Nine WiFi Routers Used by Millions Were Vulnerable to 226 Flaws

“Security researchers analyzed nine popular WiFi routers and found a total of 226 potential vulnerabilities in them,” reports Bleeping Computer, “even when running the latest firmware.”
Slashdot reader joshuark shared their report:
The tested routers are made by Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology, and Linksys, and are used by millions of people… Researchers at IoT Inspector carried out the security tests in collaboration with CHIP magazine, focusing on models used mainly by small firms and home users. “For Chip’s router evaluation, vendors provided them with current models, which were upgraded to the latest firmware version,” Florian Lukavsky, CTO & Founder at IoT Inspector, told BleepingComputer via email. “The firmware versions were automatically analyzed by IoT Inspector and checked for more than 5,000 CVEs and other security issues….”

While not all flaws carried the same risk, the team found some common problems that affected most of the tested models:

– Outdated Linux kernel in the firmware
– Outdated multimedia and VPN functions
– Over-reliance on older versions of BusyBox
– Use of weak default passwords like “admin”
– Presence of hardcoded credentials in plain text form….

All of the affected manufacturers responded to the researchers’ findings and released firmware patches.

The researchers demonstrated one exploit they found on one of the routers that extracted the AES key used for the firmware encryption, letting malicious firmware image updates pass verification checks on the device — and thus potentially planting malware on the router.

jd (Slashdot reader #1,658) shares another perspective on the same study from Security Week: Not all of the identified weaknesses are considered real security flaws, and for some bugs it is unclear whether exploitation is even possible. However, many of the identified vulnerabilities (ranging from 2 in AVM devices to nearly a dozen in other routers) were classified as high- and medium-severity.