Research: Almost all home routers have outdated software

German security researchers conclude that virtually all home routers they have studied are not up to date. The researchers looked at 127 routers and found outdated software, missing security patches and simple security flaws everywhere.

The research was conducted by the German Fraunhofer Institute for Communication, Information Processing and Ergonomics. The researchers looked at 127 routers from well-known brands, such as Asus, Zyxel and TP-Link, that were intended for home use. This explicitly concerned routers supplied by OEMs; routers where providers place their own firmware are not covered.

The researchers conclude that none of the 127 routers is really well secured. The problems are different. In many cases, these are security updates that are not implemented, but sometimes also known vulnerabilities. The researchers found that 46 routers had not had a security update in more than a year. In 22 cases this was even more than two years. In fact, a router hadn’t received updates for five years.

In some cases, security updates were made, but they did not fix all vulnerabilities. According to the researchers, more than ninety percent of routers also use Linux-based firmware, but their kernel was not updated, so that vulnerabilities still remain in the routers. The majority of devices are still running on kernel version 2.6, which has not been updated for years.

Other issues include default passwords that are easy to guess or crack, and private keys that are hard-coded into the firmware. The researchers conclude that in most cases, AVM is the best at implementing security solutions. Asus and Netgear are slightly less good at that, but “in some cases better than D-Link, Linksys, TP-Link and Zyxel,” the researchers write.

Update: added that it is only for oem routers and not for isp routers with custom firmware.