[dba-Tech] Most Brand Name Routers Are Lemons, Claims New Study

Wed Aug 16 22:37:14 CDT 2017

Your trusted home office/small business router is quite likely to be a lemon, according to findings from a new http://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_502618.pdf done by Carnegie Mellon researchers. The study, released this month, found security flaws in all of its test models, all from leading brands.
The flaws included cross-site request forgery vulnerabilities, default login credentials, vulnerability to DNS spoofing and outdated versions of the embedded Linux utility, BusyBox.
The researchers analyzed 13 routers from such manufacturers as Apple, Belkin, Huawei, Motorola and Netgear, between 2014 and 2016.
The researchers said they hoped their study would provide clear metrics about the https://en.wikipedia.org/wiki/The_Market_for_Lemons effect, which refers to the term for how quality products disappear from a market, driving down prices and value.
When vulnerabilities were found in products, Carnegie Mellon contacted the manufacturers, giving them 45 days to work on the issues before publicly releasing the details. In general, the vendors were slow to respond, with some not responding at all.
For example, the study found several issues with Securifi's Almond router, notably that it was vulnerable to clickjacking, cross-site request forgery and, in one older model, didn't deliver firmware updates over HTTPS.
Securifi said it would release an update within 45 days. Although the company provided an update to the researchers, it failed to announce the update on its website. The vendor did not list the update on its support website or on the router's update interface.
The sheer volume of vulnerabilities in routers demands a new approach, one that could more tightly monitor router manufacturers and "help form a clearer picture of how different vendors and products measure up," claimed the study, which was funded by the U.S. Department of Defense.
One solution to router problems is a public database of vulnerabilities that could help clean up the industry, noted the study. Bug reports could be left for open comments, allowing for further validation and providing a clearer picture on how vendors deal with issues.
"Following widely accepted disclosure practices, a vendor would be given 45 days to respond to vulnerability reports," the study observed. "After the 45 days, the report would be added to a public database."
Unfortunately, the study did not recommend any router. So, if you're in the market for a new router or simply want to ditch your present lemon, there's not much left to say, other than to read https://www.pcmag.com/article2/0,2817,2398080,00.asp for possible inspiration.

https://www.vipre.com/blog/brand-name-routers-lemons-claims-new-study/?utm_source=email_VSN_Main_List&utm_medium=email%25(internal)&utm_campaign=Newsletter_08162017&utm_content=Brand_Routers