Yesterday, TechCrunch reported that thousands of TP-Link routers are still vulnerable to a bug discovered in January 2018. The vulnerability allows even a low-skilled attacker to remotely gain full access to an affected router. An attacker could also go after vulnerable devices at scale, scanning the internet for them and hijacking routers that still use default passwords, the way the Mirai botnet took down Dyn. TP-Link updated the firmware page to share the fix with its customers only after TechCrunch reached out to the company.
New: Thousands of TP-Link routers are vulnerable to a remote hijack vulnerability, according to @MabbsSec. Given the severity of the bug, TP-Link released a patch, but never posted it on its website. 🤦♂️https://t.co/ztK35fUo8B
— Zack Whittaker (@zackwhittaker) May 22, 2019
In October 2017, Andrew Mabbitt (founder of the U.K. cybersecurity firm Fidus Information Security) first discovered and disclosed a remote code execution bug in the TP-Link WR940N router. The vulnerabilities arose because multiple code paths called strcpy on user-controllable, unsanitized input, copying it into fixed-size buffers with no length check. TP-Link released a patch for the affected router in November 2017.
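The bug class the article describes, an unbounded strcpy of a request field into a fixed-size buffer, shown beside a bounded form that refuses oversized input. This is an added illustration, not code from the TP-Link firmware; the buffer size, field names and helper functions are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size field; the real firmware's sizes are not on the page. */
#define FIELD_MAX 32

/* Vulnerable pattern as the article describes it: strcpy copies an
 * attacker-controlled string into a fixed buffer with no length check,
 * so any input of FIELD_MAX bytes or more writes past the end of dst. */
static void copy_field_unchecked(char dst[FIELD_MAX], const char *src) {
    strcpy(dst, src);
}

/* Hardened form: look for the terminator within the buffer bound first and
 * refuse the input if it is not there. Returns 0 on success, -1 if the
 * field would not fit (the caller should reject the request). */
int copy_field_checked(char dst[FIELD_MAX], const char *src) {
    const char *end = memchr(src, '\0', FIELD_MAX);
    if (end == NULL)                 /* no NUL within FIELD_MAX bytes: too long */
        return -1;
    memcpy(dst, src, (size_t)(end - src) + 1);   /* includes the NUL */
    return 0;
}

/* Constructed input that fits: returns 0 when the copy is intact. */
int demo_fits(void) {
    char buf[FIELD_MAX];
    if (copy_field_checked(buf, "office-router") != 0) return -1;
    return strcmp(buf, "office-router");
}

/* Constructed oversized input: returns -1 because the copy is refused. */
int demo_rejects(void) {
    char too_long[FIELD_MAX * 2];
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';
    char buf[FIELD_MAX];
    return copy_field_checked(buf, too_long);
}

int main(void) {
    char buf[FIELD_MAX];
    copy_field_unchecked(buf, "short");   /* safe here only because the input is short */
    printf("unchecked copy of a short field: %s\n", buf);
    printf("checked copy fits: %d, rejects oversized: %d\n",
           demo_fits(), demo_rejects());
    return 0;
}
```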
In January 2018, Mabbitt warned TP-Link that another router, the WR740N, was exposed to the same bug, because the company had reused the same vulnerable code in both devices. TP-Link asked Mabbitt for more details about the CVE-2017-13772 (WR940N) vulnerability. After providing them, Mabbitt requested an update three times and warned that he would disclose publicly in March if none was forthcoming. On 28th March 2018, TP-Link provided Mabbitt with a beta version of the firmware that fixed the issue. He confirmed the fix and asked TP-Link to release the live version of the firmware. After receiving no response from TP-Link for another month, Mabbitt publicly disclosed the vulnerability on 26th April 2018. The patch had still not been released by then.
When TechCrunch enquired, the firmware update for the WR740N was still missing from the company's website as of 16th May 2019. A TP-Link spokesperson told TechCrunch that the update was "currently available when requested from tech support" and gave no reason for this. Only after TechCrunch raised the issue did TP-Link update the firmware page, on 17th May 2019, to include the latest security update. The company states that the firmware update resolves issues the previous firmware version may have had and improves its performance.
In a statement to TechCrunch, Mabbitt said, “TP-Link still had a duty of care to alert customers of the update if thousands of devices are still vulnerable, rather than hoping they will contact the company’s tech support.”
This has been highly irresponsible behavior on TP-Link's part. Even after a third party discovered the bug more than a year ago, TP-Link did not bother to keep its users informed about it.
This news comes at a time when both the U.K. and the U.S. state of California are set to implement laws to improve Internet of Things security. Soon these laws will require devices to be sold with unique default passwords, to prevent botnets from hijacking internet-connected devices at scale and using their collective bandwidth to knock websites offline.
This is one key reason that we manage CPE for our members. Neglected security updates or slow vendors have to be addressed to keep consumers secure.
— Dane Jasper (@dane) May 22, 2019