Don’t be lulled into a false sense of security by that shiny new router or network-attached storage (NAS) device – the chances are that it’s no more secure than its predecessors. That’s the finding from a new piece of research that tested multiple devices for security bugs.

In 2013, Baltimore-based security consulting company Independent Security Evaluators (ISE) tested 13 small office/home office (SOHO) routers and wireless access points. It found 57 security bugs and was able to take over 11 of them from outside the local network. No wonder it called its report SOHOpelessly Broken.

So, the industry would have taken this to heart and enhanced its security in the last six years, right? Wrong.

In its update to the test, called SOHOpelessly Broken 2.0, ISE tested another 13 devices, some from the same vendors and some new. They found more than double the number of flaws, filing 125 CVE bugs based on their research. This time around, it got remote root access on 12 of the devices.

The team tested equipment from ASUS, Buffalo, Drobo, Lenovo, Netgear, QNAP, TerraMaster, Seagate, Synology, Xiaomi, Zyxel, and Zioncom.

Typical attacks included bypassing authentication mechanisms altogether. On one device, the team was able to hijack a cookie authentication system by changing the IP address to 127.0.0.1 and issue unauthorized requests via the API.

The project found that some things had changed since 2013, and others had not. Device vendors had taken newer steps to try and protect their software. For example, several used address-space layout randomization (ASLR), which randomizes the memory that programs use and is supposed to make memory-based attacks like buffer overflows difficult. However, they could exploit other flaws to break ASLR and launch their buffer overflow attacks anyway.

One device encrypted the PHP files used to process requests through its web interface but had to store the decryption key on the device, which the team used to access the files and exploit those using PHP’s system() function, gaining shell access.

This comment from the report suggests that the manufacturers were running before they could walk:

Perhaps more interesting is the amount of approaches that have not changed since SOHOpelessly Broken 1.0. Features such as anti-CSRF tokens and browser security headers, which are commonplace in mainstream web applications, are still rare among our sample of devices.

If companies had implemented these basic protections, then the team wouldn’t have been able to hack them, it said.