After we pointed out a security issue with the web-based interface in our recent Linksys EA8300 router review, IOActive Labs reports it discovered 10 security vulnerabilities across 25 different Linksys routers, including the EA8300 unit we just reviewed. The issues range from low to high on a security level, six of which grant remote access to “unauthenticated” attackers.
In one example, hackers can use an affected router as a Denial-of-Service (DoS) tool. The hacker merely sends a few requests or “abuse” a specific API used by the browser-based backend. The router will then either become unresponsive or will reboot altogether. When that happens, router owners are locked out of the web-based interface and connected client devices can’t access the internet until the hacker stops the DoS attack.
Firmware flaws also enable hackers to collect “technical and sensitive” information about the router itself by bypassing the authentication protecting the onboard Common Gateway Interface (CGI) scripts, which enables the router to generate the browser-based interface. Information collected through this vulnerability include the firmware version, a list of connected USB devices, the firewall configuration, and more.
“Authenticated attackers can inject and execute commands on the operating system of the router with root privileges,” reports IOActive’s Taeo Sauvage. “One possible action for the attacker is to create backdoor accounts and gain persistent access to the router. Backdoor accounts would not be shown on the web admin interface and could not be removed using the Admin account.”
Sauvage and his co-researcher used the Shodan tool to discover that only around 7,000 vulnerable Linksys routers accessed the internet at the time of the report. However, that number does not include vulnerable routers that are running behind another network appliance or governed by strict firewall rules. That is also a global number spanning 25 different models, too.
That said, the majority of the vulnerable routers resides within the United States at 69 percent. Canada falls into second place with 10 percent while Hong Kong, Chile, Netherlands, Venezuela, Argentina, and Russia are each around one to two percent. The remaining 13 percent of the affected units fall within the “others” group.
What is not surprising is that around 11 percent of these devices rely on the default credentials provided by Belkin/Linksys, opening the door for hackers to simply log into the router and get full root access remotely. Most if not all of the affected routers are linked to a cloud account.
Belkin/Linksys is working on a firmware fix now. They provide a security advisory regarding the discovery although you will not find it splashed on the front cover of the Linksys website. It is also not openly listed on the website’s Support section. The only way we found the advisory was through a Google search, or by clicking on the link within Sauvage’s report.
Here are the routers in question:
EAxxxx Series
| EA2700 | EA2750 | EA3500 | EA4500 v3 | EA6100 |
| EA6200 | EA6300 | EA6350 v2 | EA6350 v3 | EA6400 |
| EA6500 | EA6700 | EA6900 | EA7300 | EA7400 |
| EA7500 | EA8300 | EA8500 | EA9200 | EA9400 |
| EA9500 |
WRT Series
| WRT 1200AC | WRT 1900AC | WRT 1900ACS | WRT 3200ACM |
