Scientists of the FKIE department “Cyber Analysis & Defense” analyzed 122 router models that were on the market as of 31 March 2022. For corpus construction, they selected seven third-party vendors who sell their devices in Europe, but also internationally. Similar to the Home Router Security Report 2020, the security experts downloaded the freely available software of all 122 examined models, the so-called firmware, and analyzed it for the implementation of broadly recognized security best practices.

"The goal of this report is to raise awareness of the fact that well-established security practices must also be taken into account for such pivotal network devices as home routers. On the one hand, they can be directly accessed from the internet and on the other hand, they serve as gatekeepers for other devices in the local network," says research group leader Johannes vom Dorp. FKIE scientist René Helmke adds: "We share our results with the vendors before publishing the report. Our aim is to point out potential issues so that they can be remedied, thus improving the safety of the devices in the long term."

Two-step methodology

The analysis was done in two steps: First, the firmware was automatically unpacked and evaluated according to pre-defined research questions. For example, when did the device last receive an update? Are there any publicly known security issues in the operating system? Are there any hard-coded login credentials? The scientists carried out this automated analysis using the open source "Firmware Analysis and Comparison Tool" (FACT) developed at Fraunhofer FKIE.

Already in the first step, a fully automated analysis, new methods were added to further improve result reliability compared to the 2020 report. As for the second step, which focuses on the evaluation of potential vulnerabilities in the operating system, the scientists developed and published a novel heuristic for the 2022 report. This provides further insights into result interpretation of the previous analysis and reduces false-positive rates.

Results

The analysis showed that the seven vendors address device security very differently: There were devices with only a few potential security issues, but others indicated a clear need for improvement regarding all investigated research questions. Patches, i.e., software updates that may also address security issues, are applied in a timelier manner and the operating system versions are updated at somewhat shorter intervals in comparison to 2020 – although not yet to a sufficient extent in the opinion of the security experts. Also interesting is a clear decline in hard-coded login data. However, the security experts identify a greater security problem in easily guessable passwords, the number of which has not changed significantly. In addition, available protection measures for binary executable files, so-called "binary hardening" methods, are not used consistently in many cases. Finally, the Linux versions used for routers were compared with a public database that documents known security vulnerabilities. The scientists then filtered the results using a new method in order to consider only those potential security vulnerabilities that may also be applicable to the routers in question. Helmke clarifies: "Due to this modified heuristic the results of 2020 and 2022 are not comparable in this regard."

Recommendations to router vendors

Therefore, the scientists' recommendation to vendors is to replace operating system versions that no longer receive security updates more frequently. It is also beneficial to modernize build chains in order to activate security-relevant compiler features. All hard-coded credentials should be checked for their necessity. And finally, passwords that are not easy to crack should be used. "Some of these changes are easy to implement, but can increase security considerably," summarizes vom Dorp.