Microcontroller Tips

Microcontroller engineering resources, new microcontroller products and electronics engineering news

Worst suspicions confirmed: The terrible security of internet routers

April 7, 2021 By Lee Teschler

Leland Teschler, Executive Editor
Here’s the latest IoT security nightmare: All of the wireless routers through which most IoT traffic passes are probably vulnerable to botnets and other kinds of security breaches. That’s the conclusion of researchers at Fraunhofer FKIE in Germany who analyzed 127 different routers sold by seven vendors. The routers they examined are sold in Europe, but a quick check reveals many of them have versions available in the U.S.

This is certainly disheartening news for IoT equipment manufacturers doing the equivalent of triple back-flips in the pursuit of designing secure products. The IoT products they’re fielding may be bulletproof, but the routers to which they connect have sold them down the river.

Fraunhofer researchers say every one of the 127 routers they examined had security flaws. They also discovered that 46 of the routers had received no security updates within the last year. And many of the routers are affected by hundreds of known vulnerabilities. Worse, when security updates were issued, they didn’t fix some of the known problems.

The deeper you delve into the Fraunhofer report, the more discouraging the news. Some routers have easily crackable or obvious passwords that users can’t change. (Like, in the case of the Netgear RAX40 router, admin:password.) And most firmware images expose private cryptographic key material. This means bad actors can just look at the router firmware to defeat widely used public-private crypto mechanisms.

Most of the routers Fraunhofer looked at use the Linux operating system, and security patches for the Linux kernel are released several times annually. But Fraunhofer found many routers hadn’t received security fixes for more than a year. Twenty-two of them hadn’t been updated for two years, and one model had gone more than five years without security patches.

Even more worrying is that many routers use versions of Linux that are wildly out of date. More than a third of the devices use version 2.6.36 or even older. The last security update for 2.6.36 came out in early 2011. Fraunhofer researchers found the oldest kernel in use was version 2.4.20 released in 2002, residing in the Linksys WRT54GL. Interestingly, Google lists a user review rating of 4.6 out of 5 for this router. And if your PC ran a version of Windows that was current when Linux 2.4.20 came out, you would be using Windows XP.

Fraunhofer researchers note there are several mitigation techniques router makers could employ to thwart mischief. But they usually don’t bother to take advantage of all the techniques at their disposal. For example, few router makers use a technique called ReLocation Read-Only (RELRO). RELRO protects the global offset table so attackers can’t redirect function calls to malware routines. Another seldom-used technique, stack canaries, stores special byte sequences that get checked periodically to ensure attackers haven’t used a buffer overflow to overwrite memory locations that affect how programs execute.
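Both mitigations leave traces in the ELF binaries unpacked from a firmware image, so their use can be audited without running the device. The following is an added example, not code from this article or from the Fraunhofer report: `elf_hardening` and `sample_elf` are hypothetical names, the test image is constructed, and the canary check is a heuristic that looks for a reference to `__stack_chk_fail`.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def elf_hardening(data: bytes) -> dict:
    """Report the RELRO level and likely stack-canary use of one ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                  # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"   # EI_DATA: some router SoCs are big-endian
    word = "Q" if is64 else "I"
    phoff, = struct.unpack_from(end + word, data, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
    relro = bind_now = False
    for i in range(phnum):
        ph = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", data, ph)
        if p_type == PT_GNU_RELRO:       # segment made read-only after relocation
            relro = True
        elif p_type == PT_DYNAMIC:       # look for "resolve all symbols at load" flags
            p_offset, = struct.unpack_from(end + word, data, ph + (8 if is64 else 4))
            p_filesz, = struct.unpack_from(end + word, data, ph + (32 if is64 else 16))
            for off in range(p_offset, p_offset + p_filesz, 16 if is64 else 8):
                tag, val = struct.unpack_from(end + word * 2, data, off)
                if tag == DT_NULL:
                    break
                bind_now |= tag == DT_BIND_NOW
                bind_now |= tag == DT_FLAGS and bool(val & DF_BIND_NOW)
                bind_now |= tag == DT_FLAGS_1 and bool(val & DF_1_NOW)
    level = "full" if relro and bind_now else "partial" if relro else "none"
    # Heuristic: code built with stack protection references __stack_chk_fail.
    return {"relro": level, "canary": b"__stack_chk_fail" in data}

def sample_elf(relro: bool, now: bool, canary: bool, end: str = ">") -> bytes:
    """Constructed 32-bit test image: ELF header, two program headers, .dynamic."""
    ident = b"\x7fELF" + bytes([1, 1 if end == "<" else 2, 1]) + bytes(9)
    ehdr = ident + struct.pack(end + "HHIIIIIHHHHHH", 2, 8, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    dyn = struct.pack(end + "4I", DT_FLAGS, DF_BIND_NOW if now else 0, DT_NULL, 0)
    phdrs = struct.pack(end + "8I", PT_DYNAMIC, 116, 0, 0, len(dyn), len(dyn), 4, 4)
    phdrs += struct.pack(end + "8I", PT_GNU_RELRO if relro else 0, 0, 0, 0, 0, 0, 4, 4)
    return ehdr + phdrs + dyn + (b"\0__stack_chk_fail\0" if canary else b"\0puts\0")

if __name__ == "__main__":
    print(elf_hardening(sample_elf(relro=True, now=False, canary=False)))
```

A "partial" result means the lazily bound part of the global offset table stays writable; only "full" covers the whole table.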

And different vendors seem to prioritize security differently. Fraunhofer says modem maker AVM does better than other vendors when it comes to most aspects of security. However, AVM routers are not flawless. Researchers also claim ASUS and Netgear do a better job on some aspects of security than D-Link, Linksys, TP-Link, and Zyxel.

Still, when it comes to modem security, the Fraunhofer report shows the choices range from least worst to terrible.

Comments

  1. T says

    April 9, 2021 at 12:20 pm

    The WRT54GL has a high rating because it and its predecessor (the WRT54G) were two of the most used routers for DD-WRT and tomato shibby.

  2. ThaCrip says

    April 19, 2021 at 10:42 am

    The Linksys WRT54 series (and the like routers) can still be updated with recent versions of DD-WRT (or FreshTomato in some cases) as for example DD-WRT r46329 from April 13th 2021 works okay for general use. It’s still using an old Linux 2.4.37 kernel but I can’t imagine that would matter much for routers since things like OpenSSL/Dnsmasq etc are updated (i.e. dnsmasq v2.85 and OpenSSL 1.1.1k (and probably various other security fixes over the years too)). So I imagine it’s probably still ‘secure enough’ for the common person as I doubt routers running DD-WRT (or the like), especially recent versions, are of any red flag level of security risk to where it would be a bad idea for people to use them, especially with updated DD-WRT.
