I was also struck by how "positive" AVM seemed to be painted in there...
I have a few problems with their methodology. I can only refer to Asus models because those are the ones I'm familiar with, but some of these probably also apply to Netgear, TP-Link, etc.
1) Average update time. The number they have for Asus looks completely out of whack. A list of investigated routers would help, because I can tell that any Asus router released in the last 1-2 years does NOT get updates "once every 380 days". The typical average time for updates for their mainstream models is between 1-3 months. So if their list includes 5+ years old or very niche models (like the failed BRT-AC828), then yeah, those results will be very skewed.
2) Kernel. Again, how old are the models they analyzed? I don't think any router released by Asus in the last 2 years has used kernel 2.6. All the recent Broadcom models are based on kernel 4.1 for instance. Qualcomm has been at least 3.x, if not 4.x, for quite some time as well. So, the advice should rather be "buy a recent model" rather than a blanket "Manufacturers are still largely using obsolete EOL kernels".
3) Kernel patching: "We do not think that manufacturers backport patches" - that is incorrect. Broadcom probably backported quite a few of their own. I know Asus has backported quite a few, especially those that are critical to a router. A CVE that targets the video driver section is irrelevant to a router.
This is a frequent mistake made by "Security analysts". I've seen a couple of times where a customer was told by an external security analyst "Oh, your Apache version isn't the latest, it's vulnerable to many security exploits", completely ignoring the fact that Red Hat DOES backport all upstream security fixes, making the Apache version irrelevant to their analysis - a proper analysis must specifically look for known vulnerabilities, not blindly assume that the version number means anything about the state of the software's security.
On the other end, too much emphasis on the kernel and not enough on the components. How up to date are critical components like OpenSSL or dnsmasq? This is an area where most manufacturers are failing badly.
I'm not dismissing that the vast majority of router manufacturers are doing a poor job on the security front; however, it's not the apocalypse that this report tries to paint.
See section 3.1 at the bottom of page 7 (according to the page number printed on the page) or page 11 (based on the page number that the reader software provides) in the report for how the kernel version is determined. It states that a regular expression is used to find version numbers in the non-text files of the kernel. Since I am not a Linux expert, I cannot argue one way or another on whether this method is accurate or not.
Also, see https://www.kernel.org/ to see which generic Linux kernel versions are not end of life. According to the report, none of the routers are using the latest Linux kernel, and the only versions that belong to an active LTS tree are the 4.4.x versions, and both of the versions shown are really old releases of that LTS series (e.g. some routers use kernel 4.4.14 or 4.4.60, both of which are very out of date compared to the latest LTS kernel versions). Also, many current distributions use customized versions of EOL kernels according to https://itsfoss.com/why-distros-use-old-kernel/ , and these distributions are responsible for backporting bug fixes to their own customized kernels. However, using kernel versions 1.x or 2.x is just nuts since they have not been maintained since 2011. The only 3.x version that is actively maintained is 3.18, since Google is maintaining that version for Android. Using any other 3.x kernel version for a new router is just nuts since they have not been maintained since 2015. We just have to hope that each vendor bothers to backport patches for vulnerabilities to these old kernels in their firmware packages.
I understand that Linux does not natively support hardware TCP/IP offload engines like the ones in routers due to the reasons listed in https://wiki.linuxfoundation.org/networking/toe , so modifying the kernel to support these engines means that one is stuck with that major kernel version, since the kernel authors tend to change the kernel APIs between major Linux kernel versions all the time. These maintainers don't care about supporting either TCP/IP offload engines or binary blob drivers, and the maintainers do port free and open source drivers already in the kernel to the new APIs when they change the kernel APIs, so the maintainers see no problem in changing the kernel APIs from major Linux version to major Linux version all the time. However, there is no CPU capable of routing gigabit connections that is inexpensive enough for a consumer-grade gateway's pricing range, so hardware acceleration is a must to reach gigabit speeds with these routers. This is probably the main reason that old Linux kernel versions show up in consumer-grade routers all of the time.
One other test that I think is not getting enough attention in this forum here is the number of hard-coded credentials that the researchers found. Only Asus aced this test with zero throughout all of its models. Netgear had a poor showing with its RAX40 with three account and password pairs that the researchers managed to crack: root : amazon, nobody : password, and admin : password. Other poor showings in the case of crackable passwords included Linksys with models with 0-2 crackable passwords throughout its range, and D-Link with 1 crackable password in an outlier. As for brands with hard-coded passwords whether or not the researchers were able to crack them, TP-Link had a poor showing with 0 to 25 hard-coded login password pairs in its firmware packages throughout its range of models. Linksys was not looking too good here either. D-Link and AVM also had trouble here.
Another test that is notable is how consistently exploit mitigation techniques are used. AVM looks the best here, but is not perfect. The rest were worse. D-Link is the biggest stinker here.
Based on what I found in the report, I felt that Asus looks like the best vendor whose products are sold in the USA. I think that AVM's routers are designed only for the European Union (and the UK post-Brexit), so I felt that based on the report, Asus looks like the best for US residents.
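To make the two threads above concrete (the report's regex-over-binary-files method of finding the kernel version, and the earlier point that a version number alone says nothing about backported fixes), here is an added example that is not from the report or from either poster. It assumes a simple "Linux version X.Y.Z" banner regex (the report's actual expression is not quoted here) and a maintained-series list taken from the second post (4.4 LTS and 3.18); the firmware bytes are constructed.

```python
import re
from collections import Counter

# Constructed stand-in for a router firmware image: ELF-like header bytes,
# two copies of a 4.4.60 banner, a module path and a leftover 2.6 banner.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    + b"Linux version 4.4.60 (builder@host) (gcc version 5.5.0) #1 SMP\x00"
    + b"/lib/modules/4.4.60/kernel/net/ipv4/ip_tables.ko\x00"
    + b"Linux version 4.4.60 (builder@host) (gcc version 5.5.0) #1 SMP\x00"
    + b"Linux version 2.6.36.4 (builder@host) #1 SMP\x00"  # stale banner
)

# Assumed maintained series, as stated in the post above; everything else
# is treated as EOL. This is lifecycle status only, not patch status.
MAINTAINED_SERIES = {"4.4", "3.18"}

# Assumed banner regex; the report's own expression is not reproduced here.
BANNER_RE = re.compile(rb"Linux version (\d+\.\d+\.\d+(?:\.\d+)?)")

def extract_versions(blob):
    """Count every kernel version string the banner regex finds in the blob."""
    return Counter(m.group(1).decode() for m in BANNER_RE.finditer(blob))

def series_of(version):
    return ".".join(version.split(".")[:2])

def classify(version, maintained=MAINTAINED_SERIES):
    """Is the series still maintained upstream? Says nothing about vendor backports."""
    return "maintained" if series_of(version) in maintained else "EOL"

def assess_firmware(blob):
    """Apply the version-string approach and surface its blind spots: several
    banners may be present (ambiguous), and backports are never checked, so
    a CVE-by-CVE review is still required before calling the kernel vulnerable."""
    found = extract_versions(blob)
    if not found:
        return {"version": None, "ambiguous": False, "candidates": [],
                "status": "unknown", "backports_checked": False}
    version, _ = found.most_common(1)[0]
    return {
        "version": version,
        "ambiguous": len(found) > 1,
        "candidates": sorted(found),
        "status": classify(version),
        "backports_checked": False,
    }

if __name__ == "__main__":
    print(assess_firmware(SAMPLE_BLOB))
```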