Router vendor has patched some zero-days, but leaves others wide open

A researcher found 10 previously undisclosed vulnerabilities in MoFi Networks routers that could allow attackers to steal passwords and data from networks.

In April, security researcher Rich Mirch got a text from a friend who had just switched to a new wireless router and was raving about its high-speed internet. You have to try it, the friend told Mirch.

Curious, Mirch downloaded the router’s firmware and started picking it apart. He found that the device, made by an obscure Canada-based company called MoFi Network, had multiple password-related vulnerabilities packed into its code.

But Mirch wanted to delve deeper. So the senior adversarial engineer at Texas-based security firm CriticalStart ordered the router online and rolled up his sleeves. He ended up finding 10 previously undisclosed vulnerabilities in the device that, if exploited, could allow attackers to steal passwords and data from networks running the vulnerable routers, including VPN credentials and API keys.

“Some of these vulnerabilities have probably existed since 2015,” said Mirch, who published his findings on Wednesday.

The research points to a longstanding yet unresolved issue: how to incentivize security among vendors who sell routers in a market that prizes affordability and convenience. It’s not just MoFi: in the last three months, security experts have found critical bugs in routers made by other vendors that have struggled, or even declined, to provide patches for them. The issue has only gotten more pressing as the pandemic caused by the coronavirus has enforced an indefinite work-from-home routine for countless corporations.

In MoFi’s case, the remediation process is not yet complete, according to Mirch. The company initially fixed some of the vulnerabilities, but it also introduced new bugs when it updated the firmware, he said. Those include a vulnerability that could allow an attacker to remotely inject code on a device. In correspondence with Mirch reviewed by CyberScoop, a MoFi engineer argued that the remote access features the company introduced were necessary for customer support.

MoFi did not respond to phone calls, emails and Facebook messages seeking comment. As of this writing, four of the vulnerabilities that Mirch found haven’t been addressed, he said.

MoFi also argued that the routers were configured in a way that did not expose them to the public internet. But as of Wednesday, Mirch had found 6,800 MoFi devices in Shodan, the search engine for internet-connected devices. That number had been as high as 14,000 in June, Mirch said, before the device owners apparently began quietly addressing the issue.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
