Constantly connected, but without cybersecurity ─ WiFi routers with a 19-year-old software architecture and nearly 600 security loopholes

The Fraunhofer Institute tested 127 current WiFi routers from seven manufacturers with regard to operating systems, update provision, security vulnerabilities, and protective measures.

Routers are an essential network device in both homes and businesses. They run all day, every day, and are constantly exchanging data.

What kind of impact can an affected router have on your business? Several security-relevant effects are conceivable, for example:

– Disruptions through business network outages

– Infection and failure of production control devices with botnet malware

– Manipulation of device commands via an insecure connection (private keys that can be used by hackers)

– Theft of intellectual property via a monitored connection.

The text that follows contains the most important insights from the Fraunhofer report.

Outdated operating systems: Some 90 percent of routers use Linux as an operating system, and in one-third of cases, the system was a nine-year-old version with no security updates. Furthermore, one current model was running an operating system version from 2002, meaning it was 19 years old.

Open security loopholes: Some 350 to 590 security loopholes exist, depending on device and manufacturer.

A lack of security controls: Protective measures, such as position-independent executables (PIE), are rarely used by vendors.

Non-secure communication: Private keys are readable from firmware images and are publicly discoverable. This allows connections to be tapped and manipulated (man-in-the-middle attacks).

Open access: Hard-coded login credentials with publicly known default passwords are used in routers. This allows easy infection and control by botnets, as well as further infection of and attacks on IoT devices (e.g., Mirai).

Security is manufacturer dependent: ASUS, AVM, and Netgear provide updates for their devices about once per year on average, which makes them comparatively better. Other manufacturers, such as D-Link, Linksys, TP-Link, and Zyxel, provide updates for only about half of their devices. These receive updates every two years, on average.
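
The findings on missing PIE and on private keys in firmware images can be checked against an unpacked firmware image of a device you operate. The following Python code is an added example, not taken from the Fraunhofer report or from CyberCompare; the function names and the sample directory tree are constructed for illustration.

```python
import re
import struct
import tempfile
from pathlib import Path

# PEM header of a private key (RSA, EC, DSA, PKCS#8, OpenSSH, encrypted or not)
PEM_KEY = re.compile(rb"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----")
ET_EXEC, ET_DYN = 2, 3  # ELF e_type: fixed-address executable / PIE or shared object

def elf_type(data):
    """Return the e_type of an ELF image, honouring its byte order, or None if not ELF."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        return None
    fmt = "<H" if data[5] == 1 else ">H"  # EI_DATA: 1 = little endian, 2 = big endian
    return struct.unpack_from(fmt, data, 16)[0]

def audit_firmware(root):
    """Walk an unpacked firmware tree; list embedded private keys and non-PIE executables."""
    found = {"private_keys": [], "non_pie": [], "pie_or_shared": []}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # firmware symlinks may point outside the unpacked tree
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if PEM_KEY.search(data):
            found["private_keys"].append(rel)
        etype = elf_type(data)
        if etype == ET_EXEC:
            found["non_pie"].append(rel)
        elif etype == ET_DYN:
            found["pie_or_shared"].append(rel)
    return found

def build_sample_tree(root):
    """Constructed sample: a dummy key file and two bare ELF headers (not real binaries)."""
    hdr = b"\x7fELF\x01\x02\x01" + b"\x00" * 9  # 32-bit, big endian, as on many MIPS routers
    files = {
        "etc/server.pem": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n",
        "bin/httpd": hdr + struct.pack(">H", ET_EXEC),
        "bin/busybox": hdr + struct.pack(">H", ET_DYN),
    }
    for rel, content in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_firmware(tmp))
```

Files listed under `non_pie` are executables linked at a fixed load address. The `pie_or_shared` bucket also contains shared libraries, because both use the same ELF type.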

How great is the risk? And what kind of compensatory measures are available?

The question of risk is very individual and tied to the circumstances and the use of the routers in question. We are happy to answer any questions and discuss any issues.

Are OT and IoT security issues for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.