis of embedded devices is possible today utilizing just open source software. To sum it up, our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects. Much more effort is needed to make home routers as secure as current desktop or server systems.
-
This seems to be a report based on such seriously flawed methodology it's not even funny. I think it's largely based on what version of the Linux kernel they found in each firmware and the number of vulnerabilities between that and the latest, with no regard for if a patch has been applied or if they are even in any way applicable to the router. They also seem to think that the Linux kernel is the OS and do not seem concerned about any of the other software in the device.
They are just saying that all routers have vast numbers of security flaws without actually bothering to actually find, verify and exploit a single vulnerability in any router. Just look at the version number of the Linux kernel instead.
-
b*cat nods in agreement with what ejs has written.
-
It's obviously not in-depth, they mostly seem to be probing the firmware for known key words rather than actually intrusion testing the routers, but there is some merit to their claims I'm sure.
Although I don't think many router manufacturers ever update their kernel version as there are often binaries tied to it, the question is do they back-port security fixes? In the cases where they said the device hasn't HAD a firmware update in years, it's certainly true they are left open to abuse.
-
On this subject I read that ESET Internet Security probes routers on the system for known vulnerabilities. Good feature if it works.
-
As @ejs has said, if the vulnerabilities can't be exploited in a router then their existence is of no real relevance.
This is like saying that there are lots of old PCs out there with BIOS vulnerabilities, but if they have been mitigated at a different level (e.g. Intel microcode) then it doesn't matter.
:)
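The keyword-style firmware probing discussed in this thread, as an added example that is not part of any post or of the Fraunhofer report: it scans a blob for a kernel banner, PEM private-key headers and crypt(3) password hashes, and lists what a human still has to verify. The sample bytes, function names and regexes are constructed for illustration.

```python
import re

# Constructed sample standing in for bytes carved from an unpacked firmware image.
SAMPLE = b"""\x7fELF\x00Linux version 2.6.36 (build@vendor) (gcc version 4.4.3) #1
root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/root:/bin/sh
nobody:*:65534:65534:nobody:/var:/bin/false
-----BEGIN RSA PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END RSA PRIVATE KEY-----
"""

KERNEL_RE = re.compile(rb"Linux version (\d+)\.(\d+)(?:\.(\d+))?")
PEM_RE = re.compile(rb"-----BEGIN ((?:[A-Z]+ )?PRIVATE KEY)-----")
# passwd/shadow-style line whose second field is a crypt(3) hash ($id$salt$hash)
HASH_RE = re.compile(rb"^([a-z_][a-z0-9_-]*):\$([0-9a-z]+)\$[^:\s]+:", re.M)
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}


def audit(blob):
    """Return keyword-level findings for one firmware blob."""
    m = KERNEL_RE.search(blob)
    kernel = tuple(int(g) for g in m.groups() if g) if m else None
    keys = [k.decode() for k in PEM_RE.findall(blob)]
    hashes = [(u.decode(), CRYPT_IDS.get(i.decode(), "unknown"))
              for u, i in HASH_RE.findall(blob)]
    return {"kernel": kernel, "private_keys": keys, "password_hashes": hashes}


def review_items(findings):
    """Turn findings into items a human still has to verify."""
    items = []
    k = findings["kernel"]
    if k and k[:2] == (2, 6):
        # The banner alone cannot show whether the vendor back-ported fixes.
        items.append("kernel %s: confirm back-ported patches" % ".".join(map(str, k)))
    for name in findings["private_keys"]:
        items.append("embedded %s: treat as public, rotate" % name)
    for user, scheme in findings["password_hashes"]:
        items.append("hard-coded %s hash for '%s'" % (scheme, user))
    return items


if __name__ == "__main__":
    for line in review_items(audit(SAMPLE)):
        print(line)
```

A match here is a lead for manual review, not a confirmed vulnerability: the version banner in particular says nothing about patches applied on top of it.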