Got one of these 20+ models of Linksys Smart Wi-Fi routers? Bad news. 10 security holes discovered

Flaws enable DoS conditions, data harvesting, and more.

Linksys is working on a firmware update for 10 security vulnerabilities affecting its "Smart" Wi-Fi series of routers.

Tao Sauvage, a security consultant for IOActive, came across the flaws after reverse-engineering the firmware for the EA3500 Series, one of more than 20 Linksys Smart Wi-Fi router models which use the 802.11N and 802.11AC standards.

Sauvage and his friend Antide Petit discovered 10 bugs in total. Six of those can be exploited by an unauthenticated attacker.

Linksys EA3500 Series UART connection. (Source: IOActive)

The security holes break down as follows:

  • An unauthenticated actor can exploit two of the flaws to create a denial of service (DoS) condition and thereby render the router unresponsive. Until the individual ceases their attack, an admin can't access the router's web interface and users can't connect to the network.
  • Attackers can bypass the authentication measures protecting the Common Gateway Interface (CGI) scripts to collect information from the router. Vulnerable data includes the router's firmware version, running processes, as well as all connected devices and their respective operating systems.
  • It's possible for an actor to execute commands with root privileges on the operating system of the router. The attacker can leverage this unintended functionality to create a backdoor or gain persistent access to the router.

Here's a list of the vulnerable models:

  • EA2700
  • EA2750
  • EA3500
  • EA4500v3
  • EA6100
  • EA6200
  • EA6300
  • EA6350v2
  • EA6350v3
  • EA6400
  • EA6500
  • EA6700
  • EA6900
  • EA7300
  • EA7400
  • EA7500
  • EA8300
  • EA8500
  • EA9200
  • EA9400
  • EA9500
  • WRT1200AC
  • WRT1900AC
  • WRT1900ACS
  • WRT3200ACM

To evaluate the impact of the vulnerabilities, Sauvage and Petit used Shodan to identify vulnerable devices exposed on the web. The two researchers explain in a blog post what they discovered:

"We found about 7,000 vulnerable devices exposed at the time of the search. It should be noted that this number does not take into account vulnerable devices protected by strict firewall rules or running behind another network appliance, which could still be compromised by attackers who have access to the individual or company’s internal network."

The majority (69 percent) of those affected devices identified by the researchers are located in the United States.

IOActive notified Linksys of the flaws back in January 2017. Since then, the two firms have been coordinating responsible disclosure of the security holes. For instance, IOActive has said it won't release a technical write-up of the issues until Linksys publishes an update, which Linksys says in a security advisory it is working on.

While admins await this fix, Linksys recommends they help protect their devices by enabling automatic updates, disabling Wi-Fi guest networks if they're not in use, and changing the default administrator password.

I can't emphasize that last recommendation enough. Not only is it a basic step for protecting all Wi-Fi routers, but it will also help defend against malware like Mirai that compromises IoT devices by brute-forcing their default login credentials.

3 Responses

  1. Lisa B

    April 25, 2017 at 1:37 pm #

    I found not a hint of a problem on the US Linksys website. There is no mention of any of this on their main page, support page, resource center or press room. Yet again, another company pretends nothing is wrong as they poke their head in the sand.

    The very least they could do is post a bulletin on their site indicating they are aware of the situation and are diligently working to protect its customers and in the meantime, customers should take the precautions outlined in the article.

    • Nick in reply to Lisa B.

      April 25, 2017 at 7:04 pm #

      There's a link to the Linksys response in the original article that David mentions: http://www.linksys.com/us/support-article?articleNum=246427

  2. Rick

    April 26, 2017 at 6:18 pm #

    If you are concerned about good security, do not look to Linksys. They have no commitment to maintain firmware updates for any known period of time and while their technical support is very nice, they have very limited expertise. I recently purchased a WRT1900AC, had connection problems and found it was an older version that they are no longer updating. Fortunately, I was able to return it.

    Unless you can get open source firmware updates for a Linksys router, would seriously recommend replacing it. In any case, you could still repurpose it as an access point but, unless Linksys changes their support plans, would avoid relying on it as your primary router.
