Linksys smart router vulnerability

"Researchers have disclosed the existence of unpatched security flaws in Linksys routers which are exposing thousands of devices to attack.

On Wednesday, IOActive senior security consultant Tao Sauvage and independent security researcher Antide Petit said in a blog post that the bugs, discovered late last year, include 10 vulnerabilities ranging in severity that are present in at least 20 router models widely used today.

When exploited, the low- to high-risk security flaws permit attackers to overload routers and force reboots by creating denial-of-service (DoS) conditions, denying access to legitimate users.

It is also possible for attackers to bypass CGI scripts to collect sensitive information including firmware versions, Linux kernel versions, connected USB device data and WPS pins for Wi-Fi connections, as well as manipulate restricted settings.

In addition, attackers that have gained authentication on the devices can execute commands with root privileges and create backdoor accounts for persistent access that are not viewable in the router smart management console.

The research team found approximately 7,000 devices impacted by the security flaws at the time of the search -- however, this does not include routers protected by firewalls or other network guards.

IOActive says that 11 percent of the exposed devices scanned by Shodan were using default credentials, which also left them open for rooting by attackers.

"A number of the security flaws we found are associated with authentication, data sanitization, privilege escalation, and information disclosure," said Sauvage. "Additionally, 11 percent of the active devices exposed were using default credentials, making them particularly susceptible to an attacker easily authenticating and potentially turning the routers into bots, similar to what happened in last year's Mirai denial-of-service (DoS) attacks."

The Linksys router models affected by the vulnerabilities are: EA2700, EA2750, EA3500, EA4500v3, EA6100, EA6200, EA6300, EA6350v2, EA6350v3, EA6400, EA6500, EA6700, EA6900, EA7300, EA7400, EA7500, EA8300, EA8500, EA9200, EA9400, EA9500, WRT1200AC, WRT1900AC, WRT1900ACS, and WRT3200ACM.

The majority of vulnerable devices, 69 percent, are located in the United States. In addition, vulnerable routers have also been spotted in countries such as Canada, Hong Kong, Chile, and Russia.

IOActive made Linksys aware of the vulnerabilities in January, warning the company that after a grace period of three months, the findings would be made public.

In March, Linksys drafted a customer advisory to warn users of the bugs and make them aware of ways to protect themselves -- including changing the password in the default account -- until a new firmware update is made available to patch the problems.

The advisory is now released and contains a workaround until a new update will be issued in coming weeks.

"We acknowledge the challenge of reaching out to the end-users with security fixes when dealing with embedded devices," the researchers say. "This is why Linksys is proactively publishing a security advisory to provide temporary solutions to prevent attackers from exploiting the security vulnerabilities we identified until a new firmware version is available for all affected models."

IOActive plans to release the technical details of the vulnerabilities once the patch is made available.

In January, researchers disclosed the existence of 53 vulnerabilities in a range of enterprise D-Link routers which could place corporate networks at risk. Similar bugs were also discovered in household SOHO devices."

TL;DR: The bug(s) range from DDOS vulnerabilities to attackers gaining root access.

Affected devices:


I'm guessing this isn't a problem for DD-WRT users?

These are firmware level bugs, so even WRT won't keep you safe from this one sadly.

Hmm, aren't things like DD-WRT and OpenWRT known as firmwares?

Good point, you're right, I always just think of it as like an OS of sorts. I've never used it myself. So it may very well be that when you flash the WRT onto the router it looks like it takes over the firmware roles as well from what I just read. I'd be interested to see if that would fix those vulnerabilities, actually. Logically it seems like it could.

Well, it is an OS of sorts. But remember that routers are generally embedded devices, so the line between "firmware" and "os" is a little blurry.

Right. I've never really dealt with flashing routers and stuff too much so my knowledge is very limited on it. I know I -could- flash my current ASUS router, but at this point it's just a glorified access point so it doesn't need it. Before I bought that one I never owned a device that I could flash.

Generally, any embedded system is flashable. Your phone, your router, your car, and probably even your radiators if you have electronic ones. Of course, it's not as easy as flashing a router in most cases, but it's possible!

DD-WRT, OpenWRT and so on are at the level that deals with all of those security flaws. So this only affects your device if it is running the stock Linksys firmware.

Fuck. I have one of those on stock firmware.

Anyone know of a decent firmware where I won't take a "performance hit" by running it over stock? My connection is only ~145/6

Well, DD-WRT and OpenWRT are the most common options. Though I had issues with wireless drivers on OpenWRT with my WRT1200AC. It's been a while since I've last looked at firmware support though.

I have one of these routers. The "smart" wifi routers have remote access capability that seems like IoT crap. You can opt out by not setting that up in the first place. You can also disable UPnP to make it a little harder to gain access from the outside. If you do decide to use DD-WRT or OpenWRT, make sure to disable the automatic firmware update; and keep up.

I have two EA6500s being used only as APs with stock FW because there is no open FW for them.

Sadly, Linksys is not alone. They are merely the latest in a VERY long line of consumer hardware manufacturers, to take center stage. Drop "router security flaw" into DuckDuckGo and stand back!

I'm not suggesting that enterprise gear is perfect; far from it. But, at least these manufacturers make an effort to patch bugs as they are discovered, else they would not be in business for very long. "But, I can't afford enterprise gear!!!" I hear you say. To that, I would reply with the suggestion that you visit pfSense.org and then explain why you cannot afford free, or close to it. Worst-case scenario, you may have to buy an extra NIC for that old PC that's collecting dust in the closet.

If you want to broaden your horizons, learn something new and improve your security all at the same time, you can start here.