Router IoT Security Test

Hackers welcome: Major security test uncovers vulnerabilities in all common Wi-Fi routers

  • IoT Inspector and CHIP examine devices from AVM, Asus, Netgear, and more
  • New German coalition announces manufacturer liability for damages caused by IT security vulnerabilities

Bad Homburg, December 2, 2021 – Nine Wi-Fi routers from well-known manufacturers recently underwent a thorough security test under laboratory conditions – with devastating results in the field of IT security: A total of 226 potential security vulnerabilities were found in the devices from Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology and Linksys, which are in circulation by the millions. The front-runners were devices from TP-Link with 32 vulnerabilities (TP-Link Archer AX6000) and Synology with 30 vulnerabilities (Synology RT-2600ac). The test was conducted by the editors of the German IT magazine CHIP together with the experts from IoT Inspector, who provided their security platform for automated IoT firmware checks for this purpose. “The test negatively exceeded all expectations for secure small business and home routers. Not all vulnerabilities are equally critical – but at the time of the test, all devices showed significant security vulnerabilities that could make a hacker’s life much easier,” says Florian Lukavsky, CTO of IoT Inspector.

Manufacturers have responded – so have policymakers

All of the affected manufacturers were contacted by the test team and given the opportunity to respond. Without exception, all responded with more or less intensively prepared firmware patches, which users of the affected routers should now urgently apply, in case the automatic update function is not already activated. “Following our test, the affected manufacturers have already patched a lot of security gaps in their devices. But Wi-Fi routers are still not flawless. Manufacturers still have some catching up to do,” says CHIP author Jörg Geiger.

At the same time, the coalition agreement of the new German government announces that manufacturers will be required to take greater accountability in the future. It states that “manufacturers are liable for damage negligently caused by IT security vulnerabilities in their products.” This increases the pressure on the industry to continuously secure products in order to avoid immense claims for damages. IoT Inspector’s firmware security checks automate this important step of analysis. All it takes is to upload a device’s firmware to iot-inspector.com. Within minutes, the platform generates a detailed report and risk rating of the detected vulnerabilities, which can then be addressed in a targeted manner.

Typical problems with all manufacturers

Some of the security issues were detected more than once. Very frequently, an outdated operating system, i.e. Linux kernel, is in use. Since the integration of a new kernel into the firmware is costly, no manufacturer was up to date here. The device software used is also commonly found to be outdated, as it all too often relies on standard tools like BusyBox. Additional services that the devices offer besides routing – such as multimedia functions or VPN – tend to be outdated as well. In fact, a large number of manufacturers use default passwords like “admin”, which in many cases can be read in plain text. “Changing passwords on first use and enabling the automatic update function must be standard practice on all IoT devices, whether the device is used at home or in a corporate network. The greatest danger, besides vulnerabilities introduced by manufacturers, is using an IoT device according to the motto ‘plug, play and forget’,” warns IoT Inspector’s CEO Jan Wendenburg.

The full report can be read here (in German). The IoT Inspector Research Lab also published a detailed technical write-up on how they extracted an encryption key for a subset of D-Link routers during the research process.

About ONEKEY

ONEKEY (formerly IoT Inspector) is the leading European platform for automated security & compliance analysis for industrial (IIoT & ICS), manufacturing (OT) and Internet of Things (IoT) devices. Using automatically generated “Digital Twins” and “Software Bill of Materials (SBOM)” of devices, ONEKEY autonomously analyzes firmware for critical security vulnerabilities and compliance violations, all without source code, device, or network access. Vulnerabilities for attacks and security risks are identified in the shortest possible time and can thus be specifically remedied. Easily integrated into software development and procurement processes, the solution enables manufacturers, distributors, and users of IoT technology to check security and compliance quickly and automatically before use and 24/7 throughout the product lifecycle. Leading companies such as SWISSCOM, VERBUND AG and ZYXEL are using this platform today – universities and research institutions can use the ONEKEY platform for study purposes free of charge.

CONTACT:

Sara Fortmann

Marketing Manager

sara.fortmann@onekey.com

euromarcom public relations GmbH

+49 611 973 150

team@euromarcom.de
