Why it matters to you
If you own one of the 25 router models with a security flaw, be on the lookout for a firmware fix from Linksys.
After we pointed out a security issue with the web-based interface in our recent Linksys EA8300 router review, IOActive Labs reports it discovered 10 security vulnerabilities across 25 different Linksys routers, including the EA8300 unit we just reviewed. The issues range from low to high on a security level, six of which grant remote access to “unauthenticated” attackers.
In one example, hackers can use an affected router as a Denial-of-Service (DoS) tool. The hacker merely sends a few requests or “abuse” a specific API used by the browser-based backend. The router will then either become unresponsive or will reboot altogether. When that happens, router owners are locked out of the web-based interface and connected client devices can’t access the internet until the hacker stops the DoS attack.
Firmware flaws also enable hackers to collect “technical and sensitive” information about the router itself by bypassing the authentication protecting the onboard Common Gateway Interface (CGI) scripts, which enables the router to generate the browser-based interface. Information collected through this vulnerability include the firmware version, a list of connected USB devices, the firewall configuration, and more.
“Authenticated attackers can inject and execute commands on the operating system of the router with root privileges,” reports IOActive’s Taeo Sauvage. “One possible action for the attacker is to create backdoor accounts and gain persistent access to the router. Backdoor accounts would not be shown on the web admin interface and could not be removed using the Admin account.”
Sauvage and his co-researcher used the Shodan tool to discover that only around 7,000 vulnerable Linksys routers accessed the internet at the time of the report. However, that number does not include vulnerable routers that are running behind another network appliance or governed by strict firewall rules. That is also a global number spanning 25 different models, too.
That said, the majority of the vulnerable routers resides within the United States at 69 percent. Canada falls into second place with 10 percent while Hong Kong, Chile, Netherlands, Venezuela, Argentina, and Russia are each around one to two percent. The remaining 13 percent of the affected units fall within the “others” group.
What is not surprising is that around 11 percent of these devices rely on the default credentials provided by Belkin/Linksys, opening the door for hackers to simply log into the router and get full root access remotely. Most if not all of the affected routers are linked to a cloud account.
Belkin/Linksys is working on a firmware fix now. They provide a security advisory regarding the discovery although you will not find it splashed on the front cover of the Linksys website. It is also not openly listed on the website’s Support section. The only way we found the advisory was through a Google search, or by clicking on the link within Sauvage’s report.
Here are the routers in question:
EAxxxx Series
EA2700
EA2750
EA3500
EA4500 v3
EA6100
EA6200
EA6300
EA6350 v2
EA6350 v3
EA6400
EA6500
EA6700
EA6900
EA7300
EA7400
EA7500
EA8300
EA8500
EA9200
EA9400
EA9500
WRT Series
WRT 1200AC
WRT 1900AC
WRT 1900ACS
WRT 3200ACM