If you own one of four TP-Link routers, including the TP-Link Archer C5 (v4), you’re going to want to find and install its latest firmware update right now. The patch fixes a critical vulnerability that would otherwise allow an attacker to take full control of your router—admin access and all—and lock you out of it.
The vulnerability, initially discovered by Grzegorz Wypych of IBM’s awesome-sounding “X-Force Red” hacker squad, appears to require someone to have network access to your router to get started. While that makes this slightly less applicable if you have a great wifi password (and a good lock on your front door), that’s not to say that there aren’t other vulnerabilities a skilled attacker could exploit to get onto your network or send commands to your router.
Even if this hack is more likely to affect business networks or anywhere else where a compromised router could be used as a vector for a larger attack, there’s no reason to be lazy about updating your device’s firmware at home. A few minutes spent on this simple task can save you a world of hurt, as Wypych and article co-author Limor Kessem describe at Security Intelligence:
After attaining admin access without needing real authentication, we found out that this specific device also allows for the configuration of FTP on the WAN. Furthermore, we could remotely manage the router over a secure HTTPS connection, which is also vulnerable to this CGI attack. The impact and implications of this router vulnerability, if exploited by a malicious third party, can be detrimental.
Not only can attackers attain privileged access, but the legitimate user can also be locked out and would no longer be able to log in to the web service through the user interface since that page would no longer accept any passwords (unbeknownst to the user). In such an event, the victim could lose access to the console and even a shell, and thereby would not be able to re-establish a new password. Even if there was a way to set a new password, the next vulnerable LAN/WAN/CGI request would, once again, void the password. The only access would, therefore, be FTP files via a USB port connection.
The vulnerability that allows this to happen is a quirky but seemingly simple one. The attack, known as a “password overflow,” involves spoofing HTTP headers to make it look like a login request comes from the router’s IP address or the domain TP-Link’s routers use during the initial setup process—tplinkwifi.net.
The router then treats the login request as legitimate. Sending a password string with that request that is shorter than the router expects prevents anyone from logging in with the correct password (basically a denial-of-service attack). Sending a password string that is longer blanks the previously valid password, giving an attacker full, unprotected access to the router.
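As an added illustration, and not code from the article, the IBM write-up, or TP-Link's firmware, here is a toy Python model of the two weaknesses described above (a spoofable Referer header treated as proof of a local request, and a submitted password copied into a fixed-width slot with no length check, so an overlong value spills into the adjacent stored credential) beside a hardened handler that ignores Referer for authorization, enforces a maximum length, and compares in constant time. The memory layout, the 16-byte field width, the trusted Referer values, and every function name are constructed for this example; the short-password lockout the article also mentions is not modelled, only the overlong case that blanks the stored password.

```python
import hmac

# Constructed toy layout: a FIELD_WIDTH-byte slot that receives the submitted
# password sits directly in front of the slot holding the stored password.
FIELD_WIDTH = 16

# Assumption: origins the vulnerable handler treats as "local". The setup
# hostname comes from the article; the LAN address is a common default.
TRUSTED_REFERERS = ("http://192.168.0.1/", "http://tplinkwifi.net/")


def _cstring(buf: bytes) -> bytes:
    """Read bytes up to the first NUL, the way C string functions would."""
    return bytes(buf).split(b"\x00", 1)[0]


class ToyRouterStore:
    """Two adjacent fixed-width fields in one byte region: [input][stored password]."""

    def __init__(self, stored_password: bytes) -> None:
        self.mem = bytearray(2 * FIELD_WIDTH)
        self.mem[FIELD_WIDTH:FIELD_WIDTH + len(stored_password)] = stored_password

    def stored_password(self) -> bytes:
        return _cstring(self.mem[FIELD_WIDTH:])

    def submitted_password(self) -> bytes:
        return _cstring(self.mem)

    def unbounded_write(self, data: bytes) -> None:
        # Vulnerable pattern: copies the whole submission plus a NUL terminator
        # (strcpy-style) into the 16-byte slot with no bounds check, so an input
        # of FIELD_WIDTH bytes or more spills into the stored-password field.
        data = (data + b"\x00")[: len(self.mem)]  # keep the toy region in range
        self.mem[: len(data)] = data

    def bounded_write(self, data: bytes) -> None:
        # Fixed pattern: refuses anything that does not fit with its terminator.
        if len(data) >= FIELD_WIDTH:
            raise ValueError("password longer than field")
        self.mem[:FIELD_WIDTH] = data.ljust(FIELD_WIDTH, b"\x00")


def vulnerable_login(store: ToyRouterStore, headers: dict, password: bytes) -> str:
    # Weakness 1: a Referer naming the router is taken as proof that the request
    # is a legitimate local one, but that header is entirely client-controlled.
    if headers.get("Referer") not in TRUSTED_REFERERS:
        return "rejected: untrusted origin"
    # Weakness 2: the submitted password is copied without a length check.
    store.unbounded_write(password)
    if store.submitted_password() == store.stored_password():
        return "ok"
    return "rejected: wrong password"


def hardened_login(store: ToyRouterStore, headers: dict, password: bytes) -> str:
    # Referer is never consulted for authorization; only the credential counts.
    try:
        store.bounded_write(password)
    except ValueError:
        return "rejected: password too long"
    # Constant-time comparison so response timing does not leak the stored value.
    if hmac.compare_digest(store.submitted_password(), store.stored_password()):
        return "ok"
    return "rejected: wrong password"


if __name__ == "__main__":
    weak = ToyRouterStore(b"correct horse")
    spoofed = {"Referer": "http://tplinkwifi.net/"}
    vulnerable_login(weak, spoofed, b"A" * FIELD_WIDTH)
    print("stored password after overlong submission:", weak.stored_password())
    print("login with empty password:", vulnerable_login(weak, spoofed, b""))

    fixed = ToyRouterStore(b"correct horse")
    print("hardened:", hardened_login(fixed, spoofed, b"A" * FIELD_WIDTH))
    print("stored password still:", fixed.stored_password())
```

The point of the model is the second login: after one overlong submission the vulnerable store's credential reads as an empty string, so an empty password is accepted, which is the lockout-plus-takeover the article describes. The hardened handler never touches the stored field on bad input, and because it does not consult Referer at all, forging that header buys nothing.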
Update your router’s firmware right now
To plug this vulnerability, TP-Link has issued firmware updates for affected routers. I recommend checking the underside or rear of your router to confirm what you have (and its hardware version number, like “V4”) and downloading the updates right now if you own one of these four routers:
Once you’ve done that, pull up your router’s web-based configuration screen, log in, and look for the section related to firmware updates. To use the C5 as an example, you’ll need to click on the Advanced tab at the top, scroll down to “System Tools,” and click on “Firmware Upgrade.” You can then browse to find the firmware update you downloaded (and unzipped), and install it on your device via the big “Upgrade” button.
While it would be wonderful if all routers could simply ping an update server and automatically download and install firmware updates for you, that’s not the case. The onus is typically on you to keep your router updated. And I get it; checking a website for firmware updates all the time is an annoying process.
In fact, this is probably the last thing you think about, even if you’re pretty into geeking out over your computer and networking gear (like me). To fix that, drop a reminder on your favourite scheduling tool to revisit your router manufacturer’s support page three months from now to check for updates, and set another reminder at that point for whatever time period feels appropriate.