Even the Highly rated Wi-Fi routers available in the market with latest firmware can be interrogated with security flaws, researchers of IoT-Inspector and German tech magazine CHIP has found. They looked at nine models on CHIP’s best routers list.
The flaws included multimedia and VPN software known to be vulnerable, outdated versions of the Linux kernel, outdated software such as the BusyBox Linux distribution often used in routers, hardcoded administrative passwords and default administrative passwords that were too simple or widely known.
In total, 226 known software vulnerabilities were found across all nine Wi-Fi router models, which IoT-Inspector and CHIP reported to the router makers. Except for AVM, all the manufacturers responded positively and have issued, or will soon be issuing, firmware updates to fix at least some of the high-risk and medium-risk flaws.
The Wi-Fi routers examined were:
- Asus ROG Rapture GT-AX110000: 15 serious (high- or medium-risk) flaws
- AVM FritxBox 7530 AX: 9 serious flaws
- AVM FritxBox 7590 AX: 7 serious flaws
- D-Link DIR-X5460: 13 serious flaws
- Edimax BR-6473AX: 16 serious flaws
- Linksys Velop MR9600: 19 serious flaws
- Netgear Nighthawk AX12 (RAX120): 16 serious flaws
- Synology RT-2600ac: 19 serious flaws
- TP-Link Archer AX6000: 22 serious flaws
The Asus, D-Link, Netgear and TP-Link models are high-end gaming routers, while the AVM FritzBoxes are gateway combination modem/routers widely used in German-speaking countries.
All or most of these routers are recent and should support automatic firmware updates. The flaws reported by this latest report won’t be the last found in your router model, automatic updates to be kept On always
Analysing the firmware for vulnerabilities is an easy known method, when comparing with interrogating the hardware itself. Such static analysis has its flaws, though. Even CHIP acknowledged that a known vulnerability in the firmware is not always something that can be exploited it’s possible that the router maker has mitigated the flaw by some other means.
Running an older Linux kernel doesn’t necessarily mean more vulnerabilities, although CHIP argued that it’s strongly correlated with the presence of other firmware flaws. The most recent stable Linux kernel is 5.15, but Android 11 and Android 12 run Linux kernels as far back as 4.14 and there are tens of thousands of servers worldwide happily and safely running Linux with even older kernels.
AVM was the only router maker to respond negatively to the report of vulnerabilities. The company, which has a reputation for quickly fixing security flaws, questioned the static code analysis, telling CHIP that such methods generate too many false positives and that old Linux kernels don’t always result in security flaws.