Millions of routers are at risk

Your home router probably doesn't get much attention. After you set it up and secured it (you secured it, right?), you probably haven't thought much about it. It's just chugging along quietly in the background keeping your gadgets securely connected to each other and the Internet.

Unfortunately, your router might not be as secure as you'd hope. Hot off the presses is a report about a security flaw built into millions of home routers. This isn't the first major router security flaw, but it could be the worst so far.

The flaw comes courtesy of a bit of code called NetUSB. NetUSB lets you share the information on USB gadgets over a network simply by plugging the gadget into your router.

Unfortunately, the company that developed NetUSB left in a very basic flaw. It's called a "stack buffer overflow," and it really hasn't been a security problem in most programs since the '90s.

I won't bore you with technical details, but the basics are that a hacker can send a large amount of information to a specific port on your router and crash it. The crash can simply knock you off the Internet, or the hacker can use it to run their own code on the router.

Unfortunately, NetUSB is used in a lot of routers. According to SEC Consult Vulnerability Lab, the list includes routers from Allnet, Ambir Technology, AMIT, Asante, Atlantis, Corega, Digitus, D-Link, EDIMAX, Encore Electronics, Engenius, Etop, Hardlink, Hawking, IOGEAR, LevelOne, Longshine, NetGear, PCI, PROLiNK, Sitecom, Taifa, TP-LINK, TRENDnet, Western Digital and ZyXEL.

The list of affected models is still being compiled, but I'll give you what is known so far in a moment. The big question is how to fix the problem.

Unfortunately, there's no good answer. The TP-Link brand is planning to release an update for its routers later this month. Other router manufacturers haven't said when, or even if, they're going to release a fix.

Some routers do let you turn off the USB feature of your router in the settings. However, on NetGear routers this doesn't actually turn off NetUSB or solve the problem.

Check with your router manufacturer over the next month to see if it's offering a firmware update. Otherwise keep an eye on your router for unusual crashes or odd behavior.

Here's the current list of routers, courtesy of SEC Consult.

These routers are known to have the NetUSB flaw:

  • TP-Link TL-WDR4300 V1
  • TP-Link WR1043ND v2
  • NETGEAR WNDR4500

These routers have the vulnerable NetUSB feature:

  • D-Link DIR-615 C
  • NETGEAR AC1450
  • NETGEAR CENTRIA (WNDR4700/4720)
  • NETGEAR D6100
  • NETGEAR D6200
  • NETGEAR D6300
  • NETGEAR D6400
  • NETGEAR DC112A
  • NETGEAR DC112A (Zain)
  • NETGEAR DGND4000
  • NETGEAR EX6200
  • NETGEAR EX7000
  • NETGEAR JNR3000
  • NETGEAR JNR3210
  • NETGEAR JR6150
  • NETGEAR LG6100D
  • NETGEAR PR2000
  • NETGEAR R6050
  • NETGEAR R6100
  • NETGEAR R6200
  • NETGEAR R6200v2
  • NETGEAR R6220
  • NETGEAR R6250
  • NETGEAR R6300v1
  • NETGEAR R6300v2
  • NETGEAR R6700
  • NETGEAR R7000
  • NETGEAR R7500
  • NETGEAR R7900
  • NETGEAR R8000
  • NETGEAR WN3500RP
  • NETGEAR WNDR3700v5
  • NETGEAR WNDR4300
  • NETGEAR WNDR4300v2
  • NETGEAR WNDR4500
  • NETGEAR WNDR4500v2
  • NETGEAR WNDR4500v3
  • NETGEAR XAU2511
  • NETGEAR XAUB2511
  • TP-LINK Archer C2 V1.0 (Fix planned before 2015/05/22)
  • TP-LINK Archer C20 V1.0 (Not affected)
  • TP-LINK Archer C20i V1.0 (Fix planned before 2015/05/25)
  • TP-LINK Archer C5 V1.2 (Fix planned before 2015/05/22)
  • TP-LINK Archer C5 V2.0 (Fix planned before 2015/05/30)
  • TP-LINK Archer C7 V1.0 (Fix planned before 2015/05/30)
  • TP-LINK Archer C7 V2.0 (Fix already released)
  • TP-LINK Archer C8 V1.0 (Fix planned before 2015/05/30)
  • TP-LINK Archer C9 V1.0 (Fix planned before 2015/05/22)
  • TP-LINK Archer D2 V1.0 (Fix planned before 2015/05/22)
  • TP-LINK Archer D5 V1.0 (Fix planned before 2015/05/25)
  • TP-LINK Archer D7 V1.0 (Fix planned before 2015/05/25)
  • TP-LINK Archer D7B V1.0 (Fix planned before 2015/05/31)
  • TP-LINK Archer D9 V1.0 (Fix planned before 2015/05/25)
  • TP-LINK Archer VR200v V1.0 (Fix already released)
  • TP-LINK TD-VG3511 V1.0 (End-Of-Life)
  • TP-LINK TD-VG3631 V1.0 (Fix planned before 2015/05/30)
  • TP-LINK TD-VG3631 V1.0 (Fix planned before 2015/05/31)
  • TP-LINK TD-W1042ND V1.0 (End-Of-Life)
  • TP-LINK TD-W1043ND V1.0 (End-Of-Life)
  • TP-LINK TD-W8968 V1.0 (Fix planned before 2015/05/30)
  • TP-LINK TD-W8968 V2.0 (Fix planned before 2015/05/30)
  • TP-LINK TD-W8968 V3.0 (Fix planned before 2015/05/25)
  • TP-LINK TD-W8970 V1.0 (Fix planned before 2015/05/30)
  • TP-LINK TD-W8970 V3.0 (Fix already released)
  • TP-LINK TD-W8970B V1.0 (Fix planned before 2015/05/30)
  • TP-LINK TD-W8980 V3.0 (Fix planned before 2015/05/25)
  • TP-LINK TD-W8980B V1.0 (Fix planned before 2015/05/30)
  • TP-LINK TD-W9980 V1.0 (Fix already released)
  • TP-LINK TD-W9980B V1.0 (Fix planned before 2015/05/30)
  • TP-LINK TD-WDR4900 V1.0 (End-Of-Life)
  • TP-LINK TL-WR1043ND V2.0 (Fix planned before 2015/05/30)
  • TP-LINK TL-WR1043ND V3.0 (Fix planned before 2015/05/30)
  • TP-LINK TL-WR1045ND V2.0 (Fix planned before 2015/05/30)
  • TP-LINK TL-WR3500 V1.0 (Fix planned before 2015/05/22)
  • TP-LINK TL-WR3600 V1.0 (Fix planned before 2015/05/22)
  • TP-LINK TL-WR4300 V1.0 (Fix planned before 2015/05/22)
  • TP-LINK TL-WR842ND V2.0 (Fix planned before 2015/05/30)
  • TP-LINK TL-WR842ND V1.0 (End-Of-Life)
  • TP-LINK TX-VG1530(GPON) V1.0 (Fix planned before 2015/05/31)
  • Trendnet TE100-MFP1 (v1.0R)
  • Trendnet TEW-632BRP (A1.0R)
  • Trendnet TEW-632BRP (A1.1R/A1.2R)
  • Trendnet TEW-632BRP (A1.1R/A1.2R/A1.3R)
  • Trendnet TEW-634GRU (v1.0R)
  • Trendnet TEW-652BRP (V1.0R)
  • Trendnet TEW-673GRU (v1.0R)
  • Trendnet TEW-811DRU (v1.0R)
  • Trendnet TEW-812DRU (v1.0R)
  • Trendnet TEW-812DRU (v2.xR)
  • Trendnet TEW-813DRU (v1.0R)
  • Trendnet TEW-818DRU (v1.0R)
  • Trendnet TEW-823DRU (v1.0R)
  • Trendnet TEW-MFP1 (v1.0R)
  • Zyxel NBG-419N v2
  • Zyxel NBG4615 v2
  • Zyxel NBG5615
  • Zyxel NBG5715

Source: Ars Technica