Serious Vulnerabilities Found in Popular Home Wireless Routers

Hackers love to attack Java. Why? Well, not only because it is full of holes, but because it’s everywhere, embedded on endpoints, Web browsers, mobile devices and more. The same goes for attacking wireless routers; they’re buggy and they’re everywhere.

A handful of vulnerabilities were identified late last week in the Cisco Linksys EA2700 Network Manager N600 Wireless-N routers, which have been on the market a little more than a year and are a popular choice not only for home users but for small businesses.

Pen-tester and researcher Phil Purviance, who has presented similar research at security industry events, reported his findings to Cisco on March 5. No patches are available yet. Cisco did not respond to a request for comment.

“I hooked it up and spent maybe 30 minutes testing the security of the embedded website used to manage the device, then never used it again,” Purviance wrote on his blog of the EA2700. “What I found was so terrible, awful, and completely inexcusable! It only took 30 minutes to come to the conclusion that any network with an EA2700 router on it is an insecure network!”

His research looked at the administration features of the embedded management website. The vulnerabilities he found vary in severity and in how easy they are to exploit.

A cross-site scripting bug was found on the router’s apply.cgi that works regardless of authentication and would allow an attacker to access the device, change settings or upload modified firmware.

A file path traversal vulnerability was also discovered that would enable an attacker to remotely access password or configuration files without being logged in. “This vulnerability,” Purviance wrote, “tells me that this router’s software was never given a security pen-test because it is just too easy.”

He also found a cross-site request forgery flaw that would allow an attacker on the same network to change log-in information and remotely manage the hardware. He said a remote attacker could also exploit the same vulnerability by luring the user to a website hosting an exploit, which, he said, amounts to a POST request to the management page that opens the admin interface and changes the user’s password to “password.”

The final EA2700 bug can lead to source code disclosure. By inserting a particular character into a URL while browsing the admin interface, raw source code is presented. “No I’m not talking the HTML source code, but the actual Web application level source code that is used to convert the page to HTML,” he said.
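The four bugs above are textbook web-application weaknesses in an embedded management interface: a settings endpoint reachable without a session, a file handler that follows `..` out of the web root, a state-changing POST with no anti-forgery check, and unescaped reflection of request data. The following Python is an added example written for this article, not Cisco or Linksys code, showing the checks a hardened admin handler would apply. The endpoint name `apply.cgi` and the "password" change come from the article; `WEB_ROOT`, `ADMIN_ORIGIN`, the `Request`/`Session` shapes and the form field names are assumptions.

```python
"""Hardened request handling for a hypothetical embedded router admin site.
Added example, not vendor code. It demonstrates the defences that block the bug
classes described in the article: authentication on /apply.cgi, a CSRF check on
state-changing POSTs, web-root containment for file requests, and HTML-escaping
of reflected input."""
import hmac
import html
import posixpath
import secrets
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

WEB_ROOT = "/www"                    # assumed document root of the embedded site
ADMIN_ORIGIN = "http://192.168.1.1"  # constructed: the router's own LAN origin


@dataclass
class Request:
    method: str
    path: str                                 # raw request target, e.g. "/apply.cgi?x=1"
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Session:
    csrf_token: str
    authenticated: bool = True


SESSIONS: dict[str, Session] = {}
SETTINGS = {"http_passwd": secrets.token_urlsafe(12)}  # constructed initial state


def new_session() -> str:
    """Create an authenticated session (after a real login) and return its cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(csrf_token=secrets.token_hex(16))
    return sid


def safe_resolve(request_target: str):
    """Map a URL path onto WEB_ROOT; return None if it would escape the root."""
    raw = unquote(urlsplit(request_target).path)  # decode %2e%2e style encodings first
    if "\x00" in raw or "\\" in raw:               # NUL truncation / backslash tricks
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, raw.lstrip("/")))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


def csrf_ok(req: Request, session: Session) -> bool:
    """Accept a state change only if Origin/Referer is the device itself and the
    per-session token round-trips; a POST forged from another site fails both."""
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != ADMIN_ORIGIN:
        return False
    return hmac.compare_digest(req.form.get("csrf_token", ""), session.csrf_token)


def handle(req: Request) -> tuple[int, str]:
    """Return (status, body) for one request to the admin site."""
    path = urlsplit(req.path).path
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if path == "/apply.cgi":
        if session is None or not session.authenticated:
            return 401, "authentication required"
        if req.method != "POST":
            return 405, "settings changes must be POSTed"
        if not csrf_ok(req, session):
            return 403, "cross-site request rejected"
        new_pw = req.form.get("http_passwd", "")
        if len(new_pw) < 8:
            return 400, "password too short"
        SETTINGS["http_passwd"] = new_pw      # real firmware would store a salted hash
        user = html.escape(req.form.get("http_username", "admin"))  # neutralises reflected XSS
        return 200, "settings applied for " + user
    if req.method == "GET":
        target = safe_resolve(req.path)
        return (400, "bad path") if target is None else (200, "serve " + target)
    return 405, "method not allowed"
```

The order of the checks matters: authentication is tested before anything else, so an unauthenticated caller learns nothing about the endpoint's behaviour, and the origin check is cheap enough to run before the token comparison. `safe_resolve` decodes the path before normalising it, because a handler that normalises first and decodes later is exactly the kind that lets `..%2f` through.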

In addition, Purviance said a Cisco patch released in January for a cross-site request forgery flaw in the Linksys WRT54GL router was incomplete, and patched only an unrelated cross-site scripting flaw. He said the latest firmware version 4.30.16 remains vulnerable to the attack he presented last year at Black Hat and AppSec USA.

Security researchers are starting to look at these vulnerable customer-premises devices as possible launchpads for a variety of attacks. IOActive researchers Sofiane Talmat and Ehab Hussein recently shared research with Threatpost demonstrating that home routers and modems from ISPs can be chained together to redirect traffic in click-fraud scams, keep blocks of users from reaching the Internet, or launch denial-of-service attacks.

Recently, new modules were added to Metasploit that exploit vulnerabilities in embedded Linux-based routers from Linksys, D-Link and Netgear. The modules fingerprint the devices, retrieve configuration files or enable an attacker to get shell access.

“The major difference between these vulnerabilities and the more traditional PC-based vulnerabilities (such as Java and Windows vulnerabilities) is that the existence of vendor patches doesn’t really matter,” said Tod Beardsley, engineering manager at Rapid7. “Even if vendors release patched firmware for these devices, the vast majority of users will never learn about them. There aren’t automatic update functions on any of these devices, and there is nothing like anti-virus software that can run on these low-memory, low-power devices. As a result, these kinds of bugs are extremely long-lived.”

Talmat and Hussein were also able to take advantage of vulnerable firmware and upload their own in simulated attacks. Their new firmware took the place of factory-installed firmware, rendering factory-reset options useless.

“In addition, if an attacker is able to get control of a device, that attacker has effective control over all the devices that associate with it. He can poison DNS, he can reflect traffic to a malicious site, he can inject phishing links in HTTP sessions, he can disable firewall rules – the number of attack vectors is limited only by imagination,” Beardsley said. “This extends not only to the computers on the internal network, but also phones that associate to the wireless.”


  • Jeffrey Lebowski on

    Excellent article.  I hope everyone remembers this the next time they hear or read someone arguing that we can safely cast our ballots over the Internet from our home computers.

  • Anonymous on

    Thanks for the information on router vulnerabilities but what about some information on what can be done to protect ourselves.

    • Kevin on

      As mentioned, there certainly are options. I noticed a previous reader mentioned patching. While correct, patching your router doesn't necessarily help. Most of these companies are not even responding to researchers - take a look at exploit-db. My recommendation is, first and foremost, DISABLE the internet-facing web interface (usually on port 80 or 8080). This will certainly make a difference in reducing fingerprinting, and will help keep you off Shodan. Still, this doesn't protect you from CSRF attacks, so it is a good idea to patch when you can, and stay away from legacy devices. Seriously, I wish I had a dime for every time I saw someone (especially small business owners) running an old Linksys with WEP on their "secure" network.

  • Anonymous on

    This is a staggering revelation! The potential for a class action lawsuit for past damages and criminal negligence boggles the mind. Are there any wireless routers not affected by this discovery? Can you imagine what our current socialistic politicians can conjure up concerning this? They already are desperate to control or shutdown the Internet...

  • Anonymous on

    So Linksys, D-Link and Netgear all have issues that can be exploited. Where does that leave us now? What actions can we take to secure our networks?

  • Anonymous on

    There are options.  The issue is that most people do not want to spend the money for REAL security or do not know how to deploy highly secure open-source solutions.  Finding vulnerabilities in nearly anything connected to the Internet these days is commonplace.  The real problem is that even when these are discovered and fixes are released, users seldom do their part to patch the problems (as the article pointed out).  Real security for your PC or network is a multi-pronged approach that has to be constantly monitored to be effective.  For the home user, this can be fairly easy but likely needs to be put on a calendar of things-to-do each month.  For businesses, even small ones, it's best to hire a Managed IT Services Provider and let them monitor your entire network 24/7.  This stuff is only going to get more and more complex.  The days of your neighborhood computer repair guy adequately addressing IT security issues are quickly coming to an end.

  • apple? on

    I wouldn't use an Apple router if someone paid me. Same chipset as the Linksys. Keep in mind, Apple was hacked as well. Even their App Store was hacked to infect both Apple and PC.
