fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Nine WiFi Routers Used by Millions were Vulnerable to 226 flaws

Nine WiFi Routers Used by Millions were Vulnerable to 226 flaws

Security researchers analyzed nine popular WiFi routers and found a total of 226 potential vulnerabilities in them, even when running the latest firmware.

The tested routers are made by Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology, and Linksys, and are used by millions of people.

The front-runners in terms of the number of vulnerabilities are the TP-Link Archer AX6000, having 32 flaws, and the Synology RT-2600ac, which has 30 security bugs.

Also Read: Data Protection Framework: Practical Guidance for Businesses

High-severity flaws affecting TP-Link Archer AX6000
High-severity flaws affecting TP-Link Archer AX6000
Source: IoT Inspector

The testing process

Researchers at IoT Inspector carried out the security tests in collaboration with CHIP magazine, focusing on models used mainly by small firms and home users.

“For Chip’s router evaluation, vendors provided them with current models, which were upgrade to the latest firmware version,” Florian Lukavsky, CTO & Founder at IoT Inspector, told BleepingComputer via email.

“The firmware versions were automatically analyzed by IoT Inspector and checked for more than 5,000 CVEs and other security issues.”

Their findings showed that many of the routers were still vulnerable to publicly disclosed vulnerabilities, even when using the latest firmware, as illustrated in the table below.

Router models and flaws categorized as per their severity
Router models and flaws categorized as per their severity
Source: CHIP
Left column translated by BleepingComputer

While not all flaws carried the same risk, the team found some common problems that affected most of the tested models:

  • Outdated Linux kernel in the firmware
  • Outdated multimedia and VPN functions
  • Over-reliance on older versions of BusyBox
  • Use of weak default passwords like “admin”
  • Presence of hardcoded credentials in plain text form

Jan Wendenburg, the CEO of IoT Inspector, noted that one of the most important ways of securing a router is to change the default password when you first configure the device.

Also Read: Top 10 Exceptional And Creative Website Design Guidelines

“Changing passwords on first use and enabling the automatic update function must be standard practice on all IoT devices, whether the device is used at home or in a corporate network.” explained Wendenburg.

“The greatest danger, besides vulnerabilities introduced by manufacturers, is using an IoT device according to the motto ‘plug, play and forget’.”

Extracting an encryption key

The researchers didn’t publish many technical details about their findings, except for one case concerning the extraction of the encryption key for D-Link router firmware images.

The team found a way to gain local privileges on a D-Link DIR-X1560 and get shell access via the physical UART debug interface.

Next, they dumped the whole filesystem using built-in BusyBox commands and then located the binary responsible for the decryption routine.

By analyzing the corresponding variables and functions, the researchers eventually extracted the AES key used for the firmware encryption.

Deriving the AES key on CyberChef
Deriving the AES key on CyberChef
Source: IoT Inspector

Using that key, a threat actor can send malicious firmware image updates to pass verification checks on the device, potentially planting malware on the router.

Such problems can be solved with full-disk encryption that secures locally stored images, but this practice is not common.

Manufacturers responded quickly

All of the affected manufacturers responded to the researchers’ findings and released firmware patches.

CHIP’s author Jörg Geiger commented that the router vendors addressed most of the security flaws identified by the working group, but not all of them.

The researchers have told Bleeping Computer that the unpatched flaws are mostly lower importance vulnerabilities. However, they clarified that no follow-up tests were done to confirm that the security updates fixed the reported issues.

The vendor responses to CHIP (translated) were the following:

  • Asus: Asus examined every single point of the analysis and presented us with a detailed answer. Asus has patched the outdated BusyBox version, and there are also updates for “curl” and the web server. The pointed out that password problems were temp files that the process removes when it is terminated. They do not pose a risk.
  • D-Link: D-Link thanked us briefly for the information and published a firmware update that fixes the problems mentioned.
  • Edimax: Edimax doesn’t seem to have invested too much time in checking the problems, but at the end there was a firmware update that fixed some of the gaps.
  • Linksys: Linksys has taken a position on all issues classified as “high” and “medium”. Default passwords will be avoided in the future; there is a firmware update for the remaining problems.
  • Netgear: At Netgear they worked hard and took a close look at all problems. Netgear sees some of the “high” issues as less of a problem. There are updates for DNSmasq and iPerf, other reported problems should be observed first.
  • Synology: Synology is addressing the issues we mentioned with a major update to the Linux kernel. BusyBox and PHP will be updated to new versions and Synology will soon be cleaning up the certificates. Incidentally, not only the routers benefit from this, but also other Synology devices.
  • TP-Link: With updates from BusyBox, CURL and DNSmasq, TP-Link eliminates many problems. There is no new kernel, but they plan more than 50 fixes for the operating system

If you are using any of the models mentioned in the report, you are advised to apply the available security updates, enable “automatic updates”, and change the default password to one that is unique and strong.

Additionally, you should disable remote access, UPnP (Universal Plug and Play), and the WPS (WiFi Protected Setup) functions if you’re not actively using them.

Bleeping Computer has contacted all of the affected manufacturers requesting a comment on the above, and we will update this piece as soon as we receive their response.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us