The US Department of Homeland Security through the Computer Emergency Readiness Team (CERT) at Carnegie Mellon issued an alert to owners of a number of Linksys routers to patch those routers ASAP. The alert referenced two vulnerabilities – the first one allowed anyone on the internet to read or modify sensitive information on the router; the second allowed anyone on the internet to read the device’s password file (and thereby gain full access to the router and as a result also gain access to the Linksys user’s internal network.
Unfortunately, according to an article on Security.org , LInksys has not yet released patches for all of the affected routers and a proof of concept attack for the vulnerability on some models was published on a Turkish hacker site in September.
If we follow the timeline in the article, Kyle Lovett, the researcher who discovered the bugs told Linksys about it in July (about 4 months ago), sample exploits were posted on a hacker web site in September (2 months ago) and the article claims that there are still no patches available for some models of Linksys routers.
On top of that, many small and medium size businesses do not have the knowledge, skills or staff to patch their routers, making them kind of a cyber sitting duck.
One part of every business’s cyber security plan should be to make sure that all devices (from network routers to phones) are patched frequently.
Does your business have a written, adopted and audited cyber security plan?