The highly reputable Fraunhofer Institute has published a damning study on the security of consumer modem routers. Between countless security flaws and update policies that are often far from current, a large part of the installed base suffers from very concrete, easily exploitable vulnerabilities.
A fairly widespread assumption has just been confirmed: the consumer modem routers available on the market are real disasters in terms of security. These results come from an in-depth study by the highly reputable Fraunhofer Institute in Germany. This applied-science research organization, renowned for the solidity of its work, nevertheless judges its results “alarming”. The term is far from trivial, given the restraint the organization systematically shows in its publications.
The institute analyzed no fewer than 127 firmware images, used by seven different brands well known to the general public: Asus, AVM, D-Link, Linksys, Netgear, TP-Link and Zyxel. To judge the level of security, the study relies on many criteria, among them the average time between two updates, the known vulnerabilities of the OS, the countermeasures implemented by the manufacturers, and whether a private cryptographic key or credentials are hard-coded (i.e. explicitly written in the device code). The Fraunhofer Institute does not pull its punches, opening with a damning first paragraph. The text explains that none of the routers analyzed was free of flaws. Worse: “many routers” present “hundreds of known vulnerabilities”, a situation aggravated by the scarcity of mitigation measures (which are supposed to limit the damage).
Insufficient update frequency
To start, the vast majority of the devices tested were updated on average every 378 days, much less frequently than necessary. For some devices, the delay was even several years. This is a particularly important factor, given that cybersecurity is in essence a vast game of cat and mouse in which the whole point for manufacturers is to stay one step ahead of the attackers… With delays like these, a criminal has plenty of time to work on the security system without breaking a sweat, as if your football opponent quietly waited for your substitution before launching a counterattack.
The other concern is that these updates do not systematically represent a solution: the manufacturer must precisely target the vulnerabilities of its equipment… and the majority seem to have difficulty doing so. In many cases, this comes from the operating system used, which is very often obsolete. It is even surprising to note that nearly a third of the tested devices are sold with a Linux 2.6 kernel… more than ten years old, and therefore completely obsolete despite any attempt to update. The oldest model even has a 2.4.20 kernel, published in 2002. The figure even climbs to 50% for Netgear, a manufacturer that is renowned in this segment…
Critical flaws by the shovelful
The consequence is that these modem routers are riddled with flaws at all levels. The study explains that even the “best” devices have at least 21 critical flaws and 348 high-priority flaws. This is all the more deplorable since the use of countermeasures to mitigate attacks is described as “quite rare, with few exceptions”. Finally, most of the devices include several hard-coded secret keys, which are therefore easy to extract with a relatively basic exploit. All the more so since the manufacturers did not exactly rack their brains, with username/password pairs sometimes as elaborate as “admin/password”…
The study concludes that only the manufacturer AVM stands out. It rises above the pack thanks to a decent update frequency, a kernel that is still supported and no hard-coded secret key in its most recent models. But overall, the picture is really distressing, because these are real, concrete vulnerabilities, far from the sometimes abstract threats that hover over various services. One can only hope that the manufacturers take note of this study as soon as possible, although they can hardly ignore some of the facts exposed by the Fraunhofer Institute, because this systemic problem will not go away or resolve itself on its own. In the meantime, it is citizens who will be increasingly exposed.