More than 20 models of Linksys Smart Wi-Fi routers have been found vulnerable to attacks that could obtain potentially sensitive information from their configurations, deny legitimate user access, change restricted settings, cause them to become unresponsive and even completely take them over.
Researchers at IOActive have disclosed a total of 10 unpatched security flaws in Linksys routers, affecting 25 different Linksys Smart Wi-Fi router models that are widely used today.
Tao Sauvage, a senior security consultant for IOActive, along with Antide Petit, an independent researcher, published a blog post revealing the existence of these bugs that were first discovered last year.
IOActive will not be disclosing any specific information until Linksys releases firmware updates and users have had a chance to patch their devices. However, the experts have provided an overview of their results, as well as key metrics to evaluate the overall impact of the identified vulnerabilities.
According to the blog post, the researchers identified a total of 10 security vulnerabilities, ranging from low- to high-risk issues, six of which can be exploited remotely by unauthenticated attackers. When exploited, the security flaws permit attackers to overload routers and force reboots by creating denial-of-service (DoS) conditions, denying access to legitimate users.
“Two of the security issues we identified allow unauthenticated attackers to create a Denial-of-Service (DoS) condition on the router. By sending a few requests or abusing a specific API, the router becomes unresponsive and even reboots. The Admin is then unable to access the web admin interface and users are unable to connect until the attacker stops the DoS attack.”
IOActive also warned that attackers can bypass authentication on some CGI scripts to collect technical and sensitive information about the router, such as firmware versions, Linux kernel versions, the list of running processes, the list of connected USB devices, or the WPS PIN for the Wi-Fi connection, as well as manipulate restricted settings.
In addition, authenticated attackers can inject and execute commands on the router's operating system with root privileges. This allows them to create backdoor accounts that are not visible to legitimate administrators.
However, researchers pointed out that they did not manage to find an authentication bypass that can allow an attacker to exploit this vulnerability – the authentication bypass they did find only provides access to some CGI scripts, not the API that enables these more damaging attacks.
Meanwhile, Linksys has provided a list of all affected models:
List of vulnerable Linksys Routers:
EA2700, EA2750, EA3500, EA4500v3, EA6100, EA6200, EA6300, EA6350v2, EA6350v3, EA6400, EA6500, EA6700, EA6900, EA7300, EA7400, EA7500, EA8300, EA8500, EA9200, EA9400, EA9500, WRT1200AC, WRT1900AC, WRT1900ACS and WRT3200ACM.
A Shodan search conducted by IOActive revealed 7,000 vulnerable devices that can be accessed directly from the Internet. The majority of the exposed devices (nearly 69%) are located in the United States, and the rest are spread across the world, including Canada (nearly 10%), Hong Kong (nearly 1.8%), Chile (~1.5%), and the Netherlands (~1.4%). Venezuela, Argentina, Russia, Sweden, Norway, China, India, the UK, Australia, and many other countries each account for a small percentage (< 1%) of the vulnerable Linksys routers.
While the researchers have not found a way to bypass authentication in order to exploit the command injection vulnerability, they did determine that 11 percent of the 7,000 exposed devices were using default credentials.
IOActive reported the vulnerabilities to Linksys in mid-January. The vendor is working on releasing firmware updates for affected devices and, in the meantime, it has provided some mitigation advice.
Mitigating attacks originating from these flaws:
As a temporary mitigation, Linksys recommends that customers disable the Guest Network feature on any affected product to reduce exposure to malicious activity.
The company also advised customers to change the default admin password in order to protect the web admin interface.
The Linksys advisory also recommends turning on the automatic update feature in order to receive the firmware patches when they become available.