Fraunhofer FKIE: Significant Security Flaws Detected In Home Routers

Alarming findings are published in the 'Home Router Security Report 2020' by the Fraunhofer Institute for Communication, Information Processing and Ergonomics FKIE.

Of the 127 home routers tested by seven major manufacturers, nearly all were found to have security flaws, some of them very severe. 

security flaws

The problems range from missing security updates to easily decrypted, hard-coded passwords and known vulnerabilities that should have been patched long ago.

A team led by Peter Weidenbach and Johannes vom Dorp in the Fraunhofer FKIE’s Cyber Analysis & Defense department had downloaded the latest available firmware as of March 27, 2020. This is the same software that manufacturers offer to customers who have one of these 127 routers in service for private home use.

Firmware Analysis and Comparison Tool (FACT)

The extreme case among the evaluated devices had not received a security update for more than 5 years

The security flaws were detected and identified using the Fraunhofer FKIE's Firmware Analysis and Comparison Tool (FACT).

"The evaluation showed that not a single router was free of flaws. Some of them were even affected by hundreds of known vulnerabilities," reports IT Security Expert and FKIE Scientist - Peter Weidenbach.

Peter Weidenbach adds, "Of the routers tested, 46 had not received a security update in the preceding twelve months." The extreme case among the evaluated devices had not received a security update for more than 5 years.

Testing focus areas

In preparing their report, the FKIE scientists focused on various security aspects including not only security updates but also which operating system versions are used and the extent to which critical security vulnerabilities influence these versions.

More than 90 percent of the home routers tested use the Linux operating system, but very often the versions used are very old.

criticizing the manufacturers

All the manufacturers would have to do is install the latest software, but they do not integrate it"

On this point, Johannes vom Dorp reserves his strongest criticism of the manufacturers, stating "Linux works continuously to close security vulnerabilities in its operating system and to develop new functionalities."

Johannes vom Dorp adds, "All the manufacturers would have to do is install the latest software, but they do not integrate it to the extent that they could and should."

password vulnerabilities

The FKIE scientists were also astonished by how passwords are handled. Numerous routers have passwords that are either well known or simple to crack or else they have hard-coded credentials that users cannot change.

The researchers also discovered numerous longstanding known security vulnerabilities that manufacturers should have eliminated long ago.

addressing home router security flaws

AVM, for instance, attaches more importance to security issues than the other providers

Peter Weidenbach finds it utterly incomprehensible that home router manufacturers are no longer focusing on the security aspects he and his team deal with.

He said, "It is immediately clear that providers deal with existing security vulnerabilities and their elimination in completely different ways."

AVM, for instance, attaches more importance to security issues than the other providers, even though AVM routers are not without their security flaws. 

automated security analysis

He also said that in some respects ASUS and Netgear were more reliable than D-Link, Linksys, TP-Link, and Zyxel.

"Our test has demonstrated that a large-scale automated security analysis of home routers is possible," says Johannes vom Dorp, adding "And the large number of vulnerabilities identified in the report shows that manufacturers still have a long way to go in their efforts to make these devices far more secure."