Router vendor has patched some zero-days, but leaves others wide open

Written by

In April, security researcher Rich Mirch got a text from a friend who had just switched to a new wireless router and was raving about its high-speed internet. You have to try it, the friend told Mirch.

Curious, Mirch downloaded the router’s firmware and started picking it apart. He found that the device, made by an obscure Canada-based company called MoFi Network, had multiple password-related vulnerabilities packed into its code.

But Mirch wanted to delve deeper. So the senior adversarial engineer at Texas-based security firm CriticalStart ordered the router online and rolled up his sleeves. He ended up finding 10 previously undisclosed vulnerabilities in the device that, if exploited, could allow attackers to steal passwords and data from networks running the vulnerable routers, including VPN credentials and API keys.

“Some of these vulnerabilities have probably existed since 2015,” said Mirch, who published his findings on Wednesday.

The research points to a longstanding yet unresolved issue: how to incentivize security among vendors who sell routers in a market that prizes affordability and convenience. It’s not just MoFi: in the last three months, security experts have found critical bugs in routers made by other vendors that have struggled, or even declined, to provide patches for them. The issue has only gotten more pressing as the pandemic caused by the coronavirus has enforced an indefinite work-from-home routine for countless corporations.

In MoFi’s case, the remediation process is not yet complete, according to Mirch. The company initially fixed some of the vulnerabilities, but it also introduced new bugs when it updated the firmware, he said. Those includes a vulnerability that could allow an attacker to remotely inject code on a device. In correspondence with Mirch reviewed by CyberScoop, a MoFi engineer argued that the remote access features the company introduced were necessary for customer support.

MoFi did not respond to phone calls, emails and Facebook messages seeking comment. As of this writing, four of the vulnerabilities that Mirch found haven’t been addressed, he said.

MoFi also argued that the routers were configured in a way that did not expose them to the public internet. But as of Wednesday, Mirch had found 6,800 MoFi devices in Shodan, the search engine for internet-connected devices. That number had been as high as 14,000 in June, Mirch said, before the device owners apparently began quietly addressing the issue.