


Your expensive Wi-Fi router probably has security flaws — here's what to do


TP-Link Archer AX6000 review
(Image credit: Tom's Guide)

Even the most highly-rated Wi-Fi routers with up-to-date firmware can be riddled with security flaws, an analysis by German security researchers IoT-Inspector and German tech mag CHIP has found.

The researchers looked at nine models on CHIP's "best routers" list: two FritzBoxes from German router-maker AVM, plus one each from Asus, D-Link, Edimax, Linksys, Netgear, Synology and TP-Link. (Two are also on the Tom's Guide list of best Wi-Fi routers.) The Synology and TP-Link had the most vulnerabilities, with 30 and 32 each, although some of those flaws were classified as low-risk.

"The test[s] negatively exceeded all expectations for secure small business and home routers," said IoT-Inspector CEO Florian Lukavsky in a blog post. "Not all vulnerabilities are equally critical — but at the time of the test, all devices showed significant security vulnerabilities that could make a hacker's life much easier."

According to CHIP's report (in German), the flaws included multimedia and VPN software known to be vulnerable, outdated versions of the Linux kernel, outdated software such as the BusyBox Linux distribution often used in routers, hardcoded administrative passwords and default administrative passwords that were too simple or widely known.

In all, 226 known software vulnerabilities were found across all nine Wi-Fi router models, which IoT-Inspector and CHIP reported to the router makers. Except for AVM, all the manufacturers responded positively and have issued, or will soon be issuing, firmware updates to fix at least some of the high-risk and medium-risk flaws.

This story was earlier reported by Bleeping Computer.

Which Wi-Fi routers to update, and how

Because router makers use similar firmware for most of their current models, you'll want to update your firmware if you own any recent router from one of the brands named below, even if yours isn't exactly the same model. (In fact, Netgear patched 35 different models earlier this week, although that was for unrelated security issues.)

The Wi-Fi routers examined were:

  • Asus ROG Rapture GT-AX11000: 15 serious (high- or medium-risk) flaws
  • AVM FritzBox 7530 AX: 9 serious flaws
  • AVM FritzBox 7590 AX: 7 serious flaws
  • D-Link DIR-X5460: 13 serious flaws
  • Edimax BR-6473AX: 16 serious flaws
  • Linksys Velop MR9600: 19 serious flaws
  • Netgear Nighthawk AX12 (RAX120): 16 serious flaws
  • Synology RT-2600ac: 19 serious flaws
  • TP-Link Archer AX6000: 22 serious flaws

The Asus, D-Link, Netgear and TP-Link models are high-end gaming routers, while the AVM FritzBoxes are gateway combination modem/routers widely used in German-speaking countries.

In each case, the most recent firmware available at the time was tested by IoT-Inspector. Tom's Guide reviewed three of these routers and gave the Asus 4.5/5 stars, the TP-Link 4/5 stars and the Linksys 3.5/5 stars.

All or most of these routers are recent and expensive enough that they should support automatic firmware updates. If you own one of these models, or something similar from each brand, go into your router's administrative interface and make sure that automatic updates are enabled. (Older and cheaper models are certainly not immune to security flaws, however.)

The flaws reported by this latest report won't be the last found in your router model, so best just leave automatic updates on.

If automatic updates are not available or you'd rather not enable them, then use the admin interface to check for new updates and install them from the interface. Every decent router made in the past few years should be able to let you do that.

What to do about older Wi-Fi routers

Things get dicier with older Wi-Fi routers. You may have to go to the manufacturer's website and search the support pages for firmware updates, download the update to your PC or Mac (or Linux box) and load the update onto the router manually via an Ethernet cable. It's straightforward once you get used to it.

In any case, if your router is more than 5 years old, you'll want to check the manufacturer's website to see if it's still getting firmware updates at all. If not, then it's time to get a new router — or if you're technically inclined, to "flash" it with open-source router firmware such as DD-WRT, OpenWRT or Tomato.

If your Wi-Fi router is more than 10 years old, it's probably not getting any more support and you'll definitely want to retire it or flash it with open-source firmware.

And as always, with all routers, the first thing you'll want to do is to change the default administrative password. That's the easiest way that a hacker can attack your router.

Once you're in the administrative interface, you'll want to disable remote access so no one can operate it from outside your network, and also disable the convenient but needlessly unsafe Universal Plug and Play (UPnP) and Wi-Fi Protected Setup (WPS) features if your router has them.

But are all these Wi-Fi routers really unsafe?

There is still the question of how serious these perceived flaws are, however. Physically testing any router for security flaws is time-consuming and expensive, and each major router maker has more than a dozen models in production at any given time, each of which gets unique firmware updates periodically.

So to save time, money and their own sanity, security researchers often just analyze a router's firmware, or operating system, instead of the router itself. Even that takes a long time, so the process can be automated.

IoT-Inspector, for example, is both the name of the research firm and the firm's proprietary computer program. The program, noted CHIP, can run through a router's firmware in 15 minutes and spit out a report of more than 300 pages on each model.

Such "static analysis" has its flaws, though. Even CHIP acknowledged that a known vulnerability in the firmware is not always something that can be exploited — it's possible that the router maker has mitigated the flaw by some other means.
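To make the static-analysis idea concrete, here is an added Python example (not from the original article, and not IoT-Inspector's program): it pulls Linux kernel and BusyBox version banners out of a firmware blob and flags accounts whose passwords ship inside the image. The banner patterns, function names, sample blob and sample shadow file are all constructed assumptions, and every result is reported as a lead to confirm rather than a proven flaw.

```python
import re

# Version banners for two components the article names. Assumed patterns,
# based on the usual "Linux version X" and "BusyBox vX" banner strings.
BANNERS = {
    "linux-kernel": re.compile(rb"Linux version (\d+\.\d+(?:\.\d+)?)"),
    "busybox": re.compile(rb"BusyBox v(\d+\.\d+(?:\.\d+)?)"),
}

def inventory(blob: bytes) -> dict:
    """Map each component to the sorted versions whose banner appears in blob."""
    found = {}
    for name, pattern in BANNERS.items():
        versions = {m.group(1).decode() for m in pattern.finditer(blob)}
        if versions:
            found[name] = sorted(
                versions, key=lambda v: [int(p) for p in v.split(".")])
    return found

def baked_in_accounts(shadow_text: str) -> list:
    """List (user, reason) for shadow entries that allow password login."""
    hits = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            hits.append((user, "empty password"))
        elif not pw.startswith(("!", "*")):  # "!" and "*" mark locked accounts
            hits.append((user, "password hash shipped in image"))
    return hits

def leads(blob: bytes, shadow_text: str) -> list:
    """Findings as leads: a banner match does not prove an exploitable flaw."""
    out = [f"{c} {v}: compare with vendor advisories (unconfirmed)"
           for c, vs in inventory(blob).items() for v in vs]
    out += [f"account '{u}': {why}" for u, why in baked_in_accounts(shadow_text)]
    return out

# Constructed sample input, not taken from any real router image.
SAMPLE_BLOB = (b"\x7fELF\x00Linux version 4.4.60 (build@example) #1 SMP\x00"
               b"\x00BusyBox v1.24.1 (2019-01-01) multi-call binary.\x00")
SAMPLE_SHADOW = ("root:$1$EXAMPLE$constructedhashplaceholder:0:0:99999:7:::\n"
                 "admin::0:0:99999:7:::\n"
                 "nobody:*:0:0:99999:7:::\n"
                 "daemon:!:0:0:99999:7:::\n")

if __name__ == "__main__":
    for lead in leads(SAMPLE_BLOB, SAMPLE_SHADOW):
        print(lead)
```

A version banner only says which code base the vendor started from; fixes backported by the vendor do not change it, which is why each version match is marked unconfirmed.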

Also, running an older Linux kernel doesn't necessarily mean more vulnerabilities, although CHIP argued that it's strongly correlated with the presence of other firmware flaws.

The most recent stable Linux kernel is 5.15, but Android 11 and Android 12 run Linux kernels as far back as 4.14 and there are tens of thousands of servers worldwide happily and (presumably) safely running Linux with even older kernels.

As noted above, AVM was the only router maker to respond negatively to the report of vulnerabilities. The company, which has a reputation for quickly fixing security flaws, questioned the static code analysis, telling CHIP that such methods generate too many false positives and that old Linux kernels don't always result in security flaws.

"The age of the kernel doesn't matter," AVM told CHIP in German, "but rather whether the kernel contains vulnerabilities that are relevant to the core operation of the router."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/router-flaws-firmware-analysis
