It has not been a good year for the Internet of Things, security-wise.
We've seen a series of IoT-based DDoS attacks cause widespread disruption of major websites, the release of urgent firmware patches and forced recall of vulnerable webcams, and European internet users have their internet access torn away after their routers were exploited.
And despite our attempts to encourage users and manufacturers to take greater care over router security, it's clear that many are turning a blind eye to the problem. If you need any greater illustration of that, consider ESET's own research which determined that at least 15% of all home routers used weak passwords and 20% have open telnet ports.
Now, there's a new threat.
Carnegie Mellon University's Computer Emergency Readiness Team (CERT) has issued a warning that multiple Netgear routers contain a serious vulnerability that allows a remote unauthenticated attacker to execute arbitrary commands with root privileges on affected routers.
Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.12_1.0.11 and possibly earlier, contain an arbitrary command injection vulnerability. By convincing a user to visit a specially crafted web site, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:
http://<router_IP>/cgi-bin/;COMMAND
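One way a defender can check router or proxy access logs for requests of the shape described above. This is an added example, not code from the advisory or from Netgear; the log lines are constructed, and it assumes common log format with the request path in the usual position:

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
192.168.1.23 - - [10/Dec/2016:10:01:02 +0000] "GET /cgi-bin/;uname$IFS-a HTTP/1.1" 200 512
192.168.1.23 - - [10/Dec/2016:10:01:05 +0000] "GET /cgi-bin/%3Bls HTTP/1.1" 200 128
192.168.1.50 - - [10/Dec/2016:10:02:00 +0000] "GET /index.htm HTTP/1.1" 200 2048
192.168.1.50 - - [10/Dec/2016:10:02:10 +0000] "GET /cgi-bin/status.cgi?x=1 HTTP/1.1" 200 300
"""

# source, timestamp, method and path of a common-log-format request line
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)


def is_cgi_injection(path: str) -> bool:
    """True if the request path has the /cgi-bin/;COMMAND shape.

    The path is percent-decoded (twice, to catch double encoding) so that an
    encoded semicolon such as %3B is treated the same as a literal one, and
    the query string is ignored because the semicolon of interest sits in
    the path itself.
    """
    decoded = unquote(unquote(path)).split("?", 1)[0].lower()
    if not decoded.startswith("/cgi-bin/"):
        return False
    return ";" in decoded[len("/cgi-bin/"):]


def find_suspicious_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (source address, raw path) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cgi_injection(m.group("path")):
            hits.append((m.group("src"), m.group("path")))
    return hits


if __name__ == "__main__":
    for src, path in find_suspicious_requests(SAMPLE_LOG):
        print(f"suspicious cgi-bin request from {src}: {path}")
```

Because the browser-based variant is triggered from a page the victim visits, the source address in a hit will be a LAN client rather than the attacker, so the alert identifies the machine to examine, not the origin of the attack.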
An exploit leveraging this vulnerability has been publicly disclosed by a researcher calling himself Acew0rm, who claims he informed Netgear of the issue on August 25th.
Acew0rm has now released a video of what he describes as the "pretty bad" exploit, seemingly in an attempt to encourage a prompt fix.
https://www.youtube.com/watch?v=kOZs90BGPFk&rel=0
The flaw is truly trivial to exploit, and is reported to have been confirmed in Netgear's R7000 and R6400 models. The R8000 router, running firmware version 1.0.3.4_1.1.2, is also thought to be vulnerable.
CERT doesn't mince its words when it comes to its advice for consumers who own vulnerable devices:
Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available.
That seems reasonable advice when you consider just how easily an attacker could trick an unsuspecting internet user into clicking on a booby-trapped link to compromise their router. And, as there are millions of vulnerable routers connected to the internet, this is clearly a serious problem.
Netgear says it is aware of the security issue, and is working on releasing a firmware update that fixes the command injection vulnerability "as quickly as possible."
Mindful that many users would prefer to have a fix sooner rather than later, Netgear is offering beta versions of the firmware update to users who want to apply it.
The company is also keen to emphasise that "being proactive rather than reactive to emerging security issues is fundamental", and urges anyone who uncovers a security issue in its products to make contact via security@netgear.com.