83 percent.
That’s the proportion of Wi-Fi routers sold in the United States that are vulnerable to cyber-attack, according to a new study by the American Consumer Institute (ACI).
“Without addressing these known security flaws, consumer devices could be compromised, and data could be stolen, leading to malicious activity, identity theft, fraud or espionage,” according to the study.
In May 2018, the FBI sent out a warning that Russian computer hackers had compromised hundreds of thousands of home and office routers and could collect user information or interfere with network traffic. This attack, as damaging as it was, merely hinted at the magnitude of the security vulnerabilities in Americans’ Wi-Fi routers.
ACI’s analysis included 186 devices from 14 different manufacturers, of which 155 (83%) were found to have vulnerabilities to potential cyberattacks in the router’s software, with an average of 172 vulnerabilities per router. The total number of known vulnerabilities found in the sample is staggering: 32,003.
Not all vulnerabilities are equal, however. The severity of each vulnerability is ranked by the National Vulnerability Database and, based on different scores, each vulnerability is ranked either “low,” “medium,” “high,” or “critical” to reflect the severity of the associated risks.
Within the sample, 28 percent of the vulnerabilities were considered high risk or critical.
High risk vulnerabilities require very little knowledge or skill to exploit, but unlike critical risk vulnerabilities, they will not entirely compromise the system. The potential damage remains high, as exploited high risk vulnerabilities can partially damage the system and cause information disclosure. ACI’s analysis shows that, on average, each router contained 12 critical vulnerabilities and 36 high risk vulnerabilities. The most common vulnerabilities were medium risk, with an average of 103 vulnerabilities per router.
Unfortunately, there are no easy solutions to this problem.
Fixing these vulnerabilities lies partly in the hands of consumers who must learn about their devices and proactively seek software updates to patch known vulnerabilities. This will require a change in mentality — the average consumer has probably never even considered updating their router’s software.
And because most consumers are not even aware of potential security vulnerabilities, they tend not to demand software support from manufacturers. As a result, router makers often do not provide user-friendly ways to update software and may even view building security protocols into their devices as an unnecessary expense. This means that even consumers who are able to figure out how to update the router may face outdated software that is all but useless against vulnerabilities discovered since its sale.
Router manufacturers have a responsibility to track potential security vulnerabilities on their routers and to ensure that consumers are given the tools to keep their devices secure.
Even as inter-connected devices are creating new, exciting opportunities for innovations in our daily lives, the threat of cyberattack has never been more real. One of the leading cybersecurity firms in the U.S. reported a 600% increase in Internet of Things (IoT) attacks in 2017. Routers were the most frequently exploited type of device, making up 33.6% of IoT attacks.
Each of the 32,003 vulnerabilities identified in ACI’s report puts consumers and our economy at risk. If this growing threat is to be countered effectively, manufacturers must commit more resources to identifying and mitigating security vulnerabilities on their devices and consumers must remain vigilant for potential threats that could compromise their personal data.
Earlier this month, ACI released a study showing that many popular smartphone apps contain known vulnerabilities that are not being patched by applications providers, also leaving consumer information and devices at risk. These two studies show the urgency for the industry to take proactive steps to protect consumer privacy, and these risks should not be taken for granted.