More disconcerting news for router owners – a new assessment of 28 popular models for home users failed to find a single one with firmware that had fully enabled underlying security hardening features offered by Linux.
CITL (Cyber Independent Testing Laboratories) says it made this unexpected discovery after analysing firmware images from Asus, D-Link, Linksys, Netgear, Synology, TP-Link and Trendnet running versions of the Linux kernel on two microprocessor platforms, MIPS and ARM.
The missing security protections included Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and RELocation Read-Only (RELRO).
Granted, this will sound like a jumble of technical terms to most router owners, but in modern operating systems this layer of security should matter.
Linux pioneered features such as ASLR (Windows added it to Vista in 2007), taking advantage of the memory segmentation features of modern CPUs via something called the NX bit (no-execute).
As its name suggests, ASLR protects against buffer overflow attacks by randomising where system executables are loaded into memory (so attackers don’t know where they are).
Meanwhile, its relative, DEP, is a way of stopping malware from executing from system memory in use by the OS.
The point of security hardening like this is to make it harder for attackers to exploit software flaws as and when they are found.
How does this affect routers?
Router makers base their firmware on a version of the Linux kernel atop which they implement proprietary extensions.
In principle, there is nothing stopping them from implementing features such as ASLR, but according to CITL that doesn’t seem to have been happening.
For ASLR, all models assessed achieved a low score ranging from 0% use to almost 9% in one case, with most around half of that. With the exception of a Linksys model that scored 95%, RELRO implementation wasn’t much better.
For comparison, Ubuntu 16.04 LTS implemented ASLR on 23% of its executables and RELRO protection on 100%.
MIPS vulnerability
A clue as to why this is happening could be the particularly weak scores of the 10 routers running MIPS for protections such as DEP.
This included a weakness in Linux kernels between 2001 and 2016 relating to the implementation of floating-point emulation. The researchers also noticed a potential security-hardening bypass introduced by a 2016 kernel patch.
We also observe a significant lag in adoption of the latest Linux kernels, and related compiler toolchains, in many MIPS devices including end user devices.
The Linux kernel version shouldn’t in itself result in poor security hardening (most of which have been around for many years in Linux) but it does suggest the firmware used by many of these routers was developed at a time when security was a lower priority.
Indeed, the same issue might explain why so many routers still run on the MIPS, an aging platform left over from the early 2000s and Broadcom’s Wi-Fi reference design which came bundled with its chips. For MIPS, the researchers advise:
We believe consumers should avoid purchasing products built on this architecture for the time being.
CITL argues that although ARM-based routers are a more secure choice, even here the security hardening varies widely within the same vendor’s products.
Should we be worried?
Yes, and no. Yes, because a router lacking these basic protections is inherently less secure but no because even if this was fixed, there are still many other security problems within routers for attackers to aim at.
For instance, the router industry has a mixed reputation for fixing security vulnerabilities when they are discovered, in some cases apparently abandoning some models (and their users) to their fate.
In fairness, when it comes to patching, the router industry has improved a lot. However, CITL’s analysis suggests more fundamental work still lies ahead.
Mahhn
Sophos, Is it possible to use your free firewall as a Secure home router? (on an older PC with multiple NICs) Or would the firmware of the PC (BIOS) still be at risk in this situation depending on the PC?
Paul Ducklin
Yes, the free Sophos XG Firewall Home Edition (see https://sophos.com/freetools) makes a great secure gateway because that’s exactly what it’s for!
(In the context of home routers and other IoT devices, the word “firmware” has come to mean more than just “the BIOS” – it’s a general term for the whole OS distro+software+configuration bundle that you flash to the device. So too for the XG Firewall – when you install our distro, it takes over the whole computer, wiping your current OS and installing a Linux distro of its own plus all the software you need for the network filtering and UI.)
Things to bear in mind: as you say, you’ll need a spare Intel x64 PC with two network cards, or a suitable Virtual Machine (VM). You can’t reflash the average SoHo router to turn it it an XG Firewall because the router almost certainly won’t have the right CPU – and even if it did, it probably wouldn’t have enough RAM or disk space/flash storage anyway.
Also if your current home router does all-in-one duty as both your xDSL modem and as your Wi-Fi access point, then you can’t plumb the XG Firewall computer into your network between the wall socket and your access point.
Having said that, a surplus-to-requirements laptop is a great place to start if you want to build up a home XG Firewall – if the laptop only has one network card, $5 will probably get you a cheap USB ethernet dongle to serve as your second NIC. If the laptop still has a bit of battery life left, you even get a built-in UPS for free!
As mentioned above, a VM is a handy way to play with the XG product first to see how you like it…
Bob
Very good article. But, has even one person been affected? what is the likelihood that this can hurt a person substantially.
John E Dunn
Security ‘hardening’ of the sort discussed in this article is about making it harder for attackers to exploit specific vulnerabilities.
Given how aggressively routers are being targeted these days, anything that reduces the chances of an attack succeeding must be a good thing.
Anonymous
I would be interested in comparison with OpenWRT, DD-WRT and Turris OS (for Turris Omnia router).
jc
It would be very interesting if Sophos could put together a full report and test all major uk ISP routers
to see exactly what’s going on best and worst etc,
Alessio
Definitely a worry when you look at the amount of routers with older unpatched firmware. I recommend using an after-market Linux router firmware if your router is a few years old to get some more up-to-date protection. Progress has been made but it would be nice to see more consistent information and updates from some router manufacturers. An interesting article none the less.