Router Iot Security Test

Hackers welcome: Major security test uncovers vulnerabilities in all common Wi-Fi routers

  • IoT Inspector and CHIP examine devices from AVM, Asus, Netgear, and more  
  • New German coalition announces manufacturer liability for damages caused by IT security vulnerabilities  

Bad Homburg, December 2, 2021 – Nine Wi-Fi routers from well-known manufacturers recently underwent a thorough security test under laboratory conditions  – with devastating results in the field of IT security: A total of 226 potential security vulnerabilities were found in the devices from Asus, AVM, D-Link, Netgear, Edimax, TP Link, Synology and Linksys, which are in circulation by the millions. The front-runners were devices from TP-Link with 32 vulnerabilities (TP-Link Archer AX6000) and Synology with 30 vulnerabilities (Synology RT-2600ac). The test was conducted by the editors of the German IT magazine CHIP together with the experts from IoT Inspector, who provided their security platform for automated IoT firmware checks for this purpose. “The test negatively exceeded all expectations for secure small business and home routers. Not all vulnerabilities are equally critical – but at the time of the test, all devices showed significant security vulnerabilities that could make a hacker’s life much easier,” says Florian Lukavsky, CTO of IoT Inspector.   

Manufacturers have responded – so have policymakers  

All of the affected manufacturers were contacted by the test team and given the opportunity to respond. Without exception, all responded with more or less intensively prepared firmware patches, which users of the affected routers should now urgently apply, in case the automatic update function is not already activated. “Following our test, the affected manufacturers have already patched a lot of security gaps in their devices. But Wi-Fi routers are still not flawless. Manufacturers still have some catching up to do,” says CHIP author Jörg Geiger. 

At the same time, the coalition agreement of the new German government announces that manufacturers will be required to take greater accountability in the future. It states that “manufacturers are liable for damage negligently caused by IT security vulnerabilities in their products.” This increases the pressure on the industry to continuously secure products in order to avoid immense claims for damages. IoT Inspector’s firmware security checks automate this important step of analysis. All it takes is to upload a device’s firmware to iot-inspector.com. Within minutes, the platform generates a detailed report and risk rating of the detected vulnerabilities, which can then be addressed in a targeted manner.  

Typical problems with all manufacturers  

Some of the security issues were detected more than once. Very frequently, an outdated operating system, i.e. Linux kernel, is in use. Since the integration of a new kernel into the firmware is costly, no manufacturer was up to date here. The device software used is also commonly found to be outdated, as it all too often relies on standard tools like BusyBox. Additional services that the devices offer besides routing – such as multimedia functions or VPN – tend to be outdated as well. In fact, a large number of manufacturers use default passwords like “admin”, which in many cases can be read in plain text. “Changing passwords on first use and enabling the automatic update function must be standard practice on all IoT devices, whether the device is used at home or in a corporate network. The greatest danger, besides vulnerabilities introduced by manufacturers, is using an IoT device according to the motto ‘plug, play and forget’,” warns IoT Inspector’s CEO Jan Wendenburg.   

The full report can be read here (in German). The IoT Inspector Research Lab also published a detailed technical write-up on how they extracted an encryption key for a subset of D-Link routers during the research process.

About ONEKEY

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.

 

CONTACT:

Sara Fortmann

Marketing Manager

sara.fortmann@onekey.com

 

euromarcom public relations GmbH

+49 611 973 150

team@euromarcom.de