Security experts have found nearly a dozen cybersecurity bugs in "more than 7,000" Linksys smart Wi-Fi routers that, if exploited, could allow attackers to overload the device, force a reboot, deny user access, leak sensitive information and change restricted settings.
Cybersecurity researchers from IOActive said in an advisory this week (20 April) the routers "could be easily exploited" to potentially enable hackers to create a network of botnets, in the same fashion as the Mirai DDoS attacks which took down vast swathes of the web last year.
IOActive, which employs researchers known for hacking into a Jeep Cherokee in 2015, informed Linksys of the bugs in January this year and the two companies have been working "closely and cooperatively" ever since to validate and address the issues.
A security advisory has been issued which includes a workaround for customers until final firmware updates are finally posted, which the firm claimed will be published in the "coming weeks".
However, a full time-scale for the final fixes have not yet been disclosed.
The research was authored by IOActive senior security consultant, Tao Sauvage and independent researcher Antide Petit. Their analysis, conducted in 2016, reverse-engineered router firmware and a series conducted penetration tests of the exposed functions.
The pair uncovered 10 vulnerabilities, ranging from low to high risk, present in over 20 router models in production and distributed widely today. An initial search identified more than 7,000 vulnerable devices exposed on the internet at the time of the scan.
The majority of the exposed devices (~69%) are in the USA with the remainder are spread across the world, including Canada (~10%), Hong Kong (~1.8%), Chile (~1.5%), and the Netherlands (~1.4%). Others are Argentina, Russia, Sweden, Norway, China, India, UK and Australia.
"A number of the security flaws we found are associated with authentication, data sanitisation, privilege escalation, and information disclosure," said Sauvage in a statement.
"Additionally, 11% of the active devices exposed were using default credentials, making them particularly susceptible to an attacker easily authenticating and potentially turning the routers into bots, similar to what happened in last year's Mirai [botnet] attacks."
In the case of Mirai, hackers were able to exploit a large amount of unprotected Internet of Things (IoT) devices, including routers and webcams, and use their power to conduct a series of unprecedented distributed-denial-of-service (DDoS) cyberattacks.
Benjamin Samuels, application security engineer at Linksys, said: "Working together with IOActive, we've been able to efficiently put a plan together to address the issues identified and proactively communicate recommendations for keeping customer devices and data secure.
"Security is a high priority and by taking a few simple steps, customers can ensure their devices are more secure while we address the findings. IOActive has been a great partner throughout what's been a textbook example of researcher and vendor working cooperatively."
Linksys provided a list of all affected models. If you own one of these it is advised to follow the workaround provided: EA2700, EA2750, EA3500, EA4500v3, EA6100, EA6200, EA6300, EA6350v2, EA6350v3, EA6400, EA6500, EA6700, EA6900, EA7300, EA7400, EA7500, EA8300, EA8500, EA9200, EA9400, EA9500, WRT1200AC, WRT1900AC, WRT1900ACS, WRT3200ACM.