2 December 2021, Bad Homburg – Nine well-known Wi-Fi routers were recently put through a rigorous security test in a lab setting, with shocking results for the world of IT security: a total of 226 potential security flaws were discovered in devices from Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology, and Linksys, models that are in use by the millions. The front-runners were the TP-Link Archer AX6000 with 32 vulnerabilities and the Synology RT-2600ac with 30. The test was carried out by the editors of the German IT magazine CHIP in collaboration with IoT Inspector experts, who made their security platform for automated IoT firmware checks available for this purpose. “The test for secure small business and household routers well exceeded all expectations.” Not every vulnerability is equally dangerous. “However, all devices indicated serious security weaknesses at the time of the test, which might make a hacker’s life considerably simpler,” says Florian Lukavsky, CTO of IoT Inspector.
Manufacturers and policymakers have both responded.
The test team contacted all of the affected manufacturers and gave them the opportunity to reply. All responded, some more actively than others, with firmware fixes; owners of affected routers should install them immediately if the automatic update mechanism has not already been activated. “The impacted manufacturers have already patched a lot of security flaws in their devices as a result of our examination.” Wi-Fi routers are still not without flaws, however. “Manufacturers still have a lot of catching up to do,” says Jörg Geiger, author of the CHIP test.
At the same time, the new German government’s coalition agreement states that producers will be held to a higher standard of accountability in the future. “Manufacturers are accountable for damage caused recklessly by IT security flaws in their products,” it says. This puts even more pressure on the industry to maintain product security in order to prevent massive liability claims. The firmware security checks in IoT Inspector automate this crucial step in the process. All that is required is for a device’s firmware to be uploaded to iot-inspector.com. The software delivers a complete report and risk rating for the discovered vulnerabilities in minutes, allowing them to be handled in a targeted manner.
All manufacturers have their own challenges.
Several security flaws were found repeatedly across devices. An outdated operating system kernel, typically the Linux kernel, is frequently used. No manufacturer was up to date in this area because integrating a new kernel into the firmware is expensive. The device software, which all too often relies on standard tools like BusyBox, is also frequently found to be outdated. Other device functions, such as multimedia and VPN, are outdated as well. Many manufacturers, in fact, employ default passwords like “admin,” which in many cases can be read in plain text. “On all IoT devices, whether used at home or in a corporate network, changing passwords on first use and setting the automatic update mechanism should be common practice.”
“Apart from vulnerabilities introduced by manufacturers, the greatest hazard is utilising an IoT device with the motto ‘plug, play, and forget’,” cautions IoT Inspector’s CEO Jan Wendenburg.