Date: 2021-12-06

Despite having up-to-date firmware, nine popular Wi-Fi routers likely used by millions worldwide contained more than 200 security flaws.

That is according to recent security tests carried out by IoT Inspector in collaboration with German tech magazine Chip.

The models analysed in these tests were primarily used by small businesses and homes and included Asus, D-Link, Linksys, Netgear, and Synology units.

“For Chip’s router evaluation, vendors provided them with current models, which were upgraded to the latest firmware version,” IoT Inspector chief technology officer and founder Florian Lukavsky explained to Bleeping Computer.

“The firmware versions were automatically analysed by IoT Inspector and checked for more than 5,000 CVEs [Common Vulnerabilities and Exposures] and other security issues,” Lukavsky said.

Across the tested routers, IoT Inspector identified a total of 226 security flaws, ranging in severity from “low risk” to “high risk”.

Among the common problems that affected most of the tested models were:

Outdated Linux kernel in the firmware

Outdated multimedia and VPN functions

Over-reliance on older versions of BusyBox

Use of weak default passwords like “admin”

Presence of hardcoded credentials in plain text form

The router with the most vulnerabilities was the TP-Link Archer AX6000, which had 32 issues, of which 11 were “high risk”.

The table below summarises the number of vulnerabilities detected in each router, what firmware they were running when tested, and how manufacturers reacted when Chip informed them of the issues.

Chip advised the implicated manufacturers of the problems. Most addressed the high and medium risk problems and claimed they rolled out patches to fix them.

However, the magazine said it did not do follow-up tests to confirm these claims.

IoT Inspector CEO Jan Wendenburg advised that one of the most essential steps Internet users can take to protect themselves from attacks is to change the default password immediately when first configuring a new router.

“Changing passwords on first use and enabling the automatic update function must be standard practice on all IoT devices, whether the device is used at home or in a corporate network,” said Wendenburg.

“The greatest danger, besides vulnerabilities introduced by manufacturers, is using an IoT device according to the motto ‘plug, play and forget’.”

