Researchers at IoT Inspector, in collaboration with Chip, have verified the security of many popular routers from Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology and Linksys that are used by millions of people. Alas, as a result, 226 potential vulnerabilities were identified.
“For the evaluation of the routers, the vendors provided the Chip with up-to-date models that were updated to the latest firmware. These firmwares were automatically analyzed by the IoT Inspector, we tested over 5,000 CVEs and other security issues, ”the experts say.
Unfortunately, it turned out that many routers are still vulnerable to well-known vulnerabilities, even if they are using the latest firmware versions.
The leaders in terms of the number of bugs were TP-Link Archer AX6000 (32 vulnerabilities) and Synology RT-2600ac (30 vulnerabilities).
While not all of the issues found carry the same risks, the team found some common flaws that are present in most of the models tested:
- outdated Linux kernel in firmware;
- outdated multimedia and VPN features;
- overuse of old BusyBox versions;
- using weak default passwords such as admin;
- the presence of hard-coded credentials (open test).
IoT Inspector CEO Jan Wendenburg notes that one of the most important ways to protect routers is to change the default password when you first set up a device.
“Changing passwords on first use, as well as enabling automatic refresh should be standard practice for all IoT devices, regardless of whether the device is used at home or on a corporate network,” says the expert. “The biggest threat, in addition to the vulnerabilities introduced by manufacturers, is the use of the device in accordance with the motto” plug, play and forget. “
All manufacturers whose devices were found to be problematic responded to the study and released fixes. For example, Chip author Jörg Geiger reports that vendors have already fixed most of the problems found.
The researchers told Bleeping Computer that mostly minor vulnerabilities remained unpatched . The experts’ report contains the following data on vendor responses:
- Asus . I studied each point of our analysis and provided a detailed answer. Asus has fixed the outdated BusyBox version and also released updates for curl and webserver. They emphasized that the password problems were related to temporary files that are deleted when the process ends, and were not dangerous.
- D-Link . Briefly thanked us for the information and posted a firmware update that fixes all mentioned issues.
- Edimax . We didn’t spend a lot of time checking the problems we found, but in the end we came up with a firmware update that fixed some of the gaps.
- Linksys . Outlined its position on all vulnerabilities that are classified as problems of “high” and “medium” severity. In the future, they do not plan to use default passwords, and also released a firmware update for the remaining bugs.
- Netgear . We worked hard and carefully studied all the problems. Netgear considered some of the “high” severity issues to be less important. Updates for DNSmasq and iPerf have been released, and other issues will be addressed first.
- Synology . Resolved the issues we mentioned with a major update to the Linux kernel. BusyBox and PHP will be updated to newer versions and Synology will have certificates cleared soon. By the way, not only routers benefit from this, but also other devices of the company.
- TP-Link . With updates to BusyBox, CURL and DNSmasq, the company has fixed many issues. There is no new kernel, but more than 50 fixes are planned.