Security vulnerabilities in your home router have been the story for years, with the responsibility being placed at the feet of users to keep their router firmware updated. But a damning report by Fraunhofer says that router manufacturers themselves have taken years to issue patches, with potentially dozens of critical vulnerabilities lurking within older routers.

The June report by Fraunhofer-Institut fur Kommunikation (FKIE) extracted firmware images from routers made by Asus, AVM, D-Link, Linksys, Netgear, TP-Link, and Zyxel—127 in all. The report (as noted by ZDNet) compared the firmware images to known vulnerabilities and exploit mitigation techniques, so that even if a vulnerability was exposed, the design of the router could mitigate it.

No matter how you slice it, Fraunhofer’s study pointed out basic lapses in security across several aspects. At the most basic level, 46 routers didn’t receive any updates at all in the last year. Many used outdated Linux kernels with their own, known vulnerabilities. Fifty routers used hard-coded credentials, where a known username and password was encoded into the router as a default credential that asked the user to change it—but would still be there, accessible, if they did not.

FKIE could not find a single router without flaws. Nor could the institute name a single router vendor that avoided the security issues.

“AVM does [a] better job than the other vendors regarding most aspects,” the report concluded. “Asus and Netgear do a better job in some aspects than D-Link, Linksys, TP-Link, and Zyxel.” We contacted Belkin (Linksys) and D-Link, two vendors named in the report, for comment, but didn’t hear back by press time.

“In conclusion the update policy of router vendors is far behind the standards as we know it from desktop or server operating systems,” FKIE said elsewhere in the report. “However, routers are exposed to the internet 24 hours a day leading to an even higher risk of malware infection.”

Fraunhofer broke down how router vendors have fallen short into several categories.

Days since the last firmware release: Although 81 routers were updated in the last 365 days before the FKIE gathered its results (March 27, 2019 to Match 27, 2020) the average number of days to the prior update, across all devices, was 378. FKIE said 27 of the devices had not been updated within two years, with the absolute worst stretching to 1,969 days—more then five years.


We're not around right now. But you can send us an email and we'll get back to you, asap.


Log in with your credentials

Forgot your details?