Nine WiFi routers used by millions were vulnerable to 226 flaws

Security researchers analyzed nine popular WiFi routers and found a total of 226 potential vulnerabilities in them, even when running the latest firmware.

The tested routers are made by Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology and Linksys and are used by millions of people.

The frontrunners in terms of the number of vulnerabilities are the TP-Link Archer AX6000, which has 32 errors, and the Synology RT-2600ac, which has 30 security errors.

Highly serious errors affecting TP-Link Archer AX6000
Highly serious errors affecting TP-Link Archer AX6000
Source: IoT Inspector

The test process

Researchers at IoT Inspector conducted the safety tests in collaboration with CHIP magazine, focusing on models used primarily by small businesses and home users.

“For Chips router evaluation, vendors provided them with current models that had been upgraded to the latest firmware version,” Florian Lukavsky, CTO & Founder at IoT Inspector, told BleepingComputer via email.

“The firmware versions were automatically analyzed by the IoT Inspector and checked for more than 5,000 CVEs and other security issues.”

Their results showed that many of the routers were still vulnerable to publicly disclosed vulnerabilities, even when using the latest firmware, as illustrated in the table below.

Router models and errors categorized according to their severity
Router models and errors categorized according to their severity
Source: IT inspector
Left column translated by BleepingComputer

Although not all faults had the same risk, the team found some common problems that affected most of the models tested:

  • Outdated Linux kernel in firmware
  • Outdated multimedia and VPN features
  • Excessive reliance on older versions of BusyBox
  • Use of weak default passwords as “admin”
  • Presence of hard-coded credentials in plain text form

Jan Wendenburg, CEO of IoT Inspector, noted that one of the most important ways to secure a router is to change the default password once you configure the device.

“Changing passwords on first use and enabling the automatic update feature should be standard practice on all IoT devices, whether used at home or on a corporate network.” explained Wendenburg.

“The biggest danger, besides vulnerabilities introduced by manufacturers, is to use an IoT device according to the motto ‘plug, play and forget’.”

Unpacking an encryption key

The researchers did not release many technical details about their results, except for one case of extracting the encryption key for D-Link router firmware images.

The team found a way to gain local privileges on a D-Link DIR-X1560 and gain shell access via the physical UART bug fix interface.

Next, they dumped the entire file system using built-in BusyBox commands and then found the binary that was responsible for the decryption routine.

By analyzing the corresponding variables and functions, the researchers finally extracted the AES key used for the firmware encryption.

Derives the AES key on CyberChef
Derives the AES key on CyberChef
Source: IoT Inspector

Using this key, a threat actor can send malicious firmware image updates to pass verification checks on the device, which could potentially plant malware on the router.

Such problems can be solved with full-disk encryption that secures locally stored images, but this practice is not common.

The manufacturers responded quickly

All the affected manufacturers responded to the researchers’ results and released firmware patches.

CHIP author Jörg Geiger commented that the router providers addressed most of the security flaws that the working group had identified, but not all of them.

Researchers have told Bleeping Computer that the bug fixes are mostly minor vulnerabilities. However, they clarified that no follow-up tests were performed to confirm that the security updates resolved the reported issues.

The supplier’s response to CHIP (translated) was as follows:

  • Asus: Asus examined each point of the analysis and presented us with a detailed answer. Asus has patched the outdated BusyBox version, and there are also updates to the “curl” and the web server. It pointed out that password problems were temporary files that the process removes when it ends. They do not pose a risk.
  • D-Link: D-Link thanked us briefly for the information and released a firmware update that addresses the issues mentioned.
  • Edimax: Edimax does not seem to have invested too much time in checking the issues, but eventually there was a firmware update that fixed some of the holes.
  • Linksys: Linksys has commented on all topics classified as “high” and “medium”. Default passwords will be avoided in the future; there is a firmware update for the remaining issues.
  • Netgear: At Netgear, they worked hard and took a closer look at all the issues. Netgear sees some of the “high” issues as a minor issue. There are updates for DNSmasq and iPerf, other reported issues should be observed first.
  • Synology: Synology solves the issues we mentioned with a major update to the Linux kernel. BusyBox and PHP will be updated to new versions, and Synology will soon clean up the certificates. Incidentally, not only the routers benefit from this, but also other Synology devices.
  • TP-Link: With updates from BusyBox, CURL and DNSmasq, TP-Link eliminates many problems. There is no new kernel, but they are planning more than 50 fixes for the operating system

If you use one of the models mentioned in the report, you are advised to apply the available security updates, enable “automatic updates” and change the default password to one that is unique and strong.

Additionally, you should disable Remote Access, Universal Plug and Play (UPnP), and WiFi Protected Setup (WPS) if you are not actively using them.

Bleeping Computer has contacted all of the affected manufacturers and requested a comment on the above and we will update this piece as soon as we receive their response.


Leave a Reply

Your email address will not be published.