Researchers Say This Router Is Open to Outside Attack by Hackers

Researchers working for a cybersecurity firm found several vulnerabilities within a common router. They shared their findings with the router’s manufacturer six months ago and have yet to hear back.

A common router is filled with several vulnerabilities that could leave it open to outside attack by hackers, according to a group of researchers working for a cybersecurity firm.

Although the discovery was made as part of a research project and no instances of an actual attack were documented, the researchers say the findings and the lack of response by the manufacturer highlight the need for tech companies to be more proactive when it comes to fixing vulnerabilities found within their products.


Sanjana Sarda works as a junior security analyst for Independent Security Evaluators—a security firm that provides hacking services to technology companies looking to find vulnerabilities within their products.

Sarda found the vulnerabilities in Tenda’s AC15 AC1900 Smart Dual-band Gigabit Wi-Fi Router, and shared her findings in a blog post last week. The discovery was made as part of public research and not at the request of Tenda.

“I was just a bored junior security analyst with a week left at ISE before going back to college when my manager gave me a device to try and hack. Didn't know I would end up finding a root shell and three other [vulnerabilities],” Sarda said.

Her research uncovered several Common Vulnerabilities and Exposures, or CVEs, a system used by security professionals to reference publicly known cybersecurity vulnerabilities.

The vulnerabilities include a cross-site request forgery, which can be used to reboot the router remotely; a cross-site scripting request, which can be used to execute JavaScript; an open Telnet service that can be accessed by anyone online; and remote code execution, which can also be used to add JavaScript or bash script.

“These vulnerabilities are super common, they are on the OWASP Top Ten list and are low effort for an attacker to find. From our research some variant of these keep showing up in IoT devices, whether it's a router, NAS device, webcam, or pet feeder,” Sarda said.


Sarda explained that, separately, these vulnerabilities may simply create a mild inconvenience, such as rebooting a router for 45 seconds. But together, they could be used to launch an elevated or escalated attack that can be way more damaging.

“I should be able to change your password for your admin account,” Sarda said. “Continuous resetting. Continuous rebooting. I should be able to create a keylogger using the JavaScript. So it's like pretty much anything I want it to.”

Sarda said a firmware update by Tenda should fix these issues, and that ISE shared its findings with Tenda in January and has yet to hear back. Sarda also said the firmware she tested is still available on the Tenda website.

Tenda did not respond to Motherboard’s request for comment.

Sam Levin is a solutions consultant with ISE and said the company often does public research like this as part of its mission of keeping the public informed.

“Part of the goal of doing and publishing research is to work with the manufacturers to report and get vulnerabilities fixed. Also to help educate consumers about vulnerabilities, so they can make informed decisions on when to update or protect themselves,” Levin told Motherboard in an email.

Levin said he wasn’t surprised by Tenda’s lack of response.

“This isn't the first router that has the same sort of problems and it isn't going to be the last,” Levin said. “And this isn't the first manufacturer that has stood us up for six months.”

Ultimately, the researchers believe this is a lesson for manufacturers to be more proactive about fixing disclosed vulnerabilities in their products and to incorporate more testing on their firmware before its release. They also said it is a reminder to consumers to be more careful about what they do online and how they configure their devices.

“It's another reminder that firmware updates are important because when a [vulnerability] is fixed by a company it will be included in an update,” Sarda said.