Fraunhofer Home Router Security Report 2020

AndreiV

Very Senior Member
Router Issues

A German report conveniently praising AVM products. The article in the link from Coxhaus is at best a pointless piece of garbage.
 

ddaenen1

Senior Member
Whilst Fraunhofer has a solid reputation as a research institute, i did also frown a brow when i read that the only company that got some tumbs up is German. Makes one think.
 

coxhaus

Part of the Furniture
What I meant by old router is they found a lot of old unsupported routers out there which is the big deal. The old routers are probably running old lower level Linux kernels which have a lot of hacks out there.
 

RMerlin

Asuswrt-Merlin dev
I was also struck by how "positive" AVM seemed to be painted in there...

I have a few problems with their methodology. I can only refer to Asus models because that's those I'm familiar with, but some of these probably also applies to Netgear, TP-Link, etc..

1) Average update time. The number they have for Asus looks completely out of whack. A list of investigated routers would help, because I can tell that any Asus router released in the last 1-2 year does NOT get updates "once every 380 days". The typical average time for updates for their mainstream models is between 1-3 months. So if their list includes 5+ years old or very niche models (like the failed BRT-AC828), then yeah, those results will be very skewed.

2) Kernel. Again, how old are the models they analyzed? I don't think any router released by Asus in the last 2 years has used kernel 2.6. All the recent Broadcom models are based on kernel 4.1 for instance. Qualcomm has been at least 3.x, if not 4.x for quite some time as well. So, the advice should rather be "buy a recent model" rather than a blanket "Manufactuers are still largely using obsolete EOL kernels".

3) Kernel patching: "We do not think that manufacturers backport patches" - that is incorrect. Broadcom probably backported quite a few of their owns. I know Asus has backported quite a few, especially those that are critical to a router. A CVE that targets the video driver section is irrelevant to a router.

This is a frequent mistake done by "Security analysts". I've seen a couple of times where a customer was told by an external security analysts "Oh, your Apache version isn't the latest, it's vulnerable to many security exploits", completely ignoring the fact that Red Hat DOES backport all upstream security fixes, making the Apache version irrelevant to their analysis - a proper analysis must specifically look for known vulnerabilities, not blindly assume that the version number means anything about the state of the software's security.

On the other end, too much emphasis on the kernel and not enough on the components. How up to date are critical components like OpenSSL or dnsmasq? This is an area where most manufacturers are failing badly.


I'm not dismissing that the vast majority of router manufacturers are doing a poor job on the security front, however it's not the apocalypse that this report tries to paint.
 
Last edited:

ColinTaylor

Part of the Furniture
Oh dear. That report shows an embarrassing lack of understanding regarding kernel security. Looks like they just phoned this one in for a bit of free publicity.
 

L&LD

Part of the Furniture
Statistics are not the 'truth', by default. Many lies have been backed up by the right 'stats'. :)
 

RMerlin

Asuswrt-Merlin dev
On the topic of updates, a far more useful analysis would have been to chart update frequency vs age (1 year, 2 years, etc...), and report the average update frequency based on the router's age. A manufacturer stopping updates after only 2 years for instance should be avoided when it comes to a security device such as a router. This would be an area where prosumer manufacturers would shine versus the average home user devices.

There's an interesting idea for an article there @thiggins : take the usual suspects (Asus/D-Link/Netgear/TP-Link), pit them against Ubiquity, Microtik, and see how they fare in terms of update frequency vs device age. See if prosumer devices truly provide an advantage there. And also who is the best and the worst.
 
Last edited:

RMerlin

Asuswrt-Merlin dev
I bet the report is based on some statistics and not totally made up. Too big of company.
From what I understood, a lot of it is based on the report from using an automated diagnostic/analysis tool.
 

Jesse Viviano

New Around Here
I was also struck by how "positive" AVM seemed to be painted in there...

I have a few problems with their methodology. I can only refer to Asus models because that's those I'm familiar with, but some of these probably also applies to Netgear, TP-Link, etc..

1) Average update time. The number they have for Asus looks completely out of whack. A list of investigated routers would help, because I can tell that any Asus router released in the last 1-2 year does NOT get updates "once every 380 days". The typical average time for updates for their mainstream models is between 1-3 months. So if their list includes 5+ years old or very niche models (like the failed BRT-AC828), then yeah, those results will be very skewed.

2) Kernel. Again, how old are the models they analyzed? I don't think any router released by Asus in the last 2 years has used kernel 2.6. All the recent Broadcom models are based on kernel 4.1 for instance. Qualcomm has been at least 3.x, if not 4.x for quite some time as well. So, the advice should rather be "buy a recent model" rather than a blanket "Manufactuers are still largely using obsolete EOL kernels".

3) Kernel patching: "We do not think that manufacturers backport patches" - that is incorrect. Broadcom probably backported quite a few of their owns. I know Asus has backported quite a few, especially those that are critical to a router. A CVE that targets the video driver section is irrelevant to a router.

This is a frequent mistake done by "Security analysts". I've seen a couple of times where a customer was told by an external security analysts "Oh, your Apache version isn't the latest, it's vulnerable to many security exploits", completely ignoring the fact that Red Hat DOES backport all upstream security fixes, making the Apache version irrelevant to their analysis - a proper analysis must specifically look for known vulnerabilities, not blindly assume that the version number means anything about the state of the software's security.

On the other end, too much emphasis on the kernel and not enough on the components. How up to date are critical components like OpenSSL or dnsmasq? This is an area where most manufacturers are failing badly.


I'm not dismissing that the vast majority of router manufacturers are doing a poor job on the security front, however it's not the apocalypse that this report tries to paint.
The report has a link to the list of routers investigated in footnote 1 on page 2 of the report. The link points to https://github.com/fkie-cad/embedded-evaluation-corpus/blob/master/2020/FKIE-HRS-2020.md . The page on GitHub lists all of the models of the routers tested, the firmware SHA-256, and the release dates of the tested firmwares.
 

RMerlin

Asuswrt-Merlin dev
The report has a link to the list of routers investigated in footnote 1 on page 2 of the report. The link points to https://github.com/fkie-cad/embedded-evaluation-corpus/blob/master/2020/FKIE-HRS-2020.md . The page on GitHub lists all of the models of the routers tested, the firmware SHA-256, and the release dates of the tested firmwares.
Thanks.

As I suspected, they are mixing a bunch of EOL or esoteric models that are only sold in very limited markets, with up-to-date mainstream models, which paints a totally skewed result when it comes to how frequent firmware updates happen. They did their test on March 27th, and most of Asus's firmwares listed are from 2020, which means the vast majority of tested firmware were less than three months old. Very different from "within one and half year"...
 

Jesse Viviano

New Around Here
Thanks.

As I suspected, they are mixing a bunch of EOL or esoteric models that are only sold in very limited markets, with up-to-date mainstream models, which paints a totally skewed result when it comes to how frequent firmware updates happen. They did their test on March 27th, and most of Asus's firmwares listed are from 2020, which means the vast majority of tested firmware were less than three months old. Very different from "within one and half year"...
So how do buyers know which Asus models are the esoteric and/or EOL models which will likely get shortchanged for firmware updates when we need to buy a router? I know that Asus puts out an end-of-life list https://www.asus.com/event/network/EOL-product/ , but I would not know where to find a list for the esoteric models sold in very limited markets.

I noticed that the RT-AC51U is not on Asus's end of life list, yet its latest stock firmware, which is from November 2019, is older than the rest of the current stock firmware versions of Asus's other non-EOL 802.11ac routers, with several of them having new firmware releases even as soon as this month. I also looked up several of the Asus routers' stock firmware versions. One router, the BRT-AC828 was stuck on a stock firmware version from 2018 when this report was being compiled. To be fair, the BRT-AC828's firmware was recently updated after the Fraunhofer researchers sampled firmware versions for its report on March 27, 2020.
 

HWDan

Occasional Visitor
So how do buyers know which Asus models are the esoteric and/or EOL models which will likely get shortchanged for firmware updates when we need to buy a router? I know that Asus puts out an end-of-life list https://www.asus.com/event/network/EOL-product/ , but I would not know where to find a list for the esoteric models sold in very limited markets.

I noticed that the RT-AC51U is not on Asus's end of life list, yet its latest stock firmware, which is from November 2019, is older than the rest of the current stock firmware versions of Asus's other non-EOL 802.11ac routers, with several of them having new firmware releases even as soon as this month. I also looked up several of the Asus routers' stock firmware versions. One router, the BRT-AC828 was stuck on a stock firmware version from 2018 when this report was being compiled. To be fair, the BRT-AC828's firmware was recently updated after the Fraunhofer researchers sampled firmware versions for its report on March 27, 2020.
1 - check out the Asus Wrt Official forum here. The chatter there will give you an idea of the most popular models you might want to put on your short list.
2 - As it sounds like you may have already done this, go to the Asus support site for your target model and click "show all downloads" to get a list of the recent firmware updates and the frequency of them over time.

This should help give you an idea on how well supported your target router is.
 

RMerlin

Asuswrt-Merlin dev
So how do buyers know which Asus models are the esoteric and/or EOL models which will likely get shortchanged for firmware updates when we need to buy a router?
Like any other electronics, it's recommended to do some research before buying a new product.

One router, the BRT-AC828 was stuck on a stock firmware version from 2018 when this report was being compiled. To be fair, the BRT-AC828's firmware was recently updated after the Fraunhofer researchers sampled firmware versions for its report on March 27, 2020.
That router was a failed experiment that was only sold in a few markets. They tried to start a new business line of models, it didn't sell well and had a fairly different architecture from others, so it eventually started being ignored. This is the one exception out of 20-ish different models.
 

Jesse Viviano

New Around Here
I was also struck by how "positive" AVM seemed to be painted in there...

I have a few problems with their methodology. I can only refer to Asus models because that's those I'm familiar with, but some of these probably also applies to Netgear, TP-Link, etc..

1) Average update time. The number they have for Asus looks completely out of whack. A list of investigated routers would help, because I can tell that any Asus router released in the last 1-2 year does NOT get updates "once every 380 days". The typical average time for updates for their mainstream models is between 1-3 months. So if their list includes 5+ years old or very niche models (like the failed BRT-AC828), then yeah, those results will be very skewed.

2) Kernel. Again, how old are the models they analyzed? I don't think any router released by Asus in the last 2 years has used kernel 2.6. All the recent Broadcom models are based on kernel 4.1 for instance. Qualcomm has been at least 3.x, if not 4.x for quite some time as well. So, the advice should rather be "buy a recent model" rather than a blanket "Manufactuers are still largely using obsolete EOL kernels".

3) Kernel patching: "We do not think that manufacturers backport patches" - that is incorrect. Broadcom probably backported quite a few of their owns. I know Asus has backported quite a few, especially those that are critical to a router. A CVE that targets the video driver section is irrelevant to a router.

This is a frequent mistake done by "Security analysts". I've seen a couple of times where a customer was told by an external security analysts "Oh, your Apache version isn't the latest, it's vulnerable to many security exploits", completely ignoring the fact that Red Hat DOES backport all upstream security fixes, making the Apache version irrelevant to their analysis - a proper analysis must specifically look for known vulnerabilities, not blindly assume that the version number means anything about the state of the software's security.

On the other end, too much emphasis on the kernel and not enough on the components. How up to date are critical components like OpenSSL or dnsmasq? This is an area where most manufacturers are failing badly.


I'm not dismissing that the vast majority of router manufacturers are doing a poor job on the security front, however it's not the apocalypse that this report tries to paint.
See section 3.1 on the bottom of page 7 (according to the page number in the page) or page 11 (based on the page number that the reader software provides) in the report for how the kernel version is determined. It states that a regular expression is used to find version numbers in the non-text files of the kernel. Since I am not a Linux expert, I cannot argue one way or another on whether this method is accurate or not.

Also, see https://www.kernel.org/ to see which generic Linux kernel versions are not end of life. According to the report, none of the routers are using the latest Linux kernel, and the only versions that belong to an active LTS tree are the 4.4.x versions, and both of the versions shown have really old versions of the LTS Linux kernel versions (e.g. some routers use kernel 4.4.14 or 4.4.60, both which are very out of date compared to the latest LTS kernel versions). Also, many current distributions use customized versions of EOL kernels according to https://itsfoss.com/why-distros-use-old-kernel/ , and these distributions are responsible for backporting bug fixes to their own customized kernels. However, using kernel versions 1.x or 2.x is just nuts since they have not been maintained since 2011. The only 3.x version that is actively maintained is 3.18, since Google is maintaining that version for Android. Using any other 3.x kernel versions for a new router is just nuts since they have not been maintained since 2015. We just have to hope that each vendor bothers to backport patches to vulnerabilities to these old kernels in their firmware packages.

I understand that since Linux does not natively support hardware TCP/IP offload engines like the ones in routers due to reasons listed in https://wiki.linuxfoundation.org/networking/toe , so modifying the kernel to support these engines means that one is stuck with that major kernel version since the kernel authors tend to change the kernel APIs between major Linux kernel versions all the time. These maintainers don't care about supporting either TCP/IP offload engines or binary blob drivers, and the maintainers do port free and open source drivers already in the kernel to the new APIs when they change the kernel APIs, so the maintainers see no problem in changing the kernel APIs from major Linux version to major Linux version all the time. However, there is no CPU capable of routing gigabit connections that is inexpensive enough for a consumer-grade gateway's pricing range, so hardware acceleration is a must to reach gigabit speeds with these routers. This is probably the main reason that old Linux kernel versions show up in consumer-grade routers all of the time.

One other test that I think is not getting enough attention in this forum here is the number of hard-coded credentials that the researchers found. Only Asus aced this test with zero throughout all of its models. Netgear had a poor showing with its RAX40 with three account and password pairs that the researchers managed to crack: root : amazon, nobody : password, and admin : password. Other poor showings in the case of crackable passwords included Linksys with models with 0-2 crackable passwords throughout its range, and D-Link with 1 crackable password in an outlier. As for brands with hard-coded passwords whether or not the researchers were able to crack them, TP-Link had a poor showing with 0 to 25 hard-coded login password pairs in its firmware packages throughout its range of models. Linksys was not looking too good here as well. D-Link and AVM also had trouble here.

Another test that is notable is how consistently exploit mitigation techniques are used. AVM looks the best here, but is not perfect. The rest were worse. D-Link is the biggest stinker here.

Based on what I found in the report, I felt that Asus looks like the best vendor whose products are sold in the USA. I think that AVM's routers are designed only for the European Union (and the UK post-Brexit), so I felt that based on the report, Asus looks like the best for US residents.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top