Study: Most Home Routers Have Unpatched Vulnerabilities

A study performed by the non-profit American Consumer Institute (ACI) Center for Citizen Research revealed that the majority of home routers have tens of known vulnerabilities.

For its research, the ACI used a scanner called Insignary Clarity, which can identify vulnerabilities in binary files, to analyze the firmware of 186 Wi-Fi routers from 14 different manufacturers that are available on the U.S. market.

The scans found flaws in 155 of the tested routers—83 percent of those sampled—and the average number of vulnerabilities identified per device was 186. In total, the scans found 32,003 known vulnerabilities across the tested devices.

The real-world numbers are probably higher, because the study only looked at the latest available firmware versions for the tested devices. It’s well-known that users rarely update their router firmware and most routers don’t have firmware auto-update mechanisms. This means that many devices in the wild are also vulnerable to bugs that manufacturers have provided fixes for, but which users haven’t yet patched.

The ACI’s research showed that in many cases the same vulnerability occurs multiple times in different components of a device, providing multiple opportunities for exploitation. On average, the tested routers contained 12 critical vulnerabilities, 36 high-risk vulnerabilities and 103 medium-risk flaws across the entire sample.

“The FBI’s warning that Russian computer hackers had compromised hundreds of thousands of home and office routers highlighted the potential danger of open source routers, but the warning may have gone largely unnoticed by most consumers,” the ACI concluded. “In addition, as this ConsumerGram shows, Wi-Fi router manufacturers are neglecting to update their firmware for known vulnerabilities, and the problem is likely more pervasive for other IoT devices. When these security lapses occur, firmware can be fairly easily exploited by hackers with nefarious intentions.”

The number of attacks and botnets that target internet of things (IoT) devices has grown significantly over the past few years and, according to Symantec’s “2018 Internet Security Threat Report,” routers account for one-third of exploited embedded devices that are connected to the internet.

Compromised routers provide hackers with a foothold inside local networks, allowing them to target the growing number of network-enabled devices that people install in their homes such as cameras, TVs, door locks, sensors, light bulbs, power outlets and more. Attackers also can use hijacked routers to redirect users to phishing pages, as we’ve recently seen in the GhostDNS campaign.

“Each of the 32,003 vulnerabilities identified in this report put consumers, our infrastructure, and our economy at risk,” according to the ACI. “If this growing threat is to be countered effectively, manufacturers must commit more resources to identify and mitigate open source vulnerabilities on their devices and consumers must remain vigilant for potential threats that could compromise their personal data. With the IoT market expanding quickly for both residential and industrial applications, the need to secure firmware cannot be overstated.”

Git Receives a Fix for Remote Code Execution Vulnerability

A new version of the Git version control system resolves a serious vulnerability that could allow specially crafted code repositories to execute arbitrary code on client computers when being cloned.

Like a similar vulnerability patched in May, the new flaw, which is tracked as CVE-2018-17456, can be exploited through the inclusion of a malicious .gitmodules file in a repository. This is a type of file that defines repository submodules.

“When running ‘git clone –recurse-submodules’, Git parses the supplied .gitmodules file for a URL field and blindly passes it as an argument to a ‘git clone’ subprocess,” the Git developers said in an advisory. “If the URL field is set to a string that begins with a dash, this ‘git clone’ subprocess interprets the URL as an option. This can lead to executing an arbitrary script shipped in the superproject as the user who ran ‘git clone’.”

Git is an open source version control system that was originally created for Linux kernel development, but which has since become a popular tool for a large number of developers and companies around the world. The software is also used by various web-based collaborative code hosting services including GitHub, GitLab and Microsoft’s Visual Studio Team Services.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin