Menu
Flaws let attackers hijack multiple Linksys router models

Flaws let attackers hijack multiple Linksys router models

Attackers could exploit the vulnerabilities to crash routers, extract sensitive information from them or take them over

Two dozen Linksys router models are vulnerable to attacks that could extract sensitive information from their configurations, cause them to become unresponsive and even completely take them over.

The vulnerabilities were discovered by senior security consultant Tao Sauvage from IOActive and independent security researcher Antide Petit while working together to analyze the Linksys EA3500 Smart Wi-Fi wireless router.

The two researchers found a total of 10 vulnerabilities that affect not only the EA3500, but two dozen different router models from Linksys' Smart Wi-Fi, WRT and Wireless-AC series. Even though these devices are marketed as consumer products, it's not unusual to find them running in small business and home office environments.

The flaws range from low to high severity and directly impact over 7,000 routers that have their web-based administrative interfaces exposed to the Internet. Countless more are vulnerable to attacks launched over local area networks from compromised computers, phones or other devices.

Two vulnerabilities allow remote unauthenticated attackers to cause a denial-of-service condition on the affected routers by sending specifically crafted requests to one of their application programming interfaces (APIs). This can result in devices becoming unresponsive and preventing users from accessing the internet.

Other flaws in the web interfaces of the affected Linksys routers allow attackers to bypass authentication and access several CGI scripts that can reveal sensitive information about the devices and their configurations. The exposed information includes the Wi-Fi Protected Setup (WPS) PIN that can allow attackers to access the wireless network and attack an affected router from within.

These vulnerabilities can also be used to obtain the router's firmware and kernel versions, a list of running processes, information about computers connected to the routers, a list of USB devices and the configuration settings for the FTP and SMB file-sharing servers.

Finally, the most serious vulnerability could allow attackers to inject and execute shell commands with root privileges on the affected routers. This could be used to set up a backdoor administrative account that wouldn't be listed in the web interface.

Unlike the other flaws, the command injection vulnerability requires authentication to exploit, meaning that attackers need to have access to an existing account. Fortunately, the Linksys routers have protection against cross-site request forgery (CSRF) attacks that would otherwise allow attackers to hijack a router administrator's browser and piggyback on an active logged-in session to exploit this vulnerability.

The only way to exploit this flaw is if the default log-in username and password haven't been changed, which sadly is still a common security oversight on routers. The two researchers determined that 11 percent of the 7,000 internet-exposed Linksys routers they've identified using the Shodan search engine still used default credentials.

The ratio of devices that use the default password and are not internet accessible is probably much higher. That's because people are less conscious about this problem if they don't plan to enable remote administration and don't realize that their routers can still be attacked through the local network.

In February, security researchers found a Windows trojan program that attempts to access routers over LAN by using common default credentials. If successful, it installs Mirai on them, a malware program that enslaves embedded devices and uses them to launch distributed denial-of-service attacks.

In December, researchers from Kaspersky Lab found a malicious application for Android that was also designed to hack into routers over local networks by using default credentials.

The threat of local attacks is increased because people often let friends and family members connect to their wireless networks with their own devices, which might be compromised.

Linksys, a division of Belkin, is working on releasing firmware updates to fix these vulnerabilities. Meanwhile, the company advises users to disable the guest Wi-Fi network feature on their routers to reduce the likelihood of malicious activity and to change their administrator password.

The Linksys advisory lists all of the affected models and recommends turning on the automatic update feature in order to receive the firmware patches when they become available.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Events

Why experience is the new battleground for partners

Join us for an exclusive webinar, in association with Hewlett Packard Enterprise and Technology Services Industry Association (TSIA) and learn about the latest industry insights and how technology services continue to evolve to deliver differentiated value, and how partners can be successful in 2021 and beyond.

Featured

Slideshows

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

The leading female front runners of the New Zealand ICT industry joined together for the annual Reseller News Women in ICT Awards event at the Hilton in Auckland, during which hundreds of guests celebrated 13 outstanding individuals who won awards, chosen from more than 50 finalists representing over 30 organisations.

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards
Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

More than 500 channel leaders gathered in Auckland on 21 October at the ​Reseller News Innovation Awards ​2020 to celebrate the achievements of the New Zealand technology industry's top partners, start-ups, vendors, distributors and individuals.

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners
Show Comments