Use a Linksys, Cisco or Netgear router? You should read this.

04. January 2014 Security 2

Yesterday I read an interesting article that shows a backdoor was found in some Linksys and Netgear routers. I followed this for a day and found many people around the world jumped on this immediately and started testing their own hardware to see what other routers may be vulnerable. As it turns out, more than a few. All routers have one thing in common: they are built by Sercomm, a company that handles the manufacturing for a number of brands including Linksys, Netgear, 3Com, Aruba and Belkin. The backdoor can be exploited by messing around in the firmware, and this can apparently be done on the local network. Vulnerable models can be reset to factory default settings and reconfigured with the default username and password, among other things. This is bad news of course. While knowing about a vulnerability like this means the manufacturers will push out firmware updates (hopefully) to address this issue, until they do this is something that can be exploited right now.

What does this mean for home users?
As far as I can tell, someone needs to be connected to your network (WiFi or Ethernet) to use this exploit. To prevent anyone who is not authorized/wanted from connecting, set up a strong WiFi password and limit physical access to the router so no one can plug in an Ethernet cable.

What about office/business users?
That’s a little bit more problematic. You may have a lot of clients connected to your network, which at some point connects them, directly or indirectly, to the vulnerable router. Any one of them with the skill and knowledge can exploit this vulnerability to gain pretty much unlimited access to network resources. If this is a router used in a Starbucks, Apple Store or any other place that provides free WiFi, the results of someone exploiting this vulnerability could be even worse.

Is my router affected?
Well, the research is ongoing, so I expect more models to be added, but here is the list of routers that are using the backdoored firmware:

  • Cisco WAP4410N-E V02 2.0.1.0, 2.0.2.1, 2.0.3.3, 2.0.4.2, 2.0.5.3, 2.0.6.1
  • Linksys WAG120N
  • Netgear DG834 V5.01.09
  • Netgear DG834B V5.01.14
  • Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0
  • OpenWAG200
  • Cisco WAP4410N
  • Cisco WRVS4400N
  • Diamond DSL642WLG / SerComm IP806Gx v2 TI
  • LevelOne WBR3460B
  • Linksys RVS4000 Firmware V1.3.3.5
  • Linksys WAG160n v1 and v2
  • Linksys WAG200G
  • Linksys WAG320N
  • Linksys WAG54G2
  • Linksys WAG54GS
  • Linksys WRT350N v2 fw 2.00.19
  • Linksys WRT300N fw 2.00.17
  • Netgear DG834 v3
  • Netgear DG834[GB, N, PN, GT] version < 5
  • Netgear DG834G V2 and V3 firmware 4.01.40 and v3.01.32
  • Netgear DGN1000
  • Netgear DGN1000[B] N150
  • Netgear DGN2000B
  • Netgear DGN3500
  • Netgear DM111Pv2
  • Netgear JNR3210

These routers may be affected but this is not confirmed:

  • all SerComm manufactured devices
  • Linksys WAG160N
  • Netgear DG934 (probability: 99.99%)
  • Netgear WG602, WGR614 (v3 doesn’t work, maybe others…), DGN2000
  • Netgear WPNT834

And these are the models that have been found safe from this particular backdoor:

  • Cisco E2000 fwv 1.0.02
  • Cisco Linksys E4200 V1 fwv 1.0.05
  • Cisco Linksys X2000
  • Linksys E2500
  • Linksys E3000 fwv 1.0.04
  • Linksys E4200 Firmware Version: 2.0.26
  • Linksys WRT160Nv2
  • Linksys WRT320N
  • Linksys WRT54GL(v1.1) Firmware v4.30.16
  • Linksys WRT54GS v1.52.8 build 001
  • Linksys WRT600N running 1.01.36 build 3
  • Netgear CG3100
  • Netgear CG3700EMR as provided by ComHem Sweden
  • Netgear DG834G v5
  • Netgear DGN2200Bv3 (V1.1.00.23_1.00.23)
  • Netgear DGND3700
  • Netgear ProSafe FVS318G fwv 3.1.1-14
  • Netgear R6300
  • Netgear R7000
  • Netgear RP614v[4,2] V1.0.8_02.02
  • Netgear VMDG480 (aka. VirginMedia SuperHub) swv 2.38.01
  • Netgear VMDG485 (aka. VirginMedia SuperHub 2) swv1.01.26
  • Netgear WGR614v3
  • Netgear WGR614v7
  • Netgear WGR614v9
  • Netgear WN2500RP
  • Netgear WNDR3700
  • Netgear WNDR4000
  • Netgear WNDR4500
  • Netgear WNR2000v3
  • Netgear WNR3500Lv2

Checking for available firmware is something you should already be doing regularly for all your devices because of vulnerabilities like these. The manufacturer will patch them and release a new firmware version, but I imagine the vast majority of people will not install it for a number of reasons: they never check for updates, don’t know how or why it should be done, don’t know the risks outdated firmware can pose, etc.

Keep an eye on the GitHub page of the French engineer Eloi Vanderbeken, who discovered the backdoor. If and when more models are added to the list, I’m sure it will show up there first. The page also links to a PDF with slides that show how the backdoor was discovered and plenty of links to other related information.


2 thoughts on “Use a Linksys, Cisco or Netgear router? You should read this.”

  • 1
    Indian DJ in Chicago - DJ OZA on July 16, 2015

    Very good information. Thanks
