Worst suspicions confirmed: The terrible security of internet routers

Leland Teschler, Executive Editor
Here’s the latest IoT security nightmare: All of the wireless routers through which most IoT traffic passes are probably vulnerable to botnets and other kinds of security breaches. That’s the conclusion of researchers at Fraunhofer FKIE in Germany who analyzed 127 different routers sold by seven vendors. The routers they examined are sold in Europe, but a quick check reveals many of them have versions available in the U.S.

This is certainly disheartening news for IoT equipment manufacturers doing the equivalent of triple back-flips in the pursuit of designing secure products. The IoT products they’re fielding may be bullet proof, but the routers to which they connect have sold them down the river.

Fraunhofer researchers say every one of the 127 routers they examined had security flaws. They also discovered that 46 of the routers had received no security updates within the last year. And many of the routers are affected by hundreds of known vulnerabilities. Worse, when security updates were issued, they didn’t fix some of the known problems.

The deeper you delve into the Fraunhofer report, the more discouraging the news. Some routers have easily crackable or obvious passwords that users can’t change. (Like, in the case of the Netgear RAX40 router, admin:password.) And most firmware images expose private cryptographic key material. This means bad actors can just look at the router firmware to defeat widely used public-private crypto mechanisms.

Most of the routers Fraunhofer looked at use the Linux operating system, and security patches for the Linux Kernel are released several times annually. But Fraunhofer found many routers hadn’t received security fixes for more than a year. Twenty two of them hadn’t been updated for two years, and one model had gone more than five years without security patches.

Even more worrying is that many routers use versions of Linux that are wildly out of date. More than a third of the devices use version 2.6.36 or even older. The last security update for 2.6.36 came out in early 2011. Fraunhofer researchers found the oldest kernel in use was version 2.4.20 released in 2002, residing in the Linksys WRT54GL. Interestingly, Google lists a user review rating of 4.6 out of 5 for this router. And if your PC ran a version of Windows that was current when Linux 2.4.20 came out, you would be using Windows XP.

Fraunhofer researchers note there are several mitigation techniques router makers could employ to thwart mischief. But they usually don’t bother to take advantage of all the techniques at their disposal. For example, few router makers use a technique called ReLocation Read-Only (RELRO). RELRO protects the global offset table so attackers can’t redirect function calls to malware routines. Another seldom-used technique called stack canaries stores special byte sequences that get checked periodically to ensure attackers haven’t overwritten memory locations via buffer overflow attacks that affect how programs execute.

And different vendors seem to prioritize security differently. Fraunhofer says modem maker AVM does better than other vendors when it comes to most aspects of security. However, AVM routers are not flawless. Researchers also claim ASUS and Netgear do a better job on some aspects of security than D-Link, Linksys, TP-Link, and Zyxel.

Still, when it comes to modem security, the Fraunhofer report shows the choices range from least worst to terrible.