Router Security

This report is six months old, and I don’t know anything about the organization that produced it, but it has some alarming data about router security.

Conclusion: Our analysis showed that Linux is the most used OS, running on more than 90% of the devices. However, many routers are powered by very old versions of Linux. Most devices are still powered by a 2.6 Linux kernel, which has not been maintained for many years. This leads to a high number of critical and high severity CVEs affecting these devices.

Since Linux is the most used OS, exploit mitigation techniques could be enabled very easily. However, they are used quite rarely by most vendors, except for the NX feature.

A published private key provides no security at all. Nonetheless, all but one vendor spread several private keys in almost all firmware images.

Mirai used hard-coded login credentials to infect thousands of embedded devices in recent years. However, hard-coded credentials can be found in many of the devices, and some of them are well known or at least easily crackable.

However, we can tell for sure that the vendors prioritize security differently. AVM does a better job than the other vendors regarding most aspects. ASUS and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link and Zyxel.

Additionally, our evaluation showed that large-scale automated security analysis of embedded devices is possible today utilizing just open source software. To sum it up, our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects. Much more effort is needed to make home routers as secure as current desktop or server systems.
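Two of the findings quoted above, that mitigations beyond NX are rarely enabled and that this kind of analysis can be automated with open-source tooling, are easy to reproduce on an unpacked image. The script below is an added example written for this page, not code from the Fraunhofer report or from any vendor: it reads ELF program headers directly (no external checksec), reports NX, RELRO, PIE and a stack-canary heuristic, and runs against small ELF images it constructs itself (make_elf) as stand-ins for real router binaries. The FIRMWARE tree, its paths and the ELF contents are all constructed; on a real image you would fill the tree from the unpacked squashfs root.

```python
"""Check ELF binaries from an unpacked firmware image for the mitigations
the report says vendors leave off (NX, RELRO, PIE, stack canaries). Added
example, not code from the report or any vendor; make_elf() builds small
constructed ELF images as stand-ins for real (mostly 32-bit MIPS/ARM) binaries."""
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
ET_EXEC, ET_DYN, PF_X = 2, 3, 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 0, 24, 30, 0x8

def _layout(data):
    """Endianness prefix and word size from e_ident; rejects non-ELF input."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    return ("<" if data[5] == 1 else ">"), (4 if data[4] == 1 else 8)

def _program_headers(data):
    """Return (e_type, [(p_type, p_flags, p_offset, p_filesz), ...])."""
    end, word = _layout(data)
    e_type, = struct.unpack_from(end + "H", data, 16)
    if word == 8:   # ELF64: e_phoff at 32, phentsize/phnum at 54, p_flags is field 2
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        fmt, pick = end + "IIQQQQQQ", (0, 1, 2, 5)
    else:           # ELF32: e_phoff at 28, phentsize/phnum at 42, p_flags is field 7
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        fmt, pick = end + "IIIIIIII", (0, 6, 1, 4)
    raw = [struct.unpack_from(fmt, data, phoff + i * phentsize) for i in range(phnum)]
    return e_type, [tuple(r[k] for k in pick) for r in raw]

def _bind_now(data, phdrs):
    """True if PT_DYNAMIC asks for immediate binding, which full RELRO needs."""
    end, word = _layout(data)
    fmt = end + ("qQ" if word == 8 else "iI")
    for p_type, _flags, offset, filesz in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for pos in range(offset, offset + filesz, struct.calcsize(fmt)):
            tag, val = struct.unpack_from(fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                return True
    return False

def mitigations(data):
    """checksec-style verdicts for one ELF image given as bytes."""
    e_type, phdrs = _program_headers(data)
    seg = {p[0]: p for p in phdrs}
    stack = seg.get(PT_GNU_STACK)
    return {
        # No PT_GNU_STACK at all: the loader falls back to an executable stack.
        "nx": stack is not None and not stack[1] & PF_X,
        "relro": ("full" if PT_GNU_RELRO in seg and _bind_now(data, phdrs)
                  else "partial" if PT_GNU_RELRO in seg else "none"),
        "pie": e_type == ET_DYN,                 # shared libraries also land here
        "canary": b"__stack_chk_fail" in data,  # heuristic: imported symbol name
    }

def make_elf(bits=32, big_endian=True, nx=True, relro="full", pie=False, canary=True):
    """Constructed minimal ELF with only the headers the checks read.
    nx=None omits PT_GNU_STACK, as old toolchains did."""
    end = ">" if big_endian else "<"
    ehsize, phentsize = (64, 56) if bits == 64 else (52, 32)
    dyn_fmt = end + ("qQ" if bits == 64 else "iI")
    dynamic = struct.pack(dyn_fmt, DT_FLAGS, DF_BIND_NOW) if relro == "full" else b""
    dynamic += struct.pack(dyn_fmt, DT_NULL, 0)
    segs = [(PT_DYNAMIC, 6, len(dynamic))]      # (p_type, p_flags, p_filesz)
    if nx is not None:
        segs.append((PT_GNU_STACK, 6 | (0 if nx else PF_X), 0))
    if relro != "none":
        segs.append((PT_GNU_RELRO, 4, 0))
    dyn_off = ehsize + phentsize * len(segs)
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 2 if big_endian else 1, 1]) + b"\0" * 9
    hdr_fmt = end + ("16sHHIQQQIHHHHHH" if bits == 64 else "16sHHIIIIIHHHHHH")
    hdr = struct.pack(hdr_fmt, ident, ET_DYN if pie else ET_EXEC, 8, 1, 0, ehsize, 0, 0,
                      ehsize, phentsize, len(segs), 0, 0, 0)
    body = b""
    for p_type, flags, filesz in segs:
        off = dyn_off if p_type == PT_DYNAMIC else 0
        body += (struct.pack(end + "IIQQQQQQ", p_type, flags, off, 0, 0, filesz, filesz, 8)
                 if bits == 64 else
                 struct.pack(end + "IIIIIIII", p_type, off, 0, 0, filesz, filesz, flags, 4))
    return hdr + body + dynamic + (b"\0__stack_chk_fail\0" if canary else b"")

def audit(tree):
    """tree: {path: bytes} of an unpacked image; non-ELF files are skipped."""
    return {p: mitigations(b) for p, b in tree.items() if b[:4] == b"\x7fELF"}

# Constructed image: a hardened daemon, the usual NX-only build, and an old
# 64-bit toolchain output with no PT_GNU_STACK at all.
FIRMWARE = {
    "usr/sbin/httpd": make_elf(),
    "usr/sbin/upnpd": make_elf(relro="none", canary=False),
    "bin/busybox": make_elf(bits=64, big_endian=False, nx=None, relro="partial", pie=True, canary=False),
    "etc/init.d/rcS": b"#!/bin/sh\n",
}
```

Calling audit(FIRMWARE) returns one verdict dict per ELF file; the upnpd entry is the shape the report describes, NX and nothing else. Two caveats matter when you run this on real images. A missing PT_GNU_STACK is reported as no NX because that is what the loader does, but the flag only records the toolchain's intent: whether it is enforced depends on the kernel and on the CPU having an execute-inhibit bit, which not every MIPS core has, so NX on paper is not always NX in practice. And the canary check is a string match on the imported symbol, so a binary that protects a single function counts as protected; treat it as a screen, not a proof.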

One comment on the report:

One-third ship with Linux kernel version 2.6.36, which was released in October 2010. You can walk into a store today and buy a brand new router powered by software that’s almost 10 years out of date! This outdated version of the Linux kernel has 233 known security vulnerabilities registered in the Common Vulnerabilities and Exposures (CVE) database. The average router contains 26 critically-rated security vulnerabilities, according to the study.

We know the reasons for this. Most routers are designed offshore, by third parties, and then private labeled and sold by the vendors you’ve heard of. Engineering teams come together, design and build the router, and then disperse. There’s often no one around to write patches, and most of the time router firmware isn’t even patchable. The way to update your home router is to throw it away and buy a new one.

And this paper demonstrates that even the new ones aren’t likely to be secure.
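The two findings in the report's conclusion that matter most once you have a firmware image in hand are the private keys and the hard-coded credentials, and both can be checked mechanically. The script below is an added example written for this page, not code from the report or from any vendor: it fingerprints every PEM private key in a set of unpacked images and reports the ones that ship in more than one image, then reads etc/shadow (falling back to etc/passwd, where older images keep the hashes), classifies each hash field, and tries a tiny wordlist against md5crypt entries using a port of the reference $1$ algorithm so it runs on Python builds without the removed crypt module. The image names, paths, the PEM body (not a real key) and the hashes are all constructed for the demo.

```python
"""Audit unpacked firmware images for the two baked-in secrets the report
calls out: private keys shipped in the image (and repeated across images)
and hard-coded, weakly hashed login credentials. Added example, not code
from the report or any vendor; trees, PEM blob and hashes are constructed."""
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]*)PRIVATE KEY-----.*?-----END \1PRIVATE KEY-----", re.S)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def private_keys(tree):
    """tree: {path: bytes} of one image. Return {sha256(pem): [paths]}."""
    found = {}
    for path, blob in tree.items():
        for m in PEM_RE.finditer(blob):
            found.setdefault(hashlib.sha256(m.group(0)).hexdigest(), []).append(path)
    return found

def shared_keys(images):
    """images: {name: tree}. Keys in more than one image: one extraction unlocks them all."""
    by_key = {}
    for name, tree in images.items():
        for fp, paths in private_keys(tree).items():
            by_key.setdefault(fp, {})[name] = paths
    return {fp: imgs for fp, imgs in by_key.items() if len(imgs) > 1}

def md5crypt(password, salt):
    """$1$ crypt as in the BSD/glibc reference: 1000 MD5 rounds, up to 8 salt chars."""
    pw, sb = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, n)])
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    out = ctx.digest()
    for r in range(1000):
        c = hashlib.md5(pw if r & 1 else out)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(out if r & 1 else pw)
        out = c.digest()
    enc = ""
    for grp in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5), (11,)):
        v = 0
        for idx in grp:
            v = (v << 8) | out[idx]
        for _ in range(4 if len(grp) == 3 else 2):
            enc += ITOA64[v & 0x3F]
            v >>= 6
    return "$1$" + sb.decode() + "$" + enc

def classify(field):
    """Label a passwd/shadow hash field by what it hands an attacker."""
    if field == "":
        return "no password"
    if field[:1] in ("*", "!"):
        return "locked"
    for prefix, kind in (("$1$", "md5crypt"), ("$5$", "sha-crypt"), ("$6$", "sha-crypt")):
        if field.startswith(prefix):
            return kind
    return "DES crypt" if len(field) == 13 else "unknown"

def weak_accounts(tree, wordlist):
    """Accounts that fall cheaply: empty, DES (8-char max), or md5crypt hit by a tiny wordlist."""
    blob = tree.get("etc/shadow") or tree.get("etc/passwd") or b""
    hits = []
    for line in blob.decode(errors="replace").splitlines():
        if ":" not in line:
            continue
        user, field = line.split(":")[:2]
        kind = classify(field)
        if kind == "md5crypt":
            salt = field.split("$")[2]
            guess = next((w for w in wordlist if md5crypt(w, salt) == field), None)
            if guess is not None:
                hits.append((user, kind, guess))
        elif kind in ("no password", "DES crypt"):
            hits.append((user, kind, None))
    return hits

def audit(images, wordlist=("admin", "password", "1234", "root")):
    return {"shared_keys": shared_keys(images),
            "weak_accounts": {n: weak_accounts(t, wordlist) for n, t in images.items()}}

FAKE_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nMIIBconstructedNotARealKey\n-----END RSA PRIVATE KEY-----\n"
IMAGES = {  # constructed: one key in two images, plus the usual default accounts
    "vendorA-v1.0.bin": {
        "etc/ssl/server.key": FAKE_PEM,
        "etc/shadow": ("root:" + md5crypt("admin", "Gq7vRc1k") + ":0:0:99999:7:::\n"
                       "support:XXdemoDEShash:0:0:99999:7:::\n"
                       "guest::0:0:99999:7:::\n").encode(),
    },
    "vendorA-v2.3.bin": {"usr/lib/uhttpd.key": FAKE_PEM},
    "vendorB-v4.1.bin": {"etc/shadow": b"root:!:0:0:99999:7:::\n"},
}
```

audit(IMAGES) reports the key that appears in both vendorA images and three weak accounts on the first one. Anything shared_keys() returns is a published key in the report's sense: if it is in two images it is in every unit of those models, and whoever can download the firmware can impersonate any TLS or SSH endpoint that uses it. The wordlist loop is only there to show how cheap a default credential is; a real audit hands the hashes to a cracker with the vendor's manual and the model name as the wordlist, and treats every empty or DES entry as already broken.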

Posted on February 19, 2021 at 6:00 AM

Comments

ATN February 19, 2021 6:59 AM

It is an obvious consequence of the free software license, like the GPL.
A lot of people have written software (in their spare time) under the GPL because they “knew” such software could not be used in a commercial environment, and interested companies would need another license, with maintenance, thus giving the software designer/writer a nice well-paid job. That did not happen.

If you transpose the problem into the real physical world, talking about cars, it is like someone owning the two sides of a river and building a bridge by himself, saying to others: “You can use the bridge; I cannot provide any guarantee it will fit your purpose (stand the weight of your car). You have to check its maintenance from time to time, repaint it every few years, and for that I provide the first pot of paint. When you decide to repaint, if you run out of paint you have to buy yourself (with your money) another pot of paint and leave it for the next time someone else takes that task.”

Everything broke down when companies said “I do not care about copyright laws” (saying to the initial code writer, “my legal team is bigger than yours, and I will not give you a maintenance contract”), and also said to their own clients “any software deficiencies are not part of the product’s legal guarantee.” Nobody (countries, courts, customers) stood up and complained.

Now, when everything falls down in the real world, in a way comparable to what a virus is doing right now, there will not be so many people willing to help…

Unwise Bard February 19, 2021 7:12 AM

That’s one of several reasons I’m using a GL iNet device. It uses OpenWRT, and it has gotten firmware updates regularly. They even advertise that you can push your own version onto it, and actively support you doing so. It has a GUI-enabled DNS over TLS option, so you can route all the router’s DNS lookup traffic to be over TLS. I’m sure they are also working on a built-in option for DNS over HTTP. I’m using one that is about half a playing card deck in size, uses micro-USB for a power adapter, and is dead easy to bring to a hotel/conference/etc. and re-route around their laughably bad security practices. AR300M is the model I have.

While I’m sure it is still hackable, it is a giant step up compared to the generic buy-once-and-never-see-an-upgrade-ever standard issue wifi router, complete with weird 80’s low-poly styling! I’ve interacted directly with one of their developers about enabling DNS-over-TLS when Cloudflare first started their service. Can’t imagine getting remotely closer than a bot or bland customer service rep if I had a similar technical issue with one of the bigger-named routers.

Joel Halpern February 19, 2021 7:24 AM

The extract seemed to be all about Home Routers. When I looked at the link, I realized that is because the report is all about home routers. Routers in general have many security flaws, and we should work to improve that. Home routers have significant additional challenges, since the margins there are so small. It would have been nice if your title had said “Home Routers”. Thanks.

Clive Robinson February 19, 2021 8:01 AM

@ Bruce,

The way to update your home router is to throw it away and buy a new one.

And this paper demonstrates that even the new ones aren’t likely to be secure.

I’m probably not the only one to spot the irony in those two statements.

The Victorian mathematician and logician Charles Dodgson, under his pen name Lewis Carroll, christened the resulting behaviour, where you run just as fast as you possibly can to stay where you are, a “Red Queen’s Race.”

The point is it’s unsustainable, and it really does not matter which of the very many courses you pick to resolve; the others are so numerous they will keep you in the race…

So what to do about it, and which route to pick? That is more a conundrum than a simple question.

In the past I’ve suggested using two routers in series with strong IDS in the zone between the two, which trips a hard fail-safe (a relay that open-circuits the network connection). Whilst this will work for some most of the time, it has two issues:

1, You constantly have to update the IDS.
2, It cannot protect against certain instances of zero-days that form a new class of attack.

This kind of puts the design beyond what most individuals can manage, even in the ICTsec industry.

Another solution is “build your own router software from scratch,” but realistically who knows enough or has the time to develop their own router software without “borrowing” code, either directly via other people’s source code or indirectly by reading it to get the functionality and then writing your own implementation? Even Microsoft did not write their own networking code; they used Open Source and just changed bits such as the direction the slashes worked.

A first-step solution might be to dump IP and start all over again from scratch, moving various functions down to the correct layers, which was not originally possible due to “resource issues”. Whilst at it, dump the “security add-ons” that have been such a minefield and again put them where they should be, built in from scratch.

However, even if we were to do that, we can make an almost certain bet that “backwards compatibility” issues would probably make things worse than they currently are…

As the legend of the Gordian Knot indicates, sometimes you have to put things to the sword as the only solution to a functioning realm.

SwashbucklingCowboy February 19, 2021 8:18 AM

Uhhhh… This may be very misleading. Just because it’s not being supported by the kernel project doesn’t mean it’s not being supported. Red Hat uses 2.6.32 in RHEL 6 and they are still supporting it. So, this kind of thing CAN be a problem, depending on if and where the vendor is getting the kernel from.

Same thing happens with the Apache web server. Scanners will see a web server banner version 2.2.— and say it’s EOL when in fact, Red Hat or whoever is still supporting it.

Peter February 19, 2021 8:30 AM

How relevant is the router operating system? Intuitively, I’d think that most vulnerabilities in the OS would not be exploitable in the router context.

Roger February 19, 2021 8:40 AM

What about analyzing OpenWRT and LibreCMC replacement firmwares? Given they seem to be updated much more frequently, aren’t they more likely to be secure?
Should we at least promote having people flash these open source firmwares over the vendor-supplied ones, where possible?

AlanS February 19, 2021 9:30 AM

@Roger

I have an Asus which I don’t generally use. With the latest version of AsusWrt it is running 2.6.23. Using OpenWrt it runs on 4.14.221.

TimH February 19, 2021 10:02 AM

My ancient WNR3500L running DD-WRT v3.0-r33555 mega dated 2017 runs Linux 3.10.107… time to search for another hackable router perhaps.

fajensen February 19, 2021 10:04 AM

Nothing so much to do with the GPL, but everything to do with software being a completely unregulated business, with no enforcement of product liability or requirements for even basic skills required by practitioners.

Anything goes in software. Unlike engineering.

David February 19, 2021 1:16 PM

I find the paper interesting because it once again highlights the need for better software development practices in embedded devices. I don’t really think that the margins are so low in home routers that a little more dev time is out of the question. The problem’s more in the way that these systems are cobbled together so they just work, then grow over time and are at some point just abandoned. Without an industry standard, this isn’t going to change. Perhaps something like Google’s future approach to Android software updates might be a possibility.

Also, the average user just doesn’t know or care about security risks and so doesn’t tend to buy the better products. As long as there’s no pressure, most companies won’t change.

FYI: Fraunhofer is a series of reputable research institutes in Germany. Most of their research is independent and as such fairly trustworthy. I can recommend keeping an eye on their research; they’re doing cool things in all kinds of fields (e.g. Fraunhofer researchers invented the mp3 codec).

Clive Robinson February 19, 2021 1:28 PM

@ ALL,

Do not get trapped into the belief that having the latest software, firmware, or even hardware is somehow going to make you secure…

It’s not; that’s just a variation on “magic pixie dust thinking,” and no matter what words you cobble together you cannot come up with a spell that is going to make you invulnerable now or even one second into the future.

What makes you secure, but only shortly after the attack starts, is:

1, Eternal vigilance.
2, Rapid response.
3, Solid multiple layered defence.

Now, until this time last year, this sort of thinking was “mega-Corp,” not “mom-n-pop” or “home office”…

Then COVID and lockdown turned that all on its head.

So folks, as the overpaid consultants used to tell the folks in walnut corridor,

“Time to get with the program”

That is, realise that the router in the CEO’s house has to be by law as good as that which used to be in the corporate HQ; otherwise the likes of the SEC are going to come asking questions at the very least, and then there are all those other regulators and the laws and regulations they have: Sarbanes-Oxley, HIPAA, etc., etc., etc.

Time to stop the “Castle is my stronghold” thinking; now you really have to up the “My home is my Castle” thinking…

Which just leaves one of those childishly simple questions that even PhDs struggle to answer… Not “Why is the sky blue?” but that annoying one every parent of a toddler or older dreads,

“When do we get there?”

Because behind that lurks other questions such as,

“Where, and with what, and how, do we start the journey?”

As those without power in Texas and other places now realise, those tasked with answering such questions often fail because they have other agendas they prioritize, which is the point at which nearly all disasters start.

So first we need to know what all the priorities are, which might be rather embarrassing, because whilst the CEO might spring for a $100,000 system for corporate HQ with a thousand key workers behind it, they are not even going to authorise $25 for each of those employees’ homes till somebody points a gun at their head.

Old Junos February 19, 2021 2:05 PM

I know this question may sound naïve. Is it possible to attack these devices if no service is offered to the outside world, and they act as restrictive firewalls only allowing “egress traffic, and ingress replies to traffic originated from the internal network”?

ICMP is blocked on the WAN port too.

This question is a bit off-topic. I know home routers cannot really be protected in this way, as they always offer some sort of service to the outside world. I am thinking of a few hardened Dell (Juniper) PowerConnect SRX devices that have not received operating system updates for a year.

Michael Horowitz February 19, 2021 3:07 PM

>Is it possible attacking these devices if no service is offered to the outside world…

Windows 10 just had a bug with IPv6 fragmentation. The OS did not process fragmented IPv6 packets, but it detected them and sent out a “no thanks” type of response. Yet, that was enough to make the OS vulnerable. And, while a router purchased at retail is likely to block all ports in the firewall, the same does not apply to routers from ISPs. So, yes. Plus, routers can also be attacked from the LAN side. Every web page is viewed and processed on the LAN side. Not to mention IoT devices on the LAN. Then too, there are the many consumer routers that are managed with a mobile app and a cloud service. These routers are vulnerable to attack from this cloud service since they are always in contact with it.

Ismar February 19, 2021 3:09 PM

Since most home users either don’t care or are not even aware of the issues presented here, the security of these devices is likely to stay at the current levels until governments and businesses realise there is a much bigger price to pay when breaches occur and these devices, say, start being used to attack countries’ internet infrastructure, bringing it to its knees and impacting all walks of life in the process.
So, I would suggest that those countries who might care enough about avoiding such scenarios should seriously consider regulating routers and putting them through an approval process not unlike that used for the approval of food and medical devices.

Old Junos February 19, 2021 4:50 PM

@ Michael Horowitz

Thank you, your comments have been really valuable. Not all machines on these networks run web browsers, and traffic is normalised on pf(4) on an external firewall before entering the network, but the risks you mention are a concern to us.

Arclight February 19, 2021 7:08 PM

Mikrotik has been the subject of some serious CVEs, but they offer basically lifetime updates, issued regularly for even their US$40 products.

Eric Valk February 20, 2021 11:14 AM

I think this work does a poor analysis of Zyxel routers. Zyxel routers do have vulnerabilities and security issues that are a significant concern, but this report does not do a very good job of analysing them.

For the USG series of firewall router (I have owned one for some time), Zyxel has been providing firmware updates at least twice every year, and if problems come to light, sometimes every two months. But this report claims a much longer interval.

This is possibly because Zyxel provides access to security updates only to registered owners of its products. For example, someone who is not a registered owner might think that the latest version is 4.25 (the last publicly available version, in July 2017), but in fact updates continue at least twice yearly, and versions 4.60 and 4.62 were received within the last 4 months.

JonKnowsNothing February 20, 2021 12:19 PM

@All

re: you can even have the updates installed automatically

Is this not one of the many problems? Exactly what is updating the router? How do you know?

Can you Trust the Source? Is the Source Good? Does Benedict Trust the Source?

Today’s hiccup on the internet:

A previously undetected piece of malware found on almost 30,000 Macs worldwide

Once an hour, infected Macs check a control server to see if there are any new commands the malware should run or binaries to execute.

[excerpt]
So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.

Trust in auto-updating anything, is maybe not such a great idea. Of course, not updating things is not much better.

ht tps://arstechnica.com/information-technology/2021/02/new-malware-found-on-30000-macs-has-security-pros-stumped/

ht tps://en.wikipedia.org/wiki/Page_Eight
  A now outdated plot with great repartee and one-liners.
(url fractured to prevent autorun)

Red February 22, 2021 10:24 AM

@Clive Robinson

Given that these are home consumer routers, we have to discuss the threat model.

Vendors that provide regular security updates will keep you in decent shape.

0-days are a concern, but generally the bad scenario is that they turn the router into a member of a botnet or a DDoS zombie, not compromise your network.

If a threat actor is using a 0-day against your router to intercept personal data or leverage attacks against other devices on your network, maybe you’ve got the attention of someone powerful enough that you shouldn’t be relying on a consumer router for security.

Clive Robinson February 22, 2021 10:55 AM

@ Red,

maybe you’ve got the attention of someone powerful enough that you shouldn’t be relying on a consumer router for security.

And with COVID lockdown happening, people of all levels within an organisation from the most senior of directors down to those who are just typing reports are doing it from home…

I doubt that there are enough “secure routers” in the US for even a very small percentage of new “home workers” to be secure.

Thus it’s effectively “Open Season” on directors and critical decision makers and creatives by those with an interest in IP.

Jeff February 23, 2021 10:39 AM

This is one reason I’m sad that Apple got out of the home wifi business. Which is a surprise given that all of their devices feature multiple ways to communicate with one another, and their devotion to privacy. I have no idea what OS the airports run, but I still have one in service and it saw a security update not that long ago.

I shouldn’t be but was surprised to read here that most big-box sold routers are rebadged(?) products that were designed by third parties…this would be an awful dereliction of responsibility by those vendors to their customers. The risk might currently be low, but if this were to change quickly, a very large number of people could be exposed rapidly.

Jason Riddell March 1, 2021 11:37 AM

To make matters “worse,” MOST home users likely have the router/modem their ISP provided, and it is the same one that everybody on that ISP has, at the same security level,
so breaching ONE is almost guaranteed to be able to breach almost all the neighbours:
“great” for a BOTNET or MASS DATA harvesting.
It also “pushes” security onto the ISP, which is NOT THE VICTIM, and ties the consumer’s hands, as the ISP does not allow access into the modem/router outside of “consumer settings,” i.e. naming the Wi-Fi.
