
‘Amazon’s Choice’ best-selling TP-Link router comes with security flaws: Experts

TP-Link Router Photo: Router-Switch

*Researchers found several vulnerability issues within the default firmware and Web interface app of the TP-Link AC1200 Archer C50 (v6) router the global e-commerce and technology giant sells, likely to put owners and consumers at risk of attacks*

Isola Moses | ConsumerConnect

Researchers have found several vulnerability issues within the default firmware and the Web interface app of the TP-Link AC1200 Archer C50 (v6) router, which may put its owners and users at risk of man-in-the-middle and Denial of Service attacks.

With yearly sales of 150 million devices and a 42 percent share of the global consumer WLAN market, Shenzhen-based TP-Link Technologies Company Limited is the world’s number one manufacturer of consumer-oriented Wi-Fi networking products, reports CyberNews.

ConsumerConnect gathered that the device was produced by the world’s leading manufacturer and sold by Amazon, which is adjudged the e-commerce giant and biggest online retailer on the planet.

TP-Link routers are so popular that some models are routinely awarded ‘Amazon’s Choice’ badges in the ‘Wi-Fi router’ category, the agency report stated.

However, few home users realise how many popular consumer-grade router models are plagued by security problems. From default administrator passwords to unpatched vulnerabilities to even pre-installed backdoors, buying the wrong router can have disastrous consequences, such as network infiltration, man-in-the-middle attacks, and router takeovers.

Enter TP-Link AC1200 Archer C50 (v6): this best-selling ‘Amazon’s Choice’ wifi router retails for £34.50 (~$48) in the UK, and is mainly sold within the European market.

Shockingly, it also ships with an outdated version of firmware that is susceptible to numerous known security vulnerabilities.

Besides being sold with vulnerable firmware, the researchers said the router comes with another critical flaw: its web interface app suffers from subpar security practices and weak encryption, potentially putting thousands – if not millions – of its owners at risk of cyberattacks.

If you happen to own the TP-Link AC1200 Archer C50 (v6) router, you should install the latest firmware update immediately.

What researchers discovered

  • Numerous known vulnerabilities in the default firmware version
  • TP-Link web interface app code reveals subpar security practices
  • A critical two-year-old vulnerability
  • Why shipping routers with outdated firmware is dangerous
  • How we collected and analysed the data
  • Disassembling the router
  • Extracting the data

During the course of our security analysis of the TP-Link AC1200 Archer C50 (v6) router, we found multiple unpatched flaws in the default version of the router’s firmware, as well as its web interface app:

The router is shipped with outdated firmware that is vulnerable to dozens of known security flaws.

WPS is enabled by default, potentially allowing threat actors to brute-force the router.

Session tokens are not deleted server-side after logging out of the router app and are accepted for subsequent authorisation procedures.

The router’s administrator credentials and configuration backup files are encrypted using weak protocols and can be easily decrypted by attackers.

The default version of the router’s web interface app suffers from multiple bad security practices and vulnerabilities, including clickjacking, charset mismatch, cookie slack, private IP disclosures, weak HTTPS encryption, and more.

On the other hand, most of the known flaws that affected older versions of the router’s firmware, such as code execution during ping procedures and path traversal vulnerabilities, have been patched in the version we analyzed. In addition, HTTP traffic during login and logout procedures on the router’s web interface app is now encrypted using the permutated base64 protocol.

However, some of the flaws were only patched halfway through. For example, the backend of the router still seems relatively sloppily secured, which means that someone else can potentially find an entry point within the web interface and re-exploit previously known flaws.

On July 18, CyberNews reached out to TP-Link for comment and to understand whether they were aware of the flaws, and what they plan to do to protect their consumers.

After we sent information about the affected TP-Link device, TP-Link stated that the company will force firmware updates on the affected devices, while the owners will receive “relevant notifications” about these updates via their management interface, “whether they manage the device through the web terminal or the mobile app Tether.”

Numerous known vulnerabilities in the default firmware version

Our initial investigation found that the services utilized by the router’s firmware matched 39 publicly-known security flaws listed on the MITRE database of Common Vulnerabilities and Exposures (CVE).

We then narrowed down this list by separating the vulnerabilities into 4 categories: Most likely present, Likely present, Possibly present, and Unexploitable.

We identified their likelihood by investigating the router’s kernel and the version numbers of its services, as well as previous detailed reports and open-sourced code that we could look up on GitHub.

The findings

The researchers stated that 24 out of 39 vulnerabilities were identified as potentially present within the router’s firmware, with 15 being ruled out as ‘Unexploitable’.

Worryingly, 7 publicly-known vulnerabilities were deemed ‘Most likely present’ on the router:

The ‘Use-after-free’ vulnerability allows potential threat actors to mount Denial of Service attacks against the router by removing a network namespace.

The ‘PPPoL2TP’ feature allows potential attackers to gain privileges on the network by leveraging data-structure differences between the router’s sockets.

Multiple integer overflows in the router’s kernel let threat actors mount Denial of Service attacks or gain privileges.

This cURL vulnerability, if exploited by an attacker, can lead to the disclosure of sensitive information by leaking the credentials of the owner of the router.

Another cURL vulnerability allows potential threat actors to steal user data and mount Denial of Service attacks.

An scp.c vulnerability in Dropbear lets potential attackers bypass access restrictions and modify the permissions of target directories.

The CVE-2014-3158 vulnerability allows threat actors to access privileged options on the network and “[corrupt] security-relevant variables.”

Furthermore, 15 additional vulnerabilities were deemed ‘Likely present’. With that said, these were not practically tested, as we could not find direct references or proofs of concept to identify them as 100% positive.

Two other vulnerabilities – CVE-2011-2717 and CVE-2015-3310 – were deemed ‘Unlikely’ but were possibly present on the router.

TP-Link web interface app code reveals subpar security practices

Having identified a number of potential vulnerabilities within the firmware, we conducted an analysis of the router’s default web interface app by scanning it with the Nmap, BurpSuite, and OWASP ZAP penetration testing tools.

The scans, the report noted, revealed a number of substandard security practices and flaws present in the router’s web interface app, which could potentially be exploited by threat actors:

The app does not support HTTPS by default, allowing potential attackers to intercept web traffic.

When enabled, HTTPS within the interface is implemented using weak TLS 1.0 and TLS 1.1 encryption protocols.

The app is using Base64 encoding schemes, which can be easily decoded by potential man-in-the-middle attackers.

The interface suffers from the Cookie Slack flaw, which potentially allows for fingerprinting by threat actors.

Charset mismatch allows potential threat actors to force web browsers into content-sniffing mode.

Content-type is incorrectly stated on images within the app, potentially leading to attacks where threat actors can camouflage malicious scripts as images.

X-Content-Type-Options headers are not set, allowing for content sniffing.

The ‘Eval()’ function is used in the app’s JavaScript code, which could allow potential attackers to inject malicious code into the function.

The router’s web interface is vulnerable to reverse tabnabbing attacks, where attackers can use framed pages in order to rewrite them and replace them with phishing pages.

The Content Security Policy header is not set, allowing web browsers to load any type of content within the web interface page, including malicious code.

The interface allows Private IP disclosures, which lets potential threat actors identify victims within a local network.

Frameable response within the interface can be used by malicious actors to trick users into unintentionally clicking on a button or link on a different page instead of the intended page (also known as clickjacking).

When flooded with enough requests per second, the router becomes unresponsive, which means that a Denial of Service vulnerability is present.
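As an added example (not part of the CyberNews research or TP-Link’s code), the small Python audit below flags several of the header and markup weaknesses listed above when run over captured HTTP responses; the two responses and the router hostname are constructed samples.

```python
"""Audit captured router web-interface responses for the header and markup
weaknesses listed above: missing CSP, missing X-Content-Type-Options, frameable
responses (clickjacking), wrong image Content-Type, charset mismatch and
reverse tabnabbing.  Added example; the sample responses are constructed."""
import re

# Constructed samples: a page and an image as a weak router UI might serve them.
SAMPLE_RESPONSES = [
    {
        "url": "http://router.example/",
        "headers": {"Content-Type": "text/html; charset=ISO-8859-1"},
        "body": '<html><head><meta charset="utf-8"></head><body>'
                '<a href="http://help.example" target="_blank">help</a></body></html>',
    },
    {
        "url": "http://router.example/img/logo.png",
        "headers": {"Content-Type": "text/html"},   # image served as HTML
        "body": "\x89PNG\r\n\x1a\n",
    },
]

IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".svg")


def audit_response(resp):
    """Return the list of finding names for one captured response."""
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    ctype = headers.get("content-type", "")
    csp = headers.get("content-security-policy", "")
    findings = []
    if not csp:
        findings.append("missing-csp")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing-x-content-type-options")
    # Frameable unless X-Frame-Options or a CSP frame-ancestors directive is set.
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("frameable-response")
    if resp["url"].lower().endswith(IMAGE_EXTENSIONS) and not ctype.startswith("image/"):
        findings.append("wrong-image-content-type")
    if ctype.startswith("text/html"):
        hdr_cs = re.search(r"charset=([\w-]+)", ctype, re.I)
        meta_cs = re.search(r'<meta\s+charset="?([\w-]+)', resp["body"], re.I)
        if hdr_cs and meta_cs and hdr_cs.group(1).lower() != meta_cs.group(1).lower():
            findings.append("charset-mismatch")
        # target="_blank" links without rel="noopener" enable reverse tabnabbing.
        for tag in re.findall(r"<a\s[^>]*>", resp["body"], re.I):
            if 'target="_blank"' in tag.lower() and "noopener" not in tag.lower():
                findings.append("reverse-tabnabbing")
                break
    return findings


def audit_all(responses=SAMPLE_RESPONSES):
    """Map each response URL to its findings."""
    return {r["url"]: audit_response(r) for r in responses}
```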

The report further said the researchers noticed that the default firmware version uses DSA and RSA algorithms for key encryption in a nine-year-old implementation of the Dropbear SSH service, itself plagued by multiple vulnerabilities.

The experts decided to check if the router’s firmware was still suffering from multiple severe vulnerabilities found in its previous versions by other security researchers.

Fortunately, the flaws found in older versions are no longer present in the version tested by CyberNews, which means that new owners are no longer exposed to path traversal attacks and unauthenticated access attempts.
