Lack of basic security features in 28 popular routers points to industry-wide failure, researchers say
Many popular wireless routers perform very poorly with regard to known, basic safety features, and there is little consistency in security practices even among models of the same brand, according to a new study.
The Cyber Independent Testing Lab (Cyber-ITL) analyzed 28 routers and access points from different vendors and found “a significant lack of basic security and safety hygiene.”
Security hardening features like DEP (Data Execution Prevention), ASLR (Address Space Layout Randomization), RELRO (RELocation Read-Only), and others were missing, to varying degrees, in all 28 routers.
“The absence of these security features is inexcusable,” said Parker Thompson and Sarah Zatko, the researchers behind the study. “The features discussed in this report are easy to adopt, come with no downsides, and are standard practices in other market segments (such as desktop and mobile software),” the duo added.
Notably, the Linksys WRT32X scored highest, with 100% DEP coverage, 95% RELRO coverage, 82% stack guard coverage, and a much lower 4% ASLR coverage. However, most other routers didn’t even come close to these numbers. The paper (PDF) lists all 28 routers with their specific scores.
“The router with the highest usage of ASLR across binaries was the Linksys e2500 from the first group, with a still extremely poor 9% ASLR. Given that ASLR is an easy safety hygiene feature to accomplish for binary applications, this is a major industry-wide security lapse,” the researchers added.
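As an added illustration (not code from the article, the paper or Cyber-ITL, and not their methodology), the sketch below shows how per-binary coverage percentages for DEP, ASLR, RELRO and stack guards can be derived from ELF headers in an unpacked firmware image. The function names and the two sample binaries are constructed for this example; the checks are common heuristics (a non-executable `PT_GNU_STACK`, an `ET_DYN` file type, a `PT_GNU_RELRO` segment, a `__stack_chk_fail` reference).

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO, PF_X, ET_DYN = 0x6474E551, 0x6474E552, 0x1, 3

def hardening(elf: bytes) -> dict:
    """Report DEP / ASLR-readiness / RELRO / stack-guard hints for one ELF image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if elf[5] == 1 else ">"     # EI_DATA: router SoCs are often big-endian
    e_type = struct.unpack_from(end + "H", elf, 16)[0]
    if is64:
        e_phoff = struct.unpack_from(end + "Q", elf, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", elf, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 42)
    segs = {}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(end + "I", elf, off)[0]
        # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32
        p_flags = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))[0]
        segs[p_type] = p_flags
    return {
        # a missing PT_GNU_STACK is counted as "no DEP" (conservative assumption)
        "dep": PT_GNU_STACK in segs and not segs[PT_GNU_STACK] & PF_X,
        "aslr": e_type == ET_DYN,         # PIE heuristic; shared objects also match
        "relro": PT_GNU_RELRO in segs,    # presence only, not full vs. partial
        "stack_guard": b"__stack_chk_fail" in elf,
    }

def coverage(images) -> dict:
    """Percent of binaries showing each feature across one firmware image."""
    reports = [hardening(b) for b in images]
    return {k: round(100 * sum(r[k] for r in reports) / len(reports)) for k in reports[0]}

def make_elf32_be(e_type, segments) -> bytes:
    """Constructed 32-bit big-endian ELF: header plus program headers, no code."""
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)
    hdr = ident + struct.pack(">HHIIIIIHHHHHH", e_type, 8, 1, 0, 52, 0, 0,
                              52, 32, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack(">IIIIIIII", t, 0, 0, 0, 0, 0, f, 4) for t, f in segments)
    return hdr + phdrs

# Constructed samples: one unhardened executable, one hardened PIE
WEAK = make_elf32_be(2, [(PT_GNU_STACK, 0x7)])
HARD = make_elf32_be(3, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)]) + b"__stack_chk_fail\0"
print(coverage([WEAK, HARD]))
```

On a real firmware image, pass the bytes of every ELF file found in the extracted root filesystem to `coverage`.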