More disconcerting news for router owners – a new assessment of 28 popular models for home users failed to find a single one with firmware that had fully enabled underlying security hardening features offered by Linux.
CITL (Cyber Independent Testing Laboratories) says it made this unexpected discovery after analysing firmware images from Asus, D-Link, Linksys, Netgear, Synology, TP-Link and Trendnet running versions of the Linux kernel on two microprocessor platforms, MIPS and ARM.
The missing security protections included Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and RELocation Read-Only (RELRO).
Granted, this will sound like a jumble of technical terms to most router owners, but in modern operating systems this layer of security should matter.
Linux pioneered features such as ASLR (Windows added it to Vista in 2007), taking advantage of the memory segmentation features of modern CPUs via something called the NX bit (no-execute).
As its name suggests, ASLR protects against buffer overflow attacks by randomising where system executables are loaded into memory (so attackers don’t know where they are).
Meanwhile, its relative, DEP, is a way of stopping malware from executing from system memory in use by the OS.
The point of security hardening like this is to make it harder for attackers to exploit software flaws as and when they are found.
How does this affect routers?
Router makers base their firmware on a version of the Linux kernel atop which they implement proprietary extensions.
In principle, there is nothing stopping them from implementing features such as ASLR, but according to CITL that doesn’t seem to have been happening.
For ASLR, all models assessed achieved a low score ranging from 0% use to almost 9% in one case, with most around half of that. With the exception of a Linksys model that scored 95%, RELRO implementation wasn’t much better.
For comparison, Ubuntu 16.04 LTS implemented ASLR on 23% of its executables and RELRO protection on 100%.
A clue as to why this is happening could be the particularly weak scores of the 10 routers running MIPS for protections such as DEP.
This included a weakness in Linux kernels between 2001 and 2016 relating to the implementation of floating-point emulation. The researchers also noticed a potential security-hardening bypass introduced by a 2016 kernel patch.
We also observe a significant lag in adoption of the latest Linux kernels, and related compiler toolchains, in many MIPS devices including end user devices.
The Linux kernel version shouldn’t in itself result in poor security hardening (most of which have been around for many years in Linux) but it does suggest the firmware used by many of these routers was developed at a time when security was a lower priority.
Indeed, the same issue might explain why so many routers still run on the MIPS, an aging platform left over from the early 2000s and Broadcom’s Wi-Fi reference design which came bundled with its chips. For MIPS, the researchers advise:
We believe consumers should avoid purchasing products built on this architecture for the time being.
CITL argues that although ARM-based routers are a more secure choice, even here the security hardening varies widely within the same vendor’s products.
Should we be worried?
Yes, and no. Yes, because a router lacking these basic protections is inherently less secure but no because even if this was fixed, there are still many other security problems within routers for attackers to aim at.
For instance, the router industry has a mixed reputation for fixing security vulnerabilities when they are discovered, in some cases apparently abandoning some models (and their users) to their fate.
In fairness, when it comes to patching, the router industry has improved a lot. However, CITL’s analysis suggests more fundamental work still lies ahead.