Millions of Wi-Fi routers vulnerable to hacker attack — what you need to do

News
By Paul Wagenseil
published

Models from Netgear, TP-Link, D-Link thought to be affected

Lifestyle image of the Netgear Nighthawk R6700 Wi-Fi Router on a desk next to a computer monitor.
(Image credit: Netgear)

UPDATED Jan. 15 with comment and information from TP-Link.

A severe security flaw could let malicious hackers attack and take over millions of home Wi-Fi routers over the internet, researchers disclosed today (Jan. 11). 

So far, only Netgear is known to have released patches for its affected models, although routers made by Edimax, D-Link, Tenda, TP-Link and Western Digital are also believed to be vulnerable.

"This vulnerability affects millions of devices around the world and in some instances may be completely remotely accessible," wrote Sentinel Labs researcher Max van Amerongen in a company blog post. 

Successful router hijacks would let a hacker control all aspects of a victim's internet traffic and stage further attacks such as sending users to phishing sites or infecting other devices on the network. 

While there are no known exploits of this flaw in the wild yet, Van Amerongen added that "there is a chance that one may become public in the future despite the rather significant complexity involved in developing one."

Which router makers are doing what

If you have one of the three Netgear models known to be vulnerable — the D7800, R6400v2 and R6700v3 — we have update instructions below. 

For its part, D-Link has posted a brief note on its website stating that the company is "currently investigating this reported security issue" and "will provide further updates as soon as we have more information."

A D-Link spokesperson told us that the company has not used the affected software in new models for several years following a similar vulnerability discovered in 2015.

As for the other router brands, we've sent them requests for information and will update this story when we receive replies. 

In the meantime, we suggest that users of those other brands bother the manufacturers' tech-support teams with email messages asking for information about which models might be affected and if and when the router makers plan to fix the flaw.

Where the problem lies

The problem exists in NetUSB, a Linux kernel module developed by Taiwanese company KCodes that lets devices — such as a printer or network-ready storage drive — get local-network access through the router's USB port. 

Van Amerongen of Sentinel Labs noticed that NetUSB listens for not only local-network commands on port 20005, but internet commands as well, with no password or other authentication required.

He found it possible to create a memory-buffer overflow by sending NetUSB specific commands on that port number, gaining control over a router's Linux kernel. Needless to say, that's not good. Van Amerongen admitted that for technical reasons, doing this properly was a bit tricky but still feasible for skilled attackers.

"While these restrictions make it difficult to write an exploit for this vulnerability," he wrote, "we believe that it isn't impossible and so those with Wi-Fi routers may need to look for firmware updates for their router."

How to update affected Netgear routers

Sentinel Labs notified KCodes of the flaw on Sept. 9, 2021, and a NetUSB patch fixing the flaw was issued to vendors on Oct. 4. Netgear's patches were released on Dec. 20.

The three Netgear models affected are the D7800, otherwise known as the AC2600 WiFi VDSL/ADSL Modem Router; the R6400v2, aka the AC1750 Smart WiFi Router 802.11ac Dual Band Gigabit; and the R6700v3, also known as the Nighthawk AC1750 Smart WiFi Dual Band Gigabit Router.

Netgear has this habit of marketing its routers according to their technical specifications rather than their actual model numbers, and as a result customers will have to check their routers for stickers that designate the model number.

All three models affected look like the router in the photo above, except that the D7800 has four antennae while the other two have three. Note that there are earlier versions of the R6400 and R6700 that look identical but have different innards and are either not affected by this flaw or have reached the end of their working lives (and hence need to be replaced).

Fortunately, the main firmware-update procedure on all three models is the same and not difficult. (The R6400v2 and R6700v3 are also compatible with the Netgear Nighthawk smartphone app for iOS and Android, so if you have that installed on your phone, just use the app.)

You first need to access the router's administrative interface from a computer connected to the router's network, which you can do by opening a web browser and typing either "www.routerlogin.net", "192.168.1.1" or "192.168.0.1" into the address bar and hitting Return or Enter on your keyboard.

Log into the admin interface with the administrative credentials. The username is probably "admin," unless you changed it, plus the admin password that you chose when you set up the router. 

If you didn't change that admin password, then it's probably just "password," and you absolutely need to change it to something stronger as soon as you're done with this task.

Once you've logged into the admin interface, click the "Advanced" tab, then "Administration," and finally "Router Update." A new page will load, and you need to click "Check." If an update is available, click Yes to the prompt that asks you whether you want to download and install the update. 

The router will download the update and restart. Once it's done, you'll need to log back into the admin interface again and follow the same path to the router-update page. 

Check to see that the most recent firmware update has been installed. For the D7800, you want firmware version 1.0.1.68; for both the R6400v2 and the R6700v3, it's firmware version 1.0.4.122.

What if you can't remember your admin password?

What do you do if you've completely forgotten your admin password and can't log into the interface? Then you need to factory-reset the router by pressing the reset button on the back. 

Unfortunately, you'll then need to go through the entire setup process again, but that's still better than having a vulnerable router.

Late on Jan. 14, a TP-Link representative told us that some of its routers were indeed affected by this flaw, and we were directed to this TP-Link support page for more information: https://www.tp-link.com/us/support/faq/3279/

Three models, the Archer C7 V5, Archer C1200 V2 and Archer C5400 V1 have patches available. Instructions for installing the patches are on the TP-Link support page. 

The TP-Link representative told us that patches for other models were being developed.

Paul Wagenseil
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

1 Comment Comment from the forums
  • adrian84481
    Use a proper router/firewall. Loads of options, pfsense, microtik, opensense etc. These are almost always better maintained than the consumer brands, and tend to have far less security issues, especially if not exposed on the Internet interfaces. Then use a WiFi of choice in access point or bridge mode.
    Reply