Most organizations would struggle to do business without a network of Wi-Fi routers, and the security of those routers is essential.
IoT Inspector, a European platform for IoT security analysis, and CHIP, a German IT magazine, recently discovered an alarming number of vulnerabilities in commonly used Wi-Fi routers.
They examined routers from AVM, Asus, Netgear, and more, finding over 200 vulnerabilities in these devices that are used by millions of people all over the world.
Florian Lukavsky, the CTO of IoT Inspector, says this about the vulnerabilities:
"The test negatively exceeded all expectations for secure small business and home routers. Not all vulnerabilities are equally critical – but at the time of the test, all devices showed significant security vulnerabilities that could make a hacker’s life much easier."
Vulnerabilities in Wi-Fi routers
In total, 9 routers were examined through a security test under laboratory conditions, with 226 potential security vulnerabilities found in devices made by Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology and Linksys.
The devices with the highest number of vulnerabilities came from TP-Link, which had 32 vulnerabilities (TP-Link Archer AX6000), and Synology with 30 vulnerabilities (Synology RT-2600ac).
IoT Inspector discusses the most common vulnerabilities found:
"Some of the security issues were detected more than once. Very frequently, an outdated operating system, i.e. Linux kernel, is in use. Since the integration of a new kernel into the firmware is costly, no manufacturer was up to date here.
The device software used is also commonly found to be outdated, as it all too often relies on standard tools like BusyBox. Additional services that the devices offer besides routing – such as multimedia functions or VPN – tend to be outdated as well. In fact, a large number of manufacturers use default passwords like 'admin,' which in many cases can be read in plain text."
Wi-Fi manufacturers and policymakers respond
Upon discovery of the vulnerabilities, the test team contacted the manufacturers, giving them the opportunity to respond appropriately. IoT Inspector says that "without exception" all responded with prepared firmware patches.
Users of these routers must now apply the patches themselves if the automatic update function is not enabled.
In a move to increase the security of these types of products, the German government announced manufacturers will be required to take more responsibility moving forward. The German government says that "manufacturers are liable for damage negligently caused by IT security vulnerabilities in their products."
This will likely put some pressure on the industry to constantly monitor and secure products to avoid hefty claims for damages.
For more information on the matter, read the IoT Inspector research.