Your expensive Wi-Fi router probably has security flaws — here's what to do

TP-Link Archer AX6000 review
(Image credit: Tom's Guide)

Even the most highly-rated Wi-Fi routers with up-to-date firmware can be riddled with security flaws, an analysis by German security researchers IoT-Inspector and German tech magazine CHIP has found.

The researchers looked at nine models on CHIP's "best routers" list: two FritzBoxes from German router-maker AVM, plus one each from Asus, D-Link, Edimax, Linksys, Netgear, Synology and TP-Link. (Two are also on the Tom's Guide list of best Wi-Fi routers.) The Synology and TP-Link had the most vulnerabilities, with 30 and 32 each, although some of those flaws were classified as low-risk.

"The test[s] negatively exceeded all expectations for secure small business and home routers," said IoT-Inspector CEO Florian Lukavsky (opens in new tab) in a blog post. "Not all vulnerabilities are equally critical — but at the time of the test, all devices showed significant security vulnerabilities that could make a hacker's life much easier."

According to CHIP's report (opens in new tab)  (in German), the flaws included multimedia and VPN software known to be vulnerable, outdated versions of the Linux kernel, outdated software such as the BusyBox Linux distribution often used in routers, hardcoded administrative passwords and default administrative passwords that were too simple or widely known. 

In all, 226 known software vulnerabilities were found across all nine Wi-Fi router models, which IoT-Inspector and CHIP reported to the router makers. Except for AVM, all the manufacturers responded positively and have issued, or will soon be issuing, firmware updates to fix at least some of the high-risk and medium-risk flaws.

This story was earlier reported by Bleeping Computer (opens in new tab).

Which Wi-Fi routers to update, and how

Because router makers use similar firmware for most of their current models, you'll want to update your firmware if you own any recent router from one of the brands named below, even if yours isn't exactly the same model. (In fact, Netgear patched 35 different models earlier this week, although that was for unrelated security issues.)

The Wi-Fi routers examined were:

  • Asus ROG Rapture GT-AX110000: 15 serious (high- or medium-risk) flaws
  • AVM FritxBox 7530 AX: 9 serious flaws
  • AVM FritxBox 7590 AX: 7 serious flaws
  • D-Link DIR-X5460: 13 serious flaws
  • Edimax BR-6473AX: 16 serious flaws
  • Linksys Velop MR9600: 19 serious flaws
  • Netgear Nighthawk AX12 (RAX120): 16 serious flaws
  • Synology RT-2600ac: 19 serious flaws
  • TP-Link Archer AX6000: 22 serious flaws

The Asus, D-Link, Netgear and TP-Link models are high-end gaming routers, while the AVM FritzBoxes are gateway combination modem/routers widely used in German-speaking countries. 

In each case, the most recent firmware available at the time was tested by IoT-Inspector. Tom's Guide reviewed three of these routers and gave the Asus 4.5/5 stars, the TP-Link 4/5 stars and the Linksys 3.5/5 stars.

All or most of these routers are recent and expensive enough so that they should support automatic firmware updates. If you own one of these models, or something similar from each brand, go into your router's administrative interface and make sure that automatic updates are enabled. (Older and cheaper models are certainly not immune to security flaws, however.)

The flaws reported by this latest report won't be the last found in your router model, so best just leave automatic updates on.

If automatic updates are not available or you'd rather not enable them, then use the admin interface to check for new updates and install them from the interface. Every decent router made in the past few years should be able to let you do that.

What to do about older Wi-Fi routers

Things get dicier with older Wi-Fi routers. You may have to go to the manufacturer's website and search the support pages for firmware updates, download the update to your PC or Mac (or Linux box) and load the update onto the router manually via an Ethernet cable. It's straightforward only once you get used to it.

In any case, if your router is more than five years old, you'll want to check the manufacturer's website to see if it's still getting firmware updates at all. If not, then it's time to get a new router — or if you're technically inclined, to "flash" it with open-source router firmware such as DD-WRT, OpenWRT or Tomato. 

If your Wi-Fi router is more than 10 years old, it's probably not getting any more support and you'll definitely want to retire it or flash it with open-source firmware.

And as always, with all routers, the first thing you'll want to do is to change the default administrative password. That's the easiest way that a hacker can attack your router. 

Once you're in the administrative interface, you'll want to disable remote access so no one can operate it from outside your network, and also disable the convenient but needlessly unsafe universal plug-and-play (UPnP) and Wi-Fi Protected Setup (WPS) features if your computer has them.

But are all these Wi-Fi routers really unsafe?

There is still the question of how serious these perceived flaws are, however. Physically testing any router for security flaws is time-consuming and expensive, and each major router maker has more than a dozen models in production at any given time, each of which gets unique firmware updates periodically. 

So to save time, money and their own sanity, security researchers often just analyze a router's firmware, or operating system, instead of the router itself. Even that takes a long time, so the process can be automated. 

IoT-Inspector, for example, is both the name of the research firm and the firm's proprietary computer program. The program, noted CHIP, can run through a router's firmware in 15 minutes and spit out a report of more than 300 pages on each model. 

Such "static analysis" has its flaws, though. Even CHIP acknowledged that a known vulnerability in the firmware is not always something that can be exploited — it's possible that the router maker has mitigated the flaw by some other means.

Likewise, running an older Linux kernel doesn't necessarily mean more vulnerabilities, although CHIP argued that it's strongly correlated with the presence of other firmware flaws. 

The most recent stable Linux kernel is 5.15, but Android 11 and Android 12 run Linux kernels as far back as 4.14 and there are tens of thousands of servers worldwide happily and (presumably) safely running Linux with even older kernels.

As noted above, AVM was the only router maker to respond negatively to the report of vulnerabilities. The company, which has a reputation for quickly fixing security flaws, questioned the static code analysis, telling CHIP that such methods generate too many false positives and that old Linux kernels don't always result in security flaws.

"The age of the kernel doesn't matter," AVM told CHIP in German, "but rather whether the kernel contains vulnerabilities that are relevant to the core operation of the router."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.