Vulnerability analysis of embedded router firmwares

By: Segiy Sergienko, 18 May 2017
3 minutes

Reading Time: 3 minutes

Sirin Software in partnership with Tactical Network Solutions made a sensibility research of embedded router firmwares, so the following analysis shows the level of security tested by cloud-based firmware analyzer tool of the most popular routers.

Number of routers in our houses and offices

There are a lot of routers in our homes and offices. Regarding the latest report on, the total number of internet users as of the end of 2016 is 3,5 billion. If we make an assumption that there are approximately 4 users behind each router, we get the number 850 millions of routers in use. Of course this is very rough calculations and finally, nobody knows how many routers exactly in use in the world.

Why open source?

First of all, open source software is free. It is free not only to use but to investigate too. There are some companies that offer security audition of the source code. One can purchase one-time audition of existing firmware to make sure of using free of backdoors solution. There is no direct/easy way to investigate proprietary solutions. You should fully trust your vendor or seek justice in a court after data leakage. However, there is a legal disclaimer in the terms of use from the most routers’ suppliers. In fact, there is the tricky way to examine the firmware: search by binary patterns – exactly what Centrifuge do. The centrifuge is a cloud-based firmware analyzer tool developed by Tactical Network Solutions. It uses heuristic analysis to guess library versions, to count possible buffer overflows and potentially dangerous functions in already compiled code.

Security importance

Theoretically, botnet made even of 1% of this number of routers can easily produce a 9 Tbps attack, which will be the largest DDoS attack ever and can cause the denial of service of almost any existing service. From the other side, our personal privacy is the most important thing we should care for.

Direct security comparison using Centrifuge tool

Technically most of the commercial and Open source firmwares are unix-based and use some custom build on top of Linux or FreeBSD kernel. Most of the linux-based firmwares using the same technology stack and similar software bundles. However, they are totally different in kernel and software versions.

Engineers of Sirin Software reviewed few proprietary firmwares of different suppliers in a comparative way. Because of the closed source of proprietary firmware it’s impossible to compare them by code audition. But we can compare them using the Centrifuge binary firmware analyzer by the number of vulnerabilities in the whole firmware, by number of outdated and compromised libraries and so on. The latest firmware bundles were downloaded from the most popular vendors and analyzed by Centrifuge. We need to mention that firmwares also differ by size, so to cover this issue and to be more precise and we are using relative measures to reflect the actual level of security. The final results of the analysis are presented in the table below.

Name Size, MB Buffer overflow
Command injection
Dangerous Functions
Zyxel Keenetic Lite 3.2 155/48.43 13/4.06 168/52.5
Zyxel Ultra 2 12.2 388/31.80 43/3.52 431/35.33
D-link DIR300 3.7 699/188.92 88/23.79 787/213.24
Asus ac68u 40.3 3188/79.11 229/5.68 3417/84.79
Netgear-R7000 28 4229/151.04 534/19.07 4763/170.11
Openwrt – Tp-link TL-WDR3600 3.4 64/18.82 4/1.18 68/20.00

OpenWRT firmware is close to Keenetic Lite and DIR-300 by size but you can note how much it differs from them in security perspective.


There is no any common certification organization that can assess and classify routers by security level. That is why even buying the router from the respectful supplier you cannot be sure that it is safe and secure. It is well known that security by hiding the implementation is the worst approach. It would be nice if all manufacturers provide at least meta-information such as versions of used libraries and kernel, list of fixed security holes or something like that. Alternatively, people can use tools like Centrifuge to analyze the actual level of security.

Sirin Software stays up-to-date on the latest research and technology. If you have any questions, our R&D team is always online – contact us!