Linksys routers plagued by security vulnerabilities, research finds

In a major boost to cyber-security practices and to making Wi-Fi routers impervious to hacking attempts, security firm IOActive today revealed that they have successfully identified as many as ten low to high-risk vulnerabilities in Linksys Wi-Fi routers, some of which are in active circulation in the UK right now.

Linksys and IOActive are now working together to build a new firmware which will plug the vulnerabilities and protect more than 20 models of Linksys Smart Wi-Fi Routers from cyber-attacks.

Alarmingly, IOActive found that as many as twenty models of such Wi-Fi routers were susceptible to risks like access denial, leaking of sensitive information, and manipulation of settings via unauthorised access. Such risks could seriously endanger confidential data of their owners and could also impact their access to Wi-Fi services as a result.

“A number of the security flaws we found are associated with authentication, data sanitization, privilege escalation, and information disclosure. Additionally, 11 percent of the active devices exposed were using default credentials, making them particularly susceptible to an attacker easily authenticating and potentially turning the routers into bots, similar to what happened in last year’s Mirai Denial of Service (DoS) attacks,” said Tao Sauvage, senior security consultant at IOActive.

"Two of the security issues we identified allow unauthenticated attackers to create a Denial-of-Service (DoS) condition on the router. By sending a few requests or abusing a specific API, the router becomes unresponsive and even reboots. The Admin is then unable to access the web admin interface and users are unable to connect until the attacker stops the DoS attack," he added.

Owned by Belkin, Linksys home Wi-Fi routers are very popular outside of Asia and the researchers found that at the time of testing, over 7,000 such routers were actively being used by customers. 69% of such devices were in use in the United States and 10% in Canada. The number of devices being used in the UK counted for just 1% of the total number of routers. As many as 11% of all devices were still using default login credentials, making them more susceptible to hacks compared to those protected by firewalls or new credentials.

Even though Linksys hasn't released a firmware yet to fix the said vulnerabilities, the company has issued an advisory to its customers, offering temporary solutions which will keep the active routers secure from hacking attempts in the meantime.