Zero-Day Vulnerability Found in TP-Link’s SR20 Smart Home Router

A security developer has disclosed a zero-day vulnerability in TP-Link’s SR20 smart home router that allows code execution with the highest privileges on the device. Details about the bug and proof-of-concept exploit code are currently available, so hackers could change it to run commands of their choosing with the rights of an administrator.

SR20 was introduced to the public three years ago, at the Consumer Electronics Show in Las Vegas. Promoted as a smart home router, the device supports third-party IoT gadgets, doubling as a home hub that unifies the smart home network. Using either its touchscreen or the Kasa Smart app, users can control gadgets that connect to the SR20.

Google security developer Matthew Garrett found that the TP-Link Device Debug Protocol (TDDP) could be used to run commands from a device without asking for authentication. The technical details explain that an attacker can take advantage of the flaw by sending the router a request containing a filename and an argument separated by a semicolon.

The method works as long as the attacker-controlled machine communicates with the target SR20 router over a local connection. This limitation is imposed by the default firewall rules, which block access from outside the local network. There are ways to overcome this restriction, though, by tricking a user into downloading a malicious file.

Cybercriminals will likely pass on the opportunity to actively focus on exploiting this flaw, though, mainly because plenty of other vulnerable connected systems are easier to compromise. However, they might incorporate this method into their attacks, just in case.

The researcher published his findings in a thread on Twitter after shared them with TP-Link via the company’s security disclosure form and a 90-day wait for a reply.  The vendor never responded, says Garrett, prompting him to publicly release the details of his research along with code that demonstrates the vulnerability.

Vendors that don’t acknowledge the vulnerable state of their products and work to improve them contribute to keeping the status of IoT devices at a constant “insecure” rating. Security researchers are frequently compelled to disclose security problems before a solution is available because of silence or lack of cooperation from the responsible party.

Open reports of security issues serve to inspire malicious hackers, and they can damage the vendor’s reputation, forcing them to improve their products. End-users also learn about the risks they run and can take steps to protect their electronic equipment.

Image credit: TP-Link