Linksys is working on a firmware update for 10 security vulnerabilities affecting its "Smart" Wi-Fi series of routers.
Tao Sauvage, a security consultant for IOActive, came across the flaws after reverse-engineering the firmware for the EA3500 Series, one of more than 20 Linksys Smart Wi-Fi router models that use the 802.11n and 802.11ac standards.
Sauvage and his friend Antide Petit discovered 10 bugs in total. Six of those can be exploited by an unauthenticated attacker.
The security holes break down as follows:
- An unauthenticated actor can exploit two of the flaws to create a denial of service (DoS) condition and thereby render the router unresponsive. Until the individual ceases their attack, an admin can't access the router's web interface and users can't connect to the network.
- Attackers can bypass the authentication measures protecting the Common Gateway Interface (CGI) scripts to collect information from the router. Vulnerable data includes the router's firmware version, running processes, as well as all connected devices and their respective operating systems.
- It's possible for an actor to execute commands with root privileges on the operating system of the router. The attacker can leverage this unintended functionality to create a backdoor or gain persistent access to the router.
Here's a list of the vulnerable models:
To evaluate the impact of the vulnerabilities, Sauvage and Petit used Shodan to identify vulnerable devices exposed on the web. The two researchers explain in a blog post what they discovered:
"We found about 7,000 vulnerable devices exposed at the time of the search. It should be noted that this number does not take into account vulnerable devices protected by strict firewall rules or running behind another network appliance, which could still be compromised by attackers who have access to the individual or company’s internal network."
The majority (69 percent) of those affected devices identified by the researchers are located in the United States.
IOActive notified Linksys of the flaws back in January 2017. Since then, the two firms have been coordinating responsible disclosure of the security holes. For instance, IOActive has said it won't release a technical write-up of the issues until Linksys publishes an update. Linksys says in a security advisory that it is working on that update.
While admins await this fix, Linksys recommends they help protect their devices by enabling automatic updates, disabling Wi-Fi guest networks if they're not in use, and changing the default administrator password.
I can't emphasize that last recommendation enough. Not only is it a basic step for protecting all Wi-Fi routers, but it will also help defend against malware like Mirai that compromises IoT devices by brute-forcing their default login credentials.