Two dozen Linksys router models are vulnerable to attacks that could extract sensitive information from their configurations, cause them to become unresponsive and even completely take them over.
The vulnerabilities were discovered by senior security consultant Tao Sauvage from IOActive and independent security researcher Antide Petit while working together to analyze the Linksys EA3500 Smart Wi-Fi wireless router.
The vulnerabilities affect not only the EA3500, but two dozen different router models from Linksys’ Smart Wi-Fi, WRT and Wireless-AC series. Even though these devices are marketed as consumer products, it’s not unusual to find them running in small business and home office environments.
The flaws range from low to high severity and directly impact over 7,000 routers that have their web-based administrative interfaces exposed to the Internet. Countless more are vulnerable to attacks launched over local area networks from compromised computers, phones or other devices.
, a malware program that enslaves embedded devices and uses them to launch distributed denial-of-service attacks.
In December, researchers from Kaspersky Lab found a malicious application for Android that was also designed to hack into routers over local networks by using default credentials.
The threat of local attacks is increased because people often let friends and family members connect to their wireless networks with their own devices, which might be compromised.
Linksys, a division of Belkin, is working on releasing firmware updates to fix these vulnerabilities. Meanwhile, the company advises users to disable the guest Wi-Fi network feature on their routers to reduce the likelihood of malicious activity and to change their administrator password.
The Linksys advisory lists all of the affected models and recommends turning on the automatic update feature in order to receive the firmware patches when they become available.