Fraunhofer FKIE: Significant security flaws detected in Home Routers

Alarming findings are published in the »Home Router Security Report 2020« by the Fraunhofer Institute for Communication, Information Processing and Ergonomics FKIE. Of the 127 home routers tested from seven major manufacturers, nearly all were found to have security flaws, some of them very severe. The problems range from missing security updates to easily decrypted, hard-coded passwords and known vulnerabilities that should have been patched long ago.

The Home Router Security Report 2020: You can download the complete report here.

A team led by Peter Weidenbach and Johannes vom Dorp in the Fraunhofer FKIE’s Cyber Analysis & Defense department had downloaded the latest available firmware as of March 27, 2020. This is the same software that manufacturers offer to customers who have one of these 127 routers in service for private home use.

The security flaws were detected and identified using the Fraunhofer FKIE's Firmware Analysis and Comparison Tool (FACT). »The evaluation showed that not a single router was free of flaws. Some of them were even affected by hundreds of known vulnerabilities. Of the routers tested, 46 had not received a security update in the preceding twelve months,« reports IT security expert and FKIE scientist Peter Weidenbach. The extreme case among the evaluated devices had not received a security update for more than 5 years.

In preparing their report, the FKIE scientists focused on various security aspects including not only security updates but also which operating system versions are used and the extent to which critical security vulnerabilities influence these versions. More than 90 percent of the home routers tested use the Linux operating system, but very often the versions used are very old. On this point, vom Dorp reserves his strongest criticism of the manufacturers. »Linux works continuously to close security vulnerabilities in its operating system and to develop new functionalities. Really, all the manufacturers would have to do is install the latest software, but they do not integrate it to the extent that they could and should.«

The FKIE scientists were also astonished by how passwords are handled. »Numerous routers have passwords that are either well known or simple to crack – or else they have hard-coded credentials that users cannot change.« The researchers also discovered numerous longstanding known security vulnerabilities which manufacturers should have eliminated long ago.

Weidenbach finds it utterly incomprehensible that home router manufacturers are no longer clearly focusing on the security aspects he and his team deal with. »It is immediately clear that providers deal with existing security vulnerabilities and their elimination in completely different ways.« AVM, for instance, attaches more importance to security issues than the other providers, even though AVM routers are not without their own security flaws. He also said that in some respects ASUS and Netgear were more reliable than D-Link, Linksys, TP-Link and Zyxel.

»Our test has demonstrated that a large-scale automated security analysis of home routers is definitely possible,« says vom Dorp, adding, »And the large number of vulnerabilities identified in the report shows that manufacturers still have a long way to go in their efforts to make these devices far more secure.«