Are Home Routers Secure? NO!

https://threatpost.com/report-most-popular-home-routers-have-critical-flaws/157346/

Quote
...Common devices from Netgear, Linksys, D-Link and others contain serious security vulnerabilities that even updates don't fix.

A security review of 127 popular home routers found most contained at least one critical security flaw, according to researchers.

The "Home Router Security Report" (PDF) by Peter Weidenbach and Johannes vom Dorp - both from the German think tank Fraunhofer Institute - found that not only did all of the routers they examined have flaws, many "are affected by hundreds of known vulnerabilities," the researchers said.

On average, the routers analyzed - by vendors such as D-Link, Netgear, ASUS, Linksys, TP-Link and Zyxel - were affected by 53 critical-rated vulnerabilities (CVE), with even the most "secure" device of the bunch having 21 CVEs, according to the report. Researchers did not list the specific vulnerabilities....


..."To sum it up, our analysis shows that there is no router without flaws and there is no vendor who does a perfect job regarding all security aspects," Weidenbach and vom Dorp wrote. "Much more effort is needed to make home routers as secure as current desktop or server systems."

While people make common mistakes when configuring home routers - thus leading to security issues - they are not the primary reasons for the lack of security found among the devices, researchers said.

Their analysis clearly shows that device vendors, despite knowing the security risks, are still doing a rather dismal job to ensure that routers are secure even before users take them out of the box...


...Some vendors seem to prioritize security a bit more than others, according to the report. AVM International was the best of the bunch in terms of all the security aspects researchers examined, although the company's routers also contained flaws, they said.

ASUS and Netgear also prioritized several aspects of device security more than some of the other vendors. Both update their routers more frequently than their rival companies, and use more current, supported versions of the Linux kernel for their firmware, researchers found.

Among the routers examined, those from D-Link, Linksys, TP-Link and Zyxel fared the worst in terms of how well common security aspects were addressed out of the box, according to the report....
 
My 8-year-old ASUS still gets updates a couple of times a year. Go into your router's setup and disable any services on it that you don't use, and disable the ping feature from the internet side. This may increase performance of the device and make it more difficult to SEE it from the internet. Enabling things like MAC filtering may help lock down your device also.
 
For better or worse I purchased Google Wifi (mesh, 3 pucks) and hope or believe Google pushes updates to it, especially for vulnerabilities. My Cisco was a manual upload of a file and the TP-Link was a clunky experience too.
 
Cybersecurity analyst here. Purchase hardware from vendors that have an established platform, not some junk no-name Chinese router. Even the big boys tend to not update after a few years. My recommendation is Ubiquiti, but they can be difficult to set up for the average Joe. Or a software-based Linux router. Google Wifi is a good choice for the average user.
 
My 8-year-old ASUS still gets updates a couple of times a year. Go into your router's setup and disable any services on it that you don't use, and disable the ping feature from the internet side. This may increase performance of the device and make it more difficult to SEE it from the internet. Enabling things like MAC filtering may help lock down your device also.

Disabling ICMP response is pretty useless (ping). If an IP is shown as producing traffic or as a valid end-point to target, the fact it's not responding to ICMP isn't relevant and isn't going to change if somebody is going to DDoS you or run a port scan.
 
Just don't expose your router to the internet. It doesn't matter nearly as much if it has security flaws if it is sitting behind a decent firewall and is only used as a WIFI radio. There are lots of low-cost, turnkey options. I'm running OPNsense myself, on a tiny Atom box that's sitting next to the modem in our entryway closet.
 
Just don't expose your router to the internet. It doesn't matter nearly as much if it has security flaws if it is sitting behind a decent firewall and is only used as a WIFI radio. There are lots of low-cost, turnkey options. I'm running OPNsense myself, on a tiny Atom box that's sitting next to the modem in our entryway closet.

Then it's just a glorified Access Point/Switch, though sometimes more cost effective than individual devices.

pfSense is another excellent option, and Sophos makes their UTM product free for home use as well, for somebody who has the hardware handy.
 
pfSense and OPNsense are just about beyond my capabilities as a non-network engineer software dev. Without Google, I'd be lost a lot of the time. If it wasn't for some specific capabilities that I wanted, I would prefer IPFire for its greater level of user friendliness.
 
pfSense and OPNsense are just about beyond my capabilities as a non-network engineer software dev. Without Google, I'd be lost a lot of the time. If it wasn't for some specific capabilities that I wanted, I would prefer IPFire for its greater level of user friendliness.

Smoothwall used to be a really "friendly" firewall distro, not sure if it is still developed or maintained. I recall it forking at some point as the devs split up?

The Sophos UTM product is pretty easy to install and configure and I generally recommend it as an option for somebody who might be more comfortable with it over pfSense, which I think has a beautiful GUI, but may be a bit much for some people. There's no denying how capable pfSense is, however; for a product that's free, it is utterly incredible how good it is.
 
I don't think any router is secure. ;) More so if you allow someone onto your system by downloading malware, which I think is way more often than hackers hacking into homeowner-owned routers. If they are that good, they are going to break into businesses where the real money is.
Just my thoughts, not that they are correct.
 
Smoothwall used to be a really "friendly" firewall distro, not sure if it is still developed or maintained. I recall it forking at some point as the devs split up?

The Sophos UTM product is pretty easy to install and configure and I generally recommend it as an option for somebody who might be more comfortable with it over pfSense, which I think has a beautiful GUI, but may be a bit much for some people. There's no denying how capable pfSense is, however; for a product that's free, it is utterly incredible how good it is.

Thanks for the heads up on Sophos UTM and pfSense. I'm looking at what they offer now. I used Smoothwall extensively 20 years ago but don't know what became of them.
 
Zyxel USG60 that just got decommissioned because of the stupid Zyxel backdoor that just happened. Zyxel with Cyren was at the border with Untangle or Sophos UTM in bridge. Now just Untangle on my Rangeley. Have you seen or used Untangle yet?
 