When we activate an Internet connection and our Internet Provider sends us its router, we install it, configure it and believe that everything is fine. The same is true if we prefer to buy a “free router”: we take it home, install it, configure it and start surfing. If we are particularly attentive to security, we go a step further: we replace the router’s default username and password with personalized login data.
Is all this enough to let us browse safely? According to the Fraunhofer Institute for Communication (FKIE) in Wachtberg, Germany, no. In June 2020 this important German research center published the Home Router Security Report 2020, which collects the results of numerous tests conducted on 127 router models produced by 7 well-known manufacturers (Asus, AVM, D-Link, Linksys, Netgear, TP-Link and Zyxel, all very popular in the “free router” market). Unfortunately, no good news emerges from the tests.
Router security: how things stand
The Fraunhofer Institute found that many of the routers tested have long-known vulnerabilities. It also found that many manufacturers do not include fixes for existing vulnerabilities in their router firmware updates. Many routers also run old versions of their operating system, which are consequently not secure. Just as many use cryptographic keys that are known to hackers and even weak. The research center also revealed that some routers had not received an update for over five years. But the most worrying thing is that the FKIE could not find, among the 127 models examined, a single router without at least one security problem.
Router security: firmware updates
Although 81 routers were updated in the 365 days prior to the FKIE tests (which ran from March 27, 2019 to March 27, 2020), the average number of days since the last update was 378. As many as 27 devices hadn’t been updated for at least two years, while the absolute worst router hadn’t been updated for 1,969 days, more than five years. Asus, AVM, and Netgear have released updates for their devices in the past year and a half. Just for comparison: most popular antivirus programs publish updates at least daily.
Router security: the operating system
90% of the routers tested by the Fraunhofer Institute for Communication ran a Linux operating system, and a third of the routers worked with the Linux 2.6.36 kernel, a version that was released in late October 2010. One of the routers analyzed, the Linksys WRT54GL, even ran Linux 2.4.20, which dates back to 2002. It is clear that such an old operating system cannot be secure and, in fact, the FKIE discovered an average of 53 operating system-related vulnerabilities per router. The best had “only” 21, the worst 348.
Router security: the encryption keys
Most of the router firmware analyzed contained a private cryptographic key. This means that anything they try to protect with a public-private encryption mechanism is not secure at all. A private key stored in the firmware is all too easy for a hacker to extract, and for this reason the Open Web Application Security Project (OWASP) suggests not using private keys or, if you really need to use them, storing them outside the firmware, on separate chips. The FKIE found at least five private keys in these firmware images, and within the Netgear R6800 router firmware there were 13 private keys.
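As an added example (not code from the FKIE report or any vendor), this is one way to audit an unpacked firmware image for embedded PEM private keys before trusting or shipping it. The function name and the sample image are assumptions constructed for illustration; the key bodies are placeholders, not real keys.

```python
import hashlib
import re

# PEM private-key block (RSA, EC, DSA, OPENSSH, ENCRYPTED or bare PKCS#8 label).
# The body may not contain another BEGIN marker, so a truncated block cannot
# swallow the complete block that follows it.
PEM_RE = re.compile(
    rb"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY)-----((?:(?!-----BEGIN ).)*?)-----END \1-----",
    re.DOTALL,
)
BEGIN_RE = re.compile(rb"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")


def find_private_keys(blob: bytes) -> dict:
    """Locate embedded private keys, de-duplicated by SHA-256 of the key body."""
    keys, complete = {}, set()
    for m in PEM_RE.finditer(blob):
        label, body = m.group(1).decode(), m.group(2)
        complete.add(m.start())
        digest = hashlib.sha256(b"".join(body.split())).hexdigest()
        entry = keys.setdefault(digest, {
            "type": label,
            # Passphrase-protected: PKCS#8 ENCRYPTED label or legacy Proc-Type header.
            "encrypted": label.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in body,
            "offsets": [],
        })
        entry["offsets"].append(m.start())
    # BEGIN markers without a matching END: truncated or split across partitions.
    truncated = [m.start() for m in BEGIN_RE.finditer(blob) if m.start() not in complete]
    return {"keys": keys, "truncated": truncated}


def _pem(label: bytes, body: bytes) -> bytes:
    return b"-----BEGIN " + label + b"-----\n" + body + b"\n-----END " + label + b"-----\n"


# Constructed sample image: filler bytes and placeholder PEM blocks (not real keys).
SAMPLE_FIRMWARE = (
    b"\x7fELF" + b"\x00" * 64
    + _pem(b"RSA PRIVATE KEY", b"QUFBQUFBQUFBQUFB")
    + b"\xff" * 32
    + _pem(b"RSA PRIVATE KEY", b"QUFBQUFBQUFBQUFB")  # same key shipped twice
    + _pem(b"EC PRIVATE KEY", b"Proc-Type: 4,ENCRYPTED\n\nQkJCQkJCQkI=")
    + b"-----BEGIN PRIVATE KEY-----\nQ0NDQ0ND"  # truncated: no END marker
)

if __name__ == "__main__":
    report = find_private_keys(SAMPLE_FIRMWARE)
    for digest, k in report["keys"].items():
        state = "encrypted" if k["encrypted"] else "PLAINTEXT"
        print(digest[:12], k["type"], state, k["offsets"])
    print("truncated BEGIN markers at:", report["truncated"])
```

Any unencrypted key reported here is recoverable by anyone who downloads the same firmware update, which is why the same key appearing at several offsets or across several models matters more than the raw count.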
Router security: login credentials
Most routers use “hard-coded” access credentials (i.e., the username and password the user needs to access the router’s web configuration interface). That is, they are written directly in the firmware, without any encryption. Even worse, login credentials (username and password) such as “Admin-Password” or “User-Password” abound. The problem the Fraunhofer Institute for Communication found with login credentials was that only 60% of the routers analyzed did not have hard-coded credentials, and that such hard-coded credentials have already been known for years.
Router security: how to improve it
In light of what the FKIE discovered, how can you try to make your modem-router more secure? First, it should be noted that most of the products analyzed are not used by the main Internet Providers, but are aimed at the end user who chooses and buys a “free” modem-router for better performance, additional features or (paradoxically) more security. To keep the router secure, therefore, the user must make sure to install all the available firmware updates, something that Internet Providers very often do automatically and remotely for customers whose modem-router is on loan. It is also essential to change the access credentials to the router’s web interface as soon as it is installed.