Multiple security holes discovered in Linksys routers

Do home router makers devote enough resources to finding security vulnerabilities in their products before they ship?

One could be forgiven for having doubts after this week’s news that research outfit IOActive had found 10 significant flaws affecting almost every home router currently sold by Linksys.

We don’t know how much effort was expended finding the flaws, but they showed up in 26 models making up the Smart WiFi series (model prefixes EA and WRT).

The flaws could allow attackers to:

  • Cause a Denial of Service (DoS) by sending requests to an unnamed API. Admins would be locked out until the attack stopped.
  • Use CGI web server scripts to reveal connected devices and computers, dump the WPS Wi-Fi PIN code, and list firmware version and configuration settings.
  • Create a hidden “backdoor” account with root privileges and the ability to run commands.

The third flaw requires an attacker to log in first, although that might not be as hard as it sounds: when IOActive ran a Shodan query, it found 7000 vulnerable routers, of which 11% were using default credentials.

Linksys, which was told about the flaws in January, has put out an advisory recommending owners turn off the guest Wi-Fi account until a patch is available, and reminding them (facepalm!) to change the default admin password.

As with every router vulnerability, a key issue is, “How many owners will hear about the issue and bother to update?” The patch will be a great thing when it arrives, but only if it is applied.

On that score, things look mixed. On most or all affected Linksys models, owners can check for firmware updates simply by hitting a button in the admin GUI. That does, however, require the owner to get that far, or even know such a button exists.

Linksys owners can enable automatic updates but, as far as we can tell, they have to set up a special cloud account first. There’s also a Linksys Android app for managing parameters on Smart WiFi routers but it’s not clear whether users of the app receive notifications about patches.

In short, a lot of owners might never hear about the update.

Nevertheless, researchers at IOActive did note:

We would like to emphasize that Linksys has been exemplary in handling the disclosure and we are happy to say they are taking security very seriously.

That speaks of progress compared to the old days, when many router makers went into “not our problem” mode when a security issue surfaced. With unified firmware running across multiple products, updates have also become far more regular than in the past.

But it still feels as if home routers are too easy a target for security researchers with time on their hands.