Linksys Wireless Router Full of Flaws, Researcher Says
UPDATED 12:45 p.m. ET Wednesday with comment from Linksys.
Linksys is taking heat for several vulnerabilities discovered in one of its wireless routers, which an expert said make any network hooked up to the router insecure.
The flaws, which run the gamut from simple to complex, specifically affect the Linksys EA2700 Network Manager N600 Wireless-N router, introduced last year and aimed for the everyday consumer and small-business markets.
San Jose, Calif., researcher Phil Purviance said it only took him half an hour to determine that the router was simply not safe to use.
"What I found was so terrible, awful and completely inexcusable," Purviance said in a blog posting. "It only took 30 minutes to come to the conclusion that any network with an EA2700 router on it is an insecure network!"
Digital Swiss cheese?
Purviance discovered the flaws while preparing to demonstrate how a malware worm could target a networked device.
"I thought it would be good to take a look at how Cisco's newer devices did in regards to securing their administration features," he said.
(Enterprise networking-hardware maker Cisco acquired the consumer-device maker Linksys in 2003, but after 10 years sold Linksys to rival consumer-device maker Belkin, in a transaction completed March 15.)
Upon examination of the router, Purviance found a cross-site-scripting flaw that would allow an attacker access, even without the proper authentication.
Another flaw could allow hackers to remotely change a router's password and access other configuration controls. That weakness, Purviance said, was evidence that the router's software never underwent a proper penetration test.
Another flaw, Purviance found, could be used in conjunction with a Web-hosted exploit to open the administrative controls and change the user's password to the generic "password," which hackers could then change later, effectively locking out the owner.
"This is just stupid," Purviance wrote. "I don't know whether to laugh or cry at this, because it's essentially the same as putting an unpatched Windows machine directly on the Internet."
Finally, Purviance found that adding a "/" character to any URL while browsing through the router's administrative controls would reveal the page's "Web-application-level source code that is used to convert the page to HTML."
Purviance disclosed the flaws to the public "so that consumers may be aware of the risk."
He said he had disclosed his findings to Cisco on March 5, before the sale of Linksys to Belkin was completed.
An email message seeking comment from Linksys was not immediately returned.
Not just this router
As of this writing, no security patches have been issued to address these vulnerabilities. Users operating a network on a Linksys EA2700 Network Manager N600 router may be vulnerable to attack.
As hacking becomes more lucrative and more sophisticated, researchers and cybercriminals alike are increasingly looking for flaws in networked devices not traditionally targeted by hackers.
In January, Boston network-security firm Rapid7 disclosed a flaw in a common networking protocol that affected tens of millions of devices, including consumer and small-business wireless routers made by Linksys, Belkin, Netgear, Siemens and Sony.
IT teams often overlook smaller devices such as modems and routers when taking stock of their network's security, but those devices can be effective entry points for hackers looking to gain unauthorized access.
No matter which wireless router you use, make sure you enable WPA encryption on your Wi-Fi network and force users to input a strong password before gaining access. (The older WEP encryption standard is no longer considered safe.)
Make sure to change the router's default administrative password, and use a strong password to protect those settings as well.
UPDATE: Linksys has not responded to our queries, but reporter Dan Goodin of the tech blog Ars Technica said a Belkin spokesman had told him the vulnerabilities revealed by Purviance were patched in a Linksys firmware update released in June 2012.
Purviance did not specify which version of Linksys firmware was installed on the router he tested.