720-891-1663

Return to list of client alerts

Nine High End WiFi Routers Vulnerable to 226 Bugs

Usually, we hear about bugs in cheap network hardware, but this time we are talking about high end wireless routers.

The routers in question are made by Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology and Linksys. These are well known brands.

Most of these are MIMO routers, which are not cheap.

All of the routers were updated to the most recent available firmware before testing, so you can’t blame the problem on running outdated firmware. Then they were automatically analyzed by IoT Inspector.

Since different routers showed different numbers of bugs, you also cannot attribute this to one bad IoT operating system or a single cheap web server.

Among the problems are:

  • Outdated Linux kernel
  • Outdated multimedia functions
  • Outdated VPN software
  • Reliance on old versions of BusyBox
  • Use of weak default credentials
  • Presence of hardcoded credentials in plain text

The good news is that since these are all reputable vendors (and since they were about to be very publicly outed), they all released updated firmware. BUT, THE RESEARCHERS DID NOT RETEST THE DEVICES TO SEE IF ANY BUGS REMAINED OPEN.

But, what is the probability that your Work-From-Home users have updated their WiFi access points (or, if their WAPs are provided by their ISP, that their ISP updated them). My guess is that NO company knows the answer to that and NO company can say that ALL of their of their employee network hardware, both that supported by their ISP and by the employee, is up to date. I will even predict that most companies don’t even know what network hardware their employees are using. On top of that, I bet that most employees don’t even know what network hardware they are using.

The devices tested are:

  • Asus GT-AX11000
  • AVM 7530 AX and 7590 AX
  • D-Link DIR-X5460
  • Edimax BR-6473AX
  • Linksys MR9600
  • Netgear Nighthawk AX12
  • Synology RT-2600ac
  • TP-Link Archer AX6000

Consider what happens if a key employee’s network is compromised (say, your CEO or CFO).

I think there is some work to be done. Nothing is perfect, but there are definite steps to take to reduce risk.

Credit: Bleeping Computer