Wireless routers are the most often attacked and exploited type of IoT device. They are also one of the rare IoT devices that most of us can’t do without. We need them to be as secure as can be, but unfortunately most of them are not.
The non-profit American Consumer Institute Center for Citizen Research (ACI) has tested the latest available versions of the firmware of 186 Wi-Fi routers present in the U.S. market, and found that 155 (83%) of them contain known open source vulnerabilities.
The tested firmware is for devices by TP-Link, Asus, AVM, Belkin, Cerio, D-Link, HPE, Linksys, NETGEAR, Sierra Wireless, TRENDnet, Ubiquiti Networks, Yamaha and Zyxel.
The findings
While most of the vulnerabilities within the sample are considered medium risk, 28% of them are high-risk and critical.
“Our analysis shows that, on average, routers contained 12 critical vulnerabilities and 36 high-risk vulnerabilities, across the entire sample,” API noted.
“High-risk vulnerabilities require very little knowledge or skill to exploit, but, unlike critical-risk vulnerabilities, they will not entirely compromise the system. The potential damage remains a concern, as exploited high-risk vulnerabilities can partially damage the system and cause information disclosure.”
The reason for this egregious number of open source vulnerabilities is because router manufacturers often use open source components in the firmware, but fail to keep the firmware updated as fixes become available.
“Fixing vulnerabilities lies partly in the hands of consumers who must do their homework and install firmware (software) updates,” ACI noted, but pointed out that manufacturers often do not provide user-friendly ways for consumers to update firmware or may even view building security protocols into their devices.
“Sometimes accessing firmware updates requires consumers to have registered their products with the manufacturers, while other times these updates are not readily available online, and still other times somewhat older routers are not supported at all. This means that even consumers who try to update their router firmware might download outdated code that is all but useless against critical vulnerabilities discovered since its sale,” they added.
Providing automated updating is one way manufacturers can make sure devices’ firmware is up-to-date, but for that to have an effect, newer versions of the firmware must be released often and known vulnerabilities must be fixed quickly.
“Keeping firmware patched for known online threats may be an expense for manufacturers, but not doing so leaves consumers to collectively bear the burden of potentially much higher costs from cybercrime,” ACI concluded.
from Help Net Security https://ift.tt/2y7CbgQ
No comments:
Post a Comment