Phil Purviance, a security researcher from San Jose in California has published a manifesto entitled Don’t Use Linksys Routers, which outlines a series of security vulnerabilities that he’s found in their products. In his post Purviance claims that:
I hooked it up and spent maybe 30 minutes testing the security of the embedded website used to manage the device, then never used it again. What I found was so terrible, awful, and completely inexcusable! It only took 30 minutes to come to the conclusion that any network with an EA2700 router on it is an insecure network!
Yeah, we also hate it when people are wishy-washy and don’t tell us how they really feel. He outlines 5 vulnerabilities in his post:
- A CSRF vulnerability that LInksys claims to have fixed but they really didn’t
- A cross-site scripting bug that works regardless of authentication and allows an attacker to access the device, change settings or upload modified firmware.
- A file path traversal vulnerability that enables an attacker to remotely access password or configuration files without being logged in.
- A cross-site request forgery flaw allows an attacker on the same network to change log-in information and remotely manage the hardware.
- A method to get access to the code that creates the HTML pages used in the interface. This really can’t do any harm other than give people something to red and possibly find more vulnerabilities.