Researchers at IoT Inspector carried out the security tests in collaboration with CHIP magazine, focusing on models used mainly by small firms and home users.
IoT Inspector CTO Florian Lukavsky said the vendors provided them with the latest versions which had the best firmware.
The firmware versions were automatically analyzed by IoT Inspector and checked for more than 5,000 CVEs and other security issues.
While not all flaws carried the same risk, the team found some common problems that affected most of the tested models:
- Outdated Linux kernel in the firmware
- Outdated multimedia and VPN functions
- Over-reliance on older versions of BusyBox
- Use of weak default passwords like "admin"
- Presence of hardcoded credentials in plain text form....
All of the affected manufacturers responded to the researchers' findings and released firmware patches.
The researchers demonstrated one exploit they found on one of the routers that extracted the AES key used for the firmware encryption, letting malicious firmware image updates pass verification checks on the device — and thus potentially planting malware on the router.
To be fair not all the identified weaknesses are considered real security flaws, and for some bugs, it is unclear whether exploitation is even possible. However, many of the identified vulnerabilities (ranging from two in AVM devices to a dozen in other routers) were classified as high- and medium-severity.