Top-Selling Home Routers Vulnerable to Hacker Attack

Credit: Bruno Pereira/Shutterstock


UPDATE: TRENDnet stated Monday (May 4) that none of its currently produced routers are affected by this vulnerability. It is investigating whether any discontinued TRENDnet routers may be affected.

What's the acceptable time frame to implement a patch for a major security flaw? One day? One week? One month? Try eight months — and counting. A significant flaw in software used by many popular home wireless routers could let malefactors hijack them easily, and may affect favorite models from D-Link, TRENDnet and Netgear, among others.

The warning comes courtesy of Zero Day Initiative (ZDI), a subdivision of Hewlett-Packard's TippingPoint security division. ZDI discovered the flaw in August 2014, and notified Realtek, the company that produces the router software, immediately. In accordance with ZDI's policies, it contacted Realtek four times, all without reply, before making details of the vulnerability public.

Now that we can read about the vulnerability for ourselves, it's a rather nasty one. In a nutshell, the software does not adequately flush user data before accepting new users in certain situations. This means that an unauthorized user could easily fake the credentials of an authorized one, gaining administrative access to the router and infecting the computers, smartphones and tablets connected to the router's Wi-Fi network however he or she chooses.


What makes the issue even more troubling is that Realtek provides software for more than 350 models of routers. ZDI did not disclose exactly which routers could suffer ill effects from the vulnerability, but there's a good chance that at least one popular brand-name model is in the mix. In addition to those named above, Amigo, ASUS, Belkin, and Iogear routers are potentially affected; the number of affected units is at least in the tens of thousands. Keep in mind, however, that Apple and Linksys routers do not seem to use Realtek technology, and are not affected.

Since Realtek has not been forthcoming with a solution, there's no immediate patch on the way. Everyday users are at risk; a compromised router can undermine all your Internet connections, sending you to malicious websites that will try to steal your personal information or infect your PC with malware.

There are steps you can take to mitigate the threat, and anyone with a router on the long list linked to above will want to take them as soon as possible.

The vulnerability is tied to a router's Universal Plug 'n' Play (UPnP) protocol, which videophiles may recognize as the same protocol that allows you to stream videos from your tablet to your TV via DLNA. To keep your system safe, access your router's administrative functions (the manufacturer's website will tell you how to do this), navigate (usually) to the Advanced tab and disable UPnP.

ZDI recommends that users "restrict interaction with the [router] to trusted machines," so even just protecting your router and its administrative page with non-default passwords will go a long way toward mitigating risk.

Aside from that, be sure to keep your router's firmware current (you would be amazed how few people do this, since the process is generally not automatic). If Realtek does not issue a patch for the issue, individual router manufacturers may pick up the slack instead.

Marshall Honorof is a senior writer for Tom's Guide. Contact him at mhonorof@tomsguide.com.

Comment from the forums
  • Vlad Rose
    "Keep in mind, however, that Apple and Linksys routers do not seem to use Realtek technology, and are not affected."

    Just too bad Linksys routers barely work right in the first place; let alone die after about 6 months. I really wish Cisco never bought them out....
    -1
  • firefoxx04
    Asus N16 + Tomato 1.28
    2
  • weilin
    @Vlad Rose

    Cisco doesn't own Linksys anymore, Belkin does... and it looks like they're doing a decent job turning that ship around.
    0