Linksys Smart Wi-Fi routers a hotbed of unpatched security flaws

Over 20 models are impacted, exposing thousands of household devices online to exploit.
Written by Charlie Osborne, Contributing Writer

Researchers have disclosed the existence of unpatched security flaws in Linksys routers which are exposing thousands of devices to attack.

On Wednesday, IOActive senior security consultant Tao Sauvage and independent security researcher Antide Petit said in a blog post that the bugs, discovered late last year, include 10 vulnerabilities ranging in severity that is present in at least 20 router models widely used today.

When exploited, the low- to high-risk security flaws permit attackers to overload routers and force reboots by creating denial-of-service (DoS) conditions, denying access to legitimate users.

It is also possible for attackers to bypass CGI scripts to collect sensitive information including firmware versions, Linux kernel versions, connected USB device data and WPS pins for Wi-Fi connections, as well as manipulate restricted settings.

In addition, attackers that have gained authentication on the devices can execute commands with root privileges and create backdoor accounts for persistent access that are not viewable in the router smart management console.

The research team found approximately 7,000 devices impacted by the security flaws at the time of the search -- however, this does not include routers protected by firewalls or other network guards.

IOActive says that 11 percent of the exposed devices scanned by Shodan were using default credentials, which also left them open for rooting by attackers.

"A number of the security flaws we found are associated with authentication, data sanitization, privilege escalation, and information disclosure," said Sauvage. "Additionally, 11 percent of the active devices exposed were using default credentials, making them particularly susceptible to an attacker easily authenticating and potentially turning the routers into bots, similar to what happened in last year's Mirai denial-of-service (DoS) attacks."

The Linksys router models affected by the vulnerabilities are: EA2700, EA2750, EA3500, EA4500v3, EA6100, EA6200, EA6300, EA6350v2, EA6350v3, EA6400, EA6500, EA6700, EA6900, EA7300, EA7400, EA7500, EA8300, EA8500, EA9200, EA9400, EA9500, WRT1200AC, WRT1900AC, WRT1900ACS, and WRT3200ACM.

The majority of vulnerable devices, 69 percent, are located in the United States. In addition, vulnerable routers have also been spotted in countries such as Canada, Hong Kong, Chile, and Russia.


IOActive made Linksys aware of the vulnerabilities in January, warning the company that after a grace period of three months, the findings would be made public.

In March, Linksys drafted a customer advisory to warn users of the bugs and make them aware of ways to protect themselves -- including changing the password in the default account -- until a new firmware update is made available to patch the problems.

The advisory is now released and contains a workaround until a new update will be issued in coming weeks.

"We acknowledge the challenge of reaching out to the end-users with security fixes when dealing with embedded devices," the researchers say. "This is why Linksys is proactively publishing a security advisory to provide temporary solutions to prevent attackers from exploiting the security vulnerabilities we identified until a new firmware version is available for all affected models."

IOActive plans to release the technical details of the vulnerabilities once the patch is made available.

In January, researchers disclosed the existence of 53 vulnerabilities in a range of enterprise D-Link routers which could place corporate networks at risk. Similar bugs were also discovered in household SOHO devices.

The most shocking of Shodan

Editorial standards