Over 20 models of Linksys Smart Wi-Fi routers have been found to have vulnerabilities that, if exploited, could allow attackers to overload a router and force a reboot, deny user access, leak sensitive information about the router and connected devices, change restricted settings, and inject and execute commands on the operating system of the router with root privileges.
The discovery was made by IOActive senior security consultant Tao Sauvage and independent security researcher Antide Petit, who responsibly disclosed the vulnerabilities to Linksys on January 27.
While Linksys has acknowledged the flaws and is working with IOActive to fix them, no patched firmware is available yet, so the vulnerabilities remain exploitable.
“As we work towards publishing firmware updates, as a temporary fix, we recommend that customers using Guest Networks on any of the affected products below temporarily disable this feature to avoid any attempts at malicious activity,” Linksys noted in a security advisory.
They also offered instructions on how to do that, as well as instructions on how to change the devices’ admin password and how to enable automatic firmware updates.
The Linksys Smart Wi-Fi router models affected by the vulnerabilities are: WRT1200AC, WRT1900AC, WRT1900ACS, WRT3200ACM, EA2700, EA2750, EA3500, EA4500v3, EA6100, EA6200, EA6300, EA6350v2, EA6350v3, EA6400, EA6500, EA6700, EA6900, EA7300, EA7400, EA7500, EA8300, EA8500, EA9200, EA9400, and EA9500.
Sauvage and Petit used Shodan to identify vulnerable devices currently exposed to the Internet, and found 7,000 of them.
“It should be noted that this number does not take into account vulnerable devices protected by strict firewall rules or running behind another network appliance, which could still be compromised by attackers who have access to the individual or company’s internal network,” they pointed out.
Their search also revealed that 11 percent of the active devices exposed were using default credentials, “making them particularly susceptible to an attacker easily authenticating and potentially turning the routers into bots, similar to what happened in last year’s Mirai Denial of Service (DoS) attacks.”
They are withholding further technical details until firmware updates are released and users have had enough time to install them.