家用路由器被发现存在大量漏洞

 你正在使用的家用路由器非常有可能存在众多的安全隐患，需要尽可能快的更新固件，如果厂商有新固件释出的话。德国 Fraunhofer Institute for Communication 最近测试了 127 款家用路由器，其中 91% 运行了某个版本的嵌入式 Linux 系统。研究人员发现，没有一款路由器免于安全漏洞，其中许多款存在数以百计的安全问题。四分之一的路由器超过一年时间没有收到任何安全方面的更新，部分路由器没有收到更新的时间长达五年。研究人员称，部分路由器很容易被破解，或存在用户无法改变的已知硬编码密码。知名路由器厂商 D-Link、TP-Link 和 Linksys 在定期更新上远远落在后面，其中 Linksys 的一款路由器 WRT54GL 使用的是 2002 年释出的 Linux 内核版本 2.4.20，存在 579 个高危漏洞。

from https://www.solidot.org/story?sid=64884

---------------------

Millions Of Home Wi-Fi Routers Are Likely Vulnerable To Unpatched Linux Security Exploits

If you're reading this article from home, it’s likely that you're connected to a consumer-grade Wi-Fi router, either wirelessly or via hard wired Ethernet. And if that's the case, you should probably take this time to upgrade your router's firmware ASAP. That is if an update is even available from the manufacturer.

We say this because the Fraunhofer Institute for Communication (FKIE) in Germany recently performed test of 127 home routers, to probe them for their resistance to security threats. Of the routers the researchers tested, 91 percent of them were found to be running some version of embedded Linux, which isn’t surprising.

What was surprising, however, was that the researchers found that not a single router was free of security flaws. In fact, it was discovered that many of these routers were actually susceptible to hundreds of known security vulnerabilities. With respect to modern vulnerabilities, we all know that no device is absolutely perfect. Security vulnerabilities in networking products -- especially routers -- are found all the time, so it's critical that manufacturers put out frequent firmware updates and patches to at least stay somewhat on top of newly discovered exploits. It's incumbent upon router manufacturers to provide continuous maintenance updates on their products.

The Linksys WRT54GL flunked FKIE's security tests.

However, FKIE found that over 25 percent of the tested routers hadn't received a single security-related update in over a year (some as long as five years). And the problems don't stop there. "Some routers have easy crackable or even well-known passwords that cannot be changed by the user," wrote the FKIE researchers. "Most firmware images provide private cryptographic key material. This means, whatever they try to secure with a public-private crypto mechanism is not secure at all."

So, were there any vendors that at least made the effort to try prioritizing security for their hardware? Well, ASUS, Netgear and German firm AVM were all called out for their work to keep products updated on a regular basis, with big names like D-Link, TP-Link and Linksys sometimes far behind. Regardless, of the routers tested, the Linksys WRT54GL was the most trouble prone with a Linux kernel dating back to 2002 (version 2.4.20) along with a test high of 579 high-severity CVEs.

ASUS ROG Rapture GT-AX11000 Router
One of the better brands

In conclusion, the researchers added:

"Many routers are powered by very old versions of Linux. Most devices are still powered with a 2.6 Linux kernel, which is no longer maintained for many years. This leads to a high number of critical and high severity CVEs affecting these devices."

You can find the full research report here (PDF). The bottom line, however, is that you should research OEMs before purchasing your next router, and see what their track record is like with respect to security updates and firmware upgrades. Don't let attractive pricing take your eye of the ball, as this is a piece of hardware that you will likely be keeping around and connecting your devices and home to the internet with for years.

from https://hothardware.com/news/millions-of-home-wi-fi-routers-linux-exploits