83% of all consumer routers vulnerable, offer no protection for ePHI

Does your office use a consumer router from one of the following vendors as its access to the Internet?

  • D-Link
  • TP-Link
  • Netgear
  • Linksys
  • Asus
  • AVM
  • Belkin
  • Cerio
  • TRENDnet
  • Zyxel

A new report from The American Consumer Institute will make you wish you weren’t using one. A sample of 186 routers was taken from the manufacturers above, and an astonishing 83% were found to be vulnerable to remote attack. This means attacks from outside your network, or across the Internet. A total of 32,003 vulnerabilities were found, an average of 172 per router.

What this means is that just about any consumer router you can buy online, at Best Buy, Walmart, or similar locations is vulnerable.

What is a vulnerable consumer router?

This means that the router has a vulnerability that allows a remote attacker to compromise the device. This would allow remote attackers to gain access to your practice’s network. These devices weren’t designed with in-depth logging or ways to alert users of an attack. An attacker would be able to bypass the router and steal ePHI without a practice ever knowing.

The main reason for these issues is that consumer routers were never intended to protect a business or practice. They were originally designed to provide internet access to a home. No effort was made to add security to these devices and, over time, the threats have become more plentiful and dangerous.

These devices are not firewalls and won’t protect you from the bad things on the Internet. For that, a business-level firewall is required.

Another issue is that when these routers have updates, most practices don’t install them. That means that even though a vulnerability has been patched, most offices still run on unpatched software. Keeping routers up to date is not something most people think about.

What is a firewall?

Firewalls are central points for the protection of computer networks. These devices are the gatekeepers to your network, protecting it from attacks from the Internet. While firewalls are not specifically required under HIPAA law, HIPAA does require that all Covered Entities and Business Associates do what is reasonable and appropriate to protect electronic protected health information (ePHI). The Department of Health and Human Services (HHS) defaults to the NIST Cybersecurity Framework for network security recommendations. The NIST framework does require network firewalls to be in place. HHS may not require them, but it has fined Covered Entities for not using them. You can’t achieve HIPAA network security without a firewall. If you can’t have a secure network, then you can’t be HIPAA compliant.

Summary

Consumer routers are completely unsafe and should not be used for small businesses or practices, especially not in cases where ePHI is involved. These devices have been found to contain, on average, 172 vulnerabilities per device. Some of these vulnerabilities would give a remote attacker complete access to your network. 83% of the consumer routers tested were found to be vulnerable. Chances are, if you are using one, yours is vulnerable as well.

Here is a list of the consumer routers that were tested for this report:

TP-Link

TL-WR94N V3
TL-WR94N V6
TL-WR845
TL-WR843
TL-WR843ND
TL-WR843ND
TL-WR841N
TL-WR840N
TL-WR802N
TL-WR743ND
TL-WR741ND
TL-WR740N
TL-WR710N
TL-WR702N
TL-WR1042ND
TL-WDR4300
TL-WDR3600
TL-WDR3500
ARCHER_C8
ARCHER_C7
ARCHER_C5
ARCHER_C50
ARCHER_C3200
ARCHER_C2
ARCHER_C20i
ARCHER_C20

ASUS

RT_N66R
RT_N600
RT_N16
RT_N56
RT_N12D1
RT_ACRH13
RT_AC5300
RT_AC3200
RT_AC1900
RT_AC3100
RT_AC1750
RT_AC1200G
RT_AC88U
RT_AC1200
RT_AC87U
RT_AC86U
RT_AC68U
RT_AC68P
RT_AC66U_B1
RT_AC66R
RT_AC66U
RT_AC56U
RT_AC56R
RT_AC55U
RT_AC51U
RT_GT_AC5300
RT_MAP_AC2200
BLUECAVE

AVM

FRITZBOX_6890
FRITZBOX_7590
FRITZBOX_7490

Belkin

F9K1124
F9K1119
F9K1123
F9K1116
F9K1118V2
F9K1115
F9K1102
F9K1113
F9K1105
F9K1103
F9K1009
F9K1010
F9K1002

Cerio

WP-300N
WMR-200N
IW-100
WM-200N
DT-300N_OS30
DT-100G-N
DT-300N
CW-400NAC_A2
CW-400NAC_A1

D-Link

DIR-878_REVA
DIR-882_REVA
DIR-867_REVA
DIR-859_REVA
DIR-842_REVERSIONB
DIR-842_REVERSIONC
COVR-3902
DIR-822-REVERSION2
DIR-605L_VERSIONB
DIR-605L_VERSIONA

HPE

VSR1000
MSR954

Linksys

WRT1900AC_V2
WRT3200ACM
WRT1900ACSV2
WRT1200ACV2
WRT54GL
WRT32X
EA9300
EA9500V2
EA9200
EA8300
EA8500
EA7500V2
EA7300
EA6900
EA6500V2
EA6400
EA6350V3
EA6300
EA6200
EA6100
EA5800
EA4500V3
EA3500
EA2750
EA2700
E8400
E2500
E1700
E1200
E900

NETGEAR

WNR3500L
WNR2200
WNR2500
WNR1000V3
WNR2000V3
WNDR4700
WNDR4500
WNDR3700
WNDR3400
R8900
R9000
R8300
R8500
R8000P
R8000
R7900P
R7900
R7800
R7300
R7500
R7000
R700P
R6900
R6700
R6900P
R6400
R6250
R6220
R6200
R6120
R6100
R6080
R6020
PR2000
N300
JR6150
AC1450
JNR3210

Sierra Wireless

MP70
RV50
LX60
GX450
ES450

TRENDnet

TEW-829DRU
TEW-812DRU
TEW-721BRM
TW-100
TEW-827DRU
TEW-818DRU
TEW-817DTR
TEW-816DRM
TEW-731BR
TEW-714TRU
TEW-655BR3G

Ubiquiti Networks

UGW3
XG_8U_GWXG
PRO4_UGW4

Yamaha

RT810
FWX120

Zyxel

NBG6815
NBG6617
NBG6515
ARMOR_Z2_NBG6817
NBG-418N
ARMOR_Z1_NBG6816

 

 

 

 
