Most home wireless routers fail to use basic security precautions that are commonplace on computers and smartphones, two researchers say in a scathing new report released earlier this month.
The problems are so bad, they say, that a large numbers of routers currently on the market should not be used at all.
Of 28 widely used home routers, made by seven different manufacturers, examined by Parker Thompson and Sarah Zatko of the Cyber Independent Testing Lab, "not a single one took full advantage of the basic application armoring features provided by the operating system." All the routers placed on various publications' best-of lists.
Ten of the tested routers, made by Asus, D-Link, Linksys, Netgear, TP-Link and Trendnet, use the outdated MIPS processor architecture, which Thompson and Zatko says contains a "seemingly forgotten" flaw that completely undermines system security.
"We believe consumers should avoid purchasing products built on this [MIPS] architecture for the time being," the researchers said.
Newer, more expensive routers are more likely to use the ARM architecture that also powers most smartphones and some laptops. But Thompson and Zatko said that of the ARM-based routers they examined, "not a single one took full advantage of the basic application armoring features provided by the operating system."
Linksys a Bright Spot
There were a couple of bright spots. All 18 ARM-based routers implemented DEP at a rate of 99 or 100 percent. One of those, the Linksys WRT32X, also implemented RELRO on 95 percent of its code and buffer-overflow protection on 82 percent.
Yet "the Linksys WRT32x was still missing ASLR almost entirely, so there is still room for improvement," the report noted. "Given that ASLR is an easy safety hygiene feature to accomplish for binary applications, this is a major industry-wide security lapse."
An Industry-Wide Failure
Sadly, it's not easy for a consumer shopping for a new router to tell what kind of processor architecture a prospective router uses. Googling "processor architecture" along with the name of a particular model might yield a lot of unhelpful technical details — and that's if you're lucky.
"These findings suggest an industry-wide failure to audit and test the security of the software running on these products," the researchers added. "Even the most basic practices are being largely ignored.
Today's desktop and mobile operating systems, including Windows, Android, iOS, macOS and Linux, all use security features that may not be household words, but have become commonplace in the last decade.
These features include address space layout randomization (ASLR), which makes it hard for malware to find vulnerable processes; data execution prevention (DEP), which stops malware from using code found in certain parts of running memory; buffer overflow protection, which thwarts a very common type of malware attack; and, in Linux-based systems (including Android), RELocation Read-Only (RELRO), which stops another common type of malware attack.
'Inexcusable' Security Lapse
Most routers also use Linux. Yet their manufacturers have failed to implement most or all of these security precautions, even though adding them would often be cheap and easy.
"The absence of these security features is inexcusable," Thompson and Zatko write. "The features discussed in this report are easy to adopt, come with no downsides, and are standard practices in other market segments."
Thompson and Zatko contrasted the Linux firmware of the routers with a two-year-old, still commonly used desktop Linux distribution, Ubuntu Linux 16.04 Long Term Support (aka Xenial Xerus).
The Ubuntu distro used RELRO on 100 percent of its 5,000-plus bits of executable code, and DEP on 99 percent. Buffer overflow protection was used on 79 percent of the code, and ASLR on 23 percent. The report pointed out that Xenial Xerus is not as secure as Windows 10 and macOS 10.13, both of which implement ASLR on 99 percent of their code.
The routers' numbers were far lower than the Ubuntu distribution's. One MIPS-based router, the Linksys E2500, used DEP on 9 percent of its code, and that was the high point among all 28 routers tested. The rest of the MIPS-based routers were at zero percent. Seven ARM-based routers completely failed to implement ASLR. Seventeen of the 28 routers, both MIPS- and ARM-based, had zero buffer-overflow protection.
"This lack of basic hygiene does not appear to be due to any inherent issue," the report said. "If it weren't possible to institute these safety features, then the values would be zero across the board. Instead, this poor showing implies an apathetic attitude towards applied consumer safety and security for the home router products analyzed."
The inherent weakness of most home routers is one reason that malicious hackers are shifting their targets away from desktop and mobile operating systems and towards routers and other "internet of things" devices.
"Home routers are soft targets in comparison to the security hygiene present in modern desktop operating systems," Thompson and Zatko say. "All vendors have room for improvement, especially when it comes to consistently applying basic safety features across different models in their product lines."