‘Amazon’s Choice’ best-selling TP-Link router ships with vulnerable firmware

CyberNews researchers found numerous security flaws within the default firmware and the web interface app of the TP-Link AC1200 Archer C50 (v6) router, which may put its owners at risk of man-in-the-middle and Denial of Service attacks.

With yearly sales of 150 million devices and a 42% share of the global consumer WLAN market, Shenzhen-based TP-Link Technologies Co., Ltd. is the world’s number one manufacturer of consumer-oriented wifi networking products.

Produced by the world’s leading manufacturer and sold by Amazon - the biggest online retailer on the planet - TP-Link routers are so popular that some models are routinely awarded ‘Amazon’s Choice’ badges in the 'wifi router' category.

However, few home users realize how many popular consumer-grade router models are plagued by security problems. From default administrator passwords to unpatched vulnerabilities to even pre-installed backdoors, buying the wrong router can have disastrous consequences, such as network infiltration, man-in-the-middle attacks, and router takeovers.

Enter TP-Link AC1200 Archer C50 (v6): this best-selling ‘Amazon’s Choice’ wifi router retails for £34.50 (~$48) in the UK, and is mainly sold within the European market.

Shockingly, it also ships with an outdated version of firmware that is susceptible to numerous known security vulnerabilities. 

In addition to being sold with vulnerable firmware, the router comes with another critical flaw: its web interface app suffers from subpar security practices and weak encryption, potentially putting thousands - if not millions - of its owners at risk of cyberattacks.

If you happen to own the TP-Link AC1200 Archer C50 (v6) router, you should install the latest firmware update immediately.

What we discovered

During the course of our security analysis of the TP-Link AC1200 Archer C50 (v6) router, we found multiple unpatched flaws in the default version of the router’s firmware, as well as its web interface app: 

  • The router is shipped with outdated firmware that is vulnerable to dozens of known security flaws.
  • WPS is enabled by default, potentially allowing threat actors to brute-force the router. 
  • Session tokens are not deleted server-side after logging out of the router app and are accepted for subsequent authorization procedures.
  • The router’s administrator credentials and configuration backup files are encrypted using weak protocols and can be easily decrypted by attackers.
  • The default version of the router’s web interface app suffers from multiple bad security practices and vulnerabilities, including clickjacking, charset mismatch, cookie slack, private IP disclosures, weak HTTPS encryption, and more.
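The session-token finding above (tokens still accepted after logout) is easiest to see against a minimal server-side session store. The following is an added example written for this article, not TP-Link's code: one store that deletes the token on logout, one that models the reported behaviour by leaving it in place, and a check that tells them apart. The TTL value and the `now` clock hook are assumptions chosen for the illustration.

```python
import secrets
import time

# Constructed illustration; session lifetime is an assumed value.
SESSION_TTL_SECONDS = 15 * 60


class SessionStore:
    """Server-side session registry that invalidates tokens on logout."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # token -> (username, expires_at)

    def login(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, self._now() + SESSION_TTL_SECONDS)
        return token

    def logout(self, token):
        # The fix for the reported flaw: drop the token server-side so a
        # captured copy cannot be replayed after the user logs out.
        self._sessions.pop(token, None)

    def authenticate(self, token):
        """Return the username for a live token, or None if it is not valid."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() >= expires_at:
            del self._sessions[token]
            return None
        return username


class LeakySessionStore(SessionStore):
    """Models the reported behaviour: logout only clears the browser cookie."""

    def logout(self, token):
        pass  # nothing is removed server-side, so the token keeps working


def logout_invalidates_session(store):
    """True if a token stops authenticating once its owner has logged out."""
    token = store.login("admin")
    before = store.authenticate(token) == "admin"
    store.logout(token)
    after = store.authenticate(token) is None
    return before and after


if __name__ == "__main__":
    print("hardened store:", logout_invalidates_session(SessionStore()))
    print("leaky store:   ", logout_invalidates_session(LeakySessionStore()))
```

Running the check against a real device is the same idea: log in, capture the session cookie, log out, replay the cookie against an authenticated endpoint, and expect a rejection.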

On the other hand, most of the known flaws that affected older versions of the router’s firmware, such as code execution during ping procedures and path traversal vulnerabilities, have been patched in the version we analyzed. In addition, HTTP traffic during login and logout procedures on the router’s web interface app is now encrypted using a permuted base64 scheme.

However, some of the flaws were only partially patched. For example, the backend of the router still seems relatively sloppily secured, which means that someone else can potentially find an entry point within the web interface and re-exploit previously known flaws.

On July 18, CyberNews reached out to TP-Link for comment and to understand whether they were aware of the flaws, and what they plan to do to protect their customers. 

After we sent information about the affected TP-Link device, TP-Link stated that the company will force firmware updates on the affected devices, while the owners will receive “relevant notifications” about these updates via their management interface, “whether they manage the device through the web terminal or the mobile app Tether.” 

Numerous known vulnerabilities in the default firmware version

Our initial investigation found that the services utilized by the router’s firmware matched 39 publicly-known security flaws listed on the MITRE database of Common Vulnerabilities and Exposures (CVE). We then narrowed down this list by separating the vulnerabilities into 4 categories: 

  • Most likely present
  • Likely present
  • Possibly present
  • Unexploitable

We identified their likelihood by investigating the router’s kernel and the version numbers of its services, as well as previous detailed reports and open-sourced code that we could look up on GitHub.
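The triage step described above (match each service version against CVE records, then sort into the four categories) can be expressed as a small script. The code below is an added example, not CyberNews' or TP-Link's tooling: the CVE ids are placeholders, the affected-version ranges and the device inventory are constructed for the illustration, and the `has_poc` / `requires` fields are assumed metadata that a real triage would fill in from the MITRE/NVD entry and the firmware's build configuration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory, as it might be read off the shell with commands such as
# `uname -r`, `curl --version` and `dropbear -V`. Values are made up.
SAMPLE_INVENTORY = {
    "linux":    {"version": "2.6.36", "features": {"pppol2tp"}},
    "curl":     {"version": "7.29.0", "features": set()},
    "dropbear": {"version": "2012.55", "features": set()},
}


def parse_version(text):
    """'2.6.36' -> (2, 6, 36); a trailing non-numeric suffix ends the parse."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


@dataclass
class CveRecord:
    cve_id: str
    component: str
    fixed_in: Optional[str]      # first version carrying the fix; None if unknown
    has_poc: bool = False        # public PoC or detailed write-up exists
    requires: tuple = ()         # build features the flaw depends on


# Placeholder records with made-up ranges (not real CVE data).
SAMPLE_RECORDS = [
    CveRecord("CVE-PLACEHOLDER-A", "linux", "2.6.39", has_poc=True, requires=("pppol2tp",)),
    CveRecord("CVE-PLACEHOLDER-B", "linux", "2.6.39"),
    CveRecord("CVE-PLACEHOLDER-C", "curl", None),
    CveRecord("CVE-PLACEHOLDER-D", "dropbear", "2012.55"),
    CveRecord("CVE-PLACEHOLDER-E", "openssl", "1.0.1"),
    CveRecord("CVE-PLACEHOLDER-F", "linux", "2.6.39", requires=("netns",)),
]


def classify(record, inventory):
    """Map one CVE record onto the article's four likelihood categories."""
    entry = inventory.get(record.component)
    if entry is None:
        return "Unexploitable"        # component is not on the device at all
    if any(feature not in entry["features"] for feature in record.requires):
        return "Unexploitable"        # required feature is not compiled in
    if record.fixed_in is None:
        return "Possibly present"     # affected range could not be pinned down
    if parse_version(entry["version"]) >= parse_version(record.fixed_in):
        return "Unexploitable"        # device already carries the fix
    return "Most likely present" if record.has_poc else "Likely present"


def triage(records, inventory):
    """Return {category: [cve_id, ...]} in the article's category order."""
    buckets = {"Most likely present": [], "Likely present": [],
               "Possibly present": [], "Unexploitable": []}
    for record in records:
        buckets[classify(record, inventory)].append(record.cve_id)
    return buckets


def sample_triage():
    return triage(SAMPLE_RECORDS, SAMPLE_INVENTORY)


if __name__ == "__main__":
    for category, ids in sample_triage().items():
        print(f"{category}: {', '.join(ids) or '-'}")
```

The rule of thumb encoded here is the one the article applies: a flaw only counts as "most likely present" when the installed version predates the fix and a public proof of concept exists; without the proof of concept it drops to "likely", and an unknown fix range leaves it at "possibly".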

Here’s what we found:

As we can see, 24 out of 39 vulnerabilities were identified as potentially present within the router’s firmware, with 15 being ruled out as ‘Unexploitable’. 

Worryingly, 7 publicly-known vulnerabilities were deemed ‘Most likely present’ on the router: 

  • The ‘Use-after-free’ vulnerability allows potential threat actors to mount Denial of Service attacks against the router by removing a network namespace.
  • The ‘PPPoL2TP’ feature allows potential attackers to gain privileges on the network by leveraging data-structure differences between the router’s sockets.
  • Multiple integer overflows in the router’s kernel let threat actors mount Denial of Service attacks or gain privileges.
  • This cURL vulnerability, if exploited by an attacker, can lead to the disclosure of sensitive information by leaking the credentials of the owner of the router.
  • Another cURL vulnerability allows potential threat actors to steal user data and mount Denial of Service attacks.
  • An scp.c vulnerability in Dropbear lets potential attackers bypass access restrictions and modify the permissions of target directories.
  • The CVE-2014-3158 vulnerability allows threat actors to access privileged options on the network and "[corrupt] security-relevant variables."

Furthermore, 15 additional vulnerabilities were deemed ‘Likely present’. With that said, these were not practically tested, as we could not find direct references or proofs of concept to identify them as 100% positive. 

Two other vulnerabilities - CVE-2011-2717 and CVE-2015-3310 - were deemed unlikely to be exploitable, but were still possibly present on the router.

TP-Link web interface app code reveals subpar security practices

Having identified a number of potential vulnerabilities within the firmware, we conducted an analysis of the router’s default web interface app by scanning it with the Nmap, BurpSuite, and OWASP ZAP penetration testing tools.

(A host of potential issues found during a Burp scan)

The scans revealed a number of substandard security practices and flaws present in the router’s web interface app, which could be potentially exploited by threat actors: 

  • The app does not support HTTPS by default, allowing potential attackers to intercept web traffic.
  • When enabled, HTTPS within the interface is implemented using weak TLS 1.0 and TLS 1.1 encryption protocols.
  • The app is using Base64 encoding schemes, which can be easily decoded by potential man-in-the-middle attackers.
  • The interface suffers from the Cookie Slack flaw, which potentially allows for fingerprinting by threat actors.
  • Charset mismatch allows potential threat actors to force web browsers into content-sniffing mode.
  • Content-type is incorrectly stated on images within the app, potentially leading to attacks where threat actors can camouflage malicious scripts as images.
  • X-Content-Type-Options headers are not set, allowing for content sniffing.
  • The eval() function is used in the app’s JavaScript code, which could allow potential attackers to inject malicious code through the function’s input.
  • The router’s web interface is vulnerable to reverse tabnabbing attacks, where attackers can use framed pages in order to rewrite them and replace them with phishing pages.
  • The Content Security Policy header is not set, allowing web browsers to load any type of content within the web interface page, including malicious code.
  • The interface allows private IP disclosures, which lets potential threat actors identify victims within a local network.
  • Frameable responses within the interface can be used by malicious actors to trick users into unintentionally clicking on a button or link on a different page instead of the intended page (also known as clickjacking).
  • Flooding the router with enough requests per second renders it unresponsive, which means that a Denial of Service vulnerability is present.
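Most of the items in the list above can be checked offline from a single captured HTTP response. The following is an added example, not TP-Link's code and not the rule set of any of the scanners named in the article: it takes a URL, the response headers and the body, and returns finding codes for plain HTTP, missing X-Content-Type-Options and Content-Security-Policy headers, a frameable response, charset mismatch between header and meta tag, eval() in scripts, target="_blank" links without rel="noopener" (reverse tabnabbing), private IP disclosure, and image content types that do not match the file's magic bytes. The sample response used for the usage call is constructed.

```python
import re

# Constructed checker for one captured HTTP response; header names are
# matched case-insensitively. Not TP-Link's code nor a scanner's rule set.

PRIVATE_IP = re.compile(
    rb"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    rb"|192\.168\.\d{1,3}\.\d{1,3}"
    rb"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)
IMAGE_MAGIC = {            # leading bytes a body must carry for the declared type
    "image/png": b"\x89PNG",
    "image/gif": b"GIF8",
    "image/jpeg": b"\xff\xd8",
}
SCRIPT_TYPES = {"text/html", "application/javascript", "text/javascript"}


def audit_response(url, headers, body=b""):
    """Return a list of finding codes for one HTTP response."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    if url.lower().startswith("http://"):
        findings.append("plain-http")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing-nosniff")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing-csp")
    if "x-frame-options" not in h and "frame-ancestors" not in csp.lower():
        findings.append("frameable")

    content_type = h.get("content-type", "")
    mime = content_type.split(";")[0].strip().lower()
    header_charset = re.search(r"charset=([\w-]+)", content_type, re.I)

    if mime == "text/html":
        meta = re.search(rb"<meta[^>]*charset=[\"']?([\w-]+)", body, re.I)
        if header_charset is None:
            findings.append("no-header-charset")      # invites content sniffing
        elif meta and meta.group(1).decode().lower() != header_charset.group(1).lower():
            findings.append("charset-mismatch")
        for anchor in re.finditer(rb"<a\b[^>]*>", body, re.I):
            tag = anchor.group(0).lower()
            if b"_blank" in tag and b"noopener" not in tag:
                findings.append("reverse-tabnabbing")
                break
        for match in PRIVATE_IP.finditer(body):
            findings.append("private-ip:" + match.group(0).decode())

    if mime in SCRIPT_TYPES and re.search(rb"\beval\s*\(", body):
        findings.append("eval-in-script")

    magic = IMAGE_MAGIC.get(mime)
    if magic is not None and not body.startswith(magic):
        findings.append("image-content-type-mismatch")   # script dressed as image

    return findings


# Constructed sample response resembling the weaknesses listed in the article.
SAMPLE_URL = "http://192.168.0.1/"
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=ISO-8859-1", "Server": "constructed"}
SAMPLE_BODY = (
    b'<html><head><meta charset="utf-8"><script>eval(cfg);</script></head>'
    b'<body>Gateway at 192.168.0.1 <a href="/help" target="_blank">help</a></body></html>'
)

if __name__ == "__main__":
    for code in audit_response(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(code)
```

The checker deliberately flags the absence of a header rather than a weak value, because on this interface the headers are simply not set; a hardened response needs `X-Content-Type-Options: nosniff`, a Content-Security-Policy that includes `frame-ancestors`, a charset in the Content-Type header that agrees with the page's meta tag, and no `target="_blank"` link without `rel="noopener"`.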

We also noticed that the default firmware version relies on a nine-year-old build of the Dropbear SSH service, itself plagued by multiple vulnerabilities, and uses DSA and RSA algorithms for its SSH keys.

Finally, we decided to check if the router’s firmware was still suffering from multiple severe vulnerabilities found in its previous versions by other security researchers. Fortunately, the flaws found in older versions are no longer present in the version tested by CyberNews, which means that new owners are no longer exposed to path traversal attacks and unauthenticated access attempts.

A critical two-year-old vulnerability

One of the most severe security flaws we identified and verified, made worse by the poor encryption of the router’s configuration file, was a vulnerability from 2019 that was only partially patched in the default version of the router’s firmware.

If an attacker intercepted the web traffic coming from a user who had administrator privileges and had successfully logged into the router, they would be able to extract their JSESSIONID cookie. This, along with the right hard-coded Referer header, let us access any CGI script, including the backup of the router’s configuration file, which we could easily decrypt using a publicly available tool that dates back to 2018.

The decrypted configuration file stores multiple informational and sensitive variables of the router, including: 

  • Administrator password
  • WPS key for wifi access
  • Hardware Version
  • Software version
  • Network name (SSID)

In addition, the router’s configuration file is interpreted in the backend. This can potentially let attackers conduct command injection attacks by decrypting the configuration file, editing it, and uploading a re-encrypted malicious configuration file back to the router.

Why shipping routers with outdated firmware is dangerous

With the Covid pandemic forcing millions to work remotely, home routers have become a valuable target for cybercriminals. As more people shift to working from home, companies can find it nigh-impossible to adequately secure all of their employees’ networking devices. 

Even though router manufacturers regularly release firmware updates to address new vulnerabilities, the responsibility for finding, downloading, and installing these updates falls on the average user. However, even seasoned IT professionals often forget to keep their router software up to date. This means that most home routers will retain default versions of their firmware indefinitely, which is one of the reasons why bad actors find them so tempting as targets.

With that in mind, by keeping outdated firmware on a best-selling router for years, TP-Link has been potentially putting untold numbers of TP-Link customers at risk of attacks by malicious actors. 

Is AC1200 Archer C50 (v6) a good router? Maybe. Is it secure out of the box? Not until it’s force-updated by the manufacturer. And merely posting updates on the company’s website or sending notifications via an app won’t necessarily fix this problem.

How we collected and analyzed the data

To conduct this investigation, we disassembled the Amazon Best-Selling TP-Link AC1200 Archer C50 (v6) router, gained access to its shell terminal, and analyzed the router’s firmware (version ‘Archer C50(EU)_V6_200716’) and web interface using the Nmap, BurpSuite, and OWASP ZAP penetration testing tools. 

When taking apart the router, we uncovered its UART serial port and accessed its backend terminal by connecting the uncovered serial port to a computer using an intermediate controller.

This allowed us to extract the router's default firmware, take a look at its boot loading sequence, and cross-reference the versions of services and applets used by the router with the MITRE CVE database, which we used as the standard to identify any potential security flaws. We then analyzed the router’s web interface to verify any potential vulnerabilities found in the MITRE CVE database. 

In addition, we extracted the router’s weakly encrypted configuration file by intercepting a legitimate call to its CGI controllers. We were then able to decrypt this configuration file to reveal administrator credentials and the router’s WPS access key. 

This allowed us to discover other subpar security practices, including weak encryption protocols, WPS being enabled by default, as well as access tokens being kept active after the administrator logout procedure.

Disassembling the router

In order to analyze the router’s firmware for potential security flaws, we first had to gain access to the router’s shell terminal. 

We began by physically disassembling the device itself and uncovering its serial port.

After finding the router’s serial port on the circuit board, we connected the router to another computer via a USB converter, which allowed us to analyze its firmware.

(Connecting the router to another computer for analysis)

We were able to access the router’s shell terminal by running a set of commands on the connected computer and turning on the router.

(The TP-Link AC1200 Archer C50 boot sequence)

Extracting the data

After gaining shell access to the router, we collected the following information: 

  • The router’s boot loading sequence.
  • The contents of the /etc/passwd file, which is used to keep track of all registered users and store their information, including usernames and passwords.
  • The contents of the /var/tmp/dropbear directory, which stores the router’s SSH keys and the SSH password.
  • The list of available commands, the $PATH variable, and the list of available services.

(The TP-Link AC1200 Archer C50’s list of available commands)

Having collected the raw data, our next step was to identify any potential vulnerabilities and then verify them manually to see if they could be exploited by threat actors, at least theoretically. We did this by cross-referencing the data with the MITRE CVE database, which helped us identify 39 potential security flaws.

Finally, we scanned the router’s web interface with the Nmap, BurpSuite, and OWASP ZAP penetration testing tools. This allowed us to identify the encryption algorithms used by TP-Link to store and transfer sensitive information, revealing substandard security practices and flaws present in the router’s web interface app.
