The security of home routers has made little progress in recent years. Manufacturers do not provide timely security updates for their devices, which means that many routers have vulnerabilities that have been known for a long time. Problems with preset manufacturer passwords, which are insecure and often cannot be changed, also affect many devices. In an automated test of 127 firmware images of various routers from seven manufacturers, security researchers at the Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE) found one problem or another in each of the images tested.
127 routers from seven manufacturers, Huawei absent
Devices from the manufacturers ASUS, AVM, D-Link, Linksys, Netgear, TP-Link and Zyxel were tested. All tested devices were actively advertised by the manufacturers at the time of the tests, so they can be considered new enough to be actively supported with updates. The AVM routers came out best in the test by a wide margin; ASUS and Netgear also earned a few words of praise from the testers. The Fraunhofer researchers are most critical of D-Link, Linksys, TP-Link and Zyxel. Huawei devices were not tested because the manufacturer does not make its firmware available; whether one wants a device with such an opaque update policy at home is an open question.
Not all of the researchers' results can be transferred directly to the devices actually in use in the market. That is because many devices in the homes of internet providers' customers are supplied by the provider with its own branding, and some of them run their own firmware versions. These are usually not identical to the firmware that the respective manufacturer offers for the base device on its website.
The five weakness criteria examined
To find security vulnerabilities in the 127 tested router models, the FKIE staff did not have to examine the devices by hand. They used the open-source Firmware Analysis and Comparison Tool (FACT) developed by the FKIE and a list of the 127 router models with the firmware version that the respective manufacturer listed as current. FACT downloaded the firmware images, extracted the router operating system (which is based on Linux for most of the devices tested) and checked the software against five different security aspects. These five test criteria were: time since the last firmware release for the device, version of the underlying operating system kernel, presence of exploit mitigations, presence of private cryptographic keys in the system, and preset passwords.
The first two criteria examined by the researchers show whether the router firmware contains vulnerabilities that stem from the underlying operating system. This does not necessarily mean that the router can actually be attacked through these vulnerabilities, but it strongly indicates security problems. The older the kernel used, the more likely it is that a serious vulnerability has remained unpatched. The lack of well-known exploit mitigations in turn makes it more likely that a weakness somewhere in the operating system can be attacked and, in some cases, even abused to hijack the device. If private cryptographic keys are present, it is conceivable that attackers read them out of the firmware download and can thus break the encryption that the router operating system uses to protect presumably secret data. Here, too, attacks are conceivable.
The fifth and last point, factory default passwords, is particularly critical. Although all hardware manufacturers ought to know how fatal such a thing is (especially in routers), this kind of security hole keeps turning up. If the owner of the affected router does not change such preset passwords, anyone who takes the trouble to guess these passwords or to find them out through automated firmware analysis can usually take over the affected devices without further ado. This vulnerability is particularly critical when the passwords are hard-coded and cannot be changed. Even if these passwords, and thus the backdoor in the router, are documented nowhere, such holes are discovered regularly, as the Fraunhofer researchers once again impressively prove, and can then be abused.
Obsolete code, poor protection, private crypto keys included
The results of the FKIE report are devastating. A full 22 of the 127 devices tested had not been supplied with firmware updates within the past two years. More than a third of the devices are based on Linux kernel versions that have not received security updates for at least 9 years. The firmware of one Linksys device was built on a Linux kernel just under 18 years old. AVM stands out as the only manufacturer that consistently uses newer Linux versions. Of course, these results do not show whether manufacturers provide their own kernel patches for their devices. Nevertheless, the number of known security vulnerabilities in the Linux foundation of most tested routers must be considered substantial. The picture is confirmed by the exploit mitigations used in the firmware code, such as a set NX bit, position-independent code or hardening with RELRO: here, too, AVM is ahead, but according to the FKIE researchers all manufacturers could do a lot more to make their routers more secure.
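The three mitigations named above can be read from an ELF binary's headers. The following Python check is an added example, not code from the FKIE report or from FACT; the function names and the constructed sample binaries are assumptions, and RELRO is reported whenever a PT_GNU_RELRO segment exists, without distinguishing partial from full.

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
ET_DYN, PF_X = 3, 0x1

def elf_hardening(data: bytes) -> dict:
    """Report NX, PIE and RELRO for one ELF image (32/64-bit, either byte order)."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                   # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"    # EI_DATA: many routers are big-endian MIPS
    fmt = "HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"
    ehdr = struct.unpack_from(end + fmt, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[0], ehdr[4], ehdr[8], ehdr[9]
    # ET_DYN also covers shared libraries; for an executable it means PIE.
    result = {"nx": False, "pie": e_type == ET_DYN, "relro": False}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(end + "I", data, off)[0]
        # p_flags is the 2nd word in ELF64 but the 7th word in ELF32.
        p_flags = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            result["nx"] = not (p_flags & PF_X)   # an executable stack defeats NX
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True                # partial or full, not distinguished
    return result

def make_sample_elf32_be(e_type: int, segments: list) -> bytes:
    """Constructed input: ELF32 big-endian header plus (p_type, p_flags) segments."""
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)
    ehdr = struct.pack(">HHIIIIIHHHHHH", e_type, 8, 1, 0, 52, 0, 0,
                       52, 32, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack(">8I", t, 0, 0, 0, 0, 0, f, 0) for t, f in segments)
    return ident + ehdr + phdrs

if __name__ == "__main__":
    hardened = make_sample_elf32_be(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
    legacy = make_sample_elf32_be(2, [(PT_GNU_STACK, 7)])   # ET_EXEC, RWX stack
    print("hardened:", elf_hardening(hardened))
    print("legacy:  ", elf_hardening(legacy))
```

A binary without a PT_GNU_STACK segment is reported as `nx: False` because the header then gives no guarantee of a non-executable stack.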
The researchers found on average just under five private crypto keys per examined firmware image. AVM was the only manufacturer that did not publish a single private key in its firmware. The automated analysis by the FACT software does not necessarily reveal what these keys are used for on the device in each individual case, but the presence of private crypto keys in a freely downloadable firmware image is probably under no circumstances a good sign for security.
Mirai sends its regards
That hard-coded passwords which cannot be changed represent a security risk is by now known to almost every child. Word that this is a catastrophe, especially for home routers reachable from the network, should also have got around after the massive attacks of the Mirai botnet, which in 2016 paralyzed large parts of the internet and hundreds of thousands of Deutsche Telekom routers, especially among the large router manufacturers. Nevertheless, the FKIE found preset passwords in the 127 firmware images tested. In 16 routers, these were trivially easy to crack. However, the researchers have no insight into how many of these passwords can really be exploited remotely for attacks and thus constitute valid backdoors. ASUS is the only manufacturer that does not use preset passwords.
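The private-key and preset-password criteria discussed above can be checked on an unpacked firmware image with a short audit script. This Python sketch is an added example, not FACT's own code; it assumes the root filesystem has already been extracted to a directory, the function names and the sample tree are constructed, and it only reports stored hashes without attempting to crack them.

```python
import os, re, tempfile

KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )?PRIVATE KEY-----")

def scan_firmware_root(root: str) -> dict:
    """List private-key files and accounts with a usable password under root."""
    found = {"private_keys": [], "accounts": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue                  # never follow links out of the extracted tree
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                blob = fh.read(1 << 20)   # PEM headers sit near the start of the file
            if KEY_RE.search(blob):
                found["private_keys"].append(rel)
            if rel in ("etc/passwd", "etc/shadow"):
                for line in blob.decode("utf-8", "replace").splitlines():
                    fields = line.split(":")
                    if len(fields) < 2 or line.startswith("#"):
                        continue
                    user, pw = fields[0], fields[1]
                    if pw == "":
                        found["accounts"].append((rel, user, "empty password"))
                    elif pw != "x" and not pw.startswith(("!", "*")):
                        found["accounts"].append((rel, user, "preset hash"))
    return {kind: sorted(items) for kind, items in found.items()}

def write_sample_tree(root: str) -> None:
    """Constructed input: a tiny extracted root filesystem with labelled dummy data."""
    samples = {
        "etc/passwd": "root:x:0:0::/:/bin/sh\nadmin:$1$CONSTRUCTED$placeholderhash:0:0::/:/bin/sh\n",
        "etc/shadow": "root:!:0:0:99999:7:::\nsupport::0:0:99999:7:::\n",
        "etc/ssl/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-NOT-A-KEY\n",
        "www/index.html": "<html></html>\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tree(tmp)
        print(scan_firmware_root(tmp))
```

As the article notes for the FKIE results, a hit only shows that a key or credential ships in the image, not whether it is reachable or used on the running device.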
Despite the rather superficial analysis by the Fraunhofer researchers, many of the results point to sometimes serious security deficiencies in the tested home routers. Although some findings might turn out to be unfounded on closer inspection, one can probably assume that others point to tangible security deficiencies. Our experiences with router security match the findings of the FKIE staff: updates usually arrive much too late or not at all, and many manufacturers attach little importance to making their devices secure. For many years, it has been almost impossible to report newly discovered security vulnerabilities and to get details on when a certain vulnerability will be closed in a device's firmware. The affected companies regularly deny this, but the accounts of independent security researchers who want to report vulnerabilities in products speak volumes. And thanks to automated methods such as those the FKIE researchers provide with their open-source tool, more rather than fewer security vulnerabilities will be found in router firmware in the future.