Study shows 5 out of 6 routers inadequately updated for security flaws

Brink

Administrator
Staff member
Local time
1:00 AM
Messages
74,940
Location
Oklahoma
A new study by a US consumer nonprofit has found that five out of six home routers are inadequately updated for security flaws, leaving the devices, and indirectly their users, vulnerable to hacking.

Carried out by the American Consumer Institute (ACI), the study analyzed a sample of 186 SOHO (small office/home office) WiFi routers from 14 different vendors with a presence on the US market.

ACI experts looked at the firmware version the routers were running and searched public vulnerabilities databases for known security flaws affecting each device's firmware.

"In total, there was a staggering number of 32,003 known vulnerabilities found in the sample," said ACI experts in the study published last week.

"Our analysis shows that of the 186 sampled routers, 155 (83%) were found to have vulnerabilities to potential cyber attacks, in the router firmware, with an average of 172 vulnerabilities per router, or 186 vulnerabilities per router for the identified 155 routers," ACI experts said.

aci-report-router-flaws.png


Of the total 32,003 security flaws, more than a quarter were vulnerabilities that received the two highest severity ratings of "critical" and "high-risk" respectively.

"Our analysis shows that, on average, routers contained 12 critical vulnerabilities and 36 high-risk vulnerabilities, across the entire sample," researchers said.

These are staggeringly large numbers...


Read more:

 

My Computer My Computer

At a glance

64-bit Windows 11 Pro for WorkstationsIntel i7-8700K OC'd to 5 GHz64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600...ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self built custom
OS
64-bit Windows 11 Pro for Workstations
CPU
Intel i7-8700K OC'd to 5 GHz
Motherboard
ASUS ROG Maximus XI Formula Z390
Memory
64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz
Graphics Card(s)
ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
Sound Card
Integrated
Monitor(s) Displays
2 x Samsung Odyssey G7 27"
Screen Resolution
2560x1440
Hard Drives
1TB Samsung 990 PRO M.2,
4TB Samsung 990 PRO PRO M.2,
TerraMaster F8 SSD Plus NAS
PSU
Seasonic Prime Titanium 850W
Case
Thermaltake Core P3
Cooling
Corsair Hydro H115i
Keyboard
Logitech wireless K800
Mouse
Logitech MX Master 4
Internet Speed
2 Gb/s Download and 100 Mb/s Upload
Antivirus
Malwarebyte Anti-Malware Premium
Browser
Google Chrome
Other Info
Logitech Z625 speaker system,
Logitech BRIO 4K Pro webcam,
HP Color LaserJet Pro MFP M477fdn,
APC SMART-UPS RT 1000 XL - SURT1000XLI,
Galaxy S23 Plus phone
It would help if router manufacturers made updating routers easier. I'm not exactly a computer noob and I find updating ing my netgear router to be a royal PITA. At least Netgear does send me an email to inform me when new firmware is available. They even sent an email recently that my router needed updating when, in fact I had already updated to that version several months ago (yes, I checked to make sure the email wasn't spoofed; I never click on links in emails anyway).
 

My Computer My Computer

At a glance

Win 7 Ultimate 64 bitIntel i7-3930KKingston HyperX Genesis 32GB Kit (8x4GB Modul...MSI R7850 Twin Frozr 2GD5/OC Radeon HD 7850 2...
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Win 7 Ultimate 64 bit
CPU
Intel i7-3930K
Motherboard
ASUS P9X79 WS
Memory
Kingston HyperX Genesis 32GB Kit (8x4GB Modules) 1600MHz DDR
Graphics Card(s)
MSI R7850 Twin Frozr 2GD5/OC Radeon HD 7850 2GB 256-bit GDDR
Sound Card
Asus Xonar Essence STX
Monitor(s) Displays
3x Asus VG248QE 24", Vizio 32" TV
Screen Resolution
1920 x 1080, ?
Hard Drives
Samsung 128GB 840 Pro SSD (1),
Samsung 4TB 850 EVO SSDs (4)
Samsung 4TB 850 EVO SSDs (16) external backup drives used in 2.5" hot swap bays in the computer.
PSU
Corsair HX750w
Case
Antec Two Hundred v2 (modified)
Cooling
Cooler Master GeminII S524 120mm (fan replaced with a 140mm)
Keyboard
Logitech G510s
Mouse
Logitech M525 (two in use)
Internet Speed
=< 32Mbps down, 8Mbps up
Antivirus
AVAST!, MBAM, SAS, Spybot S&D (all but MBAM free) Glary Util
Browser
IE11
Other Info
LSI 9211-8i HBA card (8 SATA III ports), 2.5" & 3.5" Hot Swap Bays, HooToo HT-CR001 PCI-E to USB 3.0 Internal Hub + 6 Slot Card Reader, and LG Model CH12LS28 BD-ROM Optical Drive. Also, ScanSnap S1500 ADF duplexing scanner, Canon 9000F flat bed scanner, Corsair SP2500 2.1 speakers, Samsung CLP 415nw laser color printer, Cyberpower PP2200SW UPS
IMHO, not a very useful "study".

The pdf lists the "routers included in the sample", but doesn't say which had vulnerabilities. If 83% had vulnerabilities, that means 17% were completely devoid of *any* of the 32,003 security flaws, doesn't it? It would have been helpful to know which those were. Were they randomly distributed, or was one brand consistently better than the others?

Furthermore, the study sample appears to be badly skewed. For instance, it lists the Asus RT-AC66U and the RT-1750, which are the same router with different model designations. And the RT-AC66U_B2 and RT-AC68U and RT-AC1900, which are all the same. I could go on with more examples.

If I put 12 units of a single router into the sample, can I then conclude that manufacturer is 12 times more vulnerable than the average?

And who knows how many other routers from other brands are essentially the same. How similar are the D-Link DIR-605L_VERSIONA and the D-Link DIR-605L_VERSIONB, for example? Or the Linksys WRT1900ACSV2 and the Linksys WRT1900AC_V2? Or the Netgear R7900 and the Netgear R7900P?

It appears in the latter case that the 7900 and 7900P actually use different CPUs, but my point is what effort or care did the study make to avoid functionally or actually identical products in the sample? Are two routers that may be essentially the same being given the same weight in the study as two uniquely different routers from different manufacturers?

And there's no indication how the study did its "counting" ... what do they mean by "5 out of 6" routers have security flaws? 5 out of 6 routers by market share? 5 out of 6 on the list, regardless of shipping volume?

As Mark Twain wrote, quoting Benjamin Disraeli, "There are lies, d**ned lies, and statistics."

Oh, and don't get me started on that really helpful pie chart!
 

My Computer My Computer

At a glance

Windows 7/8.1/10 multibootIntel Core i7-770048GB (2x16GB Crucial DDR4-3200 + 2x8GB Hynix ...Intel HD630 + AMD Radeon R7 450 PCIe
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Optiplex 7050
OS
Windows 7/8.1/10 multiboot
CPU
Intel Core i7-7700
Motherboard
Dell, Intel Q270 chipset
Memory
48GB (2x16GB Crucial DDR4-3200 + 2x8GB Hynix DDR4-2400)
Graphics Card(s)
Intel HD630 + AMD Radeon R7 450 PCIe
Monitor(s) Displays
Asus VC279 (27")
Screen Resolution
1920x1080
Hard Drives
Toshiba M.2 NVMe (256GB),
Samsung 960 Evo (500GB),
WD Red Plus 80EFBX (8TB)
I see many legit ISPs trying to do nefarious things on my websites and I can conclude this is due to hacked routers. I have also read recently about a router hack going around that was created by some Russian hacker group. This is primarily why I use third party firmware, use a strong Admin. password and different user name, turn off remote Admin., UPnP and don't use port forwarding unless I need it.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64
Computer type
PC/Desktop
OS
Windows 7 Ultimate x64
Back
Top