Research firm IOActive recently released a an article that revealed some serious security deficiencies on popular Linksys Smart Wi-Fi products. They have notified Linksys, and Linksys is working on the firmware upgrades that will be necessary to fix these issue, and they have issued a security advisory.
Among the vulnerabilities discovered:
- Unauthenticated attacker can create a denial-of-service condition by manipulating an API in the firmware.
- Attackers can bypass authentication for the CGI scrpts, and collect information about the system, including the WPS passcode used to connect to the router.
- Authenticated attackers can execute commands with root privileges, and create undetectible backdoor accounts
The Linksys advisory recommends that product owners do the following to protect themselves in the interim.
- Enable Automatic Updates. Linksys Smart Wi-Fi devices include a feature to automatically update the firmware when new versions are available.
http://www.linksys.com/us/support-article?articleNum=140124#b - Disable WiFi Guest Network if not in use.
http://www.linksys.com/us/support-article?articleNum=140861 - Change the default Administrator password.
http://www.linksys.com/us/support-article?articleNum=142491
For a list of affected models, see the advisory.
More information:
Share
8
MAY
MAY
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com