Some versions of a popular Wi-Fi router sold under the Linksys brand expose users to a variety of exploits that allow remote attackers to take full control of the devices, a security expert said.
The most severe of the vulnerabilities in the "classic firmware" for the Linksys EA2700 Network Manager is a cross-site request forgery weakness in the browser-based administration panel, according to Phil Purviance, an information security specialist at AppSec Consulting. He said routers running the software also don't require the current password to be entered when the passcode is changed. By exploiting the two weaknesses together, attackers can take full control of the router by luring anyone connected to it to a booby-trapped website. Malicious JavaScript in the end-user's browser resets the password and turns on remote management capabilities. The attacker can then gain administrative privileges over the device.
"If you have this router on your network and you browse [a] malicious website, five seconds later your router now has a new password and is available from the Internet," Purviance told Ars. "So [an attacker] can just log into it as if [he] was on your network." From there, an attacker could do anything a normal administrator could do, including installing a version of the device firmware that contains a backdoor and changing settings to use malicious domain name lookup servers. The security consultant documented more of his findings in a recently published blog post.
Because there's no need for authentication to change passwords, vulnerable routers that are already configured to use remote access are susceptible to hacks that allow attackers on the Internet to change the passwords and take administrative control of the devices. Searches such as this one list Internet-routable devices that advertise themselves as EA2700 routers. That makes it easy to find potentially vulnerable targets.
A statement issued by officials from Belkin, which recently acquired the Linksys brand, said the vulnerabilities documented by Purviance had been fixed in the Linksys Smart Wi-Fi Firmware that was released in June.
"Network security is top of mind in everything we do," the statement read. "We have a layered approach via our hardware and software that provides immediate protection for our customers out of the box and enables us to react to new vulnerabilities quickly."
In all, Purviance found four vulnerabilities in the classic firmware for the EA2700 and a separate security bug in the WRT54GL. He said some, but not all, of the exploits require an attacker to know or correctly guess the IP address of the default gateway. This means that one possible mitigation for some kinds of attacks is to change the default address to one that's less widely used, such as 192.168.150.1. Of course, the better precaution is to upgrade the firmware. The link for the Linksys Smart Wi-Fi Firmware is here.
reader comments
73