This is how the Fraunhofer Institute for Communication (FKIE), which has analyzed 127 home routers of seven different brands in a macro study to see if, even when patched with the latest updates, there are any security flaws. And the results are terrifying.
No router is free of vulnerabilities
To determine the security of each router, the researchers analyzed five aspects: when was the latest firmware released for that model, how long has the operating system version used, what techniques are used to mitigate exploits, if there are accessible private keys, or the type of default access credentials.
Of the 127 routers, 46 they had not received not an update in the last yearAnd that means that these routers are affected by hundreds of vulnerabilities of all kinds. Furthermore, they have also discovered that there are manufacturers that release updates without patching the latest known vulnerabilities, so even if you are up to date with the updates, your router is still hackable. 81 routers had received updates in the last 365 days, but the average time that a router is without receiving patches is 378 days.
Of the brands analyzed, ASUS and Netgear are the ones that do it best in front of D-Link, Linksys, TP-Link and Zyxel. A German router manufacturer, called AVM, is the only one that does not publish encryption private keys in the firmware. The Netgear R6800 router has 13 accessible private keys, and that is the same as not having them because any attacker can do a man-in-the-middle attack to impersonate the router. And if a key is in the firmware, it is that it is present in other devices, so thousands may be in danger. In the worst cases, there were routers that had not received updates for five and a half years. Others used easy-to-guess default passwords, and some didn’t even allow it to be changed.
Around 90% of the routers analyzed used Linux as the operating system. However, manufacturers do not update the operating system to implement changes made to the operating system kernel. Only 5.8% of routers use a post-4.4 Linux kernel, the only one with extended support until 2022.
The Linksys WRT54GL is the worst router you can buy
A third of the routers used a version of the Linux kernel prior to 2.6.36, which has not been supported since February 2011. The Linksys WRT54GL uses the Linux kernel 2.4.20, launched in 2002. This router, as it could not be otherwise, is the most vulnerable of all analyzed, with 579 CVE vulnerabilities high risk. And it is still sold on Amazon, so you better not buy it. And if you have it at home, there are surely other better uses for an old router.
Therefore, the conclusion is that manufacturers are far behind in terms of updates compared to operating systems such as Linux or Windows. This study is similar to the one carried out by the United States Consumers Association (ACI), which in 2018 discovered that, of 186 routers analyzed, 155 had vulnerabilities that allowed hacking, and that each router had an average of 172 vulnerabilities. If you are concerned about security in your home, you may want to take a look at the best routers of 2020.