Employers who have suddenly shifted a large percentage of their workforce to remote due to Covid-19 no doubt will shudder by the findings of a new Frauhofer Institute study that concluded no home router was without security vulnerabilities. The German tech think tank analyzed 127 home routers from seven manufacturers sold in Europe and found that 46 of them hadn’t a security update within 12 months, and some hadn’t been updated for more than five years. The lion’s share (91 percent) of the routers use Linux OS, but many manufacturers don’t integrate fixes when they’re available from Linux kernel maintainers. Vendors can distribute security patches to their devices far more often, but do not, Fraunhofer found, and to make matters even worse, many of the routers are powered by a very old version of Linux.
These findings are particularly worrying as the COVID-19 pandemic means that many employees are working from home and connecting corporate devices to their home router. This obviously provides greater opportunity for sensitive corporate data to be lost or stolen by nefarious actors. The manufacturers of these devices need to rapidly improve the security of their products and ensure that patches for known vulnerabilities are developed and made available through updates. This will likely require the enforcement of legislation, such as the IoT legislation recently proposed by the UK government.
It is also vital that people understand that these routers need regular patching and must be registered with the manufacturer to receive these updates when available, which can help keep them secure. This is important cyber-awareness and it is the role of organisations to educate their workforce on this. According to our State of Email Security report, despite this increased threat, over half of organisations – 55% – don\’t provide any sort of email security training on a frequent basis. This needs to be improved, or vulnerabilities such as this one will lead to further security problems for UK organisations.
I’m absolutely stunned that they would assess that Netgear and ASUS do a better job than others. Overall I have some questions about how they selected the ‘127 current routers’. The research specifically cites Linksys WRT54GL despite that it’s been out of support for years. I’m not sure how relevant it is to be comparing this router to currently supported devices from other brands.
The metrics used by the research included days since the last update, the use of outdated software, the inclusion of private keys, hardcoded passwords, and exploit mitigations. While these are all interesting data points, there is a lot more that goes into security. A router vendor can keep their Linux kernel up to date and enable all the exploit mitigations they want, but it isn’t going to matter if the device still allows command injection by a cross-site request forgery. Similarly, a vendor can release updates on a regular basis but still ignore security researchers. A more complete picture of vendor security reliability should include aspects related to how well the vendor works with researchers and the typical response time for resolving externally reported issues.
As consumers, people consider their home routers, computers, and other electronic devices like their oven, dishwasher, and refrigerator, to be able to just plug them in and run. They only look at them when there is a problem. With home routers, people buy them, install them, and maybe configure them with a new password, but for the most part, as long as it\’s running, they don\’t mess with it.
Similar to smartphones or computers, these devices need to be updated to reduce an opportunity for exploitation by cybercriminals. Unfortunately, with legacy devices, the products may no longer be supported, and therefore the router should be replaced. If the router is a later model, it\’s essential that people register their router with the manufacturer so they can receive notifications to update the device. If registration is a privacy concern for the person, then visiting the manufacturer\’s website on a regular basis for updates would be the best option.
Comparable to vehicle recalls, the manufacturer alerts the owner that there is an issue with their car, which needs to be corrected. If the person fails to bring in the car, they could be liable for matters in the event of it causing an accident. Similar to the router issues, if the owner doesn\’t update the router when notified, they could be exposed to vulnerabilities that could have been corrected before a possible data loss, ransomware attack, or worse, identity theft.