Researchers find 10 vulnerabilities in 25 network routers supplied by Linksys

Linksys Max-Stream EA8300 review
Kevin Parrish/Digital Trends
After we pointed out a security issue with the web-based interface in our recent Linksys EA8300 router review, IOActive Labs reports it discovered 10 security vulnerabilities across 25 different Linksys routers, including the EA8300 unit we just reviewed. The issues range from low to high in severity, and six of them grant remote access to “unauthenticated” attackers.

In one example, hackers can use an affected router as a Denial-of-Service (DoS) tool. The hacker merely sends a few requests or “abuses” a specific API used by the browser-based backend. The router will then either become unresponsive or reboot altogether. When that happens, router owners are locked out of the web-based interface and connected client devices can’t access the internet until the hacker stops the DoS attack.

Firmware flaws also enable hackers to collect “technical and sensitive” information about the router itself by bypassing the authentication protecting the onboard Common Gateway Interface (CGI) scripts, which enable the router to generate the browser-based interface. Information collected through this vulnerability includes the firmware version, a list of connected USB devices, the firewall configuration, and more.

“Authenticated attackers can inject and execute commands on the operating system of the router with root privileges,” reports IOActive’s Tao Sauvage. “One possible action for the attacker is to create backdoor accounts and gain persistent access to the router. Backdoor accounts would not be shown on the web admin interface and could not be removed using the Admin account.”

Sauvage and his co-researcher used the Shodan tool to discover that only around 7,000 vulnerable Linksys routers accessed the internet at the time of the report. However, that number does not include vulnerable routers that are running behind another network appliance or governed by strict firewall rules. It is also a global number spanning 25 different models.

That said, the majority of the vulnerable routers reside within the United States, at 69 percent. Canada falls into second place with 10 percent, while Hong Kong, Chile, the Netherlands, Venezuela, Argentina, and Russia are each around one to two percent. The remaining 13 percent of the affected units fall within the “others” group.

What is not surprising is that around 11 percent of these devices rely on the default credentials provided by Belkin/Linksys, opening the door for hackers to simply log into the router and get full root access remotely. Most if not all of the affected routers are linked to a cloud account.

Belkin/Linksys is working on a firmware fix now. They provide a security advisory regarding the discovery although you will not find it splashed on the front cover of the Linksys website. It is also not openly listed on the website’s Support section. The only way we found the advisory was through a Google search, or by clicking on the link within Sauvage’s report.

Here are the routers in question:

EAxxxx Series

EA2700 EA2750 EA3500 EA4500 v3 EA6100
EA6200 EA6300 EA6350 v2 EA6350 v3 EA6400
EA6500 EA6700 EA6900 EA7300 EA7400
EA7500 EA8300 EA8500 EA9200 EA9400

WRT Series

WRT 1200AC WRT 1900AC WRT 1900ACS WRT 3200ACM