Flaws found in Linksys routers that could be used to create a botnet
Engineers working on firmware updates
Multiple models of Linksys Smart Wi-Fi Routers have vulnerabilities that might be exploited to create a botnet, security researchers at IOActive warn.
The flaws could be abused to overload a router and force a reboot, deny user access, leak sensitive information about the router and connected devices, or change restricted settings. Many of the active devices exposed were using default credentials, making them particularly susceptible to takeover.
Ten separate security issues (ranging from moderate to critical) make more than 20 models of Linksys Smart Wi-Fi Routers susceptible to attack. An initial search identified over 7,000 vulnerable devices exposed on the internet at the time of the scan.
IOActive and Linksys have worked together since January to validate and address the issues found. Linksys issued a security advisory on Thursday, including a workaround for customers until final firmware updates are posted in the coming weeks.
The research was put together by IOActive senior security consultant Tao Sauvage and independent researcher Antide Petit.
"A number of the security flaws we found are associated with authentication, data sanitisation, privilege escalation, and information disclosure," said Sauvage. "Additionally, 11 per cent of the active devices exposed were using default credentials, making them particularly susceptible to an attacker easily authenticating and potentially turning the routers into bots, similar to what happened in last year's Mirai Denial of Service (DoS) attacks."
Benjamin Samuels, an application security engineer at Belkin (Linksys Division), added: "Working together with IOActive, we've been able to efficiently put a plan together to address the issues identified and proactively communicate recommendations for keeping customer devices and data secure.
"Security is a high priority and by taking a few simple steps, customers can ensure their devices are more secure while we address the findings."
In its advisory, Linksys advises users to temporarily disable the 'Guest Network' feature pending the availability of a more comprehensive fix.
"Linksys was recently notified of some vulnerabilities in our Linksys Smart Wi-Fi series of routers. As we work towards publishing firmware updates, as a temporary fix, we recommend that customers using Guest Networks on any of the affected products below temporarily disable this feature to avoid any attempts at malicious activity." ®