Security researchers from IoT Inspector teamed up with CHIP Magazine to test nine of the most popular home Wi-Fi routers for exploits and vulnerabilities. The results are stunning—not only are these routers poorly secured, but they suffer from vulnerabilities that security researchers first identified months or years ago.
The routers tested by IoT Inspector and CHIP come from ASUS, AVM, D-Link, Edimax, Linksys, Netgear, Synology, and TP-Link. They all ran the latest version of their manufacturer’s firmware, and there’s a good chance that the vulnerabilities found in these routers exist in other models from the same brands.
Here are IoT Inspector and CHIP Magazine’s detailed findings, including some good news that proves the importance of this sort of research.
Before we get into all the terrible flaws in these popular routers, I need to take a moment and explain how IoT Inspector ran these tests. See, IoT Inspector is a software company that sells an automated security-analysis tool for routers and other connected devices.
IoT Inspector ran each router’s firmware through this automated tool to test for over 5,000 CVEs and other security problems.
Here are the results of IoT Inspector and CHIP’s tests:
- The nine routers suffer from a total of 226 flaws.
- TP-Link’s Archer AX6000 is the biggest offender, suffering from 32 security bugs.
- Synology’s RT-2600ac is a close second, sporting 30 security flaws.
- The majority of identified security flaws are “high” or “medium” risk.
- Every tested router suffers from a known vulnerability that was left unpatched.
While the researchers didn’t share much detailed information for these security flaws and bugs, they did publish a critical vulnerability found in D-Link’s DIR-X460 router. Here’s the short of it—IoT Inspector found a way to send malicious firmware updates to D-Link’s DIR-X460 by extracting its encryption key.
Additionally, IoT Inspector and CHIP published some of the most common flaws found in these nine routers:
- Weak default passwords, such as “admin.”
- Hardcoded credentials in plain text—you know, unencrypted data.
- Outdated Linux kernel in router firmware.
- Outdated multimedia and VPN functionality, which could be exploited.
- Use of old versions of BusyBox.
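To make those categories concrete, here is an added example (not IoT Inspector's tool or rule set) that audits an unpacked firmware root filesystem for embedded BusyBox and kernel version strings, passwordless accounts, and plain-text credentials. The regex patterns, weak-password list, and sample files are constructed assumptions; judging whether a reported version is outdated is left to the reader.

```python
import os
import re
import tempfile
from pathlib import Path

VERSION_RES = {  # illustrative patterns (assumptions), not IoT Inspector's rule set
    "busybox-version": re.compile(rb"BusyBox v(\d+(?:\.\d+)+)"),
    "kernel-version": re.compile(rb"Linux version (\d+(?:\.\d+)+)")}
CRED_RE = re.compile(rb"(?im)^\s*(\w*(?:password|passwd|pwd))\s*[=:]\s*(\S+)")
WEAK_DEFAULTS = {b"admin", b"password", b"1234", b"root"}

def audit_rootfs(root):
    """Walk an unpacked firmware tree; return sorted (kind, path, detail) findings."""
    findings = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath, name)
            if path.is_symlink():  # absolute links would read files from the host
                continue
            rel = path.relative_to(root).as_posix()
            data = path.read_bytes()
            for kind, rx in VERSION_RES.items():  # banners embedded in binaries
                for m in rx.finditer(data):
                    findings.add((kind, rel, m.group(1).decode()))
            if name in ("passwd", "shadow"):  # empty second field: no password set
                for line in data.splitlines():
                    fields = line.split(b":")
                    if len(fields) > 1 and fields[1] == b"":
                        findings.add(("empty-password", rel, fields[0].decode("ascii", "replace")))
            elif b"\0" not in data:  # grep key=value pairs in text files only
                for m in CRED_RE.finditer(data):
                    kind = "default-password" if m.group(2).lower() in WEAK_DEFAULTS else "hardcoded-credential"
                    findings.add((kind, rel, m.group(1).decode()))  # report the key, not the secret
    return sorted(findings)

def build_sample_rootfs(root):
    files = {  # constructed sample tree standing in for an unpacked firmware image
        "bin/busybox": b"\x7fELF\0\0BusyBox v1.19.4 (2015-03-02) multi-call binary\0",
        "boot/kernel.img": b"\0\0Linux version 3.10.14 (build@host) #1\0",
        "etc/passwd": b"root::0:0:root:/root:/bin/sh\nnobody:x:99:99::/:/bin/false\n",
        "etc/app.conf": b"http_user=admin\nhttp_password=admin\nvpn_pwd: S3cr3t-Example\n",
    }
    for rel, content in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        print(*audit_rootfs(tmp), sep="\n")
```
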
Bear in mind that anyone could run these tests, including the routers’ manufacturers. Clearly, the nine brands tested here aren’t taking the time to properly secure their products.
According to CHIP Magazine, each of the nine router manufacturers responded to these tests and issued firmware updates to address the vulnerabilities in their products. Most of these fixes are for “low risk” vulnerabilities, but it’s a good start.
Here are the actions taken by each manufacturer following this investigation. Note that these bullet points are translated from CHIP’s report, which is in German.
- ASUS: ASUS examined our findings and presented us with a detailed answer. ASUS patched the outdated BusyBox, and there are now updates for “curl” and the webserver. The password problems we warned about were temp files that the process removes when it is terminated. They are not a risk.
- D-Link: D-Link thanked us for the tip and published a firmware update to fix the problems mentioned.
- Edimax: Edimax didn’t put too much effort into checking these problems but published an update to fix some issues.
- Linksys: Linksys will address all issues categorized as “high” and “medium.” It will avoid default passwords in the future, and has issued a firmware update for any remaining problems.
- Netgear: The crew at Netgear worked hard and examined all the problems. Netgear believes some of its “high risk” vulnerabilities are not a big deal. It has pushed an update for DNSmasq and iPerf, though other problems should be addressed first.
- Synology: Synology is addressing the issues we found with an update to the Linux kernel. BusyBox and PHP will be updated, and Synology will clean up its certificates. Funny enough, all Synology devices benefit from this update.
- TP-Link: Updating BusyBox, CURL, and DNSmasq eliminated many of TP-Link’s problems. It still needs a new kernel, but TP-Link has over 50 fixes planned for its firmware.
Just to be clear, IoT Inspector hasn’t checked if these patches work or not. And even if they do work, these routers are still vulnerable to known (and likely unknown) exploits.
Whether you use one of the affected routers or not, I suggest manually updating your router’s firmware and enabling automatic updates (if they aren’t already enabled). Doing so ensures that your router is safe from the latest exploits—or at least the ones that manufacturers decide to fix.
You should also set a secure Wi-Fi password and disable features like WPS (Wi-Fi Protected Setup) and UPnP (Universal Plug and Play), which opens your network to malware and is regularly criticized by the FBI for its numerous security flaws.
And if you’re using an incredibly old router (or NAS device, for that matter) you should seriously consider an upgrade. Old networking hardware is often full of known vulnerabilities that manufacturers just don’t care to patch.
For more information on securing your router, check out our detailed guide at How-To Geek.