New Firmware for Zyxel WiFi Access Points Removes Embedded Credentials

Attackers targeting connected devices typically prey on lax security such as unchanged default configurations. Sometimes, though, an oversight by the manufacturer does the work for them. A recent example is a hardcoded-credential vulnerability in multiple Zyxel access points used to extend wireless coverage.

Almost two dozen products from Zyxel’s NWA, NAP and WAC series are affected; these are access points used to provide uninterrupted coverage across larger offices or outdoor areas. Although some sell for more than $900, security researchers found that they expose sensitive information that can be used to pivot into a protected network.

Researchers at security consulting company SEC Consult found that multiple Zyxel WiFi access points ran an active File Transfer Protocol (FTP) server that hosted the configuration file for the WiFi network. FTP transfers files of any type between systems, and on these devices it was used to serve the settings needed for quick installation of the access point.

The problem is that the FTP server on affected Zyxel access points accepted credentials embedded in the firmware. Anyone analyzing the firmware image could extract the username and password, log in to the FTP server and download the configuration file, which contains WiFi network names (SSIDs) and their passwords.

An attacker can use this information to join a protected wireless network and reach critical systems behind it, the researchers warn. The credentials they recovered were the username “devicehaecived” and the password “1234,” which grant access to the AP’s FTP service on port 21. Those details are enough for a bad actor to scan the internet for exposed devices.
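The firmware analysis described above is routine string mining. The following script is an added example, not code from SEC Consult or Zyxel: it extracts printable strings from a firmware blob, picks out key=value pairs and Unix passwd-style entries that look like credentials, and flags values that are on a short weak-password list. The blob is constructed inline to stand in for an unpacked image; the only real values in it are the username and password reported by the researchers, and the file names, SSID, passphrase and hash are invented for illustration.

```python
"""Mine a firmware image for plaintext credentials (added example).

The SAMPLE_FIRMWARE blob is constructed for this example; it is not the
Zyxel image. Only the "devicehaecived" / "1234" pair comes from the
SEC Consult finding, everything else is made-up filler.
"""
import re
from typing import Dict, Iterator, List, Tuple

SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16          # fake ELF header
    + b"/usr/sbin/vsftpd\x00"                          # binary path
    + b"ftp_user=devicehaecived\x00"                   # reported username
    + b"ftp_pass=1234\x00"                             # reported password
    + b"\x8a\x13" * 20                                 # non-printable filler
    + b"wpa_passphrase=CorrectHorseBatteryStaple\x00"  # invented WiFi secret
    + b"ssid=OfficeNet\x00"                            # invented SSID
    + b"/etc/passwd\x00"
    + b"admin:$1$abc$xyz:0:0::/root:/bin/sh\x00"       # invented hash entry
    + b"\xff" * 32
)

# Keys whose values are worth pulling out of an image.
INTERESTING_KEYS = ("user", "pass", "login", "pwd", "secret", "key",
                    "psk", "passphrase", "ssid")

# Small weak-password list; a real scan would use a larger wordlist.
WEAK = {"", "1234", "12345", "123456", "password", "admin", "root"}


def extract_strings(blob: bytes, min_len: int = 4) -> Iterator[str]:
    """Yield runs of printable ASCII, like the `strings` tool does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for match in re.finditer(pattern, blob):
        yield match.group().decode("ascii")


def find_credentials(blob: bytes) -> Dict[str, str]:
    """Return key -> value for credential-looking strings in the blob."""
    found: Dict[str, str] = {}
    for s in extract_strings(blob):
        if "=" in s:
            key, _, value = s.partition("=")
            if value and any(t in key.lower() for t in INTERESTING_KEYS):
                found[key.strip()] = value.strip()
        elif s.count(":") >= 6:
            # passwd-style line: name:hash:uid:gid:gecos:home:shell
            parts = s.split(":")
            if parts[1] not in ("", "x", "*", "!"):
                found["passwd:" + parts[0]] = parts[1]
    return found


def weak_credentials(creds: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag values that are trivially guessable or too short to be secrets."""
    findings = []
    for key, value in creds.items():
        lkey = key.lower()
        if value.lower() in WEAK:
            findings.append((key, value, "value is on the weak-password list"))
        elif any(t in lkey for t in ("pass", "pwd", "psk", "secret")) \
                and len(value) < 8:
            findings.append((key, value, "secret shorter than 8 characters"))
    return findings


if __name__ == "__main__":
    creds = find_credentials(SAMPLE_FIRMWARE)
    for key, value in creds.items():
        print(f"{key:20s} {value}")
    for key, value, reason in weak_credentials(creds):
        print(f"WEAK: {key}={value} ({reason})")
```

Run it against an unpacked image (for example the root filesystem that `binwalk -e` produces) by reading the file into `find_credentials`; the heuristics are deliberately simple so that false positives are cheap to review by hand, and any hit on a login used by a network service is exactly the kind of finding this advisory describes.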

“When the wireless network is connected to another VLAN, the vulnerability could allow an unauthenticated individual to use the FTP service to gain access to a file containing network credentials,” reads the advisory from Zyxel.

Zyxel worked with SEC Consult and identified 21 access point models affected by the oversight. The manufacturer has released firmware versions that fix the issue; customers can consult the company’s advisory page to find the patched firmware for their model.

This was not the only vulnerability discovered and disclosed by Thomas Weber of SEC Consult. In a separate report to Zyxel, the researcher revealed a flaw in the web Common Gateway Interface (CGI) that could be used to check whether specific domain names exist on the local network, behind the firewall.

Following an investigation, Zyxel determined that more than two dozen of its USG, UAG, ATP, VPN and NXC series devices are affected. These are unified security and access gateways, used mostly in enterprise networks.

Image credit: Zyxel
