87 critical vulnerabilities discovered in routers in 2021, most remain unpatched
Woburn, MA – June 8, 2022 – A new analysis from Kaspersky showed that 506 vulnerabilities were discovered in routers in 2021, including 87 critical ones. The findings continued a trend that began in 2020, when there were 603 new vulnerabilities, which was roughly triple the totals from each of the two previous years.Almost a third of the critical vulnerabilities discovered in 2021 remain without any response from vendors, while another 26% received only a comment from the company.The flaws threaten the security of millions of devices set up daily in homes and workplaces.
Threats stemming from vulnerable routers affect both households and organizations, moving beyond email compromises to physical home security. Despite this, people rarely think about the security of their devices. According to research data, 73% of users have never thought about upgrading or securing their router, making it one of the biggest threats impacting the Internet of Things today.
A router is the hub of an entire home network, through which all connected devices access the internet and exchange data. Infecting a router, attackers gain access to the network through which data packets are transmitted. Using this, they can install malware on connected computers to steal sensitive data, private photos, or business files, possibly causing irreparable damage to the victim. Through the infected router the attacker can also redirect users to phishing pages masquerading as often-used webmail or online banking sites. Any data they enter on these pages, whether it’s their login and password from the email or bank card details, will immediately fall into the hands of fraudsters.
Since 2010, the number of vulnerabilities found in routers has been steadily increasing. In 2020, the number of discovered vulnerabilities increased to 603, about 3 times as many as the year before that. In 2021, the number of discovered vulnerabilities remained high, at 506. Out of all discovered vulnerabilities in 2021, 87 were critical. Critical vulnerabilities are the most unprotected "holes" through which an attacker can penetrate a home or corporate network. Such vulnerabilities may let the attacker bypass authentication, send remote commands to a router, or even incapacitate it. Doing so, operators are able to steal any data or files transmitted over an infected network, whether it's your personal photos, private information, or even business contracts sent in an email.
Number of router vulnerabilities according to nvd.nist.gov, 2010 – May 2022.
Though researchers are now raising awareness about many more found vulnerabilities than before, routers remain one of the most insecure devices. One of the reasons for this is that not all vendors rush to eliminate the dangers. Almost a third of critical vulnerabilities discovered in 2021 remain without any response from vendors: no patch or commentary with advice has been issued for them. Another 26% of such vulnerabilities received only a comment from the company, which most often include recommendations to contact technical support.
Alongside attackers’ increased activity, consumers and small businesses usually don’t have the expertise or resources to identify or understand a threat before it's too late. User inaction is especially dangerous when routers are used in sensitive environments such as hospitals or government buildings, where a data leak could potentially have a severe impact.
“Despite the speed with which technology is coming into our lives, the level of cybersecurity hasn’t kept pace,” said Maria Namestnikova, head of the Russian Global Research and Analysis Team (GReAT) at Kaspersky. “Many employees have been working from home for the past two years, but the security of routers hasn’t improved over this time – they’re still rarely updated. Therefore, the risk that router vulnerabilities could be abused by cybercriminals remains a concern in 2022. What’s important is to prevent a threat as early as possible, since people usually find out about an attack when it’s too late – after money has been stolen.
“When you buy a router, network security should be as much of a priority as data transfer speed and price. Read reviews and note how quickly the manufacturer resolves reported issues. And don't forget to update your router as soon as the developer releases a patch to avoid losing sensitive data and money.”
Read the full report about router security on Securelist.
To protect your router from cybercriminals’ attacks, Kaspersky recommends:
· Don’t buy smart appliances secondhand. Their firmware could have been modified by previous owners to give a remote attacker full control over your smart home.
· Don’t forget to change the default password. Go for a complex one and change it regularly.
· Don’t share serial numbers, IP addresses or other sensitive information regarding your smart devices on social networks.
· Use WPA2 encryption – it’s the most secure for data transfer.
· Disable remote access in the router's settings. If remote access is still needed, you should disable it when it is not in use.
· For more security, you can select a static IP address and disable DHCP, as well as protect Wi-Fi with a MAC filter. These actions lead to your having to manually configure the connection of various additional devices to the router, so the process becomes longer and more complicated. Nevertheless, it will be much more difficult for an intruder to penetrate the local network. Be aware and always check the latest information on discovered router vulnerabilities.
· Having decided on a particular app or device, be sure to stay in the loop about updates and discovery of vulnerabilities. Install all updates released by the developers in a timely fashion.
· Consider installing a special security solution that can help protect your home network and all connected devices.
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters to them most. Learn more atusa.kaspersky.com.
Sawyer Van Horn