
Would You Like a Backdoor With That Linksys Router, Sir?


CrAKeN


 

Linksys says that 25 router models are vulnerable to remote hacking and could be taken over by an attacker if users still use their default admin credentials.

 

The company issued a security advisory this week, letting customers know that certain products are vulnerable to three vulnerabilities discovered by cyber-security firm IOActive.

 

Linksys, formerly part of Cisco, now a Belkin brand, says it's working on delivering a firmware update to mitigate all three flaws. In the meantime, the company issued a security alert as a warning for customers that might be vulnerable to attacks.

 

Linksys routers affected by three major issues


IOActive, who published a report on their blog, refrained from publishing any technical details about how an attacker could exploit the three issues, but only vaguely described them. The issues are as follows.

 

(1) An attacker can send malformed requests to the router that cause a denial-of-service state which freezes or reboots the router until the attacker stops his malformed requests.

 

(2) An attacker can bypass authentication procedures and collect information on the router and its users, such as firmware version, Linux kernel version, a list of running processes, a list of connected USB devices, the WPS PIN for the Wi-Fi connection, firewall configurations, FTP settings, and SMB server settings.

 

(3) An attacker can execute code on the router. One of the uses for this flaw is that it allows an attacker to create a secret root-level backdoor account that does not appear in the router's web-based configuration panel.

 

Linksys urges customers to change default passwords


By far the most dangerous flaw is the last. Fortunately, this flaw can only be exploited by an authenticated user, meaning the attacker must first gain access to one of the Linksys configuration accounts.

 

This is why Linksys is warning customers who are still using default credentials. Such routers are vulnerable and are now sitting ducks until the company releases a firmware update in the coming days or weeks.

 

Besides changing default passwords, Linksys security engineers are also recommending that users disable the Wi-Fi guest network and urge users to turn on the router's built-in automatic updates setting, so the router fetches and installs the new firmware whenever it becomes available.

 

Over 7,000 Linksys routers exposed online


IOActive researchers said that an Internet-wide scan for vulnerable Linksys routers discovered 7,000 devices exposed to the Internet, with over 700 routers still using the default password.

 

"It should be noted that this number does not take into account vulnerable devices protected by strict firewall rules or running behind another network appliance, which could still be compromised by attackers who have access to the individual or company’s internal network," IOActive added.

 

Below is the list of vulnerable Linksys router models:

 

Quote

WRT Series

  • WRT1200AC
  • WRT1900AC
  • WRT1900ACS
  • WRT3200ACM

 

EAxxxx Series

  • EA2700
  • EA2750
  • EA3500
  • EA4500 v3
  • EA6100
  • EA6200
  • EA6300
  • EA6350 v2
  • EA6350 v3
  • EA6400
  • EA6500
  • EA6700
  • EA6900
  • EA7300
  • EA7400
  • EA7500
  • EA8300
  • EA8500
  • EA9200
  • EA9400
  • EA9500

 

1 hour ago, CrAKeN said:

Linksys says that 25 router models are vulnerable to remote hacking and could be taken over by an attacker if users still use their default admin credentials.

 

I don't know about what others do but anyone that I have ever helped with their computer I check their router to make sure that the login has been changed and that remote access is turned off.  That way the only way anyone could get access to the router is if they connected to it directly in the home.  I know a lot of people have absolutely no clue about anything to do with a computer other than turn it on and type.  The same holds true of their routers, as long as they are turned on and they can connect they know absolutely nothing about it.  There really should be training programs and licensing before someone is allowed to own a computer, much like is done for a car, where you have to learn the basics of the rules of the road before you are allowed to drive.  Of course, that would probably take 75% of the users off the internet.

  • Administrator
On 22/4/2017 at 9:23 PM, straycat19 said:

 

I don't know about what others do but anyone that I have ever helped with their computer I check their router to make sure that the login has been changed and that remote access is turned off.  That way the only way anyone could get access to the router is if they connected to it directly in the home.  I know a lot of people have absolutely no clue about anything to do with a computer other than turn it on and type.  The same holds true of their routers, as long as they are turned on and they can connect they know absolutely nothing about it.

 

I for one had no idea until my very first WAN based ASUS forced me to change the password and then its Android app's security check asked me to disable the WAN based access. I then checked my ADSL router which I now keep as backup in case my current ISP connection is not working, turns out, it was accessible from the internet too, disabled that but due to a bug it's still accessible.

 

Either way, that Android app also suggested I disable UPnP, but I feel my torrent client only works efficiently when it's enabled, even with port forwarding. What are your views on UPnP, and what other router based security changes would you recommend here?
