One of the most popular routers from connectivity specialist Belkin contains “multiple vulnerabilities” that could allow a hacker to take control of it, security firms have warned.
And to make matters worse, the American vendor knows about the zero-data flaws but has yet to release a fix.
The flaws are so serious with this particular router, it could allow hackers to intercept cleartext transmission of sensitive information. Another flaw with the £59.99 Belkin N600 (pictured left) is that by default, it does not set a password for the web management interface. This could mean for example that a local area network (LAN) attacker could gain privileged access to the web management interface or carry out remote attacks such as cross-site request forgery.
“A remote, unauthenticated attacker may be able to spoof DNS responses to cause vulnerable devices to contact attacker-controlled hosts or induce an authenticated user into making an unintentional request to the web server that will be treated as an authentic request,” warns the advisory. “A LAN-based attacker can bypass authentication to take complete control of vulnerable devices.
“The CERT/CC is currently unaware of a practical solution to this problem,” it warned. So what should users of this particular router do?
CERT/CC said that until these flaws were addressed, users of the Belkin N600 router should only allow trusted hosts to connect to the LAN. It also advised strong Wi-Fi and web admin passwords.
This is not the first time that a problem has been discovered with Belkin equipment. Last year, the US government warned that of vulnerabilities with Belkin WeMo Home Automation devices could have been used to carry out destructive attacks on users’ homes.
In theory, these flaws could be used to cause a fire or simply use up electricity. After that vulnerability was revealed, Belkin patched the problem.
It remains to be seen how long before it issues a fix for the N600 router.
Are you a security expert? Try our quiz!
After US Supreme Court last week removed women's reproduction rights, Google tells staff they can…
Victory for irate neighbours? Airbnb confirms its temporary Covid ban on parties in its listings…