Topic: Home routers still riddled with security flaws (like we didn't know)

Alex Atkin UK


https://www.zdnet.com/article/home-router-warning-theyre-riddled-with-known-flaws-and-run-ancient-unpatched-linux/

https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/HomeRouter/HomeRouterSecurity_2020_Bericht.pdf

Quote
Our analysis showed that Linux is the most used OS running on more than 90% of the devices. However, many routers are powered by very old versions of Linux. Most devices are still powered with a 2.6 Linux kernel, which is no longer maintained for many years. This leads to a high number of critical and high severity CVEs affecting these devices.

Since Linux is the most used OS, exploit mitigation techniques could be enabled very easily. Anyhow, they are used quite rarely by most vendors except the NX feature.

A published private key provides no security at all. Nonetheless, all but one vendor spread several private keys in almost all firmware images.

Mirai used hard-coded login credentials to infect thousands of embedded devices in the last years. However, hard-coded credentials can be found in many of the devices and some of them are well known or at least easy crackable.

However, we can tell for sure that the vendors prioritize security differently. AVM does better job than the other vendors regarding most aspects. ASUS and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link and Zyxel.

Additionally, our evaluation showed that large scale automated security analysis of embedded devices is possible today utilizing just open source software. To sum it up, our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects. Much more effort is needed to make home routers as secure as current desktop or server systems.
« Last Edit: July 07, 2020, 08:51:31 PM by Alex Atkin UK »
INTAKE (ECI) Zen: Home Hub 5A OpenWrt Plusnet: VMG-3925-B10B Three 4G: Huawei B535-232 Router: pfSense (i5-7200U) WiFi: Ubiquiti nanoHD
Thinkbroadband Quality Monitors

ejs

Re: Home routers still riddled with security flaws (like we didn't know)
« Reply #1 on: July 07, 2020, 07:01:28 PM »

This seems to be a report based on such seriously flawed methodology it's not even funny. I think it's largely based on what version of the Linux kernel they found in each firmware and the number of vulnerabilities between that and the latest, with no regard for if a patch has been applied or if they are even in any way applicable to the router. They also seem to think that the Linux kernel is the OS and do not seem concerned about any of the other software in the device.

They are just saying that all routers have vast numbers of security flaws without actually bothering to actually find, verify and exploit a single vulnerability in any router. Just look at the version number of the Linux kernel instead.

burakkucat

Re: Home routers still riddled with security flaws (like we didn't know)
« Reply #2 on: July 07, 2020, 08:37:30 PM »

b*cat mods in agreement with what ejs has written.
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


Alex Atkin UK

Re: Home routers still riddled with security flaws (like we didn't know)
« Reply #3 on: July 07, 2020, 08:51:08 PM »

It's obviously not in-depth, they mostly seem to be probing the firmware for known key words rather than actually intrusion testing the routers, but there is some merit to their claims I'm sure.

Although I don't think many router manufacturers ever update their kernel version as there are often binaries tied to it, the question is do they back-port security fixes? In the cases where they said the device hasn't HAD a firmware update in years, it's certainly true they are left open to abuse.
« Last Edit: July 07, 2020, 08:56:09 PM by Alex Atkin UK »
INTAKE (ECI) Zen: Home Hub 5A OpenWrt Plusnet: VMG-3925-B10B Three 4G: Huawei B535-232 Router: pfSense (i5-7200U) WiFi: Ubiquiti nanoHD
Thinkbroadband Quality Monitors
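
The keyword-level firmware probing discussed in this thread, as an added example that is not code from the report or from any poster: a Python script that walks an unpacked firmware root filesystem and flags PEM private-key headers and usable password fields in etc/passwd and etc/shadow. The function names, finding labels and the sample tree (accounts, hash, key file) are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# PEM armour of a private key block, with or without an algorithm prefix.
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

def account_findings(rel, data):
    """Flag passwd/shadow entries whose password field is usable for login."""
    out = []
    for line in data.decode("utf-8", "replace").splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            out.append((rel, "empty-password", user))
        elif pw != "x" and not pw.startswith(("!", "*")):
            # "x" defers to shadow; "!" and "*" mark a locked account
            out.append((rel, "hardcoded-hash", user))
    return out

def scan_rootfs(root):
    """Walk an unpacked firmware tree; return sorted (path, kind, detail)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # skip symlinks, directories and device nodes
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if PEM_PRIVATE.search(data):
            findings.append((rel, "private-key", ""))
        if rel in ("etc/passwd", "etc/shadow"):
            findings.extend(account_findings(rel, data))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree (not taken from any real image)."""
    sample = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\nsupport::0:0::/:/bin/sh\n",
        "etc/shadow": "root:$1$CONSTRUCTED$notARealHash:0:0:99999:7:::\nnobody:*:0:0:99999:7:::\n",
        "etc/ssl/server.pem": "-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in sample.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return scan_rootfs(root)
```

A hit from a scan like this is a lead rather than a verified flaw: whether the account is reachable over any service, or the key protects anything that matters, still has to be checked on the device.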

banger

Re: Home routers still riddled with security flaws (like we didn't know)
« Reply #4 on: July 08, 2020, 12:31:08 AM »

On this subject I read that ESET Internet Security probes routers on the system for known vulnerabilities. Good feature if it works.
Tim
talktalkbusiness.net & freenetname
Asus RT-AC68U and ZyXEL VMG1312-B10A Bridge on 80 Meg TTB Fibre

https://www.thinkbroadband.com/speedtest/1502566996147131655

tubaman

Re: Home routers still riddled with security flaws (like we didn't know)
« Reply #5 on: July 08, 2020, 08:02:08 AM »

As @ejs has said, if the vulnerabilities can't be exploited in a router then their existence is of no real relevance.
This is like saying that there are lots of old PCs out there with BIOS vulnerabilities, but if they have been mitigated at a different level (e.g. Intel microcode) then it doesn't matter.
 :)
BT FTTC 80/20 Huawei Cab - Zyxel VMG8924-B10A