Study shows 5 out of 6 routers inadequately updated for security flaws



    Posted: 02 Oct 2018
    A new study by a US consumer nonprofit has found that five out of six home routers are inadequately updated for security flaws, leaving the devices, and indirectly their users, vulnerable to hacking.

    Carried out by the American Consumer Institute (ACI), the study analyzed a sample of 186 SOHO (small office/home office) WiFi routers from 14 different vendors with a presence on the US market.

    ACI experts looked at the firmware version the routers were running and searched public vulnerability databases for known security flaws affecting each device's firmware.

    "In total, there was a staggering number of 32,003 known vulnerabilities found in the sample," said ACI experts in the study published last week.

    "Our analysis shows that of the 186 sampled routers, 155 (83%) were found to have vulnerabilities to potential cyber attacks, in the router firmware, with an average of 172 vulnerabilities per router, or 186 vulnerabilities per router for the identified 155 routers," ACI experts said.



    Of the total 32,003 security flaws, more than a quarter were vulnerabilities that received the two highest severity ratings of "critical" and "high-risk" respectively.

    "Our analysis shows that, on average, routers contained 12 critical vulnerabilities and 36 high-risk vulnerabilities, across the entire sample," researchers said.

    These are staggeringly large numbers...



    Posted By: Brink
    02 Oct 2018



  1. Posts : 9,600
    Win 7 Ultimate 64 bit
       #1

    It would help if router manufacturers made updating routers easier. I'm not exactly a computer noob and I find updating my Netgear router to be a royal PITA. At least Netgear does send me an email to inform me when new firmware is available. They even sent an email recently that my router needed updating when, in fact, I had already updated to that version several months ago (yes, I checked to make sure the email wasn't spoofed; I never click on links in emails anyway).


  2. Posts : 396
    Windows 7/8.1/10 multiboot
       #2

    IMHO, not a very useful "study".

    The pdf lists the "routers included in the sample", but doesn't say which had vulnerabilities. If 83% had vulnerabilities, that means 17% were completely devoid of *any* of the 32,003 security flaws, doesn't it? It would have been helpful to know which those were. Were they randomly distributed, or was one brand consistently better than the others?

    Furthermore, the study sample appears to be badly skewed. For instance, it lists the Asus RT-AC66U and the RT-1750, which are the same router with different model designations. And the RT-AC66U_B2 and RT-AC68U and RT-AC1900, which are all the same. I could go on with more examples.

    If I put 12 units of a single router into the sample, can I then conclude that manufacturer is 12 times more vulnerable than the average?

    And who knows how many other routers from other brands are essentially the same. How similar are the D-Link DIR-605L_VERSIONA and the D-Link DIR-605L_VERSIONB, for example? Or the Linksys WRT1900ACSV2 and the Linksys WRT1900AC_V2? Or the Netgear R7900 and the Netgear R7900P?

    It appears in the latter case that the 7900 and 7900P actually use different CPUs, but my point is what effort or care did the study make to avoid functionally or actually identical products in the sample? Are two routers that may be essentially the same being given the same weight in the study as two uniquely different routers from different manufacturers?

    And there's no indication how the study did its "counting" ... what do they mean by "5 out of 6" routers have security flaws? 5 out of 6 routers by market share? 5 out of 6 on the list, regardless of shipping volume?

    As Mark Twain wrote, quoting Benjamin Disraeli, "There are lies, d**ned lies, and statistics."

    Oh, and don't get me started on that really helpful pie chart!


  3. Posts : 0
    Windows 7 Ultimate x64
       #3

    I see many legit ISPs trying to do nefarious things on my websites and I can conclude this is due to hacked routers. I have also read recently about a router hack going around that was created by some Russian hacker group. This is primarily why I use third party firmware, use a strong Admin. password and different user name, turn off remote Admin., UPnP and don't use port forwarding unless I need it.


 
