Consumer Reports Finds Numerous Home Routers Lack Even Basic Security Protections
Furnished content.
For years now many hardware vendors have failed utterly to implement even basic security protections on most consumer-grade routers. D-Link, for example, just settled with the FTC after being sued for shipping routers with numerous vulnerabilities and default username/password combinations, despite advertising its products as "easy to secure" and replete with "advanced network security." Asus was similarly dinged by the FTC for shipping gear with numerous flaws and easily-guessed default username and password combinations.As such, it's not too surprising to see a new Consumer Reports study that found that a large number of mainstream residential routers lack even rudimentary security protections. 11 of the 26 major router brands examined by the organization came with flimsy password protection. 20 of the routers let users only change the password, but not the username of web-based router management clients. 20 of the routers also failed to protect users from repeated failed password login attempts, now commonplace on most apps, phones, and other services.Two thirds of the routers tested came with UDP enabled by default:
"Unless you have a device or some software that specifically asks for it, it's smart to turn this off, because UPnP has a history of serious security vulnerabilities. But our recent survey found that most people who buy a router don't adjust the settings, and even fewer may think to turn off UPnP."Many attacks are made easier thanks to Luddite users. But there's a universe of steps these vendors could be taking that would make a dramatic impact, such as requiring that users change the default username and password before they're able to actually use the router. But, just like the security and privacy apathy seen in the IOT space, many vendors don't want to spend the money necessary to fix older gear, or even implement meaningful improvements in new kit. As a result, much of this gear is easily hijacked and integrated into botnets within minutes of being connected to the internet. Hardware vendors don't care as they've already made a sale, and consumers often lack the technical know-how to even know they've been compromised.As Consumer Reports notes, given the router's integral role in everything done in your home, it remains fairly dumbfounding that we're still collectively begging router manufacturers to give a damn:
"Routers are a critical part of our homes, says Robert Richter, who oversees security and privacy testing for Consumer Reports. They are the conduit through which all of your data travels, so it's crucial that we look closely at how they handle security. We hope both consumers and the industry pay close attention to our findings."Of course if you've checked in with the dumpster fire that is security and privacy standards in the IOT space, shoddy routers are just one small part of a much broader problem. To that end Consumer Reports has done some really stellar work trying to create an open standards system that can be used to include security and privacy vulnerabilities in product reviews, helping to steer consumers away from buying gear from vendors who pretty clearly couldn't give a damn about consumer security and privacy.
edit: Policy/auto___consumer_reports_finds_numerous_home_routers_lack_even_basic_security_protections.wikieditish...