
Thousands of vulnerable TP-Link routers at risk of remote hijack

Thousands of TP-Link routers are vulnerable to a bug that can be used to remotely take control of the device, but it took more than a year for the company to announce the patches on its website.

The vulnerability allows any low-skilled attacker to remotely gain full access to an affected router. The exploit relies on the router’s default password to work, which many don’t change.

In the worst-case scenario, an attacker could target vulnerable devices on a massive scale, using a similar mechanism to how botnets like Mirai worked — by scouring the web and hijacking routers using default passwords like “admin” and “pass.”

Andrew Mabbitt, founder of U.K. cybersecurity firm Fidus Information Security, first discovered and disclosed the remote code execution bug to TP-Link in October 2017. TP-Link released a patch a few weeks later for the vulnerable WR940N router, but Mabbitt warned TP-Link again in January 2018 that another router, TP-Link’s WR740N, was also vulnerable to the same bug because the company reused vulnerable code between devices.

TP-Link said the vulnerability was quickly patched in both routers. But when we checked, the firmware for WR740N wasn’t available on the website.

When asked, a TP-Link spokesperson said the update was “currently available when requested from tech support,” but wouldn’t explain why. Only after TechCrunch reached out did TP-Link update the firmware page to include the latest security update.

Top countries with vulnerable WR740N routers (graphic: Shodan)

Routers have long been notorious for security problems. Because a router sits at the heart of a network, any flaw affecting it can have devastating effects on every connected device. By gaining complete control over the router, Mabbitt said, an attacker could wreak havoc on a network. Modifying the settings on the router affects everyone who’s connected to the same network, like altering the DNS settings to trick users into visiting a fake page to steal their login credentials.

TP-Link declined to disclose how many potentially vulnerable routers it had sold, but said that the WR740N had been discontinued a year earlier in 2017. When we checked two search engines for exposed devices and databases, Shodan and Binary Edge, each suggested there are anywhere between 129,000 and 149,000 devices on the internet — though the number of vulnerable devices is likely far lower.

Mabbitt said he believed TP-Link still had a duty of care to alert customers of the update if thousands of devices are still vulnerable, rather than hoping they will contact the company’s tech support.

Both the U.K. and the U.S. state of California are set to soon require companies to sell devices with unique default passwords to prevent botnets from hijacking internet-connected devices at scale and using their collective internet bandwidth to knock websites offline.

The Mirai botnet downed Dyn, a domain name service giant, which knocked dozens of major sites offline for hours — including Twitter, Spotify and SoundCloud.


Source
TechCrunch