Travel routers are a hot mess of security flaws

One of the worst offenders needs only a text message to turn over the router's admin credentials.
Written by Zack Whittaker, Contributor

Several popular travel routers are at risk of a slew of vulnerabilities, a researcher has warned.

Jan Hoersch, an IT security consultant, said at a Kaspersky talk last week (via Threatpost) that many of these routers contain easily exploitable flaws, and warned of the dangers of off-the-shelf Internet of Things devices.


SMS-based credential grabbing (Image: Heise.de)

Hoersch said that one of the routers he dissected, a TP-Link M5250, could be tricked into turning over its plaintext admin credentials and wireless network address, which run as root, with a text message containing a simple line of code.

Another router, made by StarTech, contained hardcoded credentials, which he said can't be changed. He was able to open telnet and get a shell, which could be used to spread malware across a network.

With hardcoded credentials, he said, "most of the time they're just there to be exploited, like a backdoor."

And, in two other cases, with travel routers manufactured by Hootoo and TrendNet, an attacker could elevate privileges, update firmware, and inject unauthenticated commands over a network port.

The list went on: IP cameras and network-attached storage devices, which all too often aren't even password protected, all got a name check.

But routers have long been a security headache. Not only are they the entry point to most networks, but router makers have also long shied away from focusing on security -- which more often than not leads to vulnerability disclosures.

Insecure routers don't always lead to unauthorized network access, but can instead be hijacked as part of botnet operations, like Mirai, designed to target sites and services and knock them offline.

Hundreds of security experts and leaders have pushed for better security at the router level, but to no avail on the part of router makers.

On the point that some companies can't handle the deluge of reported security flaws, Hoersch argued during his talk that it's of the "utmost importance that companies do bug bounty programs, even if you don't give out bounties, just let them have a way to disclose bugs without having to write five emails."

"Most of us go full disclosure because it's too much of a hassle to go to the vendors and that's not how it should be," he said.
