
U.S. Agencies Consider Restrictions on TP-Link Routers Over Security Risks

A coordinated review by several federal agencies in the United States has intensified scrutiny of TP-Link home routers, with officials considering whether the devices should continue to be available in the country. Recent reporting indicates that more than six departments and agencies have supported a proposal recommending restrictions because the routers may expose American data to security risks.

Public attention on the matter began in December 2024, when major U.S. outlets revealed that the Departments of Commerce, Defense and Justice had opened parallel investigations into TP-Link. The inquiries focused on whether the company’s corporate structure and overseas connections could create opportunities for foreign government influence. After those initial disclosures, little additional information surfaced until the Washington Post reported that the proposal had cleared interagency review.

Officials involved believe the potential risk comes from how TP-Link products collect and manage sensitive information, combined with the company’s operational ties to China. TP-Link strongly disputes the allegation that it is subject to any foreign authority and says its U.S. entity functions independently. The company maintains that it designs and manufactures its devices without any outside control.

TP-Link was founded in Shenzhen in 1996 and reorganized in 2024 into two entities: TP-Link Technologies and TP-Link Systems. The U.S. arm, TP-Link Systems, operates from Irvine, California, with roughly 500 domestic employees and thousands more across its global workforce. Lawmakers previously expressed concern that companies with overseas operations may be required to comply with foreign legal demands. They also cited past incidents in which compromised routers, including those from TP-Link, were used by threat actors during cyber operations targeting the United States.

The company has grown rapidly in the U.S. router market since 2019. Some reports place its share at a majority of consumer sales, although TP-Link disputes those figures and points to independent data that estimates a smaller share. One industry platform found that about 12 percent of active U.S. home routers are TP-Link devices. Previous reporting also noted that more than 300 internet providers distribute TP-Link equipment to customers.

In a separate line of inquiry, the Department of Justice is examining whether TP-Link set prices at levels intended to undercut competitors. The company denies this and says its pricing remains sustainable and profitable.

Cybersecurity researchers have found security flaws in routers from many manufacturers, not only TP-Link. Independent analysts identified firmware implants linked to state-sponsored groups, as well as widespread botnet activity involving small office and home routers. A Microsoft study reported that some TP-Link devices became part of password spray attacks when users did not change default administrator credentials. Experts emphasize that router vulnerabilities are widespread across the industry and not limited to one brand.

Consumers who use TP-Link routers can reduce risk by updating administrator passwords, applying firmware updates, enabling modern encryption such as WPA3, turning on built-in firewalls, and considering reputable VPN services. Devices that no longer receive updates should be replaced.

The Department of Commerce has not issued a final ruling. Reports suggest that ongoing U.S. diplomatic discussions with China could influence the timeline. TP-Link has said it is willing to improve transparency, strengthen cybersecurity practices and relocate certain functions if required. 

Should You Still Trust Your Router? What Users Need to Know and How to Secure Home Wi-Fi today

Public discussion in the United States has intensified around one of the country’s most widely purchased home router brands after reports suggested that federal agencies are considering restrictions on future sales. The conversation stems from concerns about potential national security risks and the possibility of foreign influence in hardware design or data handling. While the company firmly denies these allegations, the ongoing scrutiny has encouraged many users to reassess the safety of their home Wi-Fi setup and understand how to better protect their networks.


Why the issue surfaced

The debate began when officials started examining whether equipment manufactured by the company could expose American networks to security risks. Investigators reportedly focused on the firm’s origins and questioned whether foreign jurisdictions could exert influence over product development or data processes.

The company has rejected these claims, saying its design, security functions, and oversight structures operate independently and that its leadership teams within the United States manage core product decisions. It maintains that no government has the ability to access or manipulate its systems.


Common router vulnerabilities users should understand

Even without the broader policy debate, home routers are frequently targeted by attackers, often through well-known weaknesses:

Hardware-level risks. In rare cases, security issues can originate in the physical components themselves. Malicious implants or flawed chips can give attackers a hidden entry point that is difficult for users to detect without specialized tools.

Unpatched security gaps. Zero-day vulnerabilities are flaws discovered by attackers before the manufacturer has prepared a fix. Some older or discontinued models may never receive patches, leaving users exposed for the long term.

Outdated firmware. Firmware updates serve the same purpose as software updates on phones and computers. Without them, routers miss critical security improvements and remain vulnerable to known exploits.

Botnets. Compromised routers are often absorbed into large collections of infected devices. These groups of hijacked systems are then directed to launch attacks, spread malware, or steal information.

Weak login credentials. Many intrusions occur simply because users keep the default administrator username and password. Attackers run automated tools that test the most common combinations in an attempt to break in.

Exposed remote settings. Some routers allow remote control panels to be accessed from outside the home network. If these remain active or are protected with simple passwords, attackers can quietly enter the system.

Outdated Wi-Fi encryption. Older wireless standards are easy for attackers to crack. Weak encryption allows outsiders to intercept traffic or join the network without permission.


How to strengthen your home network today

Any user can substantially improve their router’s security by following a few essential steps:

1. Change default passwords immediately. Use strong, unique credentials for both the router’s control panel and the Wi-Fi network.

2. Check for firmware updates regularly. Install every available update. If your device no longer receives support, replacement is advisable.

3. Enable the built-in firewall. It acts as the first barrier between your home network and outside threats.

4. Turn off remote management features. Only leave such functions active if you clearly understand them and require them.

5. Use modern Wi-Fi encryption. Choose WPA3 whenever your device supports it. If not, use the most up-to-date option available.

6. Consider a trusted VPN. It adds an extra layer of protection by encrypting your online activity.

7. Upgrade aging hardware. Older models often lack modern protections and may struggle to handle security patches or stable performance.


What users should do now

A potential restriction on any router brand is still under government review. For now, users should focus on ensuring their own devices are secured and updated. Strengthening home Wi-Fi settings, using current security practices, and replacing unsupported hardware will offer the most immediate protection while the situation continues to escalate. 


D-Link Urges Replacement of End-of-Life VPN Routers Amid Critical Security Vulnerability


D-Link has issued a strong warning to its customers, advising them to replace certain end-of-life (EoL) VPN router models immediately. This follows the discovery of a critical unauthenticated remote code execution (RCE) vulnerability that will not be addressed with security patches for the affected devices. The vulnerability was reported to D-Link by security researcher “delsploit,” although technical details have been withheld to prevent widespread exploitation. The flaw impacts all hardware and firmware versions of the DSR-150, DSR-150N, DSR-250, and DSR-250N models, particularly firmware versions 3.13 to 3.17B901C. 

These routers, which have been popular among home offices and small businesses worldwide, officially reached their end-of-service (EoS) status on May 1, 2024. D-Link’s advisory makes it clear that no further security updates will be issued for these devices. Customers are strongly encouraged to replace the affected models to avoid potential risks. For users who continue using these devices despite the warnings, D-Link suggests downloading the latest available firmware from their legacy website. 

However, it is important to note that even the most up-to-date firmware will not protect the routers from the RCE vulnerability. The company also cautions against using third-party open-firmware solutions, as these are unsupported and will void any product warranties. D-Link’s policy not to provide security fixes for EoL devices reflects a broader strategy within the networking hardware industry. The company cites factors such as evolving technologies, market demands, and product lifecycle maturity as reasons for discontinuing support for older models. The issue with D-Link routers is not an isolated case. 

Earlier this month, researcher “Netsecfish” revealed CVE-2024-10914, a command injection flaw affecting thousands of EoL D-Link NAS devices. Similarly, three critical vulnerabilities were recently disclosed in the D-Link DSL6740C modem. In both instances, the company chose not to release updates despite evidence of active exploitation attempts. The growing trend of security risks in EoL networking hardware highlights the importance of timely device replacement. 

As D-Link warns, continued use of unsupported routers not only puts connected devices at risk but may also leave sensitive data vulnerable to exploitation. By replacing outdated equipment with modern, supported alternatives, users can ensure stronger protection against emerging cybersecurity threats.

DrayTek Patches 14 Vulnerabilities, Including Critical Buffer Overflow Flaws


DrayTek recently patched 14 vulnerabilities in 24 router models, including a critical buffer overflow flaw that could allow remote code execution (RCE) or denial of service (DoS). The vulnerabilities, identified by Forescout Research’s Vedere Labs and described in their “DRAY:BREAK” report, include two critical flaws, nine high-severity flaws, and three medium-severity issues. 

The most severe flaw, CVE-2024-41492, involves the “GetCGI()” function in the web user interface, allowing attackers to exploit query string parameters and execute RCE or DoS attacks. Another critical flaw, CVE-2024-41585, involves OS command injection via the “recvCmd” binary, which could lead to a virtual machine escape. Forescout’s analysis of exposed DrayTek devices revealed more than 700,000 connected devices vulnerable to similar flaws. Of these, nearly 38% remain susceptible to exploitation due to outdated firmware or years-old vulnerabilities. 

Notably, less than 3% of exposed devices have installed the latest firmware, with many still using version 3.8.9.2, which is over six years old. Furthermore, a significant portion of these devices, often used in business sectors such as healthcare and manufacturing, are vulnerable as they haven’t been updated to the latest firmware despite vendor recommendations. To mitigate the risk, organizations using DrayTek routers should immediately patch their devices with the latest firmware updates. Disabling remote access, enabling two-factor authentication, and implementing Access Control Lists (ACLs) are also vital measures to secure the devices. 

Furthermore, continuous monitoring using syslog logging for any unusual activity can help detect and mitigate potential threats. Forescout’s report emphasizes that outdated routers pose a serious threat, with about 63% of the exposed devices being end-of-sale or end-of-life (EoL) models. Such outdated devices are a prime target for attackers, as demonstrated by the addition of older DrayTek vulnerabilities to the Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities catalog. 
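As an added example (not code from the articles, Forescout, DrayTek or any vendor), here is the kind of syslog monitoring the DrayTek advice above and the earlier router-hardening list point to: it parses constructed router-style login lines and flags admin access reaching the router from outside the LAN, bursts of failed logins from one source, and a success that follows such a burst. The log format, hostname and addresses are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in a generic router-style syslog format; this is
# not any vendor's real format. Only the "authd:" lines matter to the detector.
SAMPLE_LOG = """\
2024-10-03T08:00:01 gw authd: login failed user=admin src=203.0.113.45 svc=https
2024-10-03T08:00:02 gw authd: login failed user=admin src=203.0.113.45 svc=https
2024-10-03T08:00:03 gw authd: login failed user=admin src=203.0.113.45 svc=https
2024-10-03T08:00:04 gw authd: login failed user=admin src=203.0.113.45 svc=https
2024-10-03T08:00:05 gw authd: login failed user=admin src=203.0.113.45 svc=https
2024-10-03T08:00:06 gw authd: login ok user=admin src=203.0.113.45 svc=https
2024-10-03T08:10:00 gw authd: login ok user=admin src=192.168.1.20 svc=https
2024-10-03T08:11:00 gw authd: login failed user=admin src=192.168.1.21 svc=https
2024-10-03T08:12:00 gw kernel: eth0 link up
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ authd: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+)$"
)

# RFC 1918 ranges; anything else is treated as arriving from the WAN side.
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(addr):
    ip = ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def parse_auth_events(text):
    """Return the authd login events found in the log as dicts, in file order."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect(events, window=timedelta(minutes=5), threshold=5):
    """Flag admin logins from outside the LAN (remote management reachable),
    `threshold` failures from one source inside `window` (credential guessing),
    and a success from a source that was just seen guessing."""
    findings = []
    failures = defaultdict(list)   # src -> timestamps of failures inside the window
    wan_seen, brute_seen = set(), set()
    for ev in events:
        src, ts = ev["src"], ev["ts"]
        if not is_lan(src) and src not in wan_seen:
            wan_seen.add(src)
            findings.append({"kind": "wan_admin_access", "src": src, "svc": ev["svc"]})
        if ev["result"] == "failed":
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) >= threshold and src not in brute_seen:
                brute_seen.add(src)
                findings.append({"kind": "brute_force", "src": src, "count": len(recent)})
        elif src in brute_seen:
            findings.append({"kind": "success_after_brute_force", "src": src, "user": ev["user"]})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_auth_events(SAMPLE_LOG)):
        print(finding)
```

The LAN-side single failure produces no finding, which is the point of the threshold: alert on the pattern, not on every typo.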

Although no evidence currently exists of exploitation of these newly discovered vulnerabilities, the risk remains high, especially given the long-standing pattern of recurring flaws in DrayTek devices. The security of DrayTek routers hinges on timely updates and robust security measures. The newly patched vulnerabilities, while not yet exploited, demonstrate the importance of ongoing vigilance and proactive cybersecurity measures, especially in industries reliant on these devices for network access.

Firmware Caution Advises MSI Cyberattack

Modern corporations, gaming hardware manufacturers included, face constant attacks from malicious hackers and other digital no-goodniks. MSI has confirmed to its customers that it was attacked.

MSI has not said how much damage was caused. The attackers have threatened to release proprietary software and source code. It has been reported that the network of the Taiwanese computer manufacturer MSI (short for Micro-Star International) was compromised in a cyberattack.

As reported earlier this week, a ransomware group has infiltrated MSI systems with the help of the Money Message ransomware attack. Unless the company pays a $4 million ransom fee to the hackers, well-protected corporate data will be released online next week. 

The company advises all of its customers to obtain the latest BIOS and firmware updates only from the MSI website and not from anywhere else.

As expected, there are not many details, but it seems that MSI initiated "defense mechanisms and recovery measures" after detecting network anomalies and then notified law enforcement and the government. 

Earlier this week, in a filing with the Taiwan Stock Exchange (TWSE), first spotted by PCMag, MSI revealed that a cyberattack had occurred against some of its information service systems. The attack has been reported to the appropriate authorities.

The criminal group is demanding a $4 million ransom to avert the publication of the entire stolen data cache. Although MSI does not specify details, the company warns customers not to download BIOS/UEFI files or firmware from any source other than the company's website, which suggests that tampered firmware circulating in the wild is a live concern.

It was reported yesterday that the attack was the work of a ransomware group called Money Message, which claims to have stolen source code, a BIOS development framework and private keys.

Chat logs with the group also showed it claiming to have stolen 1.5 TB of data and demanding a ransom of over four million dollars for it. Whether these claims are connected, or whether MSI paid a ransom for these files, is unclear.

In a report, MSI representatives said that the company regained normal operations after restoring its systems. They have seen a minimal impact of the attack on their day-to-day operations. As long as customers exercise the usual level of due diligence when downloading software, drivers, and updates, they should not have too much to worry about if the company is telling the truth. According to rumors, this hack is unrelated to fraudulent emails in February. These emails purported to offer lucrative sponsorship deals to content creators through MSI.

MSI also advises its customers to use the official MSI website exclusively for BIOS and firmware updates, rather than downloading from unreliable sources such as unknown websites or torrent sites. Users should not go looking for modified or unofficial firmware dumps on the internet on the assumption that they are safe.

CISA Alerts on Serious Flaws in Industrial Equipment & Infrastructure


According to the US government's CISA and private security researchers, 56 vulnerabilities have been discovered in industrial operational technology (OT) systems from ten global manufacturers, including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk. 

Some of these flaws received CVSS severity ratings as high as 9.8 out of 10. This is especially unfortunate given that these devices are employed in vital infrastructure throughout the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining, and construction and automation industries.

Remote code execution (RCE) and firmware vulnerabilities are the most serious security problems. If exploited, these flaws might allow criminals to shut down electricity and water infrastructure and damage the food supply. This is not to claim that all or any of these situations are practically achievable; rather, these are the kind of devices and processes involved. 

Forescout's Vedere Labs uncovered the flaws in devices produced by 10 vendors and used by the security firm's customers and termed them OT:ICEFALL. As per the researchers, the vulnerabilities affect at least 324 enterprises worldwide – a figure that is likely to be far higher in reality because Forescout only has access to its own clients' OT devices. In addition to the previously mentioned firms, the researchers discovered weaknesses in Bently Nevada, Emerson, JTEKT, Omron, Phoenix Contact, and Yokogawa devices.

OT Devices are insecure by design

The majority of issues are found in level 1 and level 2 OT devices. Physical processes are controlled by level 1 devices such as programmable logic controllers (PLCs) and remote terminal units (RTUs), whereas level 2 devices include supervisory control and data acquisition (SCADA) and human-machine interface systems.

In addition to the 56 highlighted in a Vedere report today, the threat-hunting team uncovered four more that are still being kept under wraps owing to responsible disclosure. One of the four allows an attacker to compromise credentials, two let an attacker change the firmware of OT systems, and the fourth is an RCE through a memory write flaw.

Many of these flaws are the consequence of OT products' "insecure-by-design" build, according to Forescout's head of security research Daniel dos Santos. Several OT devices lack fundamental security protections, making them simpler for criminals to exploit, he said. 

Since that earlier analysis, "there have been real-world incidents, real malware that has abused insecure-by-design functionality of devices to cause disruption and physical damage, like Industroyer in Ukraine in 2016, or Triton in the Middle East in 2017. One instance of insecure-by-design is unauthenticated protocols. So basically, whenever you interact with the device you can call sensitive functions on the device, invoke this function directly without it asking for a password," dos Santos stated.

The security researchers found nine vulnerabilities related to protocols that have no authentication on them: CVE-2022-29953, CVE-2022-29957, CVE-2022-29966, CVE-2022-30264, CVE-2022-30313, CVE-2022-30317, CVE-2022-29952 and CVE-2022-30276.

The majority of these may be used to download and run firmware and logic on other people's devices, resulting in RCEs, or in shutdowns and reboots that create denial-of-service conditions. In an ideal world, equipment employing these protocols is not linked to computers and other systems in such a way that a network intruder may abuse them.

Credential compromise: Most common issue

Five of the flaws were noted more than once by Vedere Labs because they had various possible consequences. More than a third of the 56 vulnerabilities (38%) can be exploited to compromise user login credentials, while 21% might allow a criminal to change the firmware if exploited, and 14% are RCEs. 

Other vulnerability categories include denial of service and configuration manipulation (eight percent), authentication bypass (six percent), file manipulation (three percent), and logic manipulation (two percent). 

Fixing these security flaws will be difficult, according to the researchers, since they are the consequence of OT products being vulnerable by design, or because they need modifications in device firmware and supported protocols. 

As a result, they did not reveal all of the technical information for the faulty OT devices, which explains the lack of depth. They did, however, advise users to read each vendor's security advisory, which is expected to be released today or soon. Furthermore, where possible, the security shop suggests disconnecting OT and industrial control system networks from corporate networks and the internet.

Firmware Attacks can Leave Persistent Malware in the SSD's Hidden Section


Korean researchers have created a set of assaults against some solid-state drives (SSDs) that could allow malware to be planted at a position beyond the user's and security solutions' reach. The attack models are designed for drives with flex capacity characteristics and target a hidden section on the device known as over-provisioning, which is extensively used by SSD manufacturers these days for performance improvement on NAND flash-based storage systems. 

The over-provisioning region is invisible to the operating system and any applications that run on it, including security and anti-virus software. The SSD manager dynamically adjusts this space against the workloads when the user runs different applications, depending on how write or read-intensive they are. 

Flex capacity is a feature of Micron Technology SSDs that allows storage devices to automatically modify the sizes of raw and user-allocated space to improve performance by absorbing write workload volumes. It is a dynamic system that builds and changes a buffer of space which typically consumes between 7% and 25% of total disk capacity. 

Hardware-level assaults provide the highest level of persistence and stealth. In the past, sophisticated actors worked hard to execute such concepts against HDDs, concealing dangerous code in unreachable disk sectors. One assault modeled by researchers at Korea University in Seoul targets an invalid data area containing non-erased information that resides between the usable SSD space and the over-provisioning (OP) area, whose size depends on the two. According to the research article, a hacker can adjust the size of the OP region using the firmware manager, resulting in exploitable invalid data space.

In a second attack model, the OP region is used as a covert location where a threat actor can hide malware that users cannot monitor or remove. According to the research article, "It is assumed that two storage devices SSD1 and SSD2 are connected to a channel in order to simplify the description. Each storage device has 50% OP area. After the hacker stores the malware code in SSD2, they immediately reduce the OP area of SSD1 to 25% and expand the OP area of SSD2 to 75%." 

"At this time, the malware code is included in the hidden area of SSD2. A hacker who gains access to the SSD can activate the embedded malware code at any time by resizing the OP area. Since normal users maintain 100% user area on the channel, it will not be easy to detect such malicious behaviour of hackers," the article added.

To counteract the first type of assault, the researchers advise that SSD manufacturers wipe the OP area with a pseudo-erase algorithm that has no effect on real-time performance. Against the second type of attack, implementing monitoring systems that track the valid-to-invalid data ratio inside the SSD in real time is a potentially effective security measure against injecting malware into the OP area.

Hackers are Remotely Erasing Western Digital Hard Drives


The whole goal of using a network-attached storage device is to have a hard drive where you can back up vital data and then retrieve the files when you're out and about. Unknown hackers, on the other hand, are turning Western Digital My Book NAS hard drives into nightmare backup tools by breaking into the drives and deleting all of their data. The My Books are controlled by WD My Book Live, an app that allows consumers to access their data and manage their NAS from anywhere.

Last week, the drive manufacturer stated that certain owners' network-connected storage had been accessed without authorization and a complete reset had been triggered, though specifics on how seriously individuals should be concerned are still emerging. Western Digital said the WD My Book Live and WD My Book Live Duo drives are affected. They were first introduced in 2010, and the most recent firmware update was in 2015. The business has not stated how many drives are in circulation or estimated how many people are still using them.

“Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” the company said in a security bulletin. "In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.” 

There is currently no proof that Western Digital's cloud services, firmware update servers, or client credentials have been compromised. Rather, the My Book Live drives were left directly available over the internet, “either through direct connection or by port forwarding that was enabled either manually or automatically via UPnP,” according to the report. According to the firm, hackers employed port scanning to identify possible victims.

“We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further,” Western Digital added. “Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.” 

While Western Digital advises customers to disconnect the drives from the internet for safety, Reddit users' suggestions are much more cautious. On the assumption that hackers may have already loaded malware or another exploit onto the drives, the advice is to switch them off completely. Such a payload could be set to activate later, wiping the drive even if it isn't connected at the time.