Research firm IOActive recently released an article that revealed some serious security deficiencies in popular Linksys Smart Wi-Fi products. IOActive has notified Linksys, and Linksys is working on the firmware upgrades needed to fix these issues and has issued a security advisory.
Among the vulnerabilities discovered:
- Unauthenticated attackers can create a denial-of-service condition by manipulating an API in the firmware.
- Attackers can bypass authentication for the CGI scripts and collect information about the system, including the WPS passcode used to connect to the router.
- Authenticated attackers can execute commands with root privileges and create undetectable backdoor accounts.
The Linksys advisory recommends that product owners do the following to protect themselves in the interim:
- Enable Automatic Updates. Linksys Smart Wi-Fi devices include a feature to automatically update the firmware when new versions are available.
- Disable WiFi Guest Network if not in use.
- Change the default Administrator password.
For a list of affected models, see the advisory.