
Exposed by Default: A Security Analysis of Home Router Default Settings

Junjian Ye, Nanjing University of Posts and Telecommunications, Nanjing, China, [email protected]
Xavier de Carné de Carnavalet, The Hong Kong Polytechnic University, Hong Kong SAR, China, [email protected]
Lianying Zhao, Carleton University, Ottawa, Canada, [email protected]
Mengyuan Zhang, Vrije Universiteit Amsterdam, Amsterdam, Netherlands, [email protected]
Lifa Wu, Nanjing University of Posts and Telecommunications, Nanjing, China, [email protected]
Wei Zhang, Nanjing University of Posts and Telecommunications, Nanjing, China, [email protected]

ABSTRACT

With ubiquitous Internet connectivity, home routers have become a cornerstone of our digital lives, often deployed with minimal changes to the factory default settings. However, if left unexamined, these settings can pose risks to user security and privacy. To systematically evaluate potential risks, we developed a threat model-based framework and conducted a comprehensive analysis of 40 commercial off-the-shelf home routers, representative of recent models across 14 brands. We surveyed 81 parameters and behaviors including default and deep default settings. We identified a variety of security flaws including the exposure of IPv6 local devices due to a lack of firewall protection, vulnerable Wi-Fi security protocols, open Wi-Fi networks and trivial admin passwords for “plug-and-play” routers, and unencrypted firmware update communications. We also discovered concealed WPS PIN support — at times associated with a trivial PIN. In total, we are reporting 30 exploitable vulnerabilities to the vendors. This paper highlights the need for heightened scrutiny of default router settings, providing valuable insights to both manufacturers and consumers for enhancing home network security. Our findings underscore the importance of meticulous device configuration, advocating for proactive measures from all stakeholders to mitigate the threats posed by insecure router default settings.

CCS CONCEPTS
• Security and privacy → Network security; Embedded systems security.

KEYWORDS
Home router, Default settings, Manual analysis

ACM Reference Format:
Junjian Ye, Xavier de Carné de Carnavalet, Lianying Zhao, Mengyuan Zhang, Lifa Wu, and Wei Zhang. 2024. Exposed by Default: A Security Analysis of Home Router Default Settings. In ACM Asia Conference on Computer and Communications Security (ASIA CCS ’24), July 1–5, 2024, Singapore, Singapore. ACM, New York, NY, USA, 17 pages. https://doi.org/10.1145/3634737.3637671

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
ASIA CCS ’24, July 1–5, 2024, Singapore, Singapore
© 2024 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ACM ISBN 979-8-4007-0482-6/24/07. . . $15.00
https://doi.org/10.1145/3634737.3637671

1 INTRODUCTION

By the end of April 2023, the number of Internet users worldwide had reached 5.18 billion, accounting for 64.6% of the global population [53]. By 2019, most households in developed regions already had access to the Internet [62]. Traditionally, Internet access at home is provided by a modem together with a router to support a range of devices, from laptops to IoT devices, through wired or wireless communication. Home routers come with different characteristics and features and offer numerous customizable settings, e.g., Wi-Fi passphrase and protocol, admin password, remote control options, firewall, external storage support.

Numerous attacks target home routers, including botnet malware infections [3, 23, 39] and attacks on wireless protocol implementations [66, 69]. A body of research also aims at automating the discovery of vulnerabilities in routers from firmware images to uncover authentication issues [58], privilege escalation [15], command injection [33], and information disclosure [74]. However, a less studied issue stems from the quality of the settings being applied to the routers. For instance, home routers used to support the deprecated WEP (Wired Equivalent Privacy) protocol years after a powerful attack able to recover the shared key was published [6, 20].

Nthala et al. [50] found that many UK home users assume network devices are already secure when purchased, and can simply be plugged in to work. This behavior is comparable to interaction blindness [51] or banner blindness. A study by Ho et al. [24] has shown that users tend to keep the default settings provided by the router’s configuration wizard. Even for trained personnel (e.g. system administrators [40]), default settings are also important because they are either directly adopted or serve as an important orientation. We consider the resulting configuration as the initial default settings. In turn, this configuration may not provide adequate security, e.g., leaving weak/well-known credentials unchanged. This will very likely be what the users end up with when using the router until


Figure 1: Threat model (adversaries Adv_WAN, Adv_NET, Adv_LAN and Adv_PHY positioned around the home router)

a future event brings attention to the router again. Therefore, any insecurity left in such initial default settings will possibly affect a large population. For instance, users may assume a secure connection when they are required to enter a “security key” before connecting, but if the router’s Wi-Fi security protocol defaults to a weak/vulnerable one (despite supporting stronger up-to-date protocols), the attacker can still eavesdrop on or intercept network traffic containing sensitive user data. This could be even worse than an unprotected connection, as the user is unaware and may take decisions based on wrong assumptions (e.g., otherwise sensitive transactions could have been avoided).

Concerns also arise from initially disabled features that, when activated by a single click, impose a multitude of additional default settings, which we term deep default settings. Similarly, as these settings become functional immediately upon activation, users are less likely to modify them. If overlooked, such settings could escape a comprehensive security analysis of home router default settings. As an example, a typical feature which is usually disabled by default is the guest network (to give temporary network access to a visitor). This disabled feature might not catch the attention of a security analysis, but once enabled by the user (e.g., a friend drops by), the guest network may default to improper settings and issues absent from the initial defaults would suddenly apply.

In this paper, we seek the answers to two questions: “Will the default settings of home routers pose any security risks?” (initial defaults) and “Will the default settings of initially-deactivated features of home routers pose any security risks once activated?” (“deep” defaults). Note that certain features may or may not be enabled by default, and thus we determine whether a feature is considered “deep” based on common practice (i.e., by most models). We clarify whether a feature is enabled by default if relevant in our results.

To answer these two questions, emulation-based large-scale analysis would appear to be a good choice, because functional emulation of the firmware image is a promising direction to conduct security analyses (albeit with numerous challenges [17]). However, we found that it is inherently limited in its ability to yield faithful results. We show in Section 3.1 how the state-of-the-art emulators could not meet our requirements to retrieve the actual default settings. Consequently, automating the analysis of merely available router firmware images is not a reliable method to survey their default settings. Moreover, a few popular brands obfuscate their firmware images in an attempt to thwart such analysis [56], not to mention that a non-negligible number of router models do not even have firmware images available for download.

With emulation confirmed to be infeasible for our purpose, we purchased 40 home routers available at flagship stores on popular shopping platforms that still received firmware updates in the past four years (2018–2022), to represent as many recent routers as possible. Based on our defined threat model of home routers (Section 2.1), we designed a comprehensive router default settings security analysis framework to analyze the selected home routers. By systematically testing the routers, we found insecure default settings and behaviors related to Wi-Fi security protocols, setup wizard, guest network, WPS, IPv6, TLS, and router reset. We also found a hard-coded WPS PIN in a router allegedly not supporting WPS (this case is assigned a CNVD ID), as well as several instances of unprotected firmware update mechanisms (pending vendor acknowledgment).

Our main contributions are as follows:
• We introduce an 81-criteria security evaluation framework for default settings in home routers, with a focus on deep settings, while factoring in four types of adversaries.
• We demonstrate that firmware emulation has significant limitations as a solution to default setting analysis, and choose to conduct a comprehensive analysis with 40 real-world home routers using our proposed evaluation framework.
• We are the first to draw attention to what we call deep default settings in a security context, which take effect only when the corresponding feature is enabled and are often neglected in regular security analysis, and we target such deep defaults in the conducted analysis.
• We uncover numerous security issues and shed light on weak default security protocols, incorrect implementation of TLS, improper configuration guidance for users, unencrypted firmware updates, IPv6 without NAT and default firewall, and concealed WPS support. We are currently reporting 30 exploitable vulnerabilities to the vendors (9 have been assigned CNVD/CVE IDs).

2 ANALYSIS SCOPE

This section defines the scope of our home router defaults analysis, which is twofold: the types of attacker capabilities (considered threats), and the individual router default settings which may lead to security implications if not properly set (considered features).

2.1 Threat Model

When a router is powered on and connected to the Internet, it may face potential threats from various adversaries. To better study the security implications of various default settings in home routers, we divide the adversaries into the following four types:
• Adv_WAN: Adversaries on the Internet. As the WAN interface of routers is exposed on the Internet, adversaries can discover open services (notably through specialized search engines, e.g., Shodan [57], Zoomeye [77]) and try to exploit them.
• Adv_LAN: Adversaries in the LAN. Compromised user devices (e.g., by malware), or simply curious guests that are already connected to the router’s local network, have access to certain of the router’s features. Adversaries who have managed to get connected to Wi-Fi (LAN) are also included.
• Adv_PHY: Adversaries physically close to the router. The Wi-Fi signal coverage of the router is usually sufficient for adversaries to mount attacks exploiting wireless protocols from outside the user’s home. For instance, adversaries in close proximity can attempt to break the security protocol to connect to Wi-Fi [63].


Table 1: Categories of settings considered and related threats. The ✓ marks in the "Adversaries" column indicate the applicable adversaries among Adv_WAN, Adv_LAN, Adv_PHY and Adv_NET; they are reproduced as extracted, the column each mark belonged to not being recoverable.

Categories of settings considered | Adversaries | Common issues/vulnerabilities
Initial Defaults
Wi-Fi and admin pass-phrase/word | ✓ ✓ | Weak hard-coded default passphrases, lack of proper guidance for setting strong passphrases
Wi-Fi security protocol | ✓ | Support for outdated protocols (e.g. WEP, WPA, WPA2-TKIP)
WPS | ✓ | Hard-coded WPS PINs, absence of attempt rate-limiting
Local web access | ✓ | Absence of TLS and login attempt rate-limiting/CAPTCHAs
Firmware update mechanisms | ✓ ✓ ✓ | Absence or incorrect implementation of TLS or integrity verification
Exposed services | ✓ ✓ | Concealed sensitive services (e.g. Telnet, FTP, UPnP, HTTP)
Deep Defaults
Guest network | ✓ | The same issues as Wi-Fi, absence of isolation from main network
Remote web access | ✓ ✓ | The same issues as local web access, self-signed TLS certificates
Telnet/SSH | ✓ ✓ | Weak hard-coded default passphrases
IPv6 | ✓ | Lack of IPv6 NAT or firewall
Cloud account | ✓ | Absence or incorrect implementation of TLS, lack of proper guidance for setting strong passphrases
App | ✓ ✓ | Absence or incorrect implementation of TLS
UPnP | ✓ ✓ | Vulnerable port mapping function
External storage | ✓ ✓ ✓ | Weak hard-coded default passphrases, absence or incorrect implementation of FTP over TLS
Reset | special case | Incomplete reset

• Adv_NET: Adversaries on the network path. Adversaries such as the ISP can passively eavesdrop on the outgoing traffic and mount man-in-the-middle attacks to tamper with traffic. Such adversaries are in line with the Dolev-Yao model [13], where they are capable of accessing arbitrary messages sent on the network, only limited by cryptographic capabilities, e.g., they cannot break encryption with a high-entropy key.

Curious router manufacturers/vendors may also threaten users’ security and privacy, e.g., by implementing backdoors; we do not consider them in our threat model.

2.2 Risk-Prone Features Under Consideration

Home routers, as the bridge between the home network and the Internet, come with a range of features. While these features enhance user experience, they also introduce potential security vulnerabilities. Below, we provide a list of features of home routers with a track record of security issues. We categorize them based on our threat model in Table 1. This serves as the motivation for our analysis.

Wi-Fi and admin passwords/passphrases. The Wi-Fi password is the password required for users to connect to the Wi-Fi of the router, while the admin password is required to log in to the management page of the router. Passphrases could be preset and printed on the router’s label. Lorente et al. [37] found that certain routers generate default Wi-Fi passphrases based on their MAC addresses (e.g. CVE-2012-4366), making them predictable to Adv_PHY. Niemietz et al. [48] found 10 routers with weak default admin passphrases. Adv_LAN may conduct brute-force attacks to crack them and control routers.

Wi-Fi security protocol. Wi-Fi is a Wireless Local Area Network (WLAN) technology based on the IEEE 802.11 standard [29]. Due to the open nature of wireless communications, wireless devices communicate through encryption protocols such as Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, and more recently WPA3 (standardized in 2018). Vulnerabilities and flaws have been discovered in WEP [6, 20], WPA and WPA2 (based on TKIP [59, 65, 66], e.g., CVE-2017-13086), and WPA3 [64, 67] (e.g. CVE-2019-9494 and CVE-2020-24586). Thus, when checking router default settings, only WPA2-CCMP and updated implementations of WPA3 are considered secure choices in this paper.

WPS. Wi-Fi Protected Setup (WPS) is a simplified Wi-Fi connection and login method. Typically, users can either enter an 8-digit PIN displayed by the router or press a WPS button, physically or in a management page (PBC), to connect to Wi-Fi without entering the passphrase. The PIN method brings additional security risks as it lets attackers attempt to connect at any time, and flaws were found in the design of the PIN verification that lower the number of attempts needed to find the correct PIN to a mere 11,000 [25, 27, 69] (e.g. CVE-2016-1206 and CVE-2020-15023). A hard-coded WPS PIN is also a serious issue because it can be exploited by Adv_PHY to connect to the Wi-Fi and access the LAN easily (e.g. CVE-2013-5037). Countermeasures include a significant timeout period between failed attempts.

Local web access. A router’s management webpage is normally accessible by anyone on the LAN side, including via Wi-Fi, though access restrictions can be configured. Devices on the LAN side could be infected by malware that tries to access the router’s configuration. The authentication mechanism should resist malicious login attempts. Besides the weak admin password issue mentioned above, relying on an unencrypted HTTP connection by default can also help Adv_LAN obtain the admin password by ARP spoofing [72] and log in to the management page [22, 27, 48] (e.g. CVE-2020-9420). Similar to WPS, login attempt rate-limiting and CAPTCHAs are also necessary for countering brute-force attacks (e.g. CVE-2021-38474).

Firmware update mechanisms. Routers receive firmware updates that can fix security vulnerabilities and improve security. There are three ways to update router firmware: automatic update, user-initiated update and manual update. Automatic update means that the router will check for and automatically update to the latest version at regular intervals. User-initiated update means that users can click on the “check firmware version” or “update firmware” buttons in the management page to trigger the same process. Both of the above methods need to interact with servers on the Internet. If HTTPS is not employed or the TLS certificate is not properly validated, Adv_NET may tamper with the update files through man-in-the-middle (MITM) attacks and downgrade router firmware [5, 70] (e.g. CVE-2020-10925 and CVE-2020-15498). Lack of authentication and integrity verification allows attackers to potentially write malicious firmware into the router (e.g. CVE-2014-2718) [10].

Exposed services. Each exposed service increases the attack surface [38] of home routers. In particular, a service exposed on the WAN interface will be indexed by search engines such as Shodan and might be scrutinized by malicious individuals. It poses a permanent risk to users if the exposed service cannot be disabled through a setting. Adv_LAN and Adv_WAN can discover the open ports on routers’ LAN and WAN interfaces, respectively, and exploit vulnerabilities to attack routers [35].
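The PIN-verification flaw and the "timeout between failed attempts" countermeasure discussed under WPS, and the same brute-force concern raised under local web access, can be made concrete with the following Python. It is an added example, not the paper's code: it implements the WPS PIN checksum digit from the Wi-Fi Simple Configuration specification, derives the 11,000-attempt bound the paper cites from the split verification of the two PIN halves, and models a per-peer lockout counter whose thresholds (3 failures, 60 s) are assumed values chosen for illustration.

```python
"""WPS PIN checksum, the 11,000-attempt bound, and a lockout counter.

Added example, not code from the paper.  The checksum rule is the one
in the Wi-Fi Simple Configuration specification.  The verifier on a
vulnerable router confirms the first 4 digits before the last 4, so
the two halves can be searched independently; that is what reduces the
search space.  The limiter models the "significant timeout between
failed attempts" countermeasure; its thresholds are assumptions.
"""
from dataclasses import dataclass, field


def wps_checksum(seven_digits: str) -> int:
    """Return the 8th (checksum) digit for a 7-digit WPS PIN prefix."""
    if len(seven_digits) != 7 or not seven_digits.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    acc = 0
    for i, ch in enumerate(seven_digits):
        weight = 3 if i % 2 == 0 else 1  # digits 1, 3, 5, 7 weigh 3
        acc += weight * int(ch)
    return (10 - acc % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if an 8-digit PIN carries a correct checksum digit."""
    if len(pin) != 8 or not pin.isdigit():
        return False
    return wps_checksum(pin[:7]) == int(pin[7])


def worst_case_attempts(split_verification: bool = True) -> int:
    """Upper bound on PIN guesses Adv_PHY needs when nothing rate-limits.

    A verifier that acknowledges the first half before checking the
    second lets each half be searched on its own: 10**4 for the first
    half plus 10**3 for the second (its last digit is the checksum and
    is derived, not guessed).  A verifier that only answers for the
    whole PIN leaves 10**7 candidates.
    """
    if split_verification:
        return 10**4 + 10**3
    return 10**7


@dataclass
class PinAttemptLimiter:
    """Per-peer lockout after repeated failed PIN (or login) attempts.

    max_failures and lockout_seconds are assumed values for illustration.
    The current time is passed in so behaviour can be tested without
    sleeping; a router would use its monotonic clock.
    """
    max_failures: int = 3
    lockout_seconds: float = 60.0
    _failures: dict = field(default_factory=dict)
    _locked_until: dict = field(default_factory=dict)

    def attempt_allowed(self, peer: str, now: float) -> bool:
        until = self._locked_until.get(peer, 0.0)
        if now < until:
            return False  # still inside the timeout window
        if until:
            # lockout expired: start a fresh counting window
            self._locked_until.pop(peer, None)
            self._failures.pop(peer, None)
        return True

    def record_failure(self, peer: str, now: float) -> None:
        n = self._failures.get(peer, 0) + 1
        self._failures[peer] = n
        if n >= self.max_failures:
            self._locked_until[peer] = now + self.lockout_seconds

    def record_success(self, peer: str) -> None:
        self._failures.pop(peer, None)
        self._locked_until.pop(peer, None)


if __name__ == "__main__":
    pin = "2643731"  # constructed sample prefix, not a real device's PIN
    print("checksum digit:", wps_checksum(pin))
    print("guesses without rate limiting:", worst_case_attempts())
    lim = PinAttemptLimiter()
    for t in (0.0, 1.0, 2.0):
        lim.record_failure("peer-a", t)
    print("allowed at t=30s:", lim.attempt_allowed("peer-a", 30.0))
    print("allowed at t=62s:", lim.attempt_allowed("peer-a", 62.0))
```

With the assumed thresholds, an unthrottled 11,000-guess search becomes 3 guesses per minute per peer, which is the effect the paper's countermeasure aims for.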


Guest network. A guest network is a separate wireless SSID advertised by the router with limited functionalities and targeted at a user’s guests. The network usually provides isolation from other clients of the main network, inter-client isolation, and prevents guests from accessing the management webpage [27]. There are two types of guest networks: open networks without a Wi-Fi password that instead leverage a captive portal to ask for the guest password after users connect to them; and secured networks protected by the guest Wi-Fi password. The former type may carry various security risks [26], while the latter type is similar to the main Wi-Fi network and relies on the default Wi-Fi security protocols [19].

Remote web access. Remote web access is a feature that allows users to access management pages from the WAN side. It should be disabled by default because it exposes web interfaces to the Internet, which can bring security risks [45, 60] (e.g. CVE-2012-2440). The security concerns for remote web access are similar to local web access [27] (e.g. CVE-2013-6918). In addition, when users remotely access management pages with HTTPS, routers act as TLS servers and users may still be vulnerable to MITM attacks if the certificates provided by routers are self-signed [9].

Telnet and SSH. Telnet and SSH are commonly used protocols for remote management. Routers support them for remote debugging; therefore, they tend to hide the status of Telnet and SSH (the default usernames and passwords of these services) from the users. However, the manufacturers may employ weak hard-coded passwords [35] (e.g. CVE-2016-10177, CVE-2018-10532, and CVE-2022-38452) for such services. The Mirai botnet, which was once used for large-scale DDoS attacks, also infects devices by attempting Telnet and SSH logins with a static set of passwords [39].

IPv6. In IPv4, Network Address Translation (NAT) is a mechanism that is often seen as necessary due to the scarcity of global IPv4 address space. Though not a primary purpose of NAT, it provides a “better-than-nothing” security boundary as well by translating and masking private IP addresses, thereby making it more challenging for outside attackers to initiate connections to internal devices [34]. IPv6 eliminates the need for NAT thanks to globally unique addresses, making internal hosts directly reachable via the Internet and posing new security risks. RFC 4864 [34] recommends that home routers apply IPv6 stateful packet filtering that “conforms to the user expectations already in place” [73] with IPv4 NAT. One remaining barrier for attackers is to find active hosts within the large IPv6 address space [28, 44], especially due to (partially) random 64-bit suffixes in certain settings [47].

Cloud account. Certain router manufacturers provide cloud account services for users. These accounts can be bound with routers and their companion apps for remote access and management, or used for Dynamic DNS (DDNS). Therefore, account password strength requirements should be very strict. Similar to firmware update, routers also need to communicate with servers when users log in to their cloud accounts, a process that could be vulnerable to MITM attacks [2].

App. To facilitate accessing and managing the router, manufacturers develop companion apps for their routers. These apps can be bound to routers or manufacturer accounts and communicate with routers directly by Wi-Fi or through a server on the Internet. Wi-Fi is used near the router and is only vulnerable to Adv_LAN (e.g. CVE-2022-23000). If users want to rely on the app to remotely control the router, the manufacturer’s server needs to be involved to forward packets to the router. Similar to firmware update, Adv_NET can control the router by hijacking the packets between the router and the server [2, 31] (e.g. CVE-2022-41540).

UPnP. Universal Plug and Play (UPnP) is an architecture for easy and robust connectivity of many sorts of devices in homes, offices, and elsewhere [43]. For routers, UPnP can help peer-to-peer software in the LAN access the Internet more smoothly by automatically configuring port mappings. Esnaashari et al. [16] found that adversaries can exploit UPnP to carry out MITM attacks by adding port mappings.

External storage. External storage is a feature that lets users access the content of USB devices connected to the router. Generally, there are three different access methods: SMB-based, web-based over HTTP or HTTPS, and FTP-based. SMB is limited to file sharing within the local area network (LAN), while the latter two methods support remote access. For FTP, Kumar et al. [35] discovered a number of devices supporting FTP with weak hard-coded credentials (e.g. CVE-2022-46637) or without authentication (e.g. CVE-2008-1268). Strong credentials are also necessary for SMB-based and web-based access methods. Additionally, similar to remote web access, properly implemented TLS is important for remote web-based and FTP-based access methods to prevent attacks from Adv_WAN and Adv_NET.

Reset. Router refurbishment and second-hand router trading are very common. Usually, users reset routers to dispose of their sensitive data. However, there may be residual data in the router due to improper implementations of the reset function. Hard reset means pressing and holding the physical “RESET” button, while soft reset means clicking the “reset to factory default settings” button in the management page. For a soft reset, routers may offer different reset options to help users dispose of their data selectively, which may result in users unintentionally retaining sensitive information. Additionally, sensitive information may remain in the flash memory after a device reset [21, 36], which allows adversaries to recover the previous owner’s data from second-hand devices.

3 ANALYSIS DESIGN

We justify below why firmware emulation is unfit for our task. We then describe our methodology to extract default settings from real routers and measure their behaviors. We not only collect the settings shown in the web management page, but also verify whether critical settings are properly applied. In doing so, we also launch active tests such as port scanning.

3.1 An Attempt with Emulation

An intuitive choice for large-scale firmware analysis would be emulation, with both minimal cost and better flexibility. We show why this is not the case for our purpose. We found that only Firmadyne [7] and FirmAE [33] can automatically run router firmware without hardware information or manual configuration. So, we chose FirmAE as it is an improved version of Firmadyne with a


Table 2: Outcome of 320 emulated images with FirmAE

Emulation outcome | Count
Failed | 3
Appears “successful”, no access to management page:
  “Unable to connect” | 41
  404 error | 37
  “Page not found” | 3
  Blank page | 33
  “The connection was reset” | 6
  Infinite waiting | 9
  Jump to the official website | 12
  Others* | 10
Appears “successful”, disrupted setup wizard:
  Cannot login or set password | 16
  “Cable is unplugged” | 56
  “Require admin privilege” | 5
  Infinite waiting | 8
  “Invalid MAC address” | 1
  “Searching PVC” | 1
Appears “functional” | 79
Total | 320
*Examples include 400 error, 500 error, “Time out”, “Unsupported browser”, “Checking JavaScript support”, Blank, “Need upgrade”.

    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/ioctl.h>
    #include <net/if.h>

    /* Decompiled; variable names are the decompiler's.  0x89F7 lies in the
       Linux SIOCDEVPRIVATE range and is answered only by the vendor's own
       driver, which a replacement kernel does not carry. */
    int wanIsConnected(int a1) {
        // ...
        char v1[16] = "eth0";
        struct ifreq v3;            /* request buffer handed to ioctl() */
        int v4;
        int v2 = socket(2, 1, 0);   /* AF_INET, SOCK_STREAM */
        if ( v2 == -1 ) {
            perror("Socket creation faild\n");
            return 0;
        }
        strncpy(v3.ifr_name, v1, 16);
        v4 = ioctl(v2, 0x89F7, &v3); // query SIOCGLINKSTATUS
        if ( v4 >= 0 ) {
            // ... (link status read from v3; elided in the decompilation)
        }
        else {
            perror("SIOCGLINKSTATUS");
            close(v2);
            return 0;
        }
        close(v2);
        return 1;   /* assumed success path; the decompilation elides it */
    }

Listing 1: Decompiled code of the function that returns the cable status in the firmware of TP-Link TL-WR940N

Figure 2: The error page of TP-Link TL-WR940N
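Listing 1 depends on a driver-private ioctl, which is why a stock kernel cannot answer it. The following Python is an added example, not the paper's or TP-Link's code, and assumes a Linux host: it classifies the request code, performs the generic SIOCGIFFLAGS link query a portable implementation would use, and reports how the private request 0x89F7 fails on a kernel without the vendor driver. The constants are the kernel's generic ones from <linux/sockios.h> and <net/if.h>; the interface names "lo" and "eth0" in the demo are assumptions.

```python
"""Why Listing 1's ioctl fails under emulation (added example, Linux only).

wanIsConnected() asks the driver for the link state with request 0x89F7,
inside the SIOCDEVPRIVATE range (0x89F0..0x89FF).  Only the vendor's own
kernel driver knows that code; FirmAE's replacement kernel has no handler,
so the call fails and the web application reports an unplugged cable.
Constants below are the generic Linux values, not the vendor's.
"""
import errno
import fcntl
import socket
import struct

SIOCGIFFLAGS = 0x8913        # generic: read interface flags
SIOCDEVPRIVATE = 0x89F0      # first of the 16 driver-private codes
VENDOR_LINKSTATUS = 0x89F7   # the request used in Listing 1
IFF_UP = 0x1
IFF_RUNNING = 0x40
IFNAMSIZ = 16                # struct ifreq: 16-byte name + 24-byte union


def is_driver_private(request: int) -> bool:
    """True for SIOCDEVPRIVATE+n codes that no generic kernel implements."""
    return SIOCDEVPRIVATE <= request <= SIOCDEVPRIVATE + 15


def pack_ifreq(ifname: str) -> bytes:
    """Build a 40-byte struct ifreq with only ifr_name filled in."""
    name = ifname.encode()
    if len(name) >= IFNAMSIZ:
        raise ValueError("interface name too long")
    return struct.pack("16s24x", name)


def sample_ifreq(flags: int, ifname: str = "lo") -> bytes:
    """Constructed ifreq as the kernel would return it (for offline tests)."""
    return struct.pack("16sH22x", ifname.encode(), flags)


def flags_from_ifreq(buf: bytes) -> int:
    """Extract ifr_flags, the short that follows the 16-byte name."""
    return struct.unpack_from("H", buf, IFNAMSIZ)[0]


def query(ifname: str, request: int):
    """Issue one ioctl; return (ifreq_bytes, 0) or (None, errno)."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return fcntl.ioctl(s.fileno(), request, pack_ifreq(ifname)), 0
    except OSError as e:
        return None, e.errno or errno.EIO


def link_is_up(ifname: str) -> int:
    """Portable check: 1 = up and running, 0 = down, -1 = query failed."""
    buf, _ = query(ifname, SIOCGIFFLAGS)
    if buf is None:
        return -1
    flags = flags_from_ifreq(buf)
    return 1 if (flags & IFF_UP) and (flags & IFF_RUNNING) else 0


def vendor_link_status(ifname: str) -> int:
    """Mirror Listing 1's call: errno of the failure, 0 if a driver answered."""
    _, err = query(ifname, VENDOR_LINKSTATUS)
    return err


if __name__ == "__main__":
    for name in ("lo", "eth0"):
        print(name, "generic link_is_up:", link_is_up(name),
              "private 0x89F7 errno:", vendor_link_status(name),
              "(driver-private:", is_driver_private(VENDOR_LINKSTATUS), ")")
```

On a generic kernel the private request returns an error for every interface (typically EOPNOTSUPP or ENOTTY depending on the driver), which is exactly the branch in Listing 1 that prints "SIOCGLINKSTATUS" and returns 0.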


Figure 3: The Wi-Fi configuration page of TP-Link TL-WR940N in FirmAE and on a real device

79.36% success rate. We tested the firmware images of 320 routers that FirmAE claims to support, and tabulated the results in Table 2. We identified two main types of issues that prevent us from relying on emulation altogether.

Non-functional emulation. The definition of “successful” emulation varies with purposes. FirmAE assumes that as long as the host can successfully ping the IP address of the router’s LAN interface, the emulation is successful (which is why there are only 3 failed cases in Table 2). However, in numerous cases we cannot access the management page or complete the initial setup, let alone extract the default settings. Through our investigation, the main reasons for these failures are the lack of important information from flash or NVRAM storage, incorrect speculation about network interfaces, and the lack of customized Linux kernel hardware drivers. For instance, the setup wizard was interrupted for TP-Link TL-WR940N due to an error: “The cable is unplugged”, as shown in Figure 2. This error is due to the web application relying on ioctl() to obtain the connection status, as shown in Listing 1. FirmAE was unable to provide a correct response because its Linux kernel (which is not the original one) did not support the private command code 0x89F7. We can add this command into the Linux kernel of FirmAE and return 1 to allow the setup wizard to continue; however, this approach does not generalize to other routers.

Default values not in the firmware. Table 2 shows that 79 routers out of 320 (24%) appear to be functional during the emulation. However, those “functional” emulated firmware images still suffer from other issues, primarily due to the absence of required values normally found in flash. This issue is more critical than failed firmware emulation. Discrepancies in default settings between successful setup wizards and actual devices may go unnoticed, compromising the accuracy of the analysis. For instance, after we fixed the error mentioned above in TP-Link TL-WR940N, the setup wizard proposes the default Wi-Fi passphrase 12345670. However, as shown in Figure 3, a physical router running this firmware proposes a less-trivial passphrase: 77070180. We confirmed by reverse-engineering the firmware image that in the absence of a value in flash, the passphrase falls back to 12345670. See Appendix A for more details.

In conclusion, missing important information in the firmware images makes it impossible for emulators to properly emulate real devices while preserving realistic default settings. Due to this intrinsic limitation, we resorted to purchasing physical routers.

3.2 Overview and Analysis Environment

To conduct a comprehensive analysis of both the LAN and WAN sides of the router, we build an analysis environment based on real routers. We first interpose the WAN interface of the router to observe outgoing traffic, provide a realistic network configuration to the router (especially with regard to IPv6), and conduct port scanning. Our position is thus representative of Adv_WAN and Adv_NET. Then, we connect to the Wi-Fi network of the home


Figure 4: Environment setup in the analysis framework. LAN side: a test machine with a Wi-Fi interface connected to the router’s WLAN interface; WAN side: the router’s WAN Ethernet interface connected to a test machine, which in turn connects to the Internet.

router to access the web management page, complete the setup wizard, and conduct further analysis from the perspective of Adv_LAN and Adv_PHY; see the illustration in Figure 4.

Based on this environment, we designed a comprehensive router default settings security analysis framework according to Section 2. This is a minimal security testing framework that may not cover all potential security issues (which is also impossible), but routers should pass these tests to ensure a minimal level of security. This framework can be divided into two stages: initial analysis and deep analysis. The initial analysis is concerned with obtaining the initial defaults of the router, while the deep analysis focuses on the sensitive features supported by the router, after we enable them. The tested items are listed in Table 1 with their potential exploiters. Additionally, we designed a report template containing 81 items to fill in the analysis results based on this analysis framework, as shown in Table 4 in Appendix C.

3.3 Setup Wizard

Routers may not be fully operational after getting plugged in for the first time. In this case, users will be invited to manually visit the management page of the router, or automatically redirected there by their browser. In Appendix B, we show an example of a setup wizard in Figure 6.

Our initial approach involves connecting to the router’s Wi-Fi network with the credentials provided on the router’s label. We evaluate whether the router can be plug-and-play, disregarding instances where routers that could be plug-and-play include a “quick setup” guide that, despite recommendations, is not necessary for

Figure 5: Setup Wizard inviting the user to check for and apply a firmware update now: (a) skip is the user’s most likely choice (“Done”); (b) proceed is the user’s most likely choice (“Firmware Upgrade”)

Wi-Fi and admin passwords/passphrases. We first record the default password/passphrase in each router (if any, and usually provided on the label) to evaluate their strength. Then, to check whether routers can guide users to set strong passwords/passphrases, we record whether changing the default password is required and try to set the shortest and simplest password that can be accepted during password change to test strength requirements. Routers may also offer a password strength meter (informative only).

Wi-Fi security protocol. We record the default security protocol set to protect Wi-Fi communications. Sometimes, a hybrid mode
completing the setup process. is supported to provide backward compatibility with older client
The setup wizard guides users to configure the network, set the devices. We also measure the effective protocols supported by the
Wi-Fi and admin passwords, and update firmware. We expect users router by examining beacon frames sent by the router. Beacons
may try to avoid making decisions and simply click “next” or “skip” carry information about the supported WPA version ciphersuite
when possible. When users without necessary knowledge have (TKIP or CCMP). We check both the main and guest networks as
to make decisions, visual hierarchical design [52] can affect their well as all frequency bands (2.4 and 5GHz).
decisions. Therefore, when a page of the setup wizard requires to
take an action, e.g., update the router firmware now, we can use the WPS. WPS PIN is vulnerable to brute force attacks. We can extract
principle of visual hierarchy to infer the buttons that manufacturers the status of WPS from the beacon frames advertised by the router
want users to click on and the behavior of most real users, see to verify its support for WPS PIN and whether the status is “Config-
illustrations in Figures 5a, 5b. Our goal is to complete the setup ured” (functional) or “Locked” (non-functional) [1]. In the former
wizard as the average user and record default settings and behaviors. case, we attempt to record and test the given PIN (printed on the
label or available in the relevant configuration page) or launch a
3.4 Initial Settings Analysis brute-force attack leveraging Reaver [61] when no PIN is known to
check the usability of WPS. We also detect whether a rate-limiting
After completing the setup wizard (if any, and when necessary), we
mechanism is in place, imposing restrictions on brute-force attacks.
traverse all management pages of the router and record the settings
for sensitive features and whether these features are enabled by Local web access. We first record the protocol employed to access
default. We also verify whether Wi-Fi settings are applied correctly the management page (HTTP or HTTPS, and TLS version), which
and perform a port scan on both the LAN and WAN sides to detect could allow adversaries (Adv_LAN), when vulnerabilities exploited,
exposed services. We discuss these tested items as follows. to eavesdrop on the traffic and learn sensitive information such as

68
the admin password. Then, we also measure countermeasures to brute-force login attempts, through rate-limiting or CAPTCHAs.

Firmware update mechanisms. During the setup wizard, we record whether routers notify or force users to update the firmware as a one-time action, or whether the router indicates it is running the latest version (in which case we cannot test which of the two it would do). If the setup wizard is not required, this step can be skipped by users. Automatic updates can help users update firmware regularly, so we check whether this is enabled by default in the management page. For user-initiated updates, we run Wireshark and mitmproxy [8] to capture firmware update packets and check whether TLS is correctly implemented. In addition, we also check whether the firmware update modifies or resets the router settings without prompting the user, which may cause the user’s security settings to become invalid.

Exposed services. To discover hidden services (not mentioned in the management page), we leverage Nmap [49] to scan for the router’s open ports and the corresponding services and their versions on the WAN and LAN interfaces. To speed up the scanning of 65,535 ports, we run Nmap in parallel on smaller port ranges (see footnote 1).

3.5 Deep Settings Analysis

After completing the initial analysis, we have collected default settings about all generally-supported features. Next, we focus on deep defaults, which often require an action to turn on the corresponding features.

Guest network. We record the type of the guest network first. If it is protected by a Wi-Fi security protocol, we will investigate its Wi-Fi configurations and passphrase requirements as mentioned earlier. To test the privileges of the guest network, we check whether we can log in to the management page as an administrator from the guest network.

Remote web access. Remote management via the Internet usually requires the help of companion apps or remote web access. In the case of remote web access, the public IP address of the router’s WAN interface with a designated port number allows access to the management page from the WAN side directly. As with local web access, we can examine the security of remote web access the same way, but with additional considerations since it is exposed to the Internet. We also check whether the TLS certificate of the router is self-signed. If the subject and issuer of a certificate are the same, it means that this certificate is self-signed. Additionally, we record the version of TLS because older versions may have known vulnerabilities.

Telnet/SSH. Adv_WAN and Adv_LAN can exploit Telnet or SSH to access the terminal of the router if it is not configured properly. We can check whether Telnet or SSH is enabled by default on the LAN or WAN interfaces of the router according to the management pages and the results of port scanning. If the router supports Telnet or SSH, we try to connect to it and check whether a username and password are required to log in and whether the default username and password are weak.

IPv6. The security of IPv6 depends on whether the IPv6 addresses of connected devices are generated by the router, whether they are predictable, whether IPv6 NAT is leveraged by default, and whether the IPv6 firewall blocks IPv6 packets from the WAN side. We leverage dhcpd6 and radvd to build a virtual stateless DHCPv6 environment to assign an IPv6 address to the router and capture traffic between the router and the connected device when connecting to the router’s Wi-Fi. Then, we can find out whether the router employs SLAAC, stateful DHCPv6 or stateless DHCPv6 to assign IPv6 addresses. Only with stateful DHCPv6 are IPv6 addresses generated by the router; with the other two methods, IPv6 addresses are generated by the device itself. We can record the WAN IPv6 addresses and MAC addresses of the router and connected devices to check whether the generated addresses are predictable. Usually, the generation algorithms of different devices are different.

To check whether IPv6 NAT is leveraged by default, we can ping the Internet from the LAN side and compare the source IPv6 addresses of the ping request packets captured on the LAN side and WAN side. If they are different, it means that the router employs NAT, and the IPv6 address of the device is only used in the LAN, so the adversary cannot directly connect to the device with the IPv6 address. When there is no NAT, we set up a simple Web server on the LAN side and try to access it based on its IPv6 address from the WAN side to check whether an IPv6 firewall that blocks incoming connections from the Internet is enabled by default. If not, it means that the connected devices are being exposed to the Internet, bringing potential security risks to users. To check the blocking range of the firewall, we can deploy the server on the common port 80 and the private port 8000 for testing.

Cloud account. If the cloud account is compromised, the bound router may be controlled by adversaries. Therefore, there is a need to examine its password strength requirements. Additionally, we capture login packets and check whether the password of the account can be intercepted by Adv_NET.

App. We capture the traffic between the router and the server to check whether HTTPS is employed and the TLS certificate is validated properly when binding the app with the router and when leveraging the app to remotely manage the router.

UPnP. The main security risk of UPnP comes from the port forwarding function. PortMapper [32] can be leveraged to detect whether the router supports UPnP port forwarding and whether new port mappings can be added.

External Storage. To prevent exposure of the user’s private data stored in the external storage, we check whether authentication is enabled and verify the strength of default passwords. Additionally, for remote FTP, we capture the traffic on the WAN side when leveraging FileZilla [18] to connect to the FTP server on the router’s WAN interface. Similar to remote web access, the captured traffic allows us to validate whether the remote FTP traffic is encrypted by TLS and whether the router’s TLS certificate is valid. We also record the version of TLS. Remote storage access over HTTPS also relies on TLS for secure communication over the Internet, so we apply the same evaluation methods to assess its security.

Footnote 1: nmap -sV -T5 -p 1-100, then -p 101-1000, -p 1001-5000, etc.
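The beacon-frame checks described under “Wi-Fi security protocol” and “WPS” in Section 3.4 can be automated offline once a beacon has been captured. The following Go program is an added example written for this page, not code from the paper or its authors: it walks the information elements of a beacon frame body, extracts the RSN (WPA2/WPA3) and legacy WPA cipher suites and AKMs, reads the WPS state attributes, and reports the default-setting weaknesses the paper looks for (WPA version 1 or TKIP still advertised, no WPA3-SAE, WPS PIN “Configured” and not locked). The selector numbering follows IEEE 802.11 and the WSC attribute IDs 0x1044 (Wi-Fi Protected Setup State) and 0x1057 (AP Setup Locked) follow the WPS specification; the two beacon bodies, the SSID “lab” and the zeroed fixed fields are constructed sample inputs, not captures from any tested router.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// RSN IE selectors use OUI 00-0F-AC; the legacy WPA and WPS vendor IEs use OUI 00-50-F2.
// Cipher selector types: 2 = TKIP, 4 = CCMP. RSN AKM selector types: 2 = PSK, 8 = SAE (WPA3).
var ouiRSN, ouiMS = [3]byte{0x00, 0x0F, 0xAC}, [3]byte{0x00, 0x50, 0xF2}

// BeaconSecurity records what the paper's Wi-Fi protocol and WPS checks read from one beacon.
type BeaconSecurity struct {
	HasRSN, HasWPA1, HasWPS  bool
	Ciphers, AKMs            []byte // pairwise cipher types (both IEs) and RSN AKM types
	WPSConfigured, WPSLocked bool   // WSC attributes 0x1044 (state == 2) and 0x1057 (locked == 1)
}

// parseSuiteList reads an LE16 count and count 4-byte selectors; it returns the selector types
// carrying the expected OUI and the bytes after the list (nil, nil if the list is truncated).
func parseSuiteList(b []byte, oui [3]byte) (types, rest []byte) {
	if len(b) < 2 || len(b) < 2+4*int(binary.LittleEndian.Uint16(b)) {
		return nil, nil
	}
	n := int(binary.LittleEndian.Uint16(b))
	for i := 0; i < n; i++ {
		if s := b[2+4*i : 6+4*i]; [3]byte{s[0], s[1], s[2]} == oui {
			types = append(types, s[3])
		}
	}
	return types, b[2+4*n:]
}

func isVendorIE(d []byte, typ byte) bool {
	return len(d) >= 4 && [3]byte{d[0], d[1], d[2]} == ouiMS && d[3] == typ
}

// ParseBeaconSecurity walks the IEs that follow the 12-byte fixed fields of a beacon frame body.
func ParseBeaconSecurity(body []byte) (BeaconSecurity, error) {
	var r BeaconSecurity
	if len(body) < 12 {
		return r, fmt.Errorf("beacon body too short")
	}
	for ies := body[12:]; len(ies) >= 2 && len(ies) >= 2+int(ies[1]); { // stops at a truncated IE
		id, l := ies[0], int(ies[1])
		d := ies[2 : 2+l]
		ies = ies[2+l:]
		switch {
		case id == 48 && l >= 6: // RSN IE: version(2) group(4) pairwise list, AKM list
			r.HasRSN = true
			pw, rest := parseSuiteList(d[6:], ouiRSN)
			akm, _ := parseSuiteList(rest, ouiRSN)
			r.Ciphers, r.AKMs = append(r.Ciphers, pw...), append(r.AKMs, akm...)
		case id == 221 && isVendorIE(d, 1) && l >= 10: // WPA1 IE: OUI+type(4) version(2) multicast(4)
			r.HasWPA1 = true
			pw, _ := parseSuiteList(d[10:], ouiMS)
			r.Ciphers = append(r.Ciphers, pw...)
		case id == 221 && isVendorIE(d, 4): // WPS IE: WSC TLVs with BE16 type and BE16 length
			r.HasWPS = true
			for t := d[4:]; len(t) >= 4 && len(t) >= 4+int(binary.BigEndian.Uint16(t[2:])); {
				typ, n := binary.BigEndian.Uint16(t), int(binary.BigEndian.Uint16(t[2:]))
				if n == 1 && typ == 0x1044 {
					r.WPSConfigured = t[4] == 2
				} else if n == 1 && typ == 0x1057 {
					r.WPSLocked = t[4] == 1
				}
				t = t[4+n:]
			}
		}
	}
	return r, nil
}

// Weaknesses lists the default-setting issues the paper flags from beacons alone.
func Weaknesses(r BeaconSecurity) (w []string) {
	if r.HasWPA1 {
		w = append(w, "WPA (version 1) still supported")
	}
	if bytes.IndexByte(r.Ciphers, 2) >= 0 {
		w = append(w, "TKIP cipher advertised")
	}
	if r.HasRSN && bytes.IndexByte(r.AKMs, 8) < 0 {
		w = append(w, "WPA3 (SAE) not offered")
	}
	if r.HasWPS && r.WPSConfigured && !r.WPSLocked {
		w = append(w, "WPS PIN configured and not locked")
	}
	return w
}

func ie(id byte, data ...byte) []byte { return append([]byte{id, byte(len(data))}, data...) }

// Constructed sample bodies (fixed fields zeroed), not captures from any tested router:
// mixed WPA/WPA2-PSK with TKIP+CCMP plus WPS "Configured"; and WPA3-SAE, CCMP only, no WPS.
func SampleMixedBeacon() []byte {
	b := append(make([]byte, 12), ie(0, 'l', 'a', 'b')...)
	b = append(b, ie(48, 1, 0, 0, 0x0F, 0xAC, 2, 2, 0, 0, 0x0F, 0xAC, 4, 0, 0x0F, 0xAC, 2, 1, 0, 0, 0x0F, 0xAC, 2, 0, 0)...)
	b = append(b, ie(221, 0, 0x50, 0xF2, 1, 1, 0, 0, 0x50, 0xF2, 2, 2, 0, 0, 0x50, 0xF2, 4, 0, 0x50, 0xF2, 2, 1, 0, 0, 0x50, 0xF2, 2)...)
	return append(b, ie(221, 0, 0x50, 0xF2, 4, 0x10, 0x4A, 0, 1, 0x10, 0x10, 0x44, 0, 1, 2, 0x10, 0x57, 0, 1, 0)...)
}

func SampleWPA3Beacon() []byte {
	b := append(make([]byte, 12), ie(0, 'l', 'a', 'b')...)
	return append(b, ie(48, 1, 0, 0, 0x0F, 0xAC, 4, 1, 0, 0, 0x0F, 0xAC, 4, 1, 0, 0, 0x0F, 0xAC, 8, 0xC0, 0)...)
}

func main() {
	for _, body := range [][]byte{SampleMixedBeacon(), SampleWPA3Beacon()} {
		r, err := ParseBeaconSecurity(body)
		fmt.Printf("%+v err=%v weaknesses=%v\n", r, err, Weaknesses(r))
	}
}
```

On a real capture, the input is the beacon’s frame body as exported from a monitor-mode capture (for instance from Wireshark, which the paper already uses); the parser ignores IEs it does not understand and stops quietly at a truncated element instead of guessing, so a single malformed beacon cannot make the audit report a protocol the router never advertised.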
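The IPv6 checks above (how addresses are generated, whether they are predictable, whether NAT is used, whether the firewall blocks inbound connections) can be evaluated offline from the captured addresses and probe results. The following Go program is an added example for this page, not the paper’s tooling, and assumes the analyst already has the addresses from the dhcpd6/radvd environment described. It classifies a device address as EUI-64 derived from the MAC (RFC 4291 Appendix A), as part of a sequential run of DHCPv6-assigned suffixes like the “1000”, “1001”, “1002” pattern reported in Finding 1, or as random; it compares the LAN-side and WAN-side source addresses of the same ping request to infer NAT; and it turns the port 80 / port 8000 firewall probes into the list of exposed ports. The MAC 00:11:22:33:44:55, the addresses in the documentation prefix 2001:db8::/64 and the probe results are constructed sample values.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"net"
	"sort"
)

// EUI64 derives the modified EUI-64 interface ID from a 48-bit MAC (RFC 4291 Appendix A):
// insert ff:fe in the middle and flip the universal/local bit of the first byte.
func EUI64(mac net.HardwareAddr) ([8]byte, error) {
	var id [8]byte
	if len(mac) != 6 {
		return id, fmt.Errorf("need a 48-bit MAC, got %d bytes", len(mac))
	}
	copy(id[0:3], mac[0:3])
	id[3], id[4] = 0xff, 0xfe
	copy(id[5:8], mac[3:6])
	id[0] ^= 0x02
	return id, nil
}

type AddrKind string

const (
	KindInvalid    AddrKind = "not an IPv6 address"
	KindEUI64      AddrKind = "EUI-64 derived from MAC (predictable)"
	KindSequential AddrKind = "sequential DHCPv6 suffix (predictable)"
	KindRandom     AddrKind = "random interface ID (not derivable from MAC or peers)"
)

// interfaceID returns the low 64 bits of a (non-IPv4-mapped) IPv6 address.
func interfaceID(ip net.IP) (uint64, bool) {
	if ip = ip.To16(); ip == nil || ip.To4() != nil {
		return 0, false
	}
	return binary.BigEndian.Uint64(ip[8:]), true
}

// SequentialSuffixes: sorted interface IDs form a run of consecutive integers (Finding 1 pattern).
func SequentialSuffixes(ips []net.IP) bool {
	if len(ips) < 2 {
		return false
	}
	ids := make([]uint64, len(ips))
	for i, ip := range ips {
		var ok bool
		if ids[i], ok = interfaceID(ip); !ok {
			return false
		}
	}
	sort.Slice(ids, func(i, j int) bool { return ids[i] < ids[j] })
	for i := 1; i < len(ids); i++ {
		if ids[i] != ids[i-1]+1 {
			return false
		}
	}
	return true
}

// ClassifyAddr applies the paper's predictability check to one device address, given the
// device's MAC and the addresses (peers) the same router handed to other devices.
func ClassifyAddr(ip net.IP, mac net.HardwareAddr, peers []net.IP) AddrKind {
	if _, ok := interfaceID(ip); !ok {
		return KindInvalid
	}
	if id, err := EUI64(mac); err == nil && bytes.Equal(ip.To16()[8:], id[:]) {
		return KindEUI64
	}
	if SequentialSuffixes(append(append([]net.IP{}, peers...), ip)) {
		return KindSequential
	}
	return KindRandom
}

// UsesNAT66 is the paper's NAT test: the same ping request seen on the LAN side and on the
// WAN side carries different source addresses.
func UsesNAT66(lanSrc, wanSrc net.IP) bool { return !lanSrc.Equal(wanSrc) }

// ExposedPorts maps the firewall probe (LAN web server per port, connection attempted from the
// WAN side) to the ports Adv_WAN can reach: with NAT the LAN address is not routable from
// outside, so nothing is exposed through it; without NAT every reachable port is exposed.
func ExposedPorts(nat bool, reachable map[int]bool) (open []int) {
	if nat {
		return nil
	}
	for port, ok := range reachable {
		if ok {
			open = append(open, port)
		}
	}
	sort.Ints(open)
	return open
}

func main() {
	mac, _ := net.ParseMAC("00:11:22:33:44:55") // constructed
	peers := []net.IP{net.ParseIP("2001:db8::1000"), net.ParseIP("2001:db8::1001")}
	for _, a := range []string{"2001:db8::211:22ff:fe33:4455", "2001:db8::1002", "2001:db8::a1b2:c3d4:e5f6:789"} {
		fmt.Printf("%-30s %s\n", a, ClassifyAddr(net.ParseIP(a), mac, peers))
	}
	nat := UsesNAT66(net.ParseIP("2001:db8::1002"), net.ParseIP("2001:db8::1002"))
	fmt.Println("NAT66:", nat, "exposed ports:", ExposedPorts(nat, map[int]bool{80: true, 8000: false}))
}
```

The classification is a heuristic in the same sense as the paper’s manual check: a random interface ID is reported as such only because it matches neither the MAC-derived form nor a sequential run, and the sequential test needs at least one other address assigned by the same router to compare against.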
Reset. We check what information will be retained after a device reset. Given the data extraction cost, we do not consider the sensitive information left in the flash chip of the router, but only focus on the information available in the management page, including Wi-Fi SSID & password, admin username & password, cloud account, third-party accounts (e.g., DDNS, VPN, PPPoE, email, and FTP) and logs. Additionally, the binding status between the companion app and the router is also sensitive, and it is necessary to ensure that the router is automatically unbound from the app when reset. We can reset the router after modifying and recording all sensitive information. If the router offers different reset options, we will record them and select the default recommended options. Thereafter, we try to skip the setup wizard and check whether such sensitive information is retained and whether we can still use the app to remotely manage the router. If the wizard cannot be skipped, we will pay additional attention to whether the sensitive information is kept as default values in the setup wizard. Note that we consider the reset feature as a special case as it is expected to restore the default settings (which is our focus) and may pose a security risk; however, it does not map to any of our four types of adversaries.

4 ANALYSIS RESULTS

We analyzed 40 home routers based on a selection detailed in Section 4.1, by following our analysis framework (Section 3). The routers were running the factory firmware unless the setup wizard explicitly recommends updating the firmware before continuing, mimicking common user behaviors. The factory version will also run for a period of time until the router automatically updates the firmware (if supported).

We share below the essential findings from the analysis. The key results are summarized in Table 3 by brand and model (we have anonymized the models with unpatched vulnerabilities for ethical reasons). We found a total of 46 potential vulnerabilities (marked with “!!” in Table 3), out of which we have confirmed 30 to be exploitable in the latest version and reported them to manufacturers or CNVD/CVE (marked with “*” in Table 3). More information about our vulnerability reporting will be updated at https://github.com/YjjNJUPT/AsiaCCS2024_vul_report. The detailed results are tabulated in Appendix C.

It is noteworthy that our analysis may have covered only a small portion of all available routers on the market. Our research objective is to understand trends to help manufacturers improve home router security, rather than guiding consumers in choosing a router.

4.1 Router Selection

Home routers are diverse in vendors, regional markets, popularity, and firmware filesystems. Due to the prohibitive cost of buying all available router models, we choose to evaluate a selection of commercially off-the-shelf routers that can reflect both popularity and diversity.

Brands included in our selection are from both the global market [41] and, in consideration of the huge user base in China, the Chinese market [76]. We purchased the routers from Amazon US, Taobao, and JD (the two largest online shopping platforms in China), which we believe are representative of what most end users are exposed to. We selected 40 home routers (for scale, 35 routers were purchased in a previous study [30]) according to their series names, regions, price range, and popularity, under a budget of $3,000 USD. Although some of them are not the latest models, they still received updates in recent years and appear to be popular on those platforms. Consumers might buy them especially since they may be cheaper and thus more attractive. Therefore, including them is essential to reflect the actual status of the router market.

4.2 Key Findings

4.2.1 Finding 1: IPv6 support without firewall. 37 routers support IPv6 (but only 25 can work) and 11 of them have it enabled by default. Nearly all of the routers with a functional IPv6 stack do not implement IPv6 NAT (24/25), as expected. However, 5 of them also do not implement an IPv6 firewall to block incoming connections from the internet by default. Adv_WAN can directly reach devices located in the local network using their (public) IPv6 address. This behavior is a violation of RFC 4864 [34], and is dangerous in a home network environment as it exposes printers, IoT and other devices that are not designed to be publicly reachable. Two of the 5 routers enable IPv6 by default and can simply work as plug-and-play, leaving customers of IPv6-enabled ISPs exposed out of the box.

Worse, a router implements stateful DHCPv6 and assigns full IPv6 addresses to connected devices by following simple and predictable suffixes such as “1000”, “1001”, “1002”. Fortunately, this router does not enable IPv6 by default.

The other 4 routers rely on stateless DHCPv6 to assign IPv6 addresses to devices, which means that the IPv6 addresses are generated by the devices themselves rather than the routers. Note that modern operating systems generate random interface IDs [12, 47], making it difficult for adversaries to predict the IPv6 address of a specific computer. However, we cannot guarantee that all devices, especially IoT devices, can generate an unpredictable IPv6 address for themselves.

We are working with the affected vendors to fix these vulnerabilities. At present, two of them have been assigned CVE IDs (CVE-2023-41603 and CVE-2023-41604) and D-Link has released a hotfix for D-Link R15.

4.2.2 Finding 2: Insecure Wi-Fi security protocols still supported by default. 13 routers still support WPA (version 1) with AES-CCMP encryption by default. Although AES-CCMP is relatively secure, it is susceptible to KRACK attacks [65, 66] that can replay and decrypt packets. More worryingly, 2 routers still support the outdated TKIP encryption by default, a protocol vulnerable to both replay and forgery of packets via KRACK attacks. Out of the 40 routers we purchased, 17 do not support WPA3, while the remaining 23 routers do not default to WPA3 although they support it. This shows a slow adoption of new standards among router manufacturers.

Furthermore, we encountered a router that initially supports WPA/WPA2-PSK-(TKIP|CCMP) before the setup wizard finishes and then transitions to supporting only WPA2-PSK-CCMP. However, it is functional without the setup wizard, and could thus run with the less secure configuration in a plug-and-play scenario.

4.2.3 Finding 3: Insecure default settings for plug-and-play. Plug-and-play functionality allows users to start enjoying their router
Table 3: Summary of potential and confirmed security issues from our analysis of 40 routers

[The rotated per-column headers of Table 3 did not survive extraction. Only the column groups in the first row below and the legend after the table are recoverable.]
Brand Model name IPv6 WiFi Plug&Play WPS TLS Setup Guest
360 T— - - - ! - - - - - - - - - !! - - ! - ! - - - -
ASUS R— ! - - - - ! - ! ! - ! - - - !!* - - - - - - - -
ASUS T— - - - - - - - - ! - ! - - - !!* - - - ! - - - -
ASUS T— - - - - - - - - ! - ! - - - !!* - - - ! - - - -
D-Link D— ! - - ! ! ! - ! ! ! - - - !!* - - - - - ! ! - -
D-Link D—† ! - - ! - - - - ! - ! - - !! - - ! - ! - - - -
D-Link D— - - - - - ! - ! ! - - - - - - - - - ! - - !!* -
D-Link R15 ! !!* - - - ! - - ! ! ! - !!* - - - - - - - - - -
H3C N— ! - ! - - - - - ! ! - - - !!* !!* - ! - ! - - - -
HUAWEI AX3 Pro ! - - - - - - - ! ! - - - - - - - - ! - - - -
HUAWEI WS7002 ! - - - - - - - ! ! - - - - - - - - ! - - - -
Linksys E— ! - - - - - - - ! - ! - - - !!* - - - C - - - -
Linksys E— - - - - - - - - ! - ! - - !! !!* - - - C - - - -
Linksys E— ! - - - - - - - ! - ! - - - !!* - - - C - - - -
Linksys E— - - - - - - - - ! - ! - - !! - - - - C - - - -
Linksys EA5800 - - - - - - - - ! - ! - - - - - ! - C - - - -
Linksys MR6350 - - - - - ! - ! ! - ! - - - - - - - - - - - -
Linksys W— ! - ! - - - - - ! - ! - - !! - - - - - - - !!* -
Mercury X30G ! - ! ! - - - - - - - - - - - - ! ! ! - - - -
Netcore N— - - - ! - - - - ! ! ! - - !!* !!* - ! - ! - - - -
Netcore N— ! - - ! ! ! ! - ! ! ! - - !!* !!* - - - - ! - - -
Netcore N— ! - - ! - ! - - ! ! ! - - !! - - - - - ! - - !!*
Netcore P— ! !!* - ! - ! ! - ! ! - - - !! - - - - ! - - - -
NETGEAR R6120 - - - - - - - - ! - ! - - - - - ! - ! - - - -
NETGEAR R—† - - - - - - - - ! - ! - - !! !! - ! - ! - - - -
NETGEAR RAX40 - - - - - - - - - - - - - - - - ! - ! - - - -
NETGEAR R— - - - - - - - - - - - - - !! - - ! - ! - - - -
NETGEAR R— - - - - - - - - - - - - - !! - - ! - ! - - - -
Ruijie X— ! - ! ! - - - - - - - - - !!* !!* !!* - - ! - - !!* -
Tenda A— - - - - - ! ! - ! - ! - - !! !! !!* - - ! - - - -
Tenda A— ! !!* - - - ! ! - ! - ! - - !! !! !!* - - ! - - - -
Tenda F3 - - - ! - ! ! ! - - - - - - - - - - - - - - -
TP-Link Archer-AX23† ! - - - - - - - ! - ! - - - - - ! - ! - - - -
TP-Link T— ! !!* ! ! - - - - - - - - - - - - ! ! ! - - - -
TP-Link T— ! !!* - - - - - - ! - ! - - - - - ! - ! - - - -
TP-Link TL-WR940N† ! - - ! - - - - ! - ! - - - - - ! - - - - - -
TP-Link TL-XDR3010 ! - ! ! - - - - - - - - - - - - ! ! ! - - - -
Xiaomi 4— ! - ! ! - - - - ! ! - - - !!* !!* - ! - - - - - -
Xiaomi Redmi AX3000 ! - ! - - - - - ! ! - - - - - - ! - - - - - -
ZTE A— ! - - ! - ! - ! ! ! ! - - - - - - - - ! - - !!
Total 40 routers 24 5 8 15 2 12 5 6 31 12 23 0 1 18 14 3 18 3 23 4 1 3 2
Legend: “!” indicates the presence of an issue/feature that may be a prerequisite for security issues (e.g. no IPv6 NAT is not a vulnerability by itself unless IPv6 firewall is not working).
“!!” indicates the presence of a potential vulnerability and “*” means we have confirmed it to be exploitable in the latest version. “C” under “Open guest network” represents a captive
portal. “† ” marks the 4 routers purchased between Dec 2021 and Oct 2022 for preliminary (other routers were purchased in Oct 2022, Feb 2023 and May 2023).


without accessing the management page or completing the setup wizard, which poses security risks. Out of the 12 plug-and-play routers studied, 5 lack a default Wi-Fi password, making the Wi-Fi network open and vulnerable. Furthermore, if the setup wizard is never completed, accessing the management page redirects to this wizard, which lacks any admin password in two routers or expects simple passwords (e.g., “admin”, “password”) in 4 routers. Adv_LAN could easily take control of the router in such cases. Finally, 5 other routers ask for the Wi-Fi passphrase as an initial admin password, which Adv_LAN might already know.

4.2.4 Finding 4: WPS PIN still supported by default, sometimes with unknown PINs. Despite the known susceptibility of the WPS PIN authentication method to brute-force attacks, 31 routers appear to still support this feature as advertised by a “Configured” status. The concern is heightened as 12 of these routers do not tell users the expected PIN.

Out of these 31 “configured” routers, 23 routers can theoretically be cracked as Reaver can successfully complete several WPS PIN attempts. To prevent brute-force attacks, all of them get locked after several failed WPS PIN attempts, but the locking time varies among routers. Seven routers are only locked for 1 minute per failure and one router is only locked for 2 minutes. Other routers are locked for a long time and are difficult to crack.

As brute-forcing is time-consuming, we only cracked D-Link R15 successfully. We find that the hidden WPS PIN code of this router is very simple. We purchased another router of the same model and confirmed that the PIN works, meaning that it is hard-coded and likely to be the same for all such routers, which is a serious vulnerability. We reported this issue to D-Link and received a confirmation. At present, this vulnerability has been assigned a CNVD ID (CNVD-2023-59339) and D-Link has fixed it with a hotfix.

4.2.5 Finding 5: TLS not used when needed or without certificate validation. Several routers were found to communicate with servers over HTTP instead of HTTPS when checking firmware versions or downloading firmware update files. This practice exposes routers to MITM attacks. In addition, certain routers failed to validate TLS certificates properly.

Checking the firmware version, performing a firmware update, binding to the companion app and remote management with the app all require routers to communicate with servers on the Internet. We find that 7 routers rely on HTTP to check the firmware version and 7 rely on HTTP to download firmware update files. Moreover, among routers that do leverage TLS, 9 of them do not validate TLS certificates properly for version checking, and 5 routers do not when downloading update files. Adv_NET can easily replace update files to downgrade the router or write malicious firmware into the router, if no further integrity or authenticity check is performed.

Also, a router did not perform certificate validation when being remotely managed by the companion app, i.e., Adv_NET can use a self-signed certificate to intercept traffic between the router and the server and carry out MITM attacks. Additionally, we find that two routers implement a custom protocol over TCP to check the firmware version, perform the update and communicate with the companion app server, but sensitive information is transmitted in plaintext, which leads to information being exposed on the internet to Adv_NET.

External storage and remote web access also require TLS protection. However, we find only two routers employing non-self-signed TLS certificates: one served a public certificate for a real domain but leaked the private key in its firmware (this problem has already been fixed in later versions of the firmware); the other one includes an untrusted certificate issued by “ZTE-ROOT-CA”, which is no better than a self-signed certificate. In addition, we find one Linksys router employing an expired self-signed TLS certificate after we update its firmware. The incorrect use of TLS certificates may result in Adv_NET being able to conduct MITM attacks. DDNS can alleviate this issue as it attaches the router to a domain name and could facilitate the issuance of browser-trusted certificates; however, it is always disabled by default.

4.2.6 Finding 6: Setup wizards fail to guarantee strong passwords. Although 28 routers require users to complete the setup wizard, 18 of them do not force users to set Wi-Fi or admin passwords during the setup wizard. Similarly, all 11 routers with optional setup wizards fail to enforce the change of either password. After going through all setup wizards, 4 routers end up not having a default Wi-Fi password and do not force users to set one (i.e., the Wi-Fi network remains open). The same applies to admin passwords for two routers. If the user is not paying attention, these routers may run without a password. Additionally, two routers employ “admin” as the default admin password and do not require users to change it, which is also insecure. We also find that 10 routers employ the Wi-Fi password as the admin password by default and only inconspicuously remind users of this during the setup wizard. If Adv_LAN can obtain the Wi-Fi password, they can also access the management page and control such routers easily.

10 routers require users to set both Wi-Fi and admin passwords, but the requirements for password strength are very low. All of the selected routers only require users to set a Wi-Fi password that contains more than 8 characters and do not have any other requirement. In this case, users may prefer to set 8-digit numeric passwords [68], which are not so difficult for Adv_PHY to crack. In addition, there are 8 routers that do not even have any admin password strength requirements.

4.2.7 Finding 7: Poorly protected guest network. As the guest network is an optional feature, only one router has it enabled by default, which might be why not much attention has been given to the security of this feature. However, we find that 23 routers do not enforce a Wi-Fi security protocol by default, which means that the guest network is open if the user simply enables it with a click. Among the routers that enable Wi-Fi security protocols by default, we also find 4 routers that support WPA, and one of them still supports TKIP by default.

In addition, 5 routers offer a captive portal with an open (unencrypted) Wi-Fi configuration by default. Those routers’ strength requirements only impose a 4-character minimum and their login interfaces do not seem to limit password attempts.

To protect the main network, the guest network is generally isolated from the host network. However, 3 routers allow access to the management page from the guest network, unnecessarily exposing the router to (untrusted) guests. Among them, a “plug-and-play” router has “password” as the default admin password, which makes it even more vulnerable.
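The certificate tests from Section 3.5 (subject equal to issuer means self-signed; validity period; whether the certificate chains to a browser-trusted root; TLS version) and the three situations reported in Finding 5 (a self-signed certificate, a certificate from a vendor’s private root that browsers do not trust, and a public certificate) can be reproduced on synthetic certificates. The Go program below is an added example for this page, not the authors’ code: it generates a constructed public root, a constructed vendor root and three leaf certificates, then inspects them the way the paper describes. The CA names, host names, the fixed evaluation date and all key material are assumptions made up for the example and relate to no real router or vendor.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertReport holds the certificate properties the paper records for remote web access,
// remote FTP and remote storage: self-signed (subject == issuer), validity, and trust.
type CertReport struct {
	Subject    string
	SelfSigned bool
	Expired    bool // outside the validity period at the evaluation time
	Trusted    bool // chains to a root in the supplied pool (a nil pool means the system roots)
}

func InspectCert(cert *x509.Certificate, roots *x509.CertPool, now time.Time) CertReport {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return CertReport{
		Subject:    cert.Subject.CommonName,
		SelfSigned: bytes.Equal(cert.RawSubject, cert.RawIssuer),
		Expired:    now.Before(cert.NotBefore) || now.After(cert.NotAfter),
		Trusted:    err == nil,
	}
}

// AcceptableTLSVersion rejects the older protocol versions the paper records as risky.
func AcceptableTLSVersion(v uint16) bool { return v >= tls.VersionTLS12 }

var serial int64 // constructed, increasing serial numbers for the sample certificates

func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the RNG fails
	return k
}

func newTemplate(cn string, ca bool, notBefore time.Time, days int) *x509.Certificate {
	serial++
	usage := x509.KeyUsageDigitalSignature
	if ca {
		usage |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, 0, days),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
}

// issue signs tmpl with signer under parent; a nil parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// AuditSamples builds constructed certificates for the three situations in Finding 5 and
// inspects them at a fixed evaluation date; names, host names and dates are assumptions.
func AuditSamples() map[string]CertReport {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	rootKey, vendorKey, leafKey := newKey(), newKey(), newKey()
	publicRoot := issue(newTemplate("Example Public Root (constructed)", true, now.AddDate(-1, 0, 0), 3650), nil, &rootKey.PublicKey, rootKey)
	vendorRoot := issue(newTemplate("Example Vendor Private Root (constructed)", true, now.AddDate(-1, 0, 0), 3650), nil, &vendorKey.PublicKey, vendorKey)
	pool := x509.NewCertPool() // stands in for a browser trust store: it holds only the public root
	pool.AddCert(publicRoot)
	selfSigned := issue(newTemplate("router.lan", false, now.AddDate(-2, 0, 0), 365), nil, &leafKey.PublicKey, leafKey)
	byVendorCA := issue(newTemplate("router.lan", false, now.AddDate(0, -1, 0), 365), vendorRoot, &leafKey.PublicKey, vendorKey)
	byPublicCA := issue(newTemplate("router.example.com", false, now.AddDate(0, -1, 0), 365), publicRoot, &leafKey.PublicKey, rootKey)
	return map[string]CertReport{
		"self-signed": InspectCert(selfSigned, pool, now), // also expired a year before "now"
		"vendor-ca":   InspectCert(byVendorCA, pool, now),
		"public-ca":   InspectCert(byPublicCA, pool, now),
	}
}

func main() {
	for name, r := range AuditSamples() {
		fmt.Printf("%-12s %+v\n", name, r)
	}
}
```

Against a live router, the certificate to inspect is the leaf presented during the TLS handshake (what Wireshark or mitmproxy shows in the capture), and passing a nil root pool makes Go use the operating system’s trust store, which approximates what the user’s browser would accept. Host-name matching is deliberately left out because the paper’s check is about issuer, validity and trust, not about the name the router presents.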
Given these heterogeneous results, we note that a standard definition of the characteristics of “guest networks” is missing.

4.2.8 Finding 8: Reset options requiring user diligence. It is common for routers to support resetting through the management page by clicking on a button, which is also known as a soft reset. We find 2 routers retaining sensitive information after reset. One retains logs. The other one is still bound with the companion app after reset and the app can remotely manage the router. This may undermine user privacy when second-hand routers are traded.

Additionally, we find 7 routers that provide different reset options for users to keep some data, but enable them by default. If the user is not aware, some sensitive information may be retained. For example, 2 routers have “Preserve network configuration when restoring factory settings” enabled by default and will retain Wi-Fi passwords after reset. If users reset the router in this way, sensitive information will remain in the router.

4.3 Discussion

In this section, we discuss the security implications of home router default settings from the perspective of the various types of adversaries and provide recommendations to make home routers more secure.

Adv_WAN. The security of IPv6 has not received sufficient attention from manufacturers, compared to its predecessor. As shown in Finding 1, an attacker on the Internet could directly access devices on the local network of the 5 routers without IPv6 NAT and firewall with their public IPv6 addresses, if no other protection is in place. Although none of the analyzed routers leave any port open on the WAN interface by default, certain features that are initially disabled may pose security risks from the Internet when turned on without changes to the related default settings. For remote web access, our analysis reveals that 5 routers employ the insecure HTTP protocol as the default option. Even for the routers that support the TLS protocol, Finding 5 indicates that it is not implemented properly. Regarding remote FTP, authentication passwords are required by all 10 routers supporting this feature. However, only one router implements TLS encryption for FTP traffic. On a positive note, we observed that only ASUS routers support SSH, and no router enables Telnet or UPnP on the WAN interface.

Recommendation. To defend against Adv_WAN, manufacturers should avoid exposing unnecessary services on the WAN interface, and only support TLS-based services when needed. If IPv6 is

protocol for web access, which means that Adv_LAN can eavesdrop on the password when users log in to the management page.

When analyzing the open ports of the LAN interface, we discovered that 2 routers have an open but undocumented Telnet service, while 4 routers have an undocumented SSH service. However, only one router allows a connection with the admin password, with limited functionality. Our speculation is that the Telnet/SSH service might be intended for debugging purposes and was not fully removed or disabled thereafter. Additionally, we observed that all routers supporting Telnet/SSH in the management page have these services disabled by default and utilize the admin password for login, which is relatively secure.

Adv_LAN can exploit UPnP to mount MITM attacks by adding port mappings [16]. Unfortunately, 18 routers have UPnP enabled by default on the LAN interface and support adding port mappings, making them vulnerable to Adv_LAN.

If Adv_LAN is interested in compromising user privacy, external storage would be a good target. In our analysis results, 10 routers do not enable authentication for SMB and 6 routers do not enable authentication for local FTP by default. 5 routers support local HTTP/HTTPS access and none of them enable authentication by default. Also, 3 routers use very weak default credentials for SMB and local FTP (2 “admin/admin” and 1 “user/password”).

Recommendation. To defend against Adv_LAN, manufacturers should make the setup wizard mandatory, enforce password strength requirements and leverage proper meters to guide users to set a strong password. Rate-limiting should be employed to counter brute-forcing. Manufacturers also need to protect services on the LAN interface (e.g., restrict/disable UPnP port mapping, and authenticate users of Telnet/SSH and external storage). Home router users should set a strong admin password, disable unnecessary services, or, when necessary, enable them with strong authentication.

Adv_PHY. Adversaries physically close to the router can receive Wi-Fi signals, and their main goal is usually to become Adv_LAN. As shown in Finding 2, routers still employing insecure Wi-Fi security protocols by default will be vulnerable to KRACKs. Findings 3 and 6 also indicate weak Wi-Fi authentication on certain routers. The guest network is even less protected according to Finding 7. In addition, WPS PIN is one of the WPS modes we confirmed to be insecure in Finding 4, but it is still sometimes supported.

Recommendation. To prevent Adv_PHY, manufacturers should employ WPA3 as the default Wi-Fi security protocol and guide users to set a strong Wi-Fi password via the setup wizard for both
required, an IPv6 firewall should be enabled and properly config- host and guest networks. Manufacturers also need to ensure that
ured to reject inbound connections by default, as it is the current the guest network is isolated from the host network. In addition,
behavior in IPv4 (either due to a firewall or a NAT). support for WPS PIN and the relevant code should also be removed
to prevent undesired effects. Home router users should select WPA3
Adv_LAN. Although the LAN is not as exposed to the Internet
and set strong passwords for the host and guest networks.
as the WAN side, its security still needs attention. Adv_LAN (e.g.,
compromised devices) is likely to try to access the management Adv_NET. Adversaries already able to plug into the network com-
page first because this is the easiest way to control the router. As munication between the router and the Internet can mainly be
shown in Finding 6, the setup wizard does not always guide users to prevented by the TLS protocol from implementing MITM attacks.
set a strong password and accessing the management page may not However, Finding 5 indicates that TLS is not always implemented
even require a password in the case of plug-and-play (Finding 3). properly. This means that Adv_NET can eavesdrop on and tamper
To mitigate brute force attacks, 25 routers rate-limit the login with packets between the router and servers/clients when users
attempts to the management page, and 4 routers support CAPTCHA. update firmware, leverage the companion app to remotely manage
However, all of the analyzed routers choose HTTP as the default

73
ASIA CCS ’24, July 1–5, 2024, Singapore, Singapore

the router, or remotely access the management page or the external Although home routers are also a type of IoT devices, the security
storage over the Internet. implications of their default settings is tightly coupled with the
We find 8 routers using custom protocols to communicate with users’ perception and usage habits and how they use the routers
their servers and 2 of them do not encrypt the packets because we — involving sociotechnical factors. Therefore, a tailored study like
are able to extract key information (e.g., Wi-Fi passwords) when ours is necessary. Nonetheless, these aforementioned studies can
remotely modifying the settings via the companion app. still be good references for evaluating home router security.
Recommendation. To counter Adv_NET, manufacturers should
Router security analysis. Visoottiviseth et al. [70] proposed an
rely on TLS with browser-trusted certificates and validate it prop-
emulation-based firmware analysis tool that can perform both static
erly to encrypt the traffic between routers and servers/clients.
and dynamic large-scale analyses for router firmware. It includes
Ways forward. Despite the various issues being case-specific, our several open-source automated tools to test the security of pass-
generalized vision is that both the initial and the deep default set- words, SSL, web application and firmware update to find vulnerabil-
tings need to be secure. In particular, with the motivation and ities in the router firmware. However, emulation-based analysis is
assumption mentioned in Section 1, i.e., end users tend to leave limited to only router models with publicly available firmware and
default settings as is, the burden to improve is first on device manu- subject to potential low fidelity as we demonstrated in Section 3.1.
facturers, e.g., certain settings are not always shown, not to mention Along this direction, similar to our work, Jeitner et al. [30] and
updatable in the management page (hence not an action users are Niemietz et al. [48] chose to evaluate real-world home routers, but
able to take). This is further reflected in our observation that in they only focus on the DNS service or web interface of routers.
certain cases after a firmware update, the default settings become Currently, there is no comprehensive security assessment work for
more secure, which means that the security of default settings is the default settings of various features of home routers.
gradually receiving attention from manufacturers. Still, as the last
Human-computer interaction. To understand the impact of UI
line of defense, security awareness among users should also be
design on user behavior, research in human-computer interaction
enhanced to be vigilant on the defaults, not just to ignore and skip.
such as visual hierarchy [14, 52], dark pattern [42, 46] and banner
Although we believe these 40 routers can represent the majority
blindness [4, 51] has received immense attention. In addition to
of routers in the current international and Chinese home router
Web page/advertising design, these paradigms can also be applied
markets, the results may not accurately profile the actual situa-
to improve device setup wizards. Prange et al. [54] studied the effect
tion, as our selection methods are not based on all the routers in
of “nudges” based on the Protection Motivation Theory in the setup
active use (about which we do not have access to the information).
wizard of smart home devices on increasing users’ motivation to
Nonetheless, our results can be considered an approximation of the
employ effective threat prevention. Ho et al. [24] performed a city-
actual situation and help researchers better understand potential
wide survey and several interviews and found that home router
risks of home router default settings.
users commonly adopt the default settings provided by the setup
wizard. They designed and implemented a new set of configuration
5 RELATED WORK steps to secure routers, but only considered password management
and MAC address filtering.
In this section, we revisit several previous efforts similar or compa-
rable to our work.
IoT security analysis. Wang et al. [71] and Zhao et al. [75] con-
ducted large-scale security analyses of IoT devices on the Inter-
net. They leverage search engines such as Shodan [57] and Zoom-
eye [77] or custom search tools [11] to test active IoT devices on the 6 CONCLUSION
Internet, which means only devices with exposed services (open In this paper, we brought attention to the various security-related
ports) to the Internet were covered in the analysis. They focus default settings of home routers, and designed a comprehensive
on the distribution information of device firmware versions and router default settings security analysis framework and leveraged
known vulnerabilities on the Internet without covering other types it to analyze 40 home routers from the global and Chinese mar-
of attackers discussed in Section 2.1. kets. To our surprise, although our analysis methodology is quite
Taking a step further, there are also projects/studies focusing on straightforward (we merely verify whether the settings and basic
IoT devices in home networks. For instance, Kumar et al. [35] ana- functions are configured properly), we found numerous security
lyzed the user’s home network information collected by Avast’s tool issues, resulting in up to 30 exploitable vulnerabilities. We discussed
called Wi-Fi Inspector (where users could upload their scan results potential improvements for users and especially manufacturers to
for insecure IoT devices), and found that many IoT devices employed make home routers more secure. Although default settings have
weak passwords on FTP and Telnet, and default admin passwords received gradual attention from manufacturers, e.g., we noticed
that were left unchanged by users. Alrawi et al. [2] systematized improvements after a firmware update, there is still a long way to
the literature for home-based IoT security and, similar to our work, go according to our findings. This framework can also be applied to
evaluated 45 IoT devices and proposed mitigation recommendations analyze home routers from other sources (such as ISPs [55]), which
based on an abstract model that segments IoT deployments into are popular in certain regions. We hope our analysis can shed some
components, including the IoT device, the companion mobile app, light on the user-centric security research of home routers in the
the cloud endpoints, and the associated communication channels. community.
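The Adv_LAN recommendation in Section 4.3 asks manufacturers to rate-limit login attempts to the management page (Table 4 shows 15 routers with no limit at all). The following block is an added example of such a limiter, not firmware code from the paper or from any of the analyzed routers. It keys the limiter on the account rather than the source address, because a compromised device on the LAN can change its address freely while the "admin" account it guesses against cannot, and it compares password hashes in constant time. The class and function names, the PBKDF2 parameters and the policy values (5 failures within 5 minutes, 15-minute lockout) are assumptions chosen for the illustration.

```python
"""Account-keyed login rate limiter for a router management page.

Added example for the Adv_LAN recommendation in Section 4.3; not code
from the paper or any router firmware. Names and policy values are
assumptions for this illustration.
"""
import hashlib
import hmac
import os
import time
from collections import deque

PBKDF2_ITERATIONS = 200_000  # assumed cost; tune to the device's CPU budget


class LoginRateLimiter:
    """Sliding-window failure counter with a lockout, keyed per account."""

    def __init__(self, max_failures=5, window=300.0, lockout=900.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window          # seconds over which failures are counted
        self.lockout = lockout        # seconds the account stays locked
        self.clock = clock            # injectable for deterministic tests
        self._failures = {}           # key -> deque of failure timestamps
        self._locked_until = {}       # key -> clock value when lockout ends

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: forget the old failures as well.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key):
        now = self.clock()
        history = self._failures.setdefault(key, deque())
        history.append(now)
        while history and now - history[0] > self.window:
            history.popleft()         # drop failures outside the window
        if len(history) >= self.max_failures:
            self._locked_until[key] = now + self.lockout

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-SHA256 digest) for storing the admin password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def login(limiter, account, stored, password):
    """Attempt a login; returns 'locked', 'ok' or 'bad-password'.

    The lockout check runs before any password work, so a locked account
    costs the router nothing per attempt.
    """
    if limiter.is_locked(account):
        return "locked"
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                    PBKDF2_ITERATIONS)
    if hmac.compare_digest(candidate, digest):   # constant-time comparison
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "bad-password"


if __name__ == "__main__":
    limiter = LoginRateLimiter()
    stored = hash_password("correct horse battery staple")  # constructed sample
    for guess in ["admin", "password", "12345678", "admin123", "router", "correct horse battery staple"]:
        print(guess, "->", login(limiter, "admin", stored, guess))
```

Because the limiter is a plain object with an injectable clock, the same policy can be unit-tested on the firmware build host without a network, which is how the lockout and its expiry are checked below.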
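The Adv_NET recommendation in Section 4.3 (TLS with browser-trusted certificates, validated properly) comes down to a few client-side settings that Finding 5 and the "HTTPS/no validation" rows of Table 4 show are frequently wrong in update and cloud clients. The block below is an added example, not code from the paper or from any router vendor: it builds the weak configuration next to the corrected one, maps a context onto the labels the paper uses in Table 4, and shows how the context must be applied so that the host-name check actually runs. The function names (build_update_client_context, audit_context, open_update_channel) and the host name update.example.net are assumptions for this illustration.

```python
"""Client-side TLS settings for a router's firmware-update or cloud channel.

Added example for the Adv_NET recommendation in Section 4.3; not code from
the paper or any router vendor. Function names and the host name used in
the usage line are assumptions.
"""
import socket
import ssl


def build_update_client_context(validate=True):
    """Return the SSLContext an update/cloud client should use.

    validate=True  is the corrected setting: the server certificate must
                   chain to a trusted CA and match the host name
                   (Table 4 label "HTTPS/validation").
    validate=False reproduces the weak setting several routers ship with
                   (Table 4 label "HTTPS/no validation"): any certificate,
                   including one presented by Adv_NET, is accepted.
    """
    # Loads the platform CA store and sets CERT_REQUIRED + check_hostname.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # Refuse TLS 1.0/1.1 explicitly rather than relying on the OpenSSL build.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not validate:
        # Order matters: check_hostname must be cleared before CERT_NONE,
        # otherwise the ssl module raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Map an SSLContext onto the communication-security labels of Table 4.

    Returns plain values so the verdict can be logged or asserted on.
    """
    validates_chain = ctx.verify_mode == ssl.CERT_REQUIRED
    checks_hostname = bool(ctx.check_hostname)
    tls12_or_newer = ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    if validates_chain and checks_hostname:
        label = "HTTPS/validation"
    else:
        label = "HTTPS/no validation"
    return {
        "label": label,
        "validates_chain": validates_chain,
        "checks_hostname": checks_hostname,
        "tls12_or_newer": tls12_or_newer,
    }


def open_update_channel(ctx, host, port=443):
    """Wrap a TCP connection with the context.

    server_hostname drives both SNI and the host-name check, so it must be
    the name the server certificate was issued for; passing the raw IP of
    a CDN node silently defeats the check even with validation enabled.
    """
    sock = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    for validate in (True, False):
        print("validate =", validate, audit_context(build_update_client_context(validate)))
    # Network use, not run here: with the corrected context an Adv_NET
    # certificate fails inside wrap_socket with ssl.SSLCertVerificationError.
    # open_update_channel(build_update_client_context(), "update.example.net")
```

A practical caveat for anyone auditing a device the way the paper does: with CERT_NONE, getpeercert() returns an empty dict, so a client that "inspects" the certificate after connecting without validation learns nothing; the decision has to be made by the context before the handshake, which is why the audit above reads the context rather than the connection.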

ACKNOWLEDGMENTS

This work is supported by the National Key Research and Development Program of China with 2019YFB2101704.

REFERENCES

[1] Wi-Fi Alliance. 2020. Wi-Fi Protected Setup Specification v2.0.8. https://www.wi-fi.org/downloads-registered-guest/Wi-Fi_Protected_Setup_Specification_v2.0.8.pdf.
[2] Omar Alrawi, Chaz Lever, Manos Antonakakis, and Fabian Monrose. 2019. SoK: Security Evaluation of Home-Based IoT Deployments. In IEEE Symposium on Security and Privacy (S&P’19). 1362–1380.
[3] Guru Baran. 2019. New Mozi P2P Botnet Attacks Netgear, GPON, D-Link and Huawei Routers Using Weak Passwords and Some Known Exploits. https://gbhackers.com/new-mozi-botnet/.
[4] Jan Panero Benway. 1998. Banner Blindness: The Irony of Attention Grabbing on The World Wide Web. In Human Factors and Ergonomics Society Annual Meeting (HFES), Vol. 42. 463–467.
[5] Meriem Bettayeb, Qassim Nasir, and Manar Abu Talib. 2019. Firmware Update Attacks and Security for IoT Devices: Survey. In Annual International Conference on Arab Women in Computing (ArabWIC’19). 1–6.
[6] Nancy Cam-Winget, Russ Housley, David Wagner, and Jesse Walker. 2003. Security Flaws in 802.11 Data Link Protocols. Communications of the ACM (CACM’03) 46, 5 (2003), 35–39.
[7] Daming D. Chen, Manuel Egele, Maverick Woo, and David Brumley. 2016. Towards Automated Dynamic Analysis for Linux-based Embedded Firmware. In Network and Distributed System Security Symposium (NDSS’16). 1–16.
[8] Aldo Cortesi, Maximilian Hils, Thomas Kriechbaumer, and contributors. 2010. Mitmproxy: A Free and Open Source Interactive HTTPS Proxy. https://mitmproxy.org/ [Version 9.0].
[9] Andrei Costin, Jonas Zaddach, Aurélien Francillon, and Davide Balzarotti. 2014. A Large-scale Analysis of the Security of Embedded Firmwares. In USENIX Security Symposium (USENIX Security). 95–110.
[10] Ang Cui, Michael Costello, and Salvatore J. Stolfo. 2013. When Firmware Modifications Attack: A Case Study of Embedded Exploitation. In Network and Distributed System Security Symposium (NDSS’13). 1–13.
[11] Ang Cui and Salvatore J. Stolfo. 2010. A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-area Scan. In Annual Computer Security Applications Conference (ACSAC’10). 97–106.
[12] Joseph Davies. 2007. The Cable Guy: IPv6 Autoconfiguration in Windows Vista. https://learn.microsoft.com/en-us/previous-versions/technet-magazine/cc137983(v=msdn.10)?redirectedfrom=MSDN.
[13] Danny Dolev and Andrew Yao. 1983. On the Security of Public Key Protocols. IEEE Transactions on Information Theory (TIT) 29, 2 (1983), 198–208.
[14] Doaa Farouk Badawy Eldesouky. 2013. Visual Hierarchy and Mind Motion in Advertising Design. Journal of Arts and Humanities 2, 2 (2013), 148–162.
[15] Mohamed Elsabagh, Ryan Johnson, Angelos Stavrou, Chaoshun Zuo, Qingchuan Zhao, and Zhiqiang Lin. 2020. FIRMSCOPE: Automatic Uncovering of Privilege-Escalation Vulnerabilities in Pre-Installed Apps in Android Firmware. In USENIX Security Symposium (USENIX Security). 2379–2396.
[16] Shadi Esnaashari, Ian Welch, and Peter Komisarczuk. 2013. Determining Home Users’ Vulnerability to Universal Plug and Play (UPnP) Attacks. In International Conference on Advanced Information Networking and Applications Workshops (WAINA’13). 725–729.
[17] Andrew Fasano, Tiemoko Ballo, Marius Muench, Tim Leek, Alexander Bulekov, Brendan Dolan-Gavitt, Manuel Egele, Aurélien Francillon, Long Lu, Nick Gregory, Davide Balzarotti, and William Robertson. 2021. SoK: Enabling Security Analyses of Embedded Systems via Rehosting. In ACM Asia Conference on Computer and Communications Security (ASIACCS’21). 687–701.
[18] FileZilla. 2023. FileZilla - The Free FTP Solution. https://filezilla-project.org/.
[19] Jason Fitzpatrick. 2022. Use a Wi-Fi Guest Network? Check These Settings. https://www.howtogeek.com/832507/use-a-wi-fi-guest-network-check-these-settings/.
[20] Scott R. Fluhrer, Itsik Mantin, and Adi Shamir. 2001. Weaknesses in the Key Scheduling Algorithm of RC4. In Annual International Workshop on Selected Areas in Cryptography (SAC’01). 1–24.
[21] Dennis Giese and Guevara Noubir. 2021. Amazon Echo Dot or the Reverberating Secrets of IoT Devices. In ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec’21). 13–24.
[22] Baptiste Gourdin, Chinmay Soman, Hristo Bojinov, and Elie Bursztein. 2011. Toward Secure Embedded Web Interfaces. In USENIX Security Symposium (USENIX Security). 17–32.
[23] Stephen Hilt and Fernando Merces. 2021. VPNFilter Two Years Later: Routers Still Compromised. https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html.
[24] Justin T. Ho, David Dearman, and Khai N. Truong. 2010. Improving Users’ Security Choices on Home Wireless Networks. In Symposium on Usable Privacy and Security (SOUPS’10). 1–12.
[25] Chris Hoffman. 2013. Wi-Fi Protected Setup (WPS) is Insecure: Here’s Why You Should Disable It. https://www.howtogeek.com/176124/wi-fi-protected-setup-wps-is-insecure-heres-why-you-should-disable-it/.
[26] Michael Horowitz. 2015. Linksys Smart Wi-Fi Makes A Stupid Guest Network. https://www.computerworld.com/article/2940566/linksys-smart-wi-fi-makes-a-stupid-guest-network.html.
[27] Michael Horowitz. 2015. Router Security. https://www.routersecurity.org/checklist.php.
[28] Amanda Hsu, Frank Li, and Paul Pearce. 2023. Fiat Lux: Illuminating IPv6 Apportionment with Different Datasets. In ACM International Conference on Measurement and Modeling of Computer Systems (SIGMETRICS’23). 1–24.
[29] IEEE. 2021. IEEE Standard for Information Technology–Telecommunications and Information Exchange between Systems - Local and Metropolitan Area Networks–Specific Requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE Std 802.11-2020 (Revision of IEEE Std 802.11-2016) (2021), 1–4379.
[30] Philipp Jeitner, Haya Shulman, Lucas Teichmann, and Michael Waidner. 2022. XDRI Attacks - and - How to Enhance Resilience of Residential Routers. In USENIX Security Symposium (USENIX Security). 4473–4490.
[31] Davino Mauro Junior, Luis Melo, Harvey Lu, Marcelo d’Amorim, and Atul Prakash. 2019. Beware of the App! On the Vulnerability Surface of Smart Devices through their Companion Apps. arXiv:1901.10062 [cs.CR]
[32] kaklakariada. 2015. UPnP PortMapper. https://github.com/kaklakariada/portmapper.
[33] Mingeun Kim, Dongkwan Kim, Eunsoo Kim, Suryeon Kim, Yeongjin Jang, and Yongdae Kim. 2020. FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis. In Annual Computer Security Applications Conference (ACSAC’20). 733–745.
[34] Eric Klein, Gunter Van de Velde, Ralph Droms, Tony L. Hain, and Brian E. Carpenter. 2007. Local Network Protection for IPv6. https://www.rfc-editor.org/info/rfc4864.
[35] Deepak Kumar, Kelly Shen, Benton Case, Deepali Garg, Galina Alperovich, Dmitry Kuznetsov, Rajarshi Gupta, and Zakir Durumeric. 2019. All Things Considered: An Analysis of IoT Devices on Home Networks. In USENIX Security Symposium (USENIX Security). 1169–1185.
[36] Peiyu Liu, Shouling Ji, Lirong Fu, Kangjie Lu, Xuhong Zhang, Jingchang Qin, Wenhai Wang, and Wenzhi Chen. 2023. How IoT Re-using Threatens Your Sensitive Data: Exploring the User-Data Disposal in Used IoT Devices. In IEEE Symposium on Security and Privacy (S&P’23). 1845–1861.
[37] Eduardo Novella Lorente, Carlo Meijer, and Roel Verdult. 2015. Scrutinizing WPA2 Password Generating Algorithms in Wireless Routers. In USENIX Workshop on Offensive Technologies (WOOT’15). 1–13.
[38] Pratyusa K. Manadhata and Jeannette M. Wing. 2010. An Attack Surface Metric. IEEE Transactions on Software Engineering (TSE’10) 37, 3 (2010), 371–386.
[39] Manos Antonakakis, Tim April, Michael Bailey, Matthew Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, and Yi Zhou. 2017. Understanding the Mirai Botnet. In USENIX Security Symposium (USENIX Security). 1093–1110.
[40] Philipp Markert, Theodor Schnitzler, Maximilian Golla, and Markus Dürmuth. 2022. "As soon as it’s a risk, I want to require MFA": How Administrators Configure Risk-based Authentication. In Symposium on Usable Privacy and Security (SOUPS’22). 483–501.
[41] MarketWatch. 2023. Home Wireless Router Market Size 2023-2030 | Detailed Analysis of Market Size and Growth Rate. https://www.marketwatch.com/press-release/home-wireless-router-market-size-2023-2030-detailed-analysis-of-market-size-and-growth-rate-2023-05-08.
[42] Arunesh Mathur, Mihir Kshirsagar, and Jonathan Mayer. 2021. What Makes a Dark Pattern... Dark? Design Attributes, Normative Considerations, and Measurement Methods. In Conference on Human Factors in Computing Systems (CHI’21). 1–18.
[43] B.A. Miller, T. Nixon, C. Tai, and M.D. Wood. 2001. Home Networking with Universal Plug and Play. IEEE Communications Magazine (IEEE COMMUN MAG) 39, 12 (2001), 104–109.
[44] Austin Murdock, Frank Li, Paul Bramsen, Zakir Durumeric, and Vern Paxson. 2017. Target Generation for Internet-wide IPv6 Scanning. In Internet Measurement Conference (IMC’17). 242–253.
[45] David Murphy. 2020. You Need to Lock Down Your Router’s Remote Management Options. https://lifehacker.com/you-need-to-lock-down-your-routers-remote-management-op-1842525275.
[46] Arvind Narayanan, Arunesh Mathur, Marshini Chetty, and Mihir Kshirsagar. 2020. Dark Patterns: Past, Present, and Future: The Evolution of Tricky User Interfaces. Queue 18, 2 (2020), 67–92.
[47] Thomas Narten, Richard P. Draves, and Suresh Krishnan. 2007. Privacy Extensions for Stateless Address Autoconfiguration in IPv6. https://www.rfc-editor.org/info/rfc4941.

[48] Marcus Niemietz and Joerg Schwenk. 2015. Owning Your Home Network: Router Security Revisited. arXiv:1506.04112 [cs.CR]
[49] Nmap. 2023. Nmap: the Network Mapper - Free Security Scanner. https://nmap.org/.
[50] Norbert Nthala and Ivan Flechais. 2018. Rethinking Home Network Security. In European Workshop on Usable Security (EuroUSEC’18). 1–11.
[51] Timo Ojala, Vassilis Kostakos, Hannu Kukka, Tommi Heikkinen, Tomas Linden, Marko Jurmu, Simo Hosio, Fabio Kruger, and Daniele Zanni. 2012. Multipurpose Interactive Public Displays in the Wild: Three Years Later. Computer 45, 5 (2012), 42–49.
[52] James O’Flaherty. 2012. Hierarchy – What Do You Want People to See? Where Do You Want Them to Go? https://www.datadial.net/blog/hierarchy-what-do-you-want-people-to-see-where-do-you-want-them-to-go/.
[53] Ani Petrosyan. 2023. Number of Internet and Social Media Users Worldwide as of April 2023. https://www.statista.com/statistics/617136/digital-population-worldwide/.
[54] Sarah Prange, Niklas Thiem, Michael Fröhlich, and Florian Alt. 2022. “Secure Settings Are Quick and Easy!” – Motivating End-Users to Choose Secure Smart Home Configurations. In International Conference on Advanced Visual Interfaces (AVI’22). 1–9.
[55] Z. Cliffe Schreuders and Adil M. Bhat. 2013. Not all ISPs equally secure home users: An empirical study comparing Wi-Fi security provided by UK ISPs. In International Conference on Security and Cryptography (SECRYPT’13). 1–6.
[56] Ax Sharma. 2020. D-Link Blunder: Firmware Encryption Key Exposed in Unencrypted Image. https://www.bleepingcomputer.com/news/security/d-link-blunder-firmware-encryption-key-exposed-in-unencrypted-image/.
[57] Shodan. 2023. Shodan. https://www.shodan.io/.
[58] Yan Shoshitaishvili, Ruoyu Wang, Christophe Hauser, Christopher Kruegel, and Giovanni Vigna. 2015. Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware. In Network and Distributed System Security Symposium (NDSS’15). 1–15.
[59] Chris McMahon Stone, Tom Chothia, and Joeri de Ruiter. 2018. Extending Automated Protocol State Learning for the 802.11 4-Way Handshake. In European Symposium on Research in Computer Security (ESORICS’18). 325–345.
[60] Patryk Szewczyk and Rose Macdonald. 2017. Broadband Router Security: History, Challenges and Future Implications. Journal of Digital Forensics, Security and Law (JDFSL’17) 12, 4 (2017), 55–74.
[61] t6x. 2015. reaver-wps-fork-t6x. https://github.com/t6x/reaver-wps-fork-t6x.
[62] Petroc Taylor. 2023. Households with Internet Access Worldwide 2019, by Region. https://www.statista.com/statistics/249830/households-with-internet-access-worldwide-by-region/.
[63] Erik Tews and Martin Beck. 2009. Practical Attacks against WEP and WPA. In ACM Conference on Wireless Network Security (WiSec’09). 79–86.
[64] Mathy Vanhoef. 2021. Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation. In USENIX Security Symposium (USENIX Security). 161–178.
[65] Mathy Vanhoef and Frank Piessens. 2017. Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. In ACM SIGSAC Conference on Computer and Communications Security (CCS’17). 1313–1328.
[66] Mathy Vanhoef and Frank Piessens. 2018. Release The Kraken: New KRACKs in the 802.11 Standard. In ACM SIGSAC Conference on Computer and Communications Security (CCS’18). 299–314.
[67] Mathy Vanhoef and Eyal Ronen. 2020. Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd. In IEEE Symposium on Security and Privacy (S&P’20). 517–533.
[68] Eleni Veroni, Christoforos Ntantogian, and Christos Xenakis. 2022. A Large-scale Analysis of Wi-Fi Passwords. Journal of Information Security and Applications (JISA’22) 67 (2022), 103190.
[69] Stefan Viehböck. 2011. Brute Forcing Wi-Fi Protected Setup. https://www.cs.cmu.edu/~rdriley/330/papers/viehboeck_wps.pdf.
[70] Vasaka Visoottiviseth, Pongnapat Jutadhammakorn, Natthamon Pongchanchai, and Pongjarun Kosolyudhthasarn. 2018. Firmaster: Analysis Tool for Home Router Firmware. In International Joint Conference on Computer Science and Software Engineering (JCSSE’18). 1–6.
[71] Dingding Wang, Muhui Jiang, Rui Chang, Yajin Zhou, Baolei Hou, Xiapu Luo, Lei Wu, and Kui Ren. 2021. A Measurement Study on the (In)security of End-of-Life (EoL) Embedded Devices. arXiv:2105.14298 [cs.CR]
[72] Sean Whalen, Sophie Engle, and Dominic Romeo. 2001. An Introduction to ARP Spoofing. https://api.semanticscholar.org/CorpusID:59638215.
[73] James Woodyatt. 2011. Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service. https://www.rfc-editor.org/info/rfc6092.
[74] Yu Zhang, Wei Huo, Kunpeng Jian, Ji Shi, Longquan Liu, Yanyan Zou, Chao Zhang, and Baoxu Liu. 2019. SRFuzzer: An Automatic Fuzzing Framework for Physical SOHO Router Devices to Discover Multi-Type Vulnerabilities. In Annual Computer Security Applications Conference (ACSAC’19). 544–556.
[75] Binbin Zhao, Shouling Ji, Wei-Han Lee, Changting Lin, Haiqin Weng, Jingzheng Wu, Pan Zhou, Liming Fang, and Raheem Beyah. 2022. A Large-Scale Empirical Study on the Vulnerability of Deployed IoT Devices. IEEE Transactions on Dependable and Secure Computing (TDSC’22) 19, 3 (2022), 1826–1840.
[76] ZOL. 2023. 2023 Wireless Router Brand Rankings. (in Chinese) https://top.zol.com.cn/compositor/227/manu_attention.html.
[77] Zoomeye. 2023. Zoomeye. https://zoomeye.org/.

A SOURCE OF DEFAULT WI-FI PASSWORD IN TP-LINK TL-WR940N

    int sub_4A2844(){
        //...
        int v1 = 0;
        if ( usrconf_bManufactory() > 0){
            HTTP_DEBUG_PRINT("ucWlan.c:722", "load Manufactory configure!");
            *(dword_5F0460 + 0xE0) = getMFWLAN_chan_width();
            // Fallback when the PIN cannot be read from Flash or fails the WPS PIN check
            if ( readPinFlash() < 0 || !swWlanWpsCheckPIN(dword_5F046C + 8, v61) ){
                *(dword_5F046C + 0x8) = '1234';
                *(dword_5F046C + 0xC) = '5670';
            }
            sscanf(dword_5F046C + 0x8, "%d", &v1);
            *(dword_5F0460 + 0xD0) = v1 % 9 + 2; // save pwd to dword_5F0460
            // Finally, "12345670" is saved to dword_5F0464
            //...
        }
    }
    // sub_44AD58 calls swWlanSecurityCfgGet to set httpWlanSecCfg_newForAp from dword_5F0464
    int sub_46AC18(int a1, int a2){
        //...
        int v1[95],v2[120],v3[84];
        if ( !httpGetEnv(a2, "Next") ){
            if ( !httpGetEnv(a2, "Return") ){
                memcpy(v1, &httpWlanBasicCfg_newForAp, sizeof(v1));
                memcpy(v2, &httpWlanModeCfg_newForAp, sizeof(v2));
                memcpy(v3, &httpWlanSecCfg_newForAp, sizeof(v3));
                OUTPUT_ARRAY_HEAD(a2, "wzdWlanInf", 0, 1);
                //...
                writePageParamSet(a2, "\"%s\",", (const char *)&v3[40]);
                //...
                // wzdWlanInf[17] gets the default password from httpWlanSecCfg_newForAp
            }
        }
    }
    // Finally, WzdWlanRpm.htm gets the default password from wzdWlanInf[17]

Listing 2: Decompiled code of the functions that set the default Wi-Fi password from Flash in the firmware of TP-Link TL-WR940N

B AN EXAMPLE OF SETUP WIZARD

Figure 6: Setup Wizard detecting the Internet and configuring the network automatically (Left), guiding the user to set the Wi-Fi password (Middle), and guiding the user to set the administration password (Right)

C STATISTICS OF ANALYSIS RESULTS

Table 4: Statistical results of the analysis. The number of routers in each situation is given in parentheses after it.

Items | Attributes | Situations
Wi-Fi security protocols | Default Wi-Fi security protocol | WPA/WPA2-TKIP&CCMP (2); WPA/WPA2-CCMP (13); WPA2-CCMP (25)
 | Consistency between UI and reality | Not consistent (0); Consistent (40)
Setup wizard | Plug and play | Supported (12); Not supported (28)
 | Skip setup wizard | No setup wizard (1); Supported (8); Not supported (31)
Wi-Fi and administration password settings | Default Wi-Fi password | NULL (19); Same as WPS PIN (3); Randomly generated (18)
 | Must change Wi-Fi SSID | No (32); Yes (7)
 | Must change Wi-Fi password | No (18); Yes (21)
 | Wi-Fi password strength meter | No (21); Yes (18)
 | Wi-Fi password strength requirements | At least 8 characters (5); 8-16 characters (1); 8-32 characters (2); 8-63 characters (31)
 | Default admin password | NULL (22); Hard-coded (6); Same as Wi-Fi password (10); Randomly generated (2)
 | Must change admin username | No (36); Yes (3)
 | Must change admin password | No (15); Yes (24)
 | Admin password strength meter | No (19); Yes (20)
 | Minimum length of admin password | 1 character (8); 5 characters (7); 6 characters (13); 8 characters (10); 10 characters (1)
 | Admin password strength requirements | At least one number (3); At least one letter (1); Upper and lowercase letters (2); At least 2 types of characters (3); No more than two identical characters in a row (5)
Firmware update | Setup wizard reminds users to update | No (28); Force update (1); Remind update (5); Remind update/recommend (4); Latest (2)
 | Automatic update | Not supported (12); Disabled (6); Enabled (22)
 | Trigger self update | Not supported (3); Supported (37)
 | Settings change or reset after update | Can’t update firmware (17); No (23); Yes (0)
 | Communication security (check version) | HTTPS/no validation (9); HTTPS/validation (19); HTTP (7); Custom Protocol/plaintext (2); Custom Protocol/encoded (0)
 | Communication security (download firmware) | Can’t update firmware (17); HTTPS/validation (9); HTTP (7); HTTPS/no validation (5); Custom Protocol (2)
Open ports | The number on the WAN | 0 (40); 1-5 (0); 5+ (0)
 | The number on the LAN | 0 (0); 1-5 (22); 5+ (18)
Local web access | HTTP/HTTPS support | Only HTTP (21); Only HTTPS (0); HTTP&HTTPS (19)
 | Limit for password attempts | No (15); Yes (25)
 | CAPTCHA | No (36); Yes (4)
Telnet | Telnet support on UI | Not supported (37); Disabled (3); Enabled (0)
 | Telnet (LAN, WAN) | Not supported (35); Only LAN (5); Only WAN (0); LAN&WAN (0)
 | Default username/password | Unknown (1); Hard-coded (0); Same as admin password (4); Randomly generated (0)
SSH | SSH support on UI | Not supported (37); Disabled (3); Enabled (0)
 | SSH (LAN, WAN) | Not supported (33); Only LAN (4); Only WAN (0); LAN&WAN (3)
 | Default username/password | Unknown (1); Hard-coded (0); Same as admin password (6); Randomly generated (0)
UPnP | UPnP support on UI | Not supported (1); Disabled (8); Enabled (31)
 | Add UPnP port mapping (LAN) | Can’t connect (8); Can’t add (11); Can add (20)
 | Add UPnP port mapping (WAN) | Can’t connect (39); Can’t add (0); Can add (0)
Guest network | Guest network support on UI | Not supported (3); Disabled (36); Enabled (1)
 | Default guest password | NULL (23); Hard-coded (8); Randomly generated (6)
 | Must change guest password | No (36); Yes (1)
 | Guest password strength meter | No (30); Yes (7)
 | Guest password strength requirements | 4-32 characters (5); At least 8 characters (2); 8-16 characters (1); 8-63 characters (29)
 | Default Wi-Fi security protocols | Open (28); WPA/WPA2-TKIP&CCMP (1); WPA/WPA2-CCMP (3); WPA2-CCMP (5)
 | Guest network mode | Captive portal mode (5); Normal mode (32)
 | Can access management page | No (34); Yes (3)
WPS | WPS support on UI | Not supported (13); Push button (27); Client PIN code (19); Router PIN code/disabled (0); Router PIN code/enabled (16)
 | WPS status | "No" (6); "Not Configured" (0); "Locked" (3); "Configured" (31)
 | Can find WPS PIN code on the label or UI | No (21); Yes (19)
 | Feasibility of brute force attack | No (8); Yes (23)
 | Limit for WPS PIN code attempts | No (0); Yes (23)
IPv6 | IPv6 support on UI | Not supported (3); Disabled (26); Enabled (11)
 | IPv6 address assignment method | SLAAC (0); Stateful DHCPv6 (12); Stateless DHCPv6 (25)
 | IPv6 NAT | IPv6 can’t work (12); No (24); Yes (1)
 | IPv6 firewall | IPv6 can’t work (12); Not block (5); Block (20)
External storage | External storage support on UI | Not supported (27); Supported (13)
 | SMB | Not supported (0); Disabled/no authentication (1); Disabled/authentication (1); Enabled/no authentication (9); Enabled/authentication (2)
 | Local HTTP access | Not supported (8); Disabled/no authentication (0); Disabled/authentication (0); Enabled/no authentication (5); Enabled/authentication (0)
 | Local HTTPS access | Not supported (8); Disabled/no authentication (0); Disabled/authentication (0); Enabled/no authentication (5); Enabled/authentication (0)
 | Local FTP | Not supported (0); Disabled/no authentication (6); Disabled/authentication (5); Enabled/no authentication (0); Enabled/authentication (2)
 | Remote HTTP access | Not supported (13); Disabled/no authentication (0); Disabled/authentication (0); Enabled/no authentication (0); Enabled/authentication (0)
 | Remote HTTPS access | Not supported (8); Disabled/no authentication (0); Disabled/authentication (5); Enabled/no authentication (0); Enabled/authentication (0)
 | Self-signed TLS certificate (HTTPS) | No (1); Yes (4)
 | Version of TLS (HTTPS) | v1.2 (1); v1.3 (4)
 | Remote FTP | Not supported (3); Disabled/no authentication (0); Disabled/authentication (10); Enabled/no authentication (0); Enabled/authentication (0)
 | Self-signed TLS certificate (FTP) | Not over TLS (9); No (0); Yes (1)
 | Version of TLS (FTP) | Not over TLS (9); v1.2 (0); v1.3 (1)
 | Default username/password | Hard-coded (3); Same as admin password (10); Randomly generated (0)
Cloud account | Cloud account support on UI | Not supported (35); Supported (5)
 | Minimum length of account password | 6 characters (8); 8 characters (3); 10 characters (2)
 | Account password strength requirements | At least one number (7); Upper and lowercase letters (7); At least one special character (2); At least 2 types of characters (2)
 | Supported functions of cloud account | Web access (3); App (13); DDNS (3)
 | Communication security (login account on UI) | HTTP (0); HTTPS/no validation (0); HTTPS/validation (5); Custom Protocol/plaintext (0); Custom Protocol/encoded (0)
Companion App | App support on UI | Not supported (11); Supported (29)
 | Supported communication methods | Over Wi-Fi (29); Over the Internet (25)
 | Remotely manage the router | Not supported (4); Disabled (3); Enabled (22)
 | Communication security |
HTTP (0) HTTPS/no validation (0) HTTPS/validation (23) Custom Protocol/plaintext (2) Custom Protocol/encoded (0)
(bind)
Communication security
HTTP (0) HTTPS/no validation (1) HTTPS/validation (16) Custom Protocol/plaintext (2) Custom Protocol/encoded (6)
(remote management)
Remote web access
Not supported (24) Disabled (16) Enabled (0)
support on UI
Remote web
HTTP/HTTPS support Only HTTP (5) Only HTTPS (10) HTTP&HTTPS (0) Set by users (1)
access
Self-signed TLS certificate
No (2) Yes (12)
Exposed by Default: A Security Analysis of Home Router Default Settings

(HTTPS)
Version of TLS
v1.2 (8) v1.3 (6)
(HTTPS)
Reset options Not supported (33) Supported (7)
Reset
Retain sensitive information
No (31) Yes (9)
after reset
ASIA CCS ’24, July 1–5, 2024, Singapore, Singapore