Beware! Dozens of Linksys Wi-Fi Router Models Vulnerable to Multiple Flaws

Thursday, April 20, 2017 Swati Khandelwal



Bad news for consumers with Linksys routers: Cybersecurity researchers have disclosed the existence of nearly a dozen of unpatched security flaws in Linksys routers, affecting 25 different Linksys Smart Wi-Fi Routers models widely used today.

IOActive's senior security consultant Tao Sauvage and independent security researcher Antide Petit published a blog post on Wednesday, revealing that they discovered 10 bugs late last year in 25 different Linksys router models.

Out of 10 security issues (ranging from moderate to critical), six can be exploited remotely by unauthenticated attackers.

According to the researchers, when exploited, the flaws could allow an attacker to overload the router, force a reboot by creating DoS conditions, deny legitimate user access, leak sensitive data, change restricted settings and even plant backdoors.



Many of the active Linksys devices exposed on the internet scanned by Shodan were using default credentials, making them susceptible to the takeover.

Researchers found more than 7,000 devices impacted by the security flaws at the time of the scan, though this does not include routers protected by firewalls or other network protections.

"We performed a mass-scan of the ~7,000 devices to identify the affected models," IOActive says. "We found that 11% of the ~7000 exposed devices were using default credentials and therefore could be rooted by attackers."IOActive made Linksys aware of the issues in January this year and is working "closely and cooperatively" with the company ever since to validate and address the vulnerabilities.


Here's How critical are these Flaws:
The researchers did not reveal more details about the vulnerabilities until the patch is made available to users, although they said two of the flaws could be used for denial-of-service attacks on routers, making them unresponsive or reboot by sending fraudulent requests to a specific API.

Other flaws could allow attackers to bypass CGI scripts to collect sensitive data such as firmware versions, Linux kernel versions, running processes, connected USB devices, Wi-Fi WPS pins, firewall configurations, FTP settings, and SMB server settings.

CGI, or Common Gateway Interface, is a standard protocol which tells the web server how to pass data to and from an application.



Researchers also warned that attackers those have managed to gain authentication on the devices can inject and execute malicious code on the device's operating system with root privileges.

With these capabilities in hands, attackers can create backdoor accounts for persistent access that are even invisible in the router smart management console and so to legitimate administrators.

However, researchers did not find an authentication bypass that can allow an attacker to exploit this flaw.


List of Vulnerable Linksys Router Models:
Here's the list of Linksys router models affected by the flaws:

EA2700, EA2750, EA3500, EA4500v3, EA6100, EA6200, EA6300, EA6350v2, EA6350v3, EA6400, EA6500, EA6700, EA6900, EA7300, EA7400, EA7500, EA8300, EA8500, EA9200, EA9400, EA9500, WRT1200AC, WRT1900AC, WRT1900ACS, and WRT3200ACM.

The majority of the exposed devices (nearly 69%) are located in in the United States, and others are spotted in countries including Canada (almost 10%), Hong Kong (nearly 1.8%), Chile (~1.5%), and the Netherlands (~1.4%).

A small percentage of vulnerable Linksys routers have also been spotted in Argentina, Russia, Sweden, Norway, China, India, UK, and Australia.


Here's How you can Mitigate Attacks originating from these Flaws:
As temporary mitigation, Linksys recommended its customers to disable the Guest Network feature on any of its affected products to avoid any attempts at the malicious activity.

The company also advised customers to change the password in the default account in order to protect themselves until a new firmware update is made available to patch the problems.

Linksys is working to release patches for reported vulnerabilities with next firmware update for all affected devices. So users with Smart Wi-Fi devices should turn ON the automatically update feature to get the latest firmware as soon as the new versions arrive.

Vivo V5 Plus IPL Limited Edition phone to launch today in celebration of IPL 2017

Image Credit: Vivo

Chinese smartphone maker Vivo is launching a limited edition smartphone for the upcoming IPL 2017 (Indian Premiere League). IPL 2017 marks the 10th season of the annual Twenty20 cricketing event in India. The opening match of IPL 2017 is set for 5 April, Wednesday between Sunrisers Hyderabad vs Royal Challengers Bangalore.

The company has sent invites across for the launch event in Hyderabad. The Vivo V5 Plus was announced back in January and made available for the general public back in February. The only difference between the Vivo V5 Plus and the IPL Limited edition seems to be the matte black colour of the smartphone. One thing to note here is that Vivo is the official sponsor for IPL and the smartphone may come loaded with IPL-related apps but we are purely speculating about the second part here.

The Vivo V5 comes with a 5.5-inch display with HD (1280×720) resolution and a 2.5D curved Gorilla Glass 3 on top, a 1.8 GHz Snapdragon 652 octa-core processor with 4 GB RAM along with 32 GB internal storage expandable up to 128 GB via microSD card is also present. In the camera department, it offers a 13 MP sensor on the back while a 20 MP sensor on the front takes charge of capturing selfies.

The camera on the back features a soft-LED flash and PDAF (phase detection autofocus). The smartphone also features a fingerprint scanner embedded in the home button, 4G LTE bands support, dual-SIM card slot, a 3,055 mAh battery and even Vivo’s proprietary Fast Charging technology. It runs on Android 6.0 Marshmallow with Vivo’s FunTouch OS 2.6 skin on top.

It is highly unlikely that the smartphone will come with any changes in the hardware.

Publish date: April 4, 2017 9:25 am| Modified date: April 4, 2017 9:25 am

MWC 2017: Gionee launches two smartphones A1 and A1 Plus from its new flagship A series

Image Credit: Gionee

By tech2 News Staff /  27 Feb 2017 , 18:33

Chinese Smartphone maker Gionee announced the launch of two smartphones from its new flagship A series. Gionee A1, the first smartphone from the series packs a 20MP front-facing camera for selfies.

The A1 will be powered by a MediaTek Helio P10 MT6755 processor along with 4GB RAM and 64GB internal storage. It will come with a 5.5-inch Full HD Amoled display with an effective resolution of 1920 x 1080.

The smartphone comes along with an expandable storage slot that supports microSD cards up to 128GB. The smartphone packs 16MP camera module with f/2.0 aperture and fixed focus on the front along with a flash unit. The company has added a 13MP camera module on the rear with f/2.0 aperture, autofocus and LED flash unit.

Gionee has added 4,010 mAh battery in the smartphone and will run on Android Nougat 7.0 out of the box. The smartphone comes with a Dual SIM slot, 3.5mm headphone jack, Wi-Fi, Bluetooth and others. “We have noticed that more and more people are regarding selfies as an expression of themselves and they tend to share their photos through various social channels whenever and wherever they are.

As a consumer-oriented smartphone manufacturer, we hope to set up the evolution of the selfie experience and provide the best portfolio at the best price,” added William Lu, President for Gionee.

Image Credit: Gionee

Gionee A1 Plus is the second smartphone launched by the Chinese smartphone maker. A1 Plus will sport a 6.0-inch Full HD display with an effective resolution o of 1920 x 1080. It comes with a 20MP front camera and a Dual camera setup with a 13MP Camera sensor and a 5MP camera sensor. Both the sensors of the dual-camera setup have an aperture of f/2.0 and autofocus.

The smartphone will be powered using a massive 4,550 mAh battery while running on MediaTek Helio P25. One thing to note is that the smartphone will run Android Nougat 7.0 out of the box. A1 Plus comes with a 64GB internal storage and an expandable storage slot that allows users to add microSD cards with a capacity up to 256GB.

Similar to A1, the company has offered similar connectivity options to the A1 Plus and will be powered by Android Nougat 7.0 out of the box. The smartphone will sport ‘Ultra Charge’ Technology that will ensure that the entire battery is charged in 120 minutes. Last but not least, both the smartphones will come with an enhanced camera experience where the facial recognition system and algorithms will enable a bokeh-selfie mode that will enable blurred backgrounds for better sense of depth.

Huawei runs past Oppo and Vivo in smartphone shipments in Q4 of 2016 in China

  19 Feb 2017 , 11:54

China shipped 131.6 million smartphones in in the fourth quarter of 2016 with Huawei topping the list, followed by Oppo and Vivo, a new report said on Saturday. According to a report by Singapore-based market research firm Canalys, the smartphone shipments in China accounted for nearly a third of worldwide shipments.

“Smartphone shipments in China for the fourth quarter of 2016 were also the quarterly highest in the history. Shipments for all of the year came to 476.5 million units, rising 11.4 percent from 2015 levels,” Digitimes reported, quoting Canalys report. Huawei shipped 76.2 million units in China’s smartphone market in 2016, followed by Oppo with 73.2 million units and Vivo with 63.2 million.

“In 2016, the top three brands were competing with new product launches, go-to-market strategies and brand building,” Canalys research analyst Jessie Ding was quoted as saying. Xiaomi took the fourth spot while Apple fell to fifth place.

“In 2017, competition between Huawei, Oppo and Vivo will become much more intense, while their increasing scale and bargaining power within the industry will have a larger impact on device strategies of operators and open channel partners,” Ding predicted. This comes right after the reports that Xiaomi is facing some problems in the Chinese market and Oppo, Vivo and Huawei are pushing up with innovation.

With inputs from IANS

Xiaomi launches Redmi Note 4X in China with Snapdragon 653 and special Miku edition

Image Credit: Xiaomi

By tech2 News Staff /  09 Feb 2017 , 12:56

Xiaomi officially launched the updated version of Xiaomi Redmi Note 4, the Redmi Note 4X in China. As all the product launches, officially, this will be limited to China in terms of availability. One important thing to note is that design-wise the Redmi Note 4X is same as the Redmi Note 4. The only difference is the availability in Teal Green which is being termed as the limited edition Hatsune Miku edition, on the occasion of Valentine’s Day.

Image Credit: Xiaomi

For the uninitiated, Hatsune Miku is an extremely popular singing synthesiser app primarily popular in Japan. The popularity is such that people attend concerts where the holographic avatar of Miku is performing on stage. In addition to the ‘Hatsune Gree’, the company has also launched a variant in ‘Cherry Pink’ colour as reported by GSMArena. The entire package comes along with a stylised package, protective case and limited edition Mi Power bank.

Image Credit: Xiaomi

The company has not published detailed specs of the smartphone along or the pricing but the company is expected to release these details prior to the sales day. However, as reported by GSMArena, the internals of the Redmi Note 4X are exactly the same as the internals of Redmi Note 4. In terms of hardware, the phone will be powered by a Snapdragon 653 chipset internationally and a MediaTek Helio X20 in China (the same as on the Chinese Note 4). The current international edition of the Note 4 uses the Snapdragon 625 chip, which is slightly less powerful than the 653, but more power efficient.

Storage options will now include variants with 3GB RAM / 32GB storage, 4GB RAM / 32GB storage and 4GB RAM / 64GB storage. Unlike the Note 4, there will be no 2GB RAM variant.

China is planning to undertake 30 space launch missions in 2017

Seen here is China's Long March 4C rocket. Image: Reuters

  04 Jan 2017 , 15:57

China plans to conduct some 30 space launch missions in 2017, a record-breaking number in the country’s space history, said China Aerospace Science and Technology Corporation. Long March-5 and Long March-7 rockets would be used to carry out most of the space missions, the China News Service reported.

Long March-5 is China’s largest carrier rocket. The successful test launch of the vehicle in November in Hainan would pave the way for space station construction, analysts said. Wang Yu, general director of the Long March-5 program, said 2017 is a critical year for China’s new generation of carrier rockets and the Long March-5 rockets would carry Chang’e-5 probe to space.

The probe would land on the moon, collect samples and return to Earth. On the other hand, Long March-7, the more powerful version of Long March-2, would send China’s first cargo spacecraft Tianzhou-1 into the space in the first half of 2017, according to Wang Zhaoyao, director of China Manned Space Engineering Office.

Tianzhou-1 was expected to dock with Tiangong-2 space lab and conduct experiments on propellant supplement, People’s Daily reported. China conducted 22 launch missions in 2016 and 19 in 2015. The country successfully tested its Long March-7 rocket in June 2016, and has gradually shifted to new generation rockets that reduce the use of toxic rocket fuels.

IANS

Apple pulls New York Times app from Chinese app store after China reports the app

Image Credit: REUTERS

  05 Jan 2017 , 16:19

Apple has removed the New York Times from its China app store, the tech giant said, after authorities told the company the app breached regulations. The US newspaper said both its English- and Chinese-language apps were pulled late last month, blocking one of the few remaining channels for readers in China to access its reports.

“For some time now the New York Times app has not been permitted to display content to most users in China, and we have been informed that the app is in violation of local regulations,” Apple spokeswoman Carolyn Wu said in a statement to AFP.  “As a result, the app must be taken down off the China App Store.”

When the situation changes, she added, Apple will offer the app again for download in China.  The development marks the latest move by Beijing to suppress the newspaper’s output in China, after the government blocked its website following a 2012 Times report saying that former Premier Wen Jiabao’s family controlled assets worth $2.7 billion.

Incoming correspondents for The New York Times were not given Chinese residence visas in apparent retaliation. China’s Communist Party oversees a vast censorship apparatus designed to censor online content they deem politically sensitive, while blocking some Western websites and the services of Internet giants including Facebook, Twitter and Google.

In recent months Beijing censors had “struggled” to prevent readers from using the Chinese-language app, the Times reported.  A Times spokeswoman said the company had asked Apple to reconsider its decision, it added.  “The request by the Chinese authorities to remove our apps is part of their wider attempt to prevent readers in China from accessing independent news coverage by The New York Times of that country,” spokeswoman Eileen Murphy said.

‘Must comply’

China has seen a sprawling crackdown on dissent under President Xi Jinping, restricting citizens’ speech online and jailing hundreds of lawyers who had taken on civil rights cases considered sensitive by the ruling party.  At the same time the world’s number two economy is Apple’s second-biggest market, and a key part of its supply chain, where many of its products are manufactured.

Apple CEO Tim Cook is a frequent visitor to the People’s Republic and the company has made several large-scale investments in the country.   The California-based firm announced last year it will open two research and development centres in Beijing and Shenzhen. In December it bought a 30 percent stake in wind farm projects across China that will produce 285 megawatts of power, its largest clean energy project to date.

It poured $1 billion into the ride hailing app Didi Chuxing in May, a move some observers saw as a strategic play to shore up sales in the Asian market and prepare for a rumoured move into self-driving cars. But Apple has also struggled with the country’s Communist rulers, with its movie and book services shut down last year by Chinese authorities, shortly after launching.

Chinese foreign ministry spokesman Geng Shuang told reporters Thursday that he was “not really aware” of the removal of the New York Times app. “What I can tell you is that the Chinese government always encourages and supports the development of the internet,” he added at a regular briefing. “But the development of the internet in China must comply with Chinese rules and regulations. This is a principle.”

Apple has seen its smartphone market share eroded, beaten out by rising Chinese firms — market leader Huawei and three companies little known elsewhere, Vivo, Oppo and Xiaomi. Sales of the iPhone have slumped, with revenues in the key “Greater China” market down 30 percent in the fourth quarter to $8.8 billion, according to Apple’s annual report.

AFP

Video bloggers will now need a license to broadcast in China

  14 Dec 2016 , 18:39

Video bloggers in China must register their real identities before publishing anything online from January 1, the Ministry of Culture announced Wednesday. All presenters — including amateurs, many of whom have gained enormous fame on the internet — would be compelled to comply with the new regulations in the new year, Xinhua reported.

The Chinese administration has asked online video bloggers to seek operating licenses from the authorities, as well as identify themselves via interviews or video calls starting 2017, said the report. Foreign video bloggers would require special permission, as well as those coming from Hong Kong, Macao and Taiwan.

The new regulation was arrived at after months of censorship on this type of new audiovisual media. The operators of video hosting services “must carry out real-time supervision of performances and keep records of all the shows”, it said. They would also have to create mechanisms for handling “emergencies” such as suspending content that violates the regulations and report any infringement to authorities.

The Chinese Ministry of Culture also announced the creation of a “blacklist” of video bloggers who failed to comply with these regulations in order to “ensure the sector’s healthy and orderly growth”. In recent months, the authorities have suspended video blog accounts and even arrested some of the presenters, claiming that they were broadcasting rude, erotic or violent content.

In April, China removed the online videos of blogger Papi Jiang, who had become famous for her monologues as she joked about daily life in China using sarcastic language. Chinese President Xi Jinping had called for culture and media to be subordinated to the values of the communist regime, which has resulted in high levels of censorship not seen in decades.

IANS

Huawei launches Enjoy 6S with Snapdragon 435 and 3GB RAM for $232

Image Credit: GSMArena

By tech2 News Staff /  07 Dec 2016 , 15:09

Huawei has launched the Enjoy 6S, successor to the recently launched Enjoy 6 in China today. The new smartphone continues to target mid-budget or low-budget consumers who don’t want to spend more money on they smartphone purchases.

The new smartphone is developed in partnership with China Mobile, and not much has changed regarding design except minor changes like the position of LED flash and overall 0.3mm slimmer housing than Enjoy 6.

According to the Huawei, Enjoy 6S packs an Octa-core Qualcomm Snapdragon 435 chipset clocked at 1.4GHz along with 3GB RAM. 6S comes with 5-inch HD IPS LCD screen powered by a 3,020mAh battery. The smartphone packs a 13MP camera module with a f/2.2 aperture on the back and a 5MP camera module on the front.

Huawei has doubled the internal storage from 16GB in Enjoy 6 to 32GB in Enjoy 6S along with the similar connectivity features. The connectivity features include LTE-enabled Dual SIM slot, Bluetooth v4.0, GPS, FM Radio, microUSB v2.0, Wi-fi 802.11 b/g/n, Wi-Fi Direct, Hotspot and 3.5mm headphone jack.

The smartphone packs fingerprint, accelerometer, proximity sensor and compass as reported by GSMArena. Enjoy 6S will be available in white, gold and silver variants for approximately $232. There is no information on the availability of the device outside Chinese market.

Cyber attacks in China and Hong Kong grew 969% from 2014 to 2016, says survey

Image credit: Reuters

  30 Nov 2016 , 10:53

Cyber attacks on Chinese companies have soared in the past two years, according to a survey, with new technologies that connect household items to the internet and allow them to receive and send data seen as particularly vulnerable.

The average number of cyber attacks detected by companies in mainland China and Hong Kong grew 969 percent between 2014 and 2016. The number of attacks averaged more than 7 a day for each of the survey’s 440 China-based respondents – around half of the global average of 13.

However, the average number of attacks fell by 3 percent globally over the last two years, and 30 percent since 2015, in contrast to the rise in China.

China’s rapid adoption of new consumer and industrial technology for the ‘Internet of Things (IoT)’ era may be part of the reason. PwC said such connected devices are the leading targets of cyber-attacks.

“IoT devices in general have not paid attention to cyber security,” said Marin Ivezic, a partner on cyber security at PwC in Hong Kong.

“In China and Hong Kong … we have more adoption than anywhere else in the world,” he said, noting China was also one of the biggest manufacturers of these items.

Chinese-made connected home devices such as webcams with security loopholes that gave way to botnet malwares were blamed by security researchers for a massive cyber attack in the US last month that temporarily paralyzed major internet sites.

The Chinese companies surveyed had cut their cybersecurity budget by 7.6 percent in 2016 compared with flat global spending. Thirty four percent of them identified competitors as a source of attacks, a rate higher than anywhere else in the world.

The PwC survey does not track the country of origin of the attacks, which Ivezic said is “almost impossible”. The drop in the global number of cyber attacks did not reflect a safer environment, he said, but was rather the result of more sophisticated cyber criminals who more selective in who they targeted.

Reuters

Blu is facing the possibility of a class action lawsuit because of China backdoor

The Blu R1 HD, one of the phones that passed on user data to China

By tech2 News Staff /  25 Nov 2016 , 11:35

Blu is facing a class action lawsuit in the US after mobile phones by the company were found to be secretly sending user information to servers in China. Blu admitted that it had updated firmware on phones to disable malware that collected text messages, call logs, and contacts from customers. The budget Android smartphones by Blu were affected by the malware.

Rosen Legal, a law firm that specialises in class action lawsuits, has posted a Consumer Security Alert. In the alert, Rosen Legal has announced that it has started investigating into the potential of a class action lawsuit against Blu. The alert asks Blu customers to check if their devices were affected by the malware. Rosen Legal has invited affected customers to participate in the class action lawsuit, with no cost to the users.

The backdoor to China was discovered by Kryptowire, an information security services company jumpstarted by the US Defense Advanced Research Projects Agency (DARPA). It was discovered that the data was being collected by the Chinese company Shanghai ADUPS. ADUPS released a statement saying that the firmware on the phone was not meant for those models, and is used in China to prevent spam. Blu promptly updated the firmware on their devices to prevent the data from being sent to China, and ADUPS deleted all the collected information.

Budget Android smartphones in US found stealthily sending user data to China

The Blu R1 HD, one of the phones that passed on user data to China

By Aditya Madanapalle /  16 Nov 2016 , 17:45

Low budget Android phones in the US have found to be sending user data to China, without the permission of the user. The data being transmitted included the apps installed on the device, what order the apps were used, diagnostic data, lists of files, the call logs, the numbers of the people the user had messaged, and the content of the text messages sent by the user. In some instances, the location information of the user was also transmitted. The data was being sent to Shanghai Adups Technology Limited.

Anti Virus software was not detecting the secret transmissions, because they normally assume that the firmware installed on the device by the manufacturers are safe. An expert user would have been able to detect the transmissions, but not a regular user. The compromised firmware was able to remotely reprogram the devices, bypass existing Android permissions, and allow for remote control of the device. The firmware essentially acted as a backdoor to devices.

The secret transmissions were discovered by Kryptowire, a company started by the US Defense Advanced Research Projects Agency (DARPA) and the Department of Homeland Security (DHS). Google, Amazon, Adups and Blu were all informed of the transmissions. Permission from the user was not taken for transmitting the data, and the data was itself packed in multiple layers of encryption.

Blue representatives confirmed to the New York Times that the firmware was not meant for devices used in the US, and that it had acted swiftly to resolve the issue. Blu smartphones in the market are no longer affected, and are not beaming back data to China any more. Additionally, Blu representatives re-assured users that all data collected so far has been destroyed. Adups, Google, Blu or Kryptowire have not revealed a complete list of affected models.

In response to the disclosure by Kryptowire, Adups released a statement in response, claiming that the technology used in the firmware was for identifying and flagging junk text messages. The firmware was inadvertently shipped with the Blu devices. Adups has been cooperating with Blu and Google to make sure the data is not collected again. The data was collected for only a short period of time, and was not shared with anyone else.