A large majority of Wi-Fi routers in U.S. homes and offices are vulnerable to cyberattacks because their firmware isn’t updated frequently enough, according to a new study by the nonprofit American Consumer Institute Center for Citizen Research.
About 83 percent of routers are “inadequately updated for known security flaws, leaving connected devices open to cyber attacks that can compromise consumer privacy and lead to financial loss,” the report says. The risks include information theft and attacks that commandeer internet of things (IoT) devices for botnets.
The study was completed in response to an FBI warning in May about Russian hackers compromising hundreds of thousands of home and office routers. To protect the public from potential risks, the FBI warned users to turn routers off and on again and to download firmware updates.
Much of the problem stems from the fact that companies often base their IoT firmware — the software that provides low-level control for a device’s hardware — on open-source code, meaning that there is no central source for warnings about vulnerabilities and the resulting patches. “Protecting firmware is the key to reducing cyber risks,” the report stated. “Fixing vulnerabilities lies partly in the hands of consumers who must do their homework and install firmware (software) updates.”
The study found more than 32,000 vulnerabilities in a sample of 186 routers, with 28 percent categorized as “high risk” or “critical.”
While the report urges device users to update their firmware, manufacturers often do not make that easy for the consumer. Some router makers neglect to provide user-friendly ways to update firmware, leaving consumers in the dark about when they should update their software. In turn, consumers rarely think about updating firmware.
High-risk and critical vulnerabilities are easily exploitable and do not require much knowledge or skill to exploit. However, unlike critical vulnerabilities, high-risk vulnerabilities will not entirely compromise the system if exploited. According to the study, routers contained an average of 12 critical vulnerabilities and 36 high-risk vulnerabilities. Medium-risk vulnerabilities were the most common, however, with an average of 103 per router.
“The security we want for our devices and software is rather simple,” the report stated. “We want these electronic devices to be free from intrusion, and we want the data to be secure, not corruptible and certainly not distributable without the owner’s authorization.”
While router manufacturers continue to look for better ways to protect the information stored on IoT devices, cyber risks do not seem to be going away any time soon.