Linksys WRT32X, the router that scored the highest in the Cyber-ITL security-focused case study.
Many of today's most popular home router models don't take full advantage of the security features that come with the Linux operating system, which many of them use as a basis for their firmware.Security hardening features such as ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention), RELRO (RELocation Read-Only), and stack guards have been found to be missing in a recent security audit of 28 popular home routers.
Security experts from the Cyber Independent Testing Lab (Cyber-ITL) analyzed the firmware of these routers and mapped out the percentage of firmware code that was protected by the four security features listed above.
"The absence of these security features is inexcusable," said Parker Thompson and Sarah Zatko, the two Cyber-ITL researchers behind the study.
"The features discussed in this report are easy to adopt, come with no downsides, and are standard practices in other market segments (such as desktop and mobile software)," the two added.
While some routers had 100 percent coverage for one feature, none implemented all four. Furthermore, researchers also found inconsistencies in applying the four security features within the same brand, with some router models from one vendor rating extremely high, while others had virtually no protection.
According to the research team, of the 28 router firmware images they analyzed, the Linksys WRT32X model scored highest with 100 percent DEP coverage for all firmware binaries, 95 percent RELRO coverage, 82 percent stack guard coverage, but with a lowly 4 percent ASLR protection...
Read more: Most home routers don't take advantage of Linux's improved security features | ZDNet
Wouldn't all of the vulnerabilities referenced be blocked, if and when there's no access to the external interface from the outside and/or public networks? That would explain why most of routers don't have the security options enabled...
I believe the concern here is that once an attacker finds a way through the firewall - for instance, by exploiting a router service exposed to the Internet (e.g. VPN server) or a LAN-side device (e.g. compromised IoT device) - how much damage they can do even if the router were otherwise properly secured.
Without ASLR or DEP a buffer overflow vulnerability in your VPN server may let an attacker get root access whereas with ASLR/DEP an overflow may just result in a crash.
Hi there
this sort of stuff won't even begin to effect 99.999% of home users out there (corporates / cloud providers / professional service co's etc - another issue).
Most home users will get scammed by things like "Fake websites", giving away too much data on social media, sending money to rogue bank accounts -- favourite scam here is for say builder, mortgage account, other service provider etc to ask for money to be sent to a different bank account than the original one -- loads of people assume genuine request without verifying Bank or service provider and hence lose money (not refundable) as they've initiated the Bank transfer !!!! plus a load of other nasty things.
If only people would learn (home users again -- corporates etc have different issues to contend with) that the name of the game is just to COLLECT MONEY -- old time hacking and infecting computers is just so last C20. Making a fast buck is the name of the game and no software will protect you against common scams -- learn what they are and TAKE CARE.
I'm going to try and create a non geekish "Anti-Scammers" handbook on using the Internet which I hope I can upload on to the tutorial section soon showing how home users can protect themselves against a whole slew of common Internet Scams.
Seems there's a real need for this type of advice (what on earth do schools teach kids these days in I.T classes !!).
Adults also could benefit from this too I think.
Cheers
jimbo
Quote