Linksys says that 25 router models are vulnerable to remote hacking and could be taken over by an attacker if users still use their default admin credentials.
The company issued a security advisory this week, letting customers know that certain products are affected by three vulnerabilities discovered by cyber-security firm IOActive.
Linksys, formerly part of Cisco, now a Belkin brand, says it's working on delivering a firmware update to mitigate all three flaws. In the meantime, the company issued a security alert as a warning for customers that might be vulnerable to attacks.
IOActive, which published a report on its blog, refrained from publishing any technical details about how an attacker could exploit the three issues, and only described them in general terms. The issues are as follows.
(1) An attacker can send malformed requests to the router that cause a denial-of-service condition, freezing or rebooting the router for as long as the attacker keeps sending the malformed requests.
(2) An attacker can bypass authentication procedures and collect information on the router and its users, such as firmware version, Linux kernel version, a list of running processes, a list of connected USB devices, the WPS PIN for the Wi-Fi connection, firewall configurations, FTP settings, and SMB server settings.
(3) An attacker can execute code on the router. One of the uses for this flaw is that it allows an attacker to create a secret root-level backdoor account that does not appear in the router's web-based configuration panel.
By far the most dangerous flaw is the last. Fortunately, this flaw can only be exploited by an authenticated user, meaning the attacker must first gain access to one of the Linksys configuration accounts.
This is why Linksys is warning customers who are still using default credentials. Such routers are vulnerable and are now sitting ducks until the company releases a firmware update in the coming days or weeks.
Besides changing default passwords, Linksys security engineers also recommend that users disable the Wi-Fi guest network and turn on the router's built-in automatic updates setting, so that the router fetches and installs the new firmware as soon as it becomes available.
IOActive researchers said that an Internet-wide scan for vulnerable Linksys routers discovered 7,000 devices exposed to the Internet, with over 700 routers still using the default password.
"It should be noted that this number does not take into account vulnerable devices protected by strict firewall rules or running behind another network appliance, which could still be compromised by attackers who have access to the individual or company’s internal network," IOActive added.
Below is the list of vulnerable Linksys router models: