Security researchers have discovered a number of vulnerabilities in various models of Linksys routers that hackers could potentially exploit to create a botnet.
Senior security consultant Tao Sauvage and independent researcher Antide Petit discovered the bugs late last year. In a recent blog post, Sauvage reveals they identified ten vulnerabilities that range from low- to high-risk issues, six of which can be exploited remotely by attackers.
The security flaws could allow hackers to overload a device, force a reboot, deny user access, leak sensitive information about the router, and change restricted settings.
"A number of the security flaws we found are associated with authentication, data sanitisation, privilege escalation, and information disclosure," said Sauvage. "Additionally, 11 per cent of the active devices exposed were using default credentials, making them particularly susceptible to an attacker easily authenticating and potentially turning the routers into bots, similar to what happened in last year's Mirai Denial of Service (DoS) attacks."
The flaws are present in over 20 different models of Linksys routers; the full list is available below. An initial scan found over 7,000 vulnerable devices exposed at the time of the search. The majority of affected routers, 69 per cent, are located in the US.
IOActive informed Linksys of the issues in January, allowing the company three months to address the problems before going public with its findings.
Benjamin Samuels, an application security engineer at Belkin (Linksys Division), said: "Working together with IOActive, we've been able to efficiently put a plan together to address the issues identified and proactively communicate recommendations for keeping customer devices and data secure."
"Security is a high priority and by taking a few simple steps, customers can ensure their devices are more secure while we address the findings. IOActive has been a great partner throughout what's been a textbook example of researcher and vendor working cooperatively."
In a recent advisory, Linksys recommends that users enable automatic updates, disable the Wi-Fi Guest Network feature, and change the default admin password. A firmware update to fix the issues will be released in the coming weeks.
Here is the list of affected products: