Skip to main content

Millions of routers vulnerable to stack overflow hack

A vulnerability that leaves millions of routers and other Internet connected devices open to remote hacking and similar cyberattacks has been discovered.

Stefan Viehbock of SEC Consult Vulnerability Lab explained in his blog that a piece of proprietary software developed in Taiwan, called NetUSB, is the root of the security flaw.

Read more: So did he really do it? Man claims to have hacked into plane

NetUSB provides network access between USB devices such as printers or external hard drives and Linux-based embedded systems like routers and other access points. However, Viehbock discovered during the authentication check which occurs before establishing a connection that a significant vulnerability is present.

“As part of the connection initiation, the client sends his computer name,” he explains. “This is where it gets interesting: The client can specify the length of the computer name. By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received from the socket. All the server code runs in kernel mode, so this is a 'rare' remote kernel stack buffer overflow.”

Stack buffer overflow flaws can cause programs to malfunction or crash, but can also be used to perform a deliberate cyberattack. It is possible to corrupt the stack by injecting malicious code into the program and gain control of the device remotely.

TP-Link, a manufacturer that uses the NetUSB software component, has already issued a security patch for 40 of its devices, but products being sold by other companies are also affected. Viehbock has released an advisory where he lists a number of vendors that could be at risk, including Netgear, TrendNet and Western Digital.

Read more: Google and Apple urge Obama to resist encryption backdoors

If your device has not had a patch issued for it, it may be possible to disable the NetUSB software using a web interface. In the meantime, KCodes, the developers behind NetUSB, have reportedly been unreceptive to the security concerns raised.

Barclay has been writing about technology for a decade, starting out as a freelancer with IT Pro Portal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.