But is it exploitable? Exploring how Router Vendors Manage and Patch Security Vulnerabilities in Consumer-Grade Routers

Loading...
Thumbnail Image
File version

Accepted Manuscript (AM)

Author(s)
Chalhoub, G
Martin, A
Griffith University Author(s)
Primary Supervisor
Other Supervisors
Editor(s)
Date
2023
Size
File type(s)
Location

Copenhagen, Denmark

License
Abstract

Millions of consumer-grade routers are vulnerable to security attacks. Router network attacks are dangerous and infections, presenting a serious security threat. They account for 80% of infected devices in the market, posing a greater threat than infected IoT devices and desktop computers. Routers offer an attractive target of attacks due to their gateway function to home networks, internet accessibility, and higher likelihood of having vulnerabilities. A major problem with these routers is their unpatched and unaddressed security vulnerabilities. Reports show that 30% of critical router vulnerabilities discovered in 2021 have not received any response from vendors. Why? To better understand how router vendors manage and patch vulnerabilities in consumer-grade routers, and the accompanying challenges, we conducted 30 semi-structured interviews with professionals in router vendor companies selling broadband and retail routers in the UK. We found that router professionals prioritize vulnerability patching based on customer impact rather than vulnerability severity score. However, they experienced obstacles in patching vulnerabilities due to outsourcing development to third parties and the inability to support outdated models. To address these challenges, they developed workarounds such as offering replacement routers and releasing security advisories. However, they received pushback from customers who were not technically capable or concerned about security. Based on our results, we concluded with recommendations to improve security practice in routers.

Journal Title
Conference Title

EuroUSEC '23: Proceedings of the 2023 European Symposium on Usable Security

Book Title
Edition
Volume
Issue
Thesis Type
Degree Program
School
Publisher link
Patent number
Funder(s)
Grant identifier(s)
Rights Statement
Rights Statement

This work is covered by copyright. You must assume that re-use is limited to personal use and that permission from the copyright owner must be obtained for all other uses. If the document is available under a specified licence, refer to the licence for details of permitted re-use. If you believe that this work infringes copyright please make a copyright takedown request using the form at https://www.griffith.edu.au/copyright-matters.

Item Access Status
Note
Access the data
Related item(s)
Subject

Information and computing sciences

Persistent link to this record
Citation

Chalhoub, G; Martin, A, But is it exploitable? Exploring how Router Vendors Manage and Patch Security Vulnerabilities in Consumer-Grade Routers, EuroUSEC '23: Proceedings of the 2023 European Symposium on Usable Security, 2023, pp. 277-295