Linksys Routers Vulnerable to Invisible Backdoor Accounts, Reveal Sensitive Internal Info

Ionut ILASCU

April 25, 2017

Security vulnerabilities in multiple Linksys router models can be exploited to extract sensitive information about their network ecosystem, knock users offline or take complete control of the devices. Affected devices are estimated to number 7,000, but these are only the units with their administrative panel exposed to the Internet.

Tao Sauvage, a researcher at security consultancy firm IOActive, and security aficionado Antide Petit, discovered 10 flaws in 25 router models from Linksys by analyzing the firmware of an EA3500 series product. The severity of the findings ranges from low to high, including six bugs exploitable remotely without authentication. Two can force the router to deny connection to clients and prevent access to the administrative interface.

An attacker could leverage other glitches in the affected routers to gather technical details about their versions of firmware and Linux kernel, running processes, connected devices and the operating systems powering them. Even the Wi-Fi Protected Setup (WPS) code can be extracted, which would allow an attacker to connect to the network and compromise it from within.

“Unauthenticated attackers can also harvest sensitive information, for instance using a set of APIs to list all connected devices and their respective operating systems, access the firewall configuration, read the FTP configuration settings, or extract the SMB server settings,” Sauvage writes in his advisory.

One of the most serious vulnerabilities uncovered by the researchers in Linksys routers is command injection and execution with the highest privileges (root). Exploiting it requires authentication, a restriction that offers no real protection when the default credentials have not been changed. Using the Shodan search engine, Sauvage found that 11% of the 7,000 vulnerable Linksys routers exposed to the web were still using the initial credentials from the manufacturer. This would allow an attacker to define a backdoor account invisible in the admin interface, granting permanent access to the product.

Linksys has not released a fix for these vulnerabilities, but has published a security advisory that recommends turning off the Guest Network feature, enabling automatic updates and changing the default administrator password on affected products. These are interim solutions until a patch becomes available.
