Home and home-office internet routers have become a major point of failure for privacy and digital security. Routers are more vulnerable than other devices mostly because they function as the front door to the internet: everything comes in and goes out through them. But according to a recent study of 127 router models, the level of security is like having no door at all, much less a lock and key.
Home Router Security Report 2020
The report we're referencing is a white paper by the German firm Fraunhofer Institute for Communication, published in June 2020. The analysis covers 127 router models intended primarily for personal use: homes, home offices, professional practices, and in many cases, small businesses.
Router vendors analyzed in the study include:
The report's conclusions speak for themselves:
"Our results are alarming.
There is no router without flaws. 46 of the routers did not get any security update within the last year.
Many routers are affected by hundreds of known vulnerabilities. Even if the router got recent updates, many of these known vulnerabilities were not fixed.
Some routers have hackable or even well known passwords that cannot be changed by the user."
From the executive summary by P. Weidenbach and J v.Dorp, June 2020
What Makes Internet Routers Unsafe?
First, routers are more vulnerable to cyber risk than other internet devices for the following reasons:
- Routers connect directly to the internet.
- They're always on and connected 24/7.
- And the value of the information the router manages has increased since Covid-19.
According to the report, the security problems with personal routers go well beyond the list above and are systemic to the industry. The most significant drivers are:
- Most routers run on a very old version of Linux that has 233 known security vulnerabilities.
- On average, each router contains 26 critically rated security vulnerabilities.
- Most routers come with easily hackable passwords, a published password, or no password at all.
In his conclusion from reading the report, security guru Bruce Schneier says:
"We know the reasons for this.
Most routers are designed offshore, by third parties, and then private labeled and sold by the vendors you’ve heard of.
Engineering teams come together, design and build the router, and then disperse. There’s often no one around to write patches, and most of the time router firmware isn’t even patchable.
The way to update your home router is to throw it away and buy a new one."
How to Privatize Your Home Router for Privacy and Cybersecurity