Conference item
But is it exploitable? Exploring how router vendors manage and patch security vulnerabilities in consumer-grade routers
- Abstract:
Millions of consumer-grade routers are vulnerable to security attacks. Router network attacks are dangerous and infectious, presenting a serious security threat. Routers account for 80% of infected devices in the market, posing a greater threat than infected IoT devices and desktop computers. Routers offer an attractive target for attacks due to their gateway function to home networks, their internet accessibility, and their higher likelihood of having vulnerabilities. A major problem with these routers is their unpatched and unaddressed security vulnerabilities. Reports show that 30% of critical router vulnerabilities discovered in 2021 have not received any response from vendors. Why?
To better understand how router vendors manage and patch vulnerabilities in consumer-grade routers, and the accompanying challenges, we conducted 30 semi-structured interviews with professionals in router vendor companies selling broadband and retail routers in the UK. We found that router professionals prioritize vulnerability patching based on customer impact rather than vulnerability severity score. However, they experienced obstacles in patching vulnerabilities due to outsourcing development to third parties and the inability to support outdated models. To address these challenges, they developed workarounds such as offering replacement routers and releasing security advisories. However, they received pushback from customers who were not technically capable or concerned about security. Based on our results, we concluded with recommendations to improve security practice in routers.
- Publication status:
- Published
- Peer review status:
- Peer reviewed
- Publisher copy:
- 10.1145/3617072.3617110
- Publisher:
- Association for Computing Machinery
- Host title:
- EuroUSEC '23: Proceedings of the 2023 European Symposium on Usable Security
- Pages:
- 277-295
- Publication date:
- 2023-10-16
- Acceptance date:
- 2023-07-17
- Event title:
- 2023 European Symposium on Usable Security (EuroUSEC 2023)
- Event location:
- Copenhagen, Denmark
- Event website:
- https://eurousec23.itu.dk/#
- Event start date:
- 2023-10-16
- Event end date:
- 2023-10-17
- DOI:
- 10.1145/3617072.3617110
- ISBN:
- 9798400708145
- Language:
- English
- Pubs id:
- 1518223
- Local pid:
- pubs:1518223
- Deposit date:
- 2023-09-01
Terms of use
- Copyright holder:
- Chalhoub and Martin
- Copyright date:
- 2023
- Rights statement:
- © 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.
- Notes:
- This is the accepted manuscript version of the article. The final version is available online from Association for Computing Machinery at https://dx.doi.org/10.1145/3617072.3617110