Skip to main content

Top-Selling Home Routers Vulnerable to Hacker Attack

Credit: Bruno Pereira/Shutterstock

(Image credit: Bruno Pereira/Shutterstock)

UPDATE: TRENDnet stated Monday (May 4) that none of its currently produced routers are affected by this vulnerability. It is investigating whether any discontinued TRENDnet routers may be affected.

What's the acceptable time frame to implement a patch for a major security flaw? One day? One week? One month? Try eight months — and counting. A significant flaw in software used by many popular home wireless routers use could let malefactors hijack them easily, and may affect favorite models from D-Link, TRENDnet and Netgear, among others.

The warning comes courtesy of Zero Day Initiative (ZDI), a subdivision of Hewlett-Packard's Tipping Point security division. ZDI discovered the flaw in August 2014, and notified Realtek, the company that produces the router software, immediately. In accordance with ZDI's policies, it contacted Realtek four times, all without reply, before making details of the vulnerability public.

Now that we can read about the vulnerability for ourselves, it's a rather nasty one. In a nutshell, the software does not adequately flush user data before accepting new users in certain situations. This means that an unauthorized user could easily fake the credentials of an authorized one, gaining administrative access to the router and infecting the computers, smartphones and tablets connected to the router's Wi-Fi network. however he or she chooses.

MORE: Your Router's Security Stinks: Here's How to Fix It

What makes the issue even more troubling is that Realtek provides software for more than 350 models of routers. ZDI did not disclose exactly which routers could suffer ill effects from the vulnerability, but there's a good chance that at least one popular brand-name model is in the mix. In addition to those named above, Amigo, ASUS, Belkin, and Iogear routers are potentially affected; the number of affected units is at least in the tens of thousands. Keep in mind, however, that Apple and LinkSys routers do not seem to use Realtek technology, and are not affected.

Since Realtek has not been forthcoming with a solution, there's no immediate patch on the way. Everyday users are at risk; a compromised router can undermine all your Internet connections, sending you to malicious websites that will try to steal your personal information or infect your PC with malware.

There are steps you can take to mitigate the threat, and anyone with a router on the long list linked to above will want to take them as soon as possible.

The vulnerability is tied into a router's Universal Plug 'n' Play (UPnP) protocol, which videophiles may realize as the same protocol that allows you to stream videos from your tablet to your TV via DLNA. To keep your system safe, access your router's administrative functions (the manufacturer's website will tell you how to do this), navigate (usually) to the Advanced tab and disable UPnP.

ZDI recommends that users "restrict interaction with the [router] to trusted machines," so even just protecting your router and its administrative page with non-default passwords will go a long way toward mitigating risk.

Aside from that, be sure to keep your router's firmware current (you would be amazed how few people do this, since the process is generally not automatic). If Realtek does not issue a patch for the issue, individual router manufacturers may pick up the slack instead.

Marshall Honorof is a senior writer for Tom's Guide. Contact him at mhonorof@tomsguide.com. Follow him @marshallhonorof. Follow us @tomsguide, on Facebook and on Google+.

  • Vlad Rose
    "Keep in mind, however, that Apple and LinkSys routers do not seem to use Realtek technology, and are not affected."

    Just too bad Linksys routers barely work right in the first place; let alone die after about 6 months. I really wish Cisco never bought them out....
    Reply
  • firefoxx04
    Asus N16 + Tomato 1.28
    Reply
  • weilin
    @Vlad Rose

    Cisco doesn't own Linksys anymore, Belkin does... and it looks like they're doing a decent job turning that ship around.
    Reply
  • plasmastorm
    @Vlad Rose

    Cisco doesn't own Linksys anymore, Belkin does... and it looks like they're doing a decent job turning that ship around.

    Does that mean Belkins own products are getting better? Last time I sold them at my shop 5+ years ago they were truly shocking.
    Reply
  • Vlad Rose
    15772801 said:
    @Vlad Rose

    Cisco doesn't own Linksys anymore, Belkin does... and it looks like they're doing a decent job turning that ship around.

    Does that mean Belkins own products are getting better? Last time I sold them at my shop 5+ years ago they were truly shocking.

    Yeah, that actually sounds scarier that Belkin bought them out as they were the only other brand I had worse luck with than Linksys... lol
    But who knows, things can turn around. Just look at MSI (MicroStar International) and LG (Lucky Goldstar); who used to be cheap junk brands before 'initializing' their names and changing their quality.
    Reply
  • littleleo
    15772801 said:
    @Vlad Rose

    Cisco doesn't own Linksys anymore, Belkin does... and it looks like they're doing a decent job turning that ship around.

    Does that mean Belkins own products are getting better? Last time I sold them at my shop 5+ years ago they were truly shocking.

    Yeah, that actually sounds scarier that Belkin bought them out as they were the only other brand I had worse luck with than Linksys... lol
    But who knows, things can turn around. Just look at MSI (MicroStar International) and LG (Lucky Goldstar); who used to be cheap junk brands before 'initializing' their names and changing their quality.
    15772801 said:
    @Vlad Rose

    Cisco doesn't own Linksys anymore, Belkin does... and it looks like they're doing a decent job turning that ship around.

    Does that mean Belkins own products are getting better? Last time I sold them at my shop 5+ years ago they were truly shocking.

    Yeah, that actually sounds scarier that Belkin bought them out as they were the only other brand I had worse luck with than Linksys... lol
    But who knows, things can turn around. Just look at MSI (MicroStar International) and LG (Lucky Goldstar); who used to be cheap junk brands before 'initializing' their names and changing their quality.

    Belkin has owned them for a little while now. The last Linksys I got has lasted a good couple of years+ w/o any issue and I love the guest network function.
    Reply
  • reggjoo
    A lot of the cheaper routers never see a update, you gotta spend at least $90, and hope. This problem with malware, should be discussed on a bigger stage, than this site(sorry tom). If the general public never knows, then mfg's will get away with it, and get to sell their inventory, with the realtek hardware, before fixing anything. Put this problem on a bigger stage(a network), for the public, who's not as informed, and things will change.
    Reply
  • rmse17
    Just too bad Linksys routers barely work right in the first place; let alone die after about 6 months. I really wish Cisco never bought them out....

    Any product can have random failures. I had 1 Linksys router that ran for 6 years before I upgraded it in order to get gigabit lan.

    My other Linksys router is still running strong at my mom's apartment, 10 years.

    My newer Linksys is on its 4th year. Never had any issues with them...
    Reply
  • Vlad Rose
    15782629 said:
    Just too bad Linksys routers barely work right in the first place; let alone die after about 6 months. I really wish Cisco never bought them out....

    Any product can have random failures. I had 1 Linksys router that ran for 6 years before I upgraded it in order to get gigabit lan.

    My other Linksys router is still running strong at my mom's apartment, 10 years.

    My newer Linksys is on its 4th year. Never had any issues with them...

    The last 3 different high end Linksys routers ($150+) I had owned all exhibited the same problem after the 6 month mark. I switched to a Netgear and it has been running strong for over 2 years.

    Pre-Cisco, I never had a problem with Linksys and used them exclusively. Either it's been really bad luck on my part, or they had a problem on their part. Either way, they are now a hard recommendation to give for me anymore.

    Friends of mine had bought Belkin's because they were cheap and available at Walmart or Best Buy. They always have been a nightmare to keep connectivity with from the get go to where they have to be Power cycled at least once a day; usually in the middle of a game session for them.

    Things may have changed since Linksys and Belkin have combined, I just won't take the risk.
    Reply