Bot Fodder: 20 Models of Linksys Routers Vulnerable to Remote Hacks

In-brief: Serious security flaws affect 20 models of wireless routers manufactured by Linksys, the firm IOActive disclosed on Thursday. It is just the latest report to underscore security flaws in ubiquitous networking hardware that is used by homes and small businesses.

The security firm IOActive on Thursday will publish research that describes serious security flaws in 20 models of wireless routers manufactured by the firm Linksys, just the latest report to underscore security flaws in ubiquitous networking hardware that is used by homes and small businesses.

The vulnerabilities in 25 models of Linksys routers affect thousands of publicly accessible routers and an unknown number of devices on private networks, and allow attackers to steal or leak sensitive information, change settings on the router or – possibly – enroll the device in a botnet like Mirai, IOActive said. IOActive disclosed the flaws to Linksys in January and has worked with Linksys on mitigations for the flaws; however, no software update is available.

In a blog post published Thursday, IOActive researcher Tao Sauvage said that the research began with his purchase of a Linksys EA3500 Smart Wi-Fi router. Working with researcher Antide Petit (@xarkes_), Sauvage analyzed the firmware on the EA3500 router and discovered a range of problems, including 10 security vulnerabilities, six of them remotely exploitable by attackers who lack even a valid user name and password – a serious security risk.

Two of the issues would allow an attacker to knock the router offline (“denial of service”) by sending requests to a specific application programming interface. Other vulnerabilities allow an attacker to bypass a log-in feature to access scripts that could yield sensitive technical data about the router, such as what software it is running. Finally, an attacker who was able to log in to the router could inject and execute commands on the operating system of the router with root privileges. For example, an attacker could create backdoor accounts that would not be shown on the administrative interface of the router and could not be removed using the Admin account, Sauvage wrote.

Linksys has published a security advisory detailing the discoveries by IOActive and providing a workaround to limit the possibility of attacks. Steps include enabling automatic update on the router, disabling the WiFi Guest Network and making sure the default Administrator password is not in use.

“A number of the security flaws we found are associated with authentication, data sanitization, privilege escalation, and information disclosure,” said Sauvage in a statement. “Additionally, 11 percent of the active devices exposed were using default credentials, making them particularly susceptible to an attacker easily authenticating and potentially turning the routers into bots, similar to what happened in last year’s Mirai Denial of Service (DoS) attacks.”

This is just the latest report of serious security issues with Wi-Fi routers, a ubiquitous piece of networking technology found in just about every home and business. In January, for example, the U.S. Federal Trade Commission (FTC) filed a complaint against consumer device maker D-Link, charging that broadband routers and Internet-connected cameras the company makes put consumers’ privacy at risk.

The complaint alleges that D-Link and its U.S. subsidiary, D-Link Systems, used “inadequate security measures” to protect its products, leaving its wireless routers and Internet cameras “vulnerable to hackers.” That put “U.S. consumers’ privacy at risk,” the complaint says. All the while, the company promoted its products as having “advanced network security” and being “easy to secure,” claims that the FTC says were not supported by the facts.

 
