New SOHO Router Security Audit Uncovers Over 60 Flaws In 22 Models
Home and small-office routers have become a hotbed for security research lately, with vulnerabilities and poor security practices becoming the rule rather than the exception. A new security audit by researchers from Universidad Europea de Madrid only adds to that list, finding 60 distinct flaws in 22 different device models. They posted details of their research on the Full Disclosure mailing list, and the affected brands include D-Link, Belkin, Linksys, Huawei, and others. Many of the models they examined had been distributed to internet customers across Spain by their ISPs. About half of the flaws are cross-site scripting (XSS) and cross-site request forgery (CSRF) issues, though there is at least one backdoor with a hard-coded password. Several routers allow external attackers to delete files on USB storage devices, and others facilitate DDoS attacks.
Netgear has some major security flaws they've refused to address for a long time. Mainly direct remote access. I'm not sure if this is by design via the NSA or because they are horrifically lazy, but I stopped caring what they thought and installed Linux on my router. OpenWrt and DD-WRT work better than the original in most cases, except in the realm of tx power modification. That seems to have sucked since people started frying their antennas and the devs stopped pursuing it.