One high-risk and one medium-risk vulnerability was found in one of TP-Link's currently available – and popular – routers by KPMG ethical hacker Kamillo Matek. TP-Link already has a fix for the high-risk vulnerability, but not for the medium one, as that requires the hacker to have physical access. According to the hacker, the router market needs comprehensive security regulation as not even the minimum security requirements are met.

“We will hear a lot more about the vulnerability of routers in the future, especially with regard to cheap Asian devices, because for a low price and easy usability the manufacturers ignore the most basic of safety rules” –  says Kamilló Matek. The head of KPMG’s CyberLab group and ethical hacker has recently examined several TP-link routers, finding security vulnerabilities in all of them. His latest scrutiny target was the popular TP-Link TLWR840N EU v6.20 model still available today, where he found a high-risk and a medium-risk vulnerability.

One of the vulnerabilities was rated high because it allows a hacker to assume admin rights on the router even remotely, meaning the hacker can access all the data of the user including video calls, correspondence and the other communication channels, directories and files. Accepting the ethical hacker’s report and the so-called Proof of Concept, TP-link has already issued a fix for the bug, which can be downloaded from here.

“Downloading the fix is highly recommended because the nature of the bug can be clearly deduced from the published fix, which the hackers will then try to exploit in great numbers, searching for devices where careless owners have failed to close the loophole” – says Kamilló Matek.

Due to GDPR, the Chinese manufacturer integrated encryption functions on some parts of the routers shipped to Europe, which meant the now revealed vulnerability was essentially hidden. The essence of the vulnerability is that the password length is not checked when it is entered, so the attacker can exploit the vulnerability to inject a code into the system. This code is carefully encrypted, decrypted and finally executed by the system, allowing the hacker to gain access to the router, essentially the device and its peripherals, i.e. the IT assets it serves. Attackers can also exploit the vulnerability to create a so-called botnet network, i.e. they can coordinate a large number of infected routers to carry out further attacks, such as overload attacks, against other IT systems.

A similar fix is not expected to be released for the medium-risk vulnerability because taking control over the router requires the hacker to physically access the router. “Nevertheless, routers may need to be checked periodically, because many small businesses and other institutions in Hungary use such low-cost routers, which are then placed in easily accessible public spaces,” says the head of KPMG’s CyberLab group. In this case, the weak point was the router's diagnostic module (UART), which can be used to gain unlimited administrator privileges even by plugging in a few office paperclips and connecting a suitable device to their ends.

According to KPMG’s ethical hacker, the only thing that can prevent hackers from exploiting such vulnerabilities is their capacity. For him, it took a few working days to find the high-level vulnerability, but the payback for the wrong hands finding such flaws can be very high. And such mistakes are common, especially in the cheaper and easier to install market segment, because security by default always comes at the expense of the user-friendliness of the product and increases costs for the manufacturer (tests, inspections, etc.)

“That is why we need some kind of input regulation in the market, defining what security requirements a device must meet to be put on the market in the first place,” says the head of the CyberLab. “Unfortunately, due to the nature of things, such regulations usually only make the agenda when a bug comes to light that affects a large number of users and causes a lot of damage. It would be better to prevent this,” adds Kamilló Matek.