The results were not encouraging. Time and again, firmware from commonly used manufacturers failed to implement basic security features even when researchers studied the most recent versions of the firmware. For example: firmware for the ASUS RT-AC55U wifi router did not employ ASLR or stack guards to protect against buffer overflow attacks. Nor did it employ a non-executable stack to protect against “stack smashing,” another variety of overflow attack. CITL found the same was true of firmware for Ubiquiti’s UAP AC PRO wireless access points, as well as DLink’s DWL-6600 access point. Router firmware by vendors like Linksys and NETGEAR performed only slightly better on CITL’s assessment.CITL researchers also “found no clear progress in any protection category over time,” reports The Security Ledger. “Researchers documented 299 positive changes in firmware security scores over the 15 years covered by the study… but 370 negative changes over the same period. Looking across its entire data set, in fact, firmware security actually appeared to get worse over time, not better.”
On the bright side, the survey found that almost all recent router firmware by Linksys and NETGEAR boasted non-executable stacks. “However, those same firmware binaries did not employ other common security features like ASLR or stack guards, or did so only rarely,” says the report.