Yet Again, Vulnerabilities Found in a RouterThis Time, Random Pentest Finds Five Flaws in Tenda Router
It’s common for security researchers to be ignored when reporting a software vulnerability, and the situation is particularly bad when it comes to the internet of things. The latest example: Vulnerabilities found in a router by Independent Security Evaluators, a Baltimore-based security consulting firm.
Sanjana Sarda, a security analyst at Independent Security Evaluators, picked apart the AC15 AC1900 Smart Dual-band Gigabit Wi-Fi Router, which is made by China-based Shenzhen Tenda Technology Co. Ltd.
The router was left over from the DefCon conference’s annual IoT Village presentations, which ISE organizes. "We had this router just sitting around,” Sarda says. “I just kind of poked around and found a couple of things.”
She found a total of five vulnerabilities. One of the most serious flaws is a default, hardcoded password for telnet, which was left open to the internet. Sarda says the password could be used for any Tenda router of the same model.
“Once you have that password you can telnet into the router, and you have complete access to the router,” Sarda says.
She also found two methods to gain a persistent, reverse shell on the device. Among her other findings were a cross-site scripting flaw and a cross-site request forgery issue.
The findings point to the ease at which computer security researchers can take their pick of common routers and often find some security issues. “The chance of us picking that router was the same chance as someone buying it,” says Sam Levin, an ISE solutions consultant.
For years, security experts have issued warnings about the dangers of insecure routers. Commandeering a router can lead to invasions of privacy. Overtaken routers also can be used as proxies for cybercriminal activity, such as defeating geolocation checks performed during a credit card transaction. There’s also a potential to use hijacked devices for distributed denial-of-service attacks.
ISE notified Tenda of the issues in January, but it says it has yet to hear back from the company. ISMG’s efforts to reach officials at Tenda were also unsuccessful.
“It is interesting to note that as Tenda has yet to patch these vulnerabilities, similar vulnerabilities may exist in other firmware versions,” Sarda writes in an in-depth blog post describing her findings. “Attackers, consequently, can develop similar exploits that affect other Tenda embedded devices.”
Tenda was founded in 1999 and makes a variety of mostly consumer-focused products, including switches, IP cameras, powerline adapters for internet data, 3G and 4G modems and Wi-Fi extenders.
The router analyzed by ISE appears to date from around 2015, according to the documentation and firmware versions on its website. Sarda tested the latest available version of the firmware, version 15.03.05.19. That version has been removed from most of Tenda’s websites except for the one for the U.S. market, she writes.
Levin says that ISE debated whether it should publish the Tenda research given that the company had not responded. But after 180 days – which is nearly double the usual notification period given to a manufacturer for a software issue – Levin says ISE felt it was better for consumers to know of the flaws.
Still, Tenda’s non-responsiveness doesn’t bode well for the state of IoT security. ISE has had much contact with IoT vendors, as it has conducted two studies, one in 2013-2014 and one in 2019, SOHOpelessly Broken 2.0, both of which looked at the security readiness of routers and network-attached storage devices. Both resulted in finding dozens of CVEs.
The latest study also showed that “there was more sophisticated use among the companies around bug bounties or having vulnerability disclosure programs but it was still not consistent on a wide enough scale to feel super impactful,” Levin says.
Even if a company did have a bug bounty program or a vulnerability disclosure program, it didn’t mean that it would respond quickly, Levin says.
“Even though they might have had a disclosure program set up, it was still very delayed,” Levin says.