By Clare O’Gara
Thu | Jul 9, 2020 | 9:26 AM PDT

Home routers are one of the many poster children for 2020.

Be it for remote work or a remote education, these devices are critical for your end users, and your organization, to get the job done from home.

But new security research reveals a darker side to home routers, summed up best in a statement plucked directly from the research:

"Our results are alarming. There is no router without flaws."

Study: serious vulnerabilities in home routers

In its study, "Home Router Security Report 2020," EU cybersecurity firm Fraunhofer sought to answer five questions about some of the most popular home routers:

  1. Days Since Last Firmware Update Release: when were the devices updated last time? 
  2. Operating System: which operating system versions are used and how many known critical vulnerabilities affect these operating system versions? 
  3. Exploit Mitigation: which exploit mitigation techniques do the vendors use? How often do they activate these techniques? 
  4. Private Cryptographic Key Material: do the firmware images contain private cryptographic key material? 
  5. Hard-coded Login Credentials: are there any hard-coded login credentials?
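Questions 4 and 5 can be checked on any firmware image whose root filesystem has already been unpacked. The sketch below is an added example, not the report's tooling or method; the function names and the sample tree, with its placeholder key and hash, are constructed for illustration.

```python
import os
import re
import tempfile

PEM_PRIVATE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")  # RSA, EC, PKCS#8, OpenSSH

def account_findings(text):
    """Return (kind, user) for passwd/shadow records that allow a password login."""
    out = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:                       # not a passwd (7) or shadow (9) record
            continue
        user, secret = parts[0], parts[1]
        if secret != "x" and secret[:1] not in ("!", "*"):   # "x" = see shadow; !,* = locked
            out.append(("password-hash" if secret else "empty-password", user))
    return out

def scan_rootfs(root):
    """Walk an unpacked firmware root filesystem; return sorted (path, kind, user)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue                         # firmware symlinks often point outside root
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            if PEM_PRIVATE.search(data):
                findings.append((rel, "private-key", ""))
            if name in ("passwd", "shadow"):
                for kind, user in account_findings(data.decode("utf-8", "replace")):
                    findings.append((rel, kind, user))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree; the key body and hash are placeholders, not secrets."""
    os.makedirs(os.path.join(root, "etc", "ssl"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:$1$SALT$PLACEHOLDERHASH:0:0:root:/root:/bin/sh\n"
                 "admin::0:0:admin:/:/bin/sh\n"
                 "nobody:*:65534:65534:nobody:/:/bin/false\n")
    with open(os.path.join(root, "etc", "ssl", "server.pem"), "w") as fh:
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*scan_rootfs(tmp), sep="\n")
```

A key or password hash found this way is shared by every device running that image, so the finding applies to the whole model line rather than to a single router.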

The report analyzed 127 current routers for private use developed by seven different large vendors selling their products in Europe, many of which are also sold in the United States and Canada.

Routers lack security updates

One of the most crucial takeaways?

"46 routers did not get any security update within the last year."

That lack of updates leaves room for hundreds of vulnerabilities, according to the research.

But that's not all. The data also shows some mixed results when it comes to login credentials and home routers:

"The good news is that more than 60% of the router firmware images do not have hard-coded login credentials. The bad news is that 50 routers do provide hard-coded credentials. 16 routers have well known or easily crackable credentials."

The researchers conclude with the definitive statement that the routers they analyzed certainly prioritize security differently. Perhaps your organization could help end users be more selective about choosing the most secure router brands.

However, from a big picture view, one theme continues to ring true:

"To sum it up, our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects. Much more effort is needed to make home routers as secure as current desktop or server systems."

Related cybersecurity podcast: patching as a failed security paradigm

Relying on patching to secure the IoT and a whole new class of connected devices is a "failed security paradigm," according to cybersecurity thought leader Bruce Schneier.

Listen to our podcast interview with him on the state of cybersecurity, where we discuss this topic and much more:
