Almost all home Wi-Fi routers tested in a mass study by Germany's renowned Fraunhofer Institute had serious security vulnerabilities that could easily be fixed by router makers, a recently released report states.
"Nearly all were found to have security flaws, some of them very severe," the Fraunhofer Institute said in a press release. "The problems range from missing security updates to easily decrypted, hard-coded passwords and known vulnerabilities that should have been patched long ago."
- Your router's security stinks: Here's how to fix it
- The best Wi-Fi routers to bring the internet to your home
- Plus: WhatsApp dark mode just came to desktop — how to try it now
Using its own analytical software, the institute tested the most recently available firmware for 117 home Wi-Fi models currently sold in Europe, including routers from ASUS, D-Link, Linksys, Netgear, TP-Link, Zyxel and the small German brand AVM. The models themselves were not physically tested.
A full list of the tested models and firmware is on GitHub. The institute was not able to examine the firmware of 10 more models, mostly from Linksys. The report notes that many firmware updates are issued without fixing known flaws.
Because the study was begun in late March and examines the firmware available on March 27, it will not include the dozens of firmware hot fixes that Netgear issued in late June to correct a series of flaws.
Meanwhile, Huawei routers were not examined because the company does not make its router firmware publicly available, and routers and gateways issued by ISPs were not examined because the ISPs outsource firmware development to many third parties.
It's not like this is the first survey of its kind. A separate study of router security delivered a similarly dire report in December 2018, yet little improvement has been seen in the subsequent 18 months.
- More: Out and about? See how to use a VPN to stay safe on public Wi-Fi
How can you protect your router?
So what can you do? You can make sure that the next router you buy automatically installs firmware updates. You can check to see whether your current router does so, or makes it fairly easy to install firmware updates manually.
You should also make sure that the administrative password for your router has been changed from the factory default password. (Check the list of default passwords at https://www.routerpasswords.com.) You should also check its administrative interface to make sure that UPnP and remote access are disabled.
And if your router was first released more than 5 years ago, consider buying a newer model unless it meets all of the above criteria. (Here are our picks for best Wi-Fi router.)
Alternatively, you could try to "flash" your older router to run more secure open-source router firmware such as OpenWrt, DD-WRT or Tomato.
The bad, and the worse
AVM came out by far the best among the seven manufacturers examined, although it was not without flaws. ASUS and Netgear did not do well, but they were less terrible than D-Link, Linksys, TP-Link and Zyxel.
The flaws included out-of-date firmware (the D-Link DSL-321B Z had not been updated since 2014); out-of-date Linux kernels (the Linksys WRT54GL uses a kernel from 2002); failure to implement common security techniques (AVM did better than the rest here); secret private keys embedded in the firmware so anyone could find them (the Netgear R6800 had 13); and hard-coded administrative usernames and passwords allowing full device takeover (only ASUS had none).
"There is no router without flaws, and there is no vendor who does a perfect job regarding all security aspects," the Fraunhofer report concluded. "Much more effort is needed to make home routers as secure as current desktop or server systems."
The routers you really shouldn't use
There are a few routers named in the study that you should definitely not use, even though it appears you still can buy them.
"The worst case regarding high severity CVEs [widely known flaws] is the Linksys WRT54GL powered by the oldest kernel found in our study," the report said, noting that this model uses the 2.4.20 kernel from 2002. "There are 579 high severity CVEs affecting this product."
That particular model last had its firmware updated in January 2016, one of the oldest firmwares in the study. The Linksys WRT54GL was first released in 2005 and is still sold today, even though it handles Wi-Fi protocols only up to 802.11g.
However, the WRT54G series is possibly the best-selling family of Wi-Fi routers ever. The WRT54GL's continued appeal may be driven by a reputation for reliability and the fact that it's easily "flashed" to run open-source firmware -- the OpenWrt firmware was initially developed to run on this series of routers.
Popping the kernels
It's not that other models do so much better in running up-to-date Linux kernels. (More than 90% of the routers in the study ran Linux.) By far, the most common version of the Linux kernel was 2.6.36, issued in 2010. Only AVM didn't run any 2.x kernels, its oldest version being 3.10.10 from 2013.
"Nevertheless, more than half of the AVM devices run kernel versions that are not maintained anymore," noted the report.
Linux consistently builds new security features right into its kernel, and it's not that difficult to update the kernel on Linux devices. Makers of Linux PC and server distributions do it all the time.
While the most recent Linux kernel at the time of the Fraunhofer testing (March 27, 2020) was version 5.4, none of the routers tested used anything newer than 4.4.60, from 2016. (AVM and Netgear used that one.)
"Linux works continuously to close security vulnerabilities in its operating system and to develop new functionalities," said researcher Johannes vom Dorp in the Fraunhofer press release. "All the manufacturers would have to do is install the latest software, but they do not integrate it to the extent that they could and should."
Everyone's got your private secret key
Another no-no model is the Netgear R6800, which as mentioned above had a whopping 13 hard-coded private security keys embedded in its firmware.
Its last firmware update was in August 2019, and we'd not want to use it until a new one was made available. (That model wasn't part of the late-June series of Netgear hot fixes.)
Private keys are a crucial part of the mechanisms governing internet security, and routers would use them to initiate secure transmissions and verify firmware updates. They need to stay closely guarded secrets to be effective, but that's pretty well undermined if the keys can be found in a router's firmware.
"This means any attacker can impersonate the device and do man-in-the-middle attacks," the report said. "These keys are shared with all devices of the same model. This means one private key published in a firmware puts thousands of devices in danger."
Only AVM had zero private keys in all its firmware images. Netgear had the most.
Well out of date
Then there's the D-Link DSL-321B Z, which hadn't had a firmware update since August 2014. In total, 46 models hadn't received updates in more than a year, although most had within the previous two years.
"If a vendor did not update a firmware in a long time, it is for sure that there are several known vulnerabilities in the device," the report said. "The other way round is not necessarily true."
In terms of available security protections, which are too technical to discuss here, AVM was far and away the best at deploying them on its devices, with Netgear a distant second. D-Link fared worst.
But again, most of these protections are standard on Linux PCs and servers, and even on Android phones. There's no real good reason they can't be used on more routers.