Concerns over Asus and Linksys router vulnerabilities

White hat hacker discloses router vulnerabilities that may only be fixed when new firmware versions are deployed.

The continuing problem of broadband router/modem vulnerabilities hit the security spotlight overnight, after it emerged that routers from both Asus and Linksys are affected.

Users of several Asus routers - typically used by premium broadband users in a corporate setting - woke on Wednesday morning to news that a white hat hacker had been leaving messages on their systems telling them their routers were vulnerable to attack.

Users of the more generic Linksys family of routers, meanwhile, have also been rocked by reports that their routers are vulnerable to a simple exploit that could give an attacker remote access to the device. SCMagazineUK.com notes that the Linksys issue is linked to the Moon worm reported last week by the SANS Institute.

Ars Technica broke the bad news that users of several Asus routers - models RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R - have been hit by taunting messages telling them to take more care, as their routers are hackable.

The exploit used by the unknown white hat hacker appears to be the same one flagged by PCWorld Norway earlier this month.

Ars Technica says that users are finding warning advisories on USB storage devices attached to their Asus routers, apparently left there by non-malevolent white hat hackers.

As many as 13,000 users may be affected by the warning messages: that number of external IP addresses of Asus router users was recently published on the Internet, together with a BitTorrent file containing lists of the files on each victim's attached drive.

Asus says it has patched the affected router models, but the patch needs to be installed manually. The vulnerability stems from the fact that these Asus routers - unlike the industry norm - have remote administration, remote FTP and SMB functions open by default to all remote devices.

SCMagazineUK.com understands that this feature was enabled to allow easy access to Asus' cloud services.

On the Linksys side of the fence, meanwhile, researcher Kyle Lovett claims that the Linksys EA2700, EA3500, E4200 and EA4500 router models have TCP port 8083 left open to external interrogation and access.

An attacker would simply need to use the Shodan search engine to find routers with the port open, and could then gain immediate access to the router's remote administration GUI, bypassing authentication.

Lovett, who reported his findings to Linksys last July, claims that around 30,000 routers have been found in his research scans, adding that port 443 also appears to be open on the affected units. “What happens is that during installation or upgrade, often one of the CGI scripts hangs and doesn't complete,” he says.

The system then skips the rest of the set-up and operates as is, he goes on to say, noting that he has identified four vulnerable scripts: fw_sys_up.cgi; override.cgi; share_editor.cgi; and switch_boot.cgi.

Linksys, for its part, says that its older E-series routers and Wireless-N access points come with the remote management access feature switched off by default, and that customers must enable it to become vulnerable.

Commenting on the latest batch of router vulnerabilities, Andy Davies, head of research at security consultancy Pentura, said that this type of hardware hacking is an increasingly common problem.

"While users of affected routers could purchase a different model from another vendor, there's no guarantee that the replacement would be less susceptible to other, as yet undiscovered vulnerabilities," he said.  

"In some cases, routers are shipped with services such as remote administration and remote FTP open by default, so users should check these settings and change from the defaults where appropriate. But sometimes, there's no fix until the vendor eventually releases a new version of firmware that users can deploy," he added.
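The practical check Davies recommends, and the one that would have revealed both problems described above, is to look at the router from the outside: which management services answer on the WAN interface, and does the FTP service let an anonymous login in. The script below is an added example written for this page, not code from SC Magazine, Asus, Linksys or the researchers quoted. It probes the ports the article names (remote admin over HTTP/HTTPS, FTP, SMB and the Linksys TCP 8083) and, where FTP answers, tries ftplib's default anonymous login. Run it from a host outside your network against the router's public IP. The `_FakeAnonymousFtp` class is a constructed stand-in for a router FTP daemon, present only so the example runs offline; `demo()` points the check at that stand-in plus one deliberately closed local port.

```python
"""Exposure check for the router-management services named in the article.

Constructed example: the port list is what the article cites, not a complete
list for any vendor. Run from OUTSIDE the network against the router's WAN IP.
"""
import socket
import threading
from ftplib import FTP, all_errors

# Services the article says were reachable from the WAN on affected routers.
SERVICES = {80: "http-admin", 443: "https-admin", 21: "ftp",
            445: "smb", 8083: "linksys-8083"}


def port_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def anonymous_ftp_allowed(host, port=21, timeout=3.0):
    """True if the FTP service accepts ftplib's default anonymous login.

    A refused login (530) or any connection error counts as not allowed.
    """
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()  # USER anonymous / PASS anonymous@
        ftp.quit()
        return True
    except all_errors:
        return False


def check_exposure(host, services=SERVICES, timeout=2.0):
    """Probe each service; where FTP answers, also test anonymous login.

    Returns {port: {"service": name, "open": bool, "anonymous_ftp": bool|None}}.
    """
    report = {}
    for port, name in services.items():
        is_open = port_open(host, port, timeout)
        anon = anonymous_ftp_allowed(host, port, timeout) if is_open and name == "ftp" else None
        report[port] = {"service": name, "open": is_open, "anonymous_ftp": anon}
    return report


def findings(report):
    """One line per reachable service, i.e. the settings to revisit in the router UI."""
    lines = []
    for port, entry in sorted(report.items()):
        if entry["open"]:
            line = f"{entry['service']} (tcp/{port}) answers from this side; disable WAN access unless needed"
            if entry["anonymous_ftp"]:
                line += "; FTP accepts anonymous logins"
            lines.append(line)
    return lines


class _FakeAnonymousFtp(threading.Thread):
    """Constructed stand-in for a router FTP daemon that accepts any login (offline demo only)."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:  # serve one client at a time; the bare port probe is a client too
            conn, _ = self.sock.accept()
            try:
                self._serve(conn)
            except OSError:
                pass  # client went away before we finished talking to it
            finally:
                conn.close()

    @staticmethod
    def _serve(conn):
        conn.sendall(b"220 router ftpd ready\r\n")
        for raw in conn.makefile("rb"):
            cmd = raw.split()[0].upper() if raw.split() else b""
            if cmd == b"USER":
                conn.sendall(b"331 Password required\r\n")
            elif cmd == b"PASS":
                conn.sendall(b"230 Login successful\r\n")  # any password accepted
            elif cmd == b"QUIT":
                conn.sendall(b"221 Goodbye\r\n")
                return
            else:
                conn.sendall(b"502 Command not implemented\r\n")


def _unused_port():
    """Pick a local port nothing listens on, standing in for a closed service."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run the check against the local FTP stand-in plus one closed port."""
    srv = _FakeAnonymousFtp()
    srv.start()
    services = {srv.port: "ftp", _unused_port(): "linksys-8083"}
    return check_exposure("127.0.0.1", services)


if __name__ == "__main__":
    for line in findings(demo()):
        print(line)
```

Against a real router, replace the `services` dict in `demo()` with `SERVICES` and the host with the public address; a service that answers here is one the vendor's remote-access, FTP or SMB setting has exposed to the whole Internet, and the Asus and Linksys reports above are both cases where that default was on without the owner knowing.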
