If you have an Asus, Netgear, Belkin or Trendnet router, you may want to make sure you’ve updated it to the most recent firmware.
Fifteen ‘zero day’ vulnerabilities have been discovered in four router models by hackers competing at the DefCon 22 security conference. Left open to attackers, they could allow people to hijack your WiFi.
Some of the holes were more critical than others. Those worst affected could give hackers access to execute privileged commands, meaning they can take full control of your router.
The ASUS RT-AC66U, the Netgear Centria WNDR4700 (which suffered two separate hacks), the Belkin N900, and the TRENDnet TEW-812DRU are all affected. A router made by Actiontec Electronics that Verizon Communications offers its customers was also found to have flaws, but it’s not widely used in the UK.
A ‘zero day’ attack refers to a kind of vulnerability that may not have been discovered by the manufacturer yet, but may have been used by hackers for a while. It requires the manufacturer to patch the hole as soon as possible to prevent anyone from using it to misuse equipment or software.
Only four of the vulnerabilities were revealed to be new. Flaws discovered in several other routers are all known about and have been patched in other products made by the manufacturers.
Stephen Bono is president of Independent Security Evaluators, the security firm that organised the competition. He said router manufacturers sometimes just decide not to fix the vulnerabilities, while in other instances, they are unable to do anything because the flaws are in code provided by the chipset supplier so they can’t be patched.
If you do have one of these routers, it doesn’t necessarily mean you’ll be hacked. Those involved in the hackathon are security experts and there’s no evidence to show any of the products has been used maliciously.
On the other hand, you could argue that a product with known security flaws isn’t fit for purpose and your ISP should replace it, or if it’s still under warranty the retailer should give you a different model. But who’s to say that will be any more secure?