TP-Link router exploit spotted in the wild
Certain TP-Link wireless routers feature a vulnerability that leaves them open to DNS hijacking attacks, a researcher has found.
Researcher Jakob Lell uncovered the cross-site request forgery flaw, which could allow attackers to manipulate a vulnerable router’s upstream DNS server when a user browses to a malicious site.
Lell said he had found five different websites hosting the exploit and said there were likely to be more. He didn’t reveal which sites had been affected and said it wasn’t clear what the attackers planned on doing with the malicious servers.
Lell’s disclosure comes after another researcher warned that many domestic wireless routers contain unpatched security holes.
D-Link, Tenda and Netgear were all forced to issue patches in response to flaws that could allow hackers to bypass their routers’ authentication processes. However, none of the researchers who disclosed the flaws said they had found real-world examples of the exploits.
How it works
The affected TP-Link routers allow access to the web-based admin settings using HTTP authentication – meaning browsers often store the password, even if it’s been changed. “Even if the user doesn’t want to permanently store the password in the browser, it will still temporarily remember the password and use it for the current session,” explained Lell.
A user who browses to a compromised site while still logged into their router then leaves their router open to attack. “When a user visits a compromised website, the exploit tries to change the upstream DNS server of the router to an attacker-controlled IP address, which can then be used to carry out man-in-the-middle attacks,” said Lell.
In theory, a compromised DNS server could allow an attacker to redirect users to phishing sites, block software upgrades or even hijack email accounts, said Lell.
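The weakness described above is that HTTP authentication is replayed by the browser for any request to the router, whichever page triggered it. The following is an added example, not code from the article, from Lell or from TP-Link firmware: one common server-side mitigation for this class of flaw, a same-origin check on settings-changing requests. The function names, the `192.168.1.1` address and the sample requests are assumptions constructed for illustration.

```python
# Added example (hypothetical handler logic, not TP-Link firmware code).
from urllib.parse import urlsplit

# Assumption: the names under which the admin UI is legitimately reached.
ALLOWED_HOSTS = {"192.168.1.1"}


def host_of(url):
    """Return the lowercase host[:port] of an absolute http(s) URL, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None  # covers "Origin: null" and malformed values
    return parts.netloc.rsplit("@", 1)[-1].lower()  # drop any user:pass@


def allow_request(headers, state_changing, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether an already-authenticated admin request may proceed.

    HTTP authentication only proves that the browser holds the password; it
    says nothing about which page caused the request, so that is checked here.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "").lower()
    if host not in allowed_hosts:
        return False  # unexpected Host header
    if not state_changing:
        return True  # read-only pages need no origin check
    source = h.get("origin") or h.get("referer")
    if not source:
        return False  # fail closed when the browser sent neither header
    return host_of(source) == host  # exact match, not prefix or substring


if __name__ == "__main__":
    # Constructed requests: same settings change, different initiating page.
    for referer in ("http://192.168.1.1/settings", "http://compromised.example/",
                    "http://192.168.1.1.compromised.example/", None):
        hdrs = {"Host": "192.168.1.1", "Authorization": "Basic <redacted>"}
        if referer:
            hdrs["Referer"] = referer
        print(referer, "->", allow_request(hdrs, state_changing=True))
```

The check has to cover every request that changes settings regardless of HTTP method, and a per-session anti-CSRF token is the stronger control where the firmware can support one.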
Speaking to PC Pro, Lell said he had disclosed the problem to TP-Link. The company has issued patches for some affected models, but Lell has listed several devices that remain vulnerable. “Many vendors don’t care too much about security,” he added.
TP-Link hasn’t responded to a request for comment.
Lell added that users should change from the default password and ensure they log out of the administrative settings when browsing to other sites.
Update: TP-Link has got in touch with PC Pro and said it has corrected the issue.
“We have identified and updated vulnerable devices with new firmware that mitigate the ability of an attacker to affect our devices in this way,” a spokesperson said.