[WOW] 32,003 Router Vulnerabilities Found

Category: Security

A nonprofit consumer advocacy group looked at 186 SOHO (small office/home office) WiFi routers from 14 U.S. vendors and found 83% of them were running outdated firmware whose vulnerabilities are public knowledge, leaving the routers and their users vulnerable to hacking attacks. Is yours on the hit list? Here's what you need to know...

New Study: 5 out of 6 Consumer Routers Are Inadequately Secured

The American Consumer Institute (ACI) compared each router’s firmware version to public databases of known vulnerabilities. “In total, there was a staggering number of 32,003 known vulnerabilities found in the sample,” ACI reported in its end-of-September publication.

Of the 186 routers studied, 155 of them (83%) were vulnerable to known exploits. The analysis revealed “an average 186 vulnerabilities per router for the identified routers,” the ACI analysts reported. Wow, that's a lot of attack vectors -- so how bad is it really?

More than one-quarter of the 32,003 vulnerabilities are deemed “critical” or “high risk,” meaning they can be exploited to give an attacker complete access to all devices served by a router, as well as giving the attacker complete control over the router itself.

32,003 router vulnerabilities discovered

Open-source software libraries were identified as one of the major sources of vulnerabilities. In their endless quest to reduce costs, vendors use and reuse open-source software that may be old and weakly supported, if at all. Vulnerabilities in these open-source components are cumulative, leading to the staggeringly high numbers of vulnerabilities per router firmware package studied.

The industry-wide dearth of automatic updates is another source of firmware vulnerability, the study’s authors found. Router firmware seldom gets updated until a major security breach is reported. Even then, relying on laypersons to manually download and install firmware updates ensures that many critical updates are not widely installed.

Most people are justifiably afraid of “bricking” their routers by attempting to update the firmware. (Bricking is a tech term that means "rendered useless." ) Vendors do little to alleviate this fear by providing software or human guidance through the often tricky process of updating a firmware package. Some vendors even discourage users from updating firmware even when the vendor knows, or should know that a critical vulnerability exists.

Part of the problem is that many consumers don't buy their own routers. They are provided by Internet Service Providers, who have an interest in keeping costs down. In my article [HOWTO] Protect Your Router Now, I give tips on how to spot a poorly secured router, and several steps you can take to tighten up its defenses.

Self-Updating Routers to the Rescue

A single compromised router can become a weapon of mass destruction in the hands of hackers. It can deliver millions of spam emails, spread malware like wildfire, and infect every other vulnerable router through which its traffic passes. Multiply that dreadful vision by a few million vulnerable routers and you may not sleep very well tonight.

"Keeping firmware patched for known online threats may be an expense for manufacturers, but not doing so leaves consumers to collectively bear the burden of potentially much higher costs from cybercrime," ACI experts said.

The best you can do is remember, when you next buy a router, to insist on one that automatically updates its firmware. Self-updating routers will become the industry norm, but that may take several years as low-end vendors continue to save money at the expense of every user who buys or connects to one of their vulnerable routers. Only by refusing to buy routers that don’t self-update can consumers and businesses force the vendors to spend the money necessary to make them self-updating.

If you want to replace your router with a top-notch auto-updating model, see my article Does Your Router Auto-Update? (it should...).

Your thoughts on this topic are welcome. Post your comment or question below...

 
Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Email:

Check out other articles in this category:



Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 5 Oct 2018


For Fun: Buy Bob a Snickers.

Prev Article:
Grab October Windows 10 Update Now Or Wait?

The Top Twenty
Next Article:
[FAKE] When Your Friend is Not Your Friend

Most recent comments on "[WOW] 32,003 Router Vulnerabilities Found"

Posted by:

Sarah L
05 Oct 2018

Now I have a gateway device from AT&T, combining the functions of modem and router, for my high speed broadband connection. I have no idea if it is self updating. How would I learn that?


Posted by:

Bob K
05 Oct 2018

You start off with " Is yours on the hit list?".

OK, how do I find out? Got a link to a list of the routers that should be suspect?

As far as updates, I take a very careful approach. One router I have, I updated the firmware after I had it 13 months. That essentially broke it. The manufacturer wanted almost half of what I had paid for it to tell me simply if I could roll back the firmware. Instead I updated to a different brand. A recent update to it now requires a reboot every few days to keep my internet connection up.

Maybe one of the aftermarket firmwares is the way I should go.


Posted by:

Brian
05 Oct 2018

@Bob
If GM or Ford sold cars with 32,003 known vulnerabilities, all in the name of reducing costs, I don't think that would "leave consumers to collectively bear the burden" of horrific law suits when the brakes fail, or the steering, or if the accelerator sticks full open.

BTW, it would have been handy to see a list of this junk being sold to us.


Posted by:

Turboprop Ted
05 Oct 2018

Here's where you can find the report:

http://www.theamericanconsumer.org/wp-content/uploads/2018/09/FINAL-Wi-Fi-Router-Vulnerabilities.pdf

The list is at the end of the PDF.


Posted by:

Jeannie
05 Oct 2018

While self updating routers would be a benefit for most people since they wouldn't know when or how to update a router, there is no way I would want a router that self updated unless I could turn that dubious "feature" off.

Updates aren't always perfect. It's not uncommon for updates for anything, hardware and software, to be buggy or flat broken (I'm talking to you, MS!) so I prefer to wait a week or two before deciding to download and install an update (waiting allows time for bug reports to start surfacing), then choose when I will download and install the update rather than having it foisted upon me whether I want it or not and at an inconvenient time.

What is needed is for router manufactures to develop easier ways to for users to manually update their routers, then send out reminders saying a new update is available without a link to direct people to the update (not providing an update link would help make it harder to entrap the unwary with spoofed update emails).

I recently received an email from Netgear saying there was a new update available. I went to Netgear's website (directly, not via the link in the email), got the number of the latest version, then checked inside my router. The version I had was the one I updated to several months ago. While I'm reasonably confident the email I received was actually from Netgear, I can't help but wonder why they sent it, saying my router needed updating?


Posted by:

Bob k
05 Oct 2018

Thank you, Turboprop Ted!

The router I am using is listed. My "retired" router is not. But, this list is for the routers they investigated -- and not all (but most) have weak spots. So, I still don't know if the current router is OK, or if the one I set aside is.

There is a firmware update for both routers, but I run with extensive configuration changes. And they say I will probably lose those with an update.

Maybe it's time to update the spare first, swap that in, and see how it goes.


Posted by:

aa1234aa
05 Oct 2018

Bob, please don't scare your readers with such sensational, and mostly theoretical, claims of threats and impending doom. It's OK to provide information, but it needs to be put into the proper perspective, especially for your target audience. Look at it this way: The chances that YOUR router is going to be hit with one of these 32,003 vulnerabilities are astronomical (you can actually calculate that). But then, if YOUR router is targeted for a hack, you are out of luck no matter how much you update the firmware. I don't know who came up with the ridiculous number 32003, but I would add one more to that: With auto update routers the hacker now has one more (and very easy) method of getting into your router and network.


Posted by:

John T
05 Oct 2018

Well my Linksys E2500 routers last firmware update, V2 available is April of 2014. There is a V3 but it is not compatible with the V1 or V2 models. So is it then time for a new router?


Posted by:

Coco
05 Oct 2018

Here is the link every one is looking for: http://www.theamericanconsumer.org/wp-content/uploads/2018/09/FINAL-Wi-Fi-Router-Vulnerabilities.pdf

Thanks Bob for bringing this to our attention.

Coco


Posted by:

Bob Stromberg
05 Oct 2018

While your router might well need a firmware update to close one or more vulnerabilities, and that might be difficult to accomplish, there are also many, many steps to take to improve the security of routers, such as:

1) Making sure the WiFI password(s) are WPA2 or WPA3 (coming soon).
2) Changing the administrative user name and password.
3) Disabling remote administration. Clarify whether a remote app on a phone or tablet requires remote administration.
4) Limiting IoT devices to their own WiFi network (such as a guest network).
5) Making sure the SSIDs (network names) for all networks are nondescript (such as "Kitchen" or "Network1"), never your own name or the name of the make/model of the router itself.
6) Use a wired connection (Ethernet) if possible.
7) Turn the router off, and on, once in a while (maybe once a week).

There's plenty more information at routersecurity.org.

Second, the published report does not really explain their methodology. Keep it simple, make complexities manageable for home and business owners! Tell us how to assess known vulnerabilities for whatever router we happen to have, and give excellent security-oriented buying advice for a replacement.


Posted by:

Coco
05 Oct 2018

One other thing that hasn't been mentioned, is that even if your router is not on the list, it DOES NOT mean it is safe and not vulnerable, it just means it wasn't checked.

Bob S's comment is good advice to follow.

Coco


Posted by:

Lucy
05 Oct 2018

I too was unable to find a list of these vulnerable routers, so I decided to message the manufacturer of the one we own.

I just received their four paragraph response. I am familiar with and know the definition of every word in the response, but they are strung together in a way that makes no sense and most definitely did not answer my simple question.

They also linked me back to the page I started from, and from where I had originally written them with my question.

About as much use as a chocolate coffeepot. I still don't know if my router auto updates firmware, or if I can do it myself.


Posted by:

Lucy
05 Oct 2018

Thank you to the posters who added great information in the time it took me to formulate my own post.


Posted by:

gene
05 Oct 2018

I wish you'd, or someone, had said what happens if your router is secured with a password that would take 6 trillion years to crack. Yes, that's possible and not even difficult. I have Comcast, but only use their modem. I run that through a Linksys EA router which I replace every two years Smart WiFi which according to your link is okay, I already knew it was self-updating.


Posted by:

Bruce Fraser
06 Oct 2018

Great article, Bob, to create FUD (fear, uncertainty, doubt). You warn readers "Your router may be compromised!!!" but then fail to point us to the news source so we can look up our model.
Thanks to the alert people who did provide that necessary URL.


Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
RSS   Add to My Yahoo!   Feedburner Feed
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy -- See my profile on Google.


Article information: AskBobRankin -- [WOW] 32,003 Router Vulnerabilities Found (Posted: 5 Oct 2018)
Source: https://askbobrankin.com/wow_32003_router_vulnerabilities_found.html
Copyright © 2005 - Bob Rankin - All Rights Reserved