Zyxel security advisory for the Fraunhofer Home Router Security Report 2020
FKIE Germany recently published a white paper analyzing 127 home routers sold by seven brands in Europe and suggesting that most home routers on the market have security flaws. FKIE used its Firmware Analysis and Comparison Tool (FACT) to analyze router firmware images based on firmware update frequency, operating system version, exploit mitigation, private cryptographic key material, and hardcoded login credentials.
What should you do?
As the report provides only a general firmware analysis and doesn’t identify or validate any specific vulnerabilities, we urge users to exercise good general security practices by following the guidance below for optimal protection.
- Update your device to its latest available firmware.
- Change the default password when logging in to a new device for the first time.
- Use strong, unique passwords for every device and change them regularly.
- Log out of the graphical user interface (GUI) after every use.
- Don't enable remote access unless it's absolutely necessary. If you do enable it, make sure to only allow IP addresses from secure clients.
- Don’t log in to a device from a public computer, the cookies on which are more vulnerable to exposure and may be used by an attacker to forge requests.
- Don’t disable your router’s default firewall rules, if any.
Which Zyxel models are listed?
Ten Zyxel routers are listed in the report; however, many of them are outdated products that have already entered end-of-life status.
- NBG6616 – currently end-of-life
- NBG6617 – currently end-of-life
- NBG6815 – currently end-of-life
- NBG6816 – currently end-of-life
- NBG-418N V2
- WAP3205 V3
Got a question or a tipoff?
Please contact your local service rep for further information or assistance. If you’ve found a vulnerability, we want to work with you to fix it—contact email@example.com and we’ll get right back to you.
Fraunhofer Institute for Communication, Information Processing and Ergonomics of Germany (FKIE)
2020-7-8: Initial release